Slide 1

Attacking CVE data with automation
Gareth Rushgrove

Slide 2

Slide 3

@garethr

Slide 4

- An introduction to CVEs
- Sources of CVE data
- Existing tools
- Automation example

Slide 5

Common Vulnerabilities and Exposures

Slide 6

CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known cyber security issues. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."

Slide 7

Slide 8

- CVE-2014-6271
- CVSS v2 Base Score: 10.0 HIGH
- Access Vector: Network exploitable
- Access Complexity: Low
- Authentication: Not required to exploit
- Impact Type: Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service

Slide 9

Slide 10

Sources of CVE data

Slide 11

Slide 12

Slide 13

Slide 14

Slide 15

And lots more...

Slide 16

Many operating system vendors publish CVE data for system packages

Slide 17

Slide 18

Slide 19

Naming things
And other common problems

Slide 20

I posit that CVE information is really only useful if you can tie it to a software product and version

Slide 21

CPE is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.

Slide 22

How do you link installed software to a CPE?

Slide 23

How do you link installed software to a CPE?
Manually

Slide 24

Software packaging and distribution vs upstream versioning

Slide 25

Systemd v220 vs 215-17+deb8u7

Slide 26

The CVE dataset is centered around CVEs, not around software

Slide 27

Normalising data sets and Libraries.io

Slide 28

Programmatically retrieving a list of CVEs for a given software product is unfortunately non-trivial

Slide 29

High-level tools
Applications you can use today

Slide 30

Lots of high-level tools exist to try and help with answering the question “am I vulnerable?”

Slide 31

Local CVE database

Slide 32

Windows developer tools

Slide 33

Java packages

Slide 34

Application dependencies

Slide 35

Containers

Slide 36

System scanner

Slide 37

And lots more...

Slide 38

However, very few security tools adhere to the Unix philosophy

Slide 39

- Write programs that do one thing
- Write programs to work together
- Write programs to handle text streams

Slide 40

Automation example
The live demo part

Slide 41

I have a list of installed software packages and their versions

Slide 42

I can get package and version information from Puppet:

$ puppet resource package

Slide 43

$ puppet resource package --param provider
package:
  acl:
    ensure: '2.2.52-2'
    provider: 'apt'
  adduser:
    ensure: '3.113+nmu3'
    provider: 'apt'
  apt:
    ensure: '1.0.9.8.4'
    provider: 'apt'

Slide 44

Slide 45

I can get package and version information about containers with:

$ lumogon scan

Slide 46

Slide 47

$ lumogon scan
{"$schema":"http://puppet.com/lumogon/core/draft-01/schema#1",
 "generated":"2017-08-07 11:35:16.6517922 +0000 UTC",
 "owner":"default",
 "group":["default"],
 "client_version":{"BuildVersion":"development","BuildTime":"2017-05-11 08:24:20 UTC","BuildSHA":"a7f2943697f83ba74514a0169890ecf8ad1cfacb"},
 "reportid":"c6a8731e-9681-4758-9151-9c2699769418",
 "containers":{"8c8024760f3e4692e93c6f4f76dc56eaab879e56ace06f876afeccc5c615ac28":{"$schema":"http://puppet.com/lumogon/containerreport/draft-01/schema#1","generated":"2017-08-07 11:35:16.1308581 +0000 UTC","container_report_id":"2e65f6e7-371d-4bae-

Slide 48

I’d like to know if any of those packages have known CVEs

Slide 49

Slide 50

Query our package list for known CVEs:

$ lumogon scan | findcve lumogon
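The pipeline above, and the packaging-vs-upstream problem from the systemd slide (v220 vs 215-17+deb8u7), are easier to see in working code. The following is an added example, not the talk's findcve or lumogon code: a small Unix-style filter that reads the `puppet resource package --param provider` listing shown earlier, splits each Debian version into epoch, upstream version and Debian revision, and compares only the upstream part against a local CVE table. The package list is constructed (the three entries from the slide plus a constructed bash entry), the CVE table is constructed apart from the CVE-2014-6271 entry (upstream bash versions up to 4.3 are affected), and the version ordering is a deliberately simplified stand-in for dpkg's comparison.

```python
"""A findcve-style filter: installed packages in, candidate CVE matches out.

Added example, not the talk's findcve or lumogon code. It reads the output
format of `puppet resource package --param provider`, splits Debian versions
into epoch / upstream / revision, and matches the upstream part against a
constructed local CVE table (only the CVE-2014-6271 entry reflects real data).
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed sample of the `puppet resource package --param provider` output
# (acl, adduser and apt from the slide, bash added for the example).
PUPPET_OUTPUT = """\
package:
  acl:
    ensure: '2.2.52-2'
    provider: 'apt'
  adduser:
    ensure: '3.113+nmu3'
    provider: 'apt'
  apt:
    ensure: '1.0.9.8.4'
    provider: 'apt'
  bash:
    ensure: '4.3-11+deb8u1'
    provider: 'apt'
"""

# Constructed local CVE table: product -> [(cve_id, highest affected upstream version)].
# CVE-2014-6271 (bash <= 4.3) is real; the acl entry is a placeholder id that
# should not match the installed 2.2.52.
LOCAL_CVES = {
    "bash": [("CVE-2014-6271", "4.3")],
    "acl": [("CVE-XXXX-PLACEHOLDER", "2.2.51")],
}


@dataclass(frozen=True)
class DebVersion:
    epoch: int
    upstream: str
    revision: str


def split_debian_version(version: str) -> DebVersion:
    """Split [epoch:]upstream_version[-debian_revision].

    215-17+deb8u7 -> upstream 215, revision 17+deb8u7. The upstream part is
    what a CPE or CVE record refers to; the revision belongs to the distributor.
    """
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen: no Debian revision, the whole string is upstream
        upstream, revision = version, ""
    return DebVersion(epoch, upstream, revision)


def version_key(version: str) -> tuple:
    """Simplified ordering: digit runs compare numerically, the rest as text.

    Not dpkg's full algorithm (no '~' handling); enough for dotted upstream versions.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[^\d.]+", version))


def parse_puppet_packages(text: str) -> dict[str, str]:
    """Return {package: ensure-version} from the YAML-like puppet resource listing."""
    packages: dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if re.match(r"^  \S+:\s*$", line):           # two-space indent: package name
            current = line.strip().rstrip(":")
        elif current is not None:
            m = re.match(r"^    ensure\s*:\s*'([^']*)'", line)
            if m:
                packages[current] = m.group(1)
    return packages


@dataclass(frozen=True)
class Match:
    package: str
    installed: str
    upstream: str
    cve: str


def find_cves(puppet_output: str, cve_table: dict = LOCAL_CVES) -> list[Match]:
    """Candidate matches on the upstream version only.

    A hit is a candidate, not a confirmed vulnerability: the Debian revision
    (here 11+deb8u1) may carry a backported fix, so confirm against the
    distribution's own advisory data before acting on it.
    """
    matches = []
    for name, installed in parse_puppet_packages(puppet_output).items():
        upstream = split_debian_version(installed).upstream
        for cve_id, max_affected in cve_table.get(name, []):
            if version_key(upstream) <= version_key(max_affected):
                matches.append(Match(name, installed, upstream, cve_id))
    return matches


if __name__ == "__main__":
    # Unix-style use: `puppet resource package --param provider | python findcve.py`
    source = sys.stdin.read() if not sys.stdin.isatty() else PUPPET_OUTPUT
    for hit in find_cves(source):
        print(f"{hit.package}\t{hit.installed}\t{hit.cve}")
```

Run on the constructed listing it reports only bash 4.3-11+deb8u1 against CVE-2014-6271. That hit is exactly the normalisation problem the talk describes: the upstream version 4.3 is in the affected range, but whether the Debian revision already contains the backported fix is something only the vendor's package-level CVE data (the point of the "operating system vendors publish CVE data" slide) can answer, so the filter's output is a worklist, not a verdict.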

Slide 51

Live Demo Klaxon

Slide 52

Summary
If all you remember is...

Slide 53

- A central list of vulnerabilities is useful
- Naming things is hard
- CPE vs package managers vs GitHub
- Still possible to build useful things
- Requires work to normalize datasets

Slide 54

Questions?
And thanks for listening