cve-search - a free software to collect, search and analyse common vulnerabilities and exposures in software Freedom #0 in action Alexandre Dulaunoy

cve-search - a free software to collect, search and analyse common vulnerabilities and exposures in software

Freedom #0 in action

Alexandre Dulaunoy

alexandre.dulaunoy@circl.lu

20th December 2013

What we were looking for?

• Local search of common vulnerabilities and exposures (→ avoid searching NIST/US for your current vulnerable software...).

• Fast-lookup of vulnerabilities (e.g. live evaluation of network traffic for vulnerable software).

• Allow localized classification of vulnerabilities (e.g. classify software following your exposure).

• Flexible data structure (e.g. NIST/NVD is not the only source).

• Allowing the use of Unix-like tools to process the vulnerabilities.

History of cve-search

3 of 19

A functional overview of cve-search (populating database(s)

db mgmt.py db mgmt cpe dictionnary.py

db updater.py

db fulltext.py

fetch NVD/CVE from NIST

fetch CPE from NIST

index n last new CVE MongoDB

cve cpe ranking Whoosh index info

db dump.py

A functional overview of cve-search (tools)

MongoDB cve cpe ranking

info

Whoosh index

search.py dump last.py search xmpp.py

search fulltext.py

5 of 19

cve-search starting up...

Import and update of the CVE/NVD and CPE database:

1 % p y t h o n 3 . 3 d b u p d a t e r . py −v −i

Search CVE of a specific vendor (via CPE):

1 % p y t h o n 3 . 3 s e a r c h . py −p j o o m l a : 2 . . .

3 CVE−2012−5827

4 CVE−2012−6503

5 CVE−2012−6514

6 CVE−2013−1453

7 CVE−2013−1454

8 CVE−2013−1455

cve-search simple query and JSON output

1 s e a r c h . py −c CVE−2013−1455 −n

2 {” M o d i f i e d ” : ”2013−02−13T13 : 0 1 : 4 5 . 3 5 3−0 5 : 0 0 ” , ” P u b l i s h e d ” : ”2013−02−12T20 : 5 5 : 0 5 . 3 8 7−0 5 : 0 0 ” , ” i d ” : {” $ o i d ” : ” 514 c c e 0 d b 2 6 1 0 2 1 3 4 f a 3 f 2 1 1 ”}, ” c v s s ” : ” 5 . 0 ” , ” i d ” : ”CVE

−2013−1455 ” , ” r e f e r e n c e s ” : [ ” h t t p : / / x f o r c e . i s s . n e t / x f o r c e / x f d b /81926 ” , ” h t t p : / / d e v e l o p e r . j o o m l a . o r g / s e c u r i t y / news /549−20130202−c o r e−i n f o r m a t i o n−d i s c l o s u r e . h t m l ” ] , ” summary ” : ” J o o m l a ! 3 . 0 . x t h r o u g h 3 . 0 . 2 a l l o w s a t t a c k e r s t o o b t a i n s e n s i t i v e i n f o r m a t i o n v i a u n s p e c i f i e d v e c t o r s r e l a t e d t o an \” U n d e f i n e d v a r i a b l e .\” ” , ” v u l n e r a b l e c o n f i g u r a t i o n ” : [ ” J o o m l a ! 3 . 0 . 0 ” , ” J o o m l a ! 3 . 0 . 1 ” ]}

Without CPE name lookup:

1 ” v u l n e r a b l e c o n f i g u r a t i o n ” : [ ” c p e : / a : j o o m l a : j o o m l a

% 2 1 : 3 . 0 . 0 ” , ” c p e : / a : j o o m l a : j o o m l a % 2 1 : 3 . 0 . 1 ” ]}

7 of 19

CPE - an overview

1 c p e : /{p a r t}:{v e n d o r}:{p r o d u c t}:{v e r s i o n}:{u p d a t e}:{ e d i t i o n}:{l a n g u a g e}

part name

o Operating System a Application h Hardware

An empty part defines any element. CPE are updated at a regular interval by NIST but it happens that CPE dictionnary are updated afterwards.

Which are the top vendors using the word ”unknown”?

