Gareth Rushgrove Attacking CVE data with automation

No content

sdsd @garethr

- An introduction to CVEs - Sources of CVE data - Existing tools - Automation example

Common Vulnerabilities and Exposures

CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known cyber security issues. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."

No content

- CVE-2014-6271 - CVSS v2 Base Score: 10.0 HIGH - Access Vector: Network exploitable Access Complexity: Low Authentication: Not required to exploit Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

No content

Sources of CVE data

No content

No content

No content

No content

And lots more...

Many operating system vendors publish CVE data for system packages

No content

No content

Naming things And other common problems

I posit that CVE Information is really only useful if you can tie it to a software product and version

CPE is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.

How do you link installed software to a CPE?

How do you link installed software to a CPE? Manually

Software packaging and distribution vs upstream versioning

Systemd v220 vs 215-17+deb8u7

The CVE dataset is centered around CVEs, not around software

sdsd Normalising data sets and Libraries.io

Programmatically retrieving a list of CVEs for a given software product is unfortunately non-trivial

High-level tools Applications you can use today

Lots of high-level tools exist to try and help with answering the question “am I vulnerable?”

sdsd Local CVE database

sdsd Windows developer tools

sdsd Java packages

sdsd Application dependencies

sdsd Containers

sdsd System scanner

And lots more...

However, very few security tools adhere to the unix philosophy

- Write programs that do one thing - Write programs to work together - Write programs to handle text streams

Automation example The live demo part

I have a list of installed software packages and their versions

I can get package and version information from puppet $ puppet resource package

$ puppet resource package --param provider package: acl: ensure : '2.2.52-2' provider: 'apt' adduser: ensure : '3.113+nmu3' provider: 'apt' apt: ensure : '1.0.9.8.4' provider: 'apt'

No content

I can get package and version information about containers with $ lumogon scan

No content

$ lumogon scan {"$schema":"http://puppet.com/lumogon/core/draf t-01/schema#1","generated":"2017-08-07 11:35:16.6517922 +0000 UTC","owner":"default","group":["default"],"cli ent_version":{"BuildVersion":"development","Bui ldTime":"2017-05-11 08:24:20 UTC","BuildSHA":"a7f2943697f83ba74514a0169890ec f8ad1cfacb"},"reportid":"c6a8731e-9681-4758-915 1-9c2699769418","containers":{"8c8024760f3e4692 e93c6f4f76dc56eaab879e56ace06f876afeccc5c615ac2 8":{"$schema":"http://puppet.com/lumogon/contai nerreport/draft-01/schema#1","generated":"2017- 08-07 11:35:16.1308581 +0000 UTC","container_report_id":"2e65f6e7-371d-4bae-

I’d like to know if any of those packages have known CVEs

No content

Query our package list for known CVEs $ lumogon scan | findcve lumogon

Live Demo Klaxon

Summary If all you remember is...

- A central list of vulnerabilities is useful - Naming things is hard - CPE vs package managers vs GitHub - Still possible to build useful things - Requires work to normalize datasets

Questions? And thanks for listening