1 s e a r c h f u l l t e x t . py −q unknown −f | j q −r ’ . | .

v u l n e r a b l e c o n f i g u r a t i o n [ 0 ] ’ | c u t −f 3 −d : | s o r t | u n i q −c | s o r t −n r | h e a d −10

Count CPE vendor name 1145 oracle

367 sun

327 hp

208 google

192 ibm

113 mozilla 102 microsoft

98 adobe

76 apple

68 linux

9 of 19

Which are the top products using the word

”unknown”?

1 s e a r c h f u l l t e x t . py −q unknown −f | j q −r ’ . | .

v u l n e r a b l e c o n f i g u r a t i o n [ 0 ] ’ | c u t −f 3 , 4 −d : | s o r t | u n i q −c | s o r t −n r | h e a d −10

Count CPE vendor/product name 191 oracle:database server 189 google:chrome

115 oracle:e-business suite 111 sun:jre

101 mozilla:firefox

99 oracle:fusion middleware 95 oracle:application server 80 sun:solaris

68 linux:linux kernel 61 sun:sunos

10 of 19

oracle:java versus sun:jre

1 s e a r c h . py −p o r a c l e : j a v a −o j s o n | j q −r ’ . c v s s ’ |

R s c r i p t −e ’ summary ( a s . n u m e r i c (r e a d. t a b l e ( f i l e ( ” s t d i n ” ) ) [ , 1 ] ) ) ’

2

3 Min . 1 s t Qu . Median Mean 3 r d Qu . Max .

4 1 . 8 0 7 . 6 0 1 0 . 0 0 8 . 4 5 1 0 . 0 0 1 0 . 0 0 5

6 s e a r c h . py −p s u n : j r e −o j s o n | j q −r ’ . c v s s ’ | R s c r i p t − e ’ summary ( a s . n u m e r i c (r e a d. t a b l e ( f i l e ( ” s t d i n ” ) ) [ , 1 ] ) ) ’ 7

8 Min . 1 s t Qu . Median Mean 3 r d Qu . Max .

9 0 . 0 0 0 5 . 0 0 0 7 . 5 0 0 7 . 3 7 6 1 0 . 0 0 0 1 0 . 0 0 0

11 of 19

Ranking of vulnerabilities

1 d b r a n k i n g . py −c s a p : −g a c c o u n t i n g −r 3 2 s e a r c h . py −c CVE−2012−4341 −o j s o n −r

3 . . . ” c v s s ” : ” 1 0 . 0 ” , ” i d ” : ”CVE−2012−4341 ” , ” r a n k i n g ” : [ [{” a c c o u n t i n g ” : 3}] ] . . .

Ranking is simple and flexible. If you are a CSIRT, you can use your own tagging to weight the critical software/vendor in your

constituency.

Ranking helping for internal publishing of vulnerabilities

dump last.py can be used to generate an overview of the

current/recent vulnerabilities in your organization. You can limit the result to the ranked software to avoid non-related software

vulnerabilities.

1 d u m p l a s t . py −r −l 100 −f h t m l 2 d u m p l a s t . py −r −l 100 −f atom

13 of 19

search fulltext.py -g -s

Freedom #0

FSF Style:

The freedom to run the program, for any purpose (freedom 0).

Debian Style:

No Discrimination Against Fields of Endeavor

15 of 19

Can cve-search be used by bad guys?

• If you know that system is vulnerable, you have two options:

◦ If you are a good guy, you inform the system owner to fix the vulnerability.

◦ If you are a bad guy, you abuse your position and compromise the vulnerable system.

• cve-search could help both guys.

Where and how to infect random systems? TorInj research project

http://www.foo.be/torinj/

17 of 19

TorInj research project and cve-search

• In the initial version of TorInj, the vulnerabilities of the web browsers per client was evaluated offline.

• We were missing a tool to quickly lookup vulnerability per client and find an appropriate automatic exploitation.

• Next version of TorInj is relying on cve-search to do real-time vulnerability lookup, queue and try automatic exploitation.

• The objective of the research is show to the importance of using end-to-end authenticated encrypted communication with Tor and only with up-to-date software.

• Freedom #0 is important. Free software developed for an initial purpose (from defensive to offensive) can be redirected to a new one.

• Looking for open data source of software vulnerabilities to integrate in cve-search.

• Dataset of cve-search can be requested with localized ranking (e.g.

per country/region).

• Fork it, abuse it and then send pull request→ http://www.github.com/adulau/cve-search.

19 of 19