cve-search - a free software to collect, search and analyse common vulnerabilities and exposures in software
Freedom #0 in action
Alexandre Dulaunoy
alexandre.dulaunoy@circl.lu
20th December 2013
What we were looking for?
• Local search of common vulnerabilities and exposures (→ avoid searching NIST/US for your current vulnerable software...).
• Fast-lookup of vulnerabilities (e.g. live evaluation of network traffic for vulnerable software).
• Allow localized classification of vulnerabilities (e.g. classify software following your exposure).
• Flexible data structure (e.g. NIST/NVD is not the only source).
• Allowing the use of Unix-like tools to process the vulnerabilities.
History of cve-search
3 of 19
A functional overview of cve-search (populating database(s)
db mgmt.py db mgmt cpe dictionnary.py
db updater.py
db fulltext.py
fetch NVD/CVE from NIST
fetch CPE from NIST
index n last new CVE MongoDB
cve cpe ranking Whoosh index info
db dump.py
A functional overview of cve-search (tools)
MongoDB cve cpe ranking
info
Whoosh index
search.py dump last.py search xmpp.py
search fulltext.py
5 of 19
cve-search starting up...
Import and update of the CVE/NVD and CPE database:
1 % p y t h o n 3 . 3 d b u p d a t e r . py −v −i
Search CVE of a specific vendor (via CPE):
1 % p y t h o n 3 . 3 s e a r c h . py −p j o o m l a : 2 . . .
3 CVE−2012−5827
4 CVE−2012−6503
5 CVE−2012−6514
6 CVE−2013−1453
7 CVE−2013−1454
8 CVE−2013−1455
cve-search simple query and JSON output
1 s e a r c h . py −c CVE−2013−1455 −n
2 {” M o d i f i e d ” : ”2013−02−13T13 : 0 1 : 4 5 . 3 5 3−0 5 : 0 0 ” , ” P u b l i s h e d ” : ”2013−02−12T20 : 5 5 : 0 5 . 3 8 7−0 5 : 0 0 ” , ” i d ” : {” $ o i d ” : ” 514 c c e 0 d b 2 6 1 0 2 1 3 4 f a 3 f 2 1 1 ”}, ” c v s s ” : ” 5 . 0 ” , ” i d ” : ”CVE
−2013−1455 ” , ” r e f e r e n c e s ” : [ ” h t t p : / / x f o r c e . i s s . n e t / x f o r c e / x f d b /81926 ” , ” h t t p : / / d e v e l o p e r . j o o m l a . o r g / s e c u r i t y / news /549−20130202−c o r e−i n f o r m a t i o n−d i s c l o s u r e . h t m l ” ] , ” summary ” : ” J o o m l a ! 3 . 0 . x t h r o u g h 3 . 0 . 2 a l l o w s a t t a c k e r s t o o b t a i n s e n s i t i v e i n f o r m a t i o n v i a u n s p e c i f i e d v e c t o r s r e l a t e d t o an \” U n d e f i n e d v a r i a b l e .\” ” , ” v u l n e r a b l e c o n f i g u r a t i o n ” : [ ” J o o m l a ! 3 . 0 . 0 ” , ” J o o m l a ! 3 . 0 . 1 ” ]}
Without CPE name lookup:
1 ” v u l n e r a b l e c o n f i g u r a t i o n ” : [ ” c p e : / a : j o o m l a : j o o m l a
% 2 1 : 3 . 0 . 0 ” , ” c p e : / a : j o o m l a : j o o m l a % 2 1 : 3 . 0 . 1 ” ]}
7 of 19
CPE - an overview
1 c p e : /{p a r t}:{v e n d o r}:{p r o d u c t}:{v e r s i o n}:{u p d a t e}:{ e d i t i o n}:{l a n g u a g e}
part name
o Operating System a Application h Hardware
An empty part defines any element. CPE are updated at a regular interval by NIST but it happens that CPE dictionnary are updated afterwards.
Which are the top vendors using the word ”unknown”?
1 s e a r c h f u l l t e x t . py −q unknown −f | j q −r ’ . | .
v u l n e r a b l e c o n f i g u r a t i o n [ 0 ] ’ | c u t −f 3 −d : | s o r t | u n i q −c | s o r t −n r | h e a d −10
Count CPE vendor name 1145 oracle
367 sun
327 hp
208 google
192 ibm
113 mozilla 102 microsoft
98 adobe
76 apple
68 linux
9 of 19
Which are the top products using the word
”unknown”?
1 s e a r c h f u l l t e x t . py −q unknown −f | j q −r ’ . | .
v u l n e r a b l e c o n f i g u r a t i o n [ 0 ] ’ | c u t −f 3 , 4 −d : | s o r t | u n i q −c | s o r t −n r | h e a d −10
Count CPE vendor/product name 191 oracle:database server 189 google:chrome
115 oracle:e-business suite 111 sun:jre
101 mozilla:firefox
99 oracle:fusion middleware 95 oracle:application server 80 sun:solaris
68 linux:linux kernel 61 sun:sunos
10 of 19
oracle:java versus sun:jre
1 s e a r c h . py −p o r a c l e : j a v a −o j s o n | j q −r ’ . c v s s ’ |
R s c r i p t −e ’ summary ( a s . n u m e r i c (r e a d. t a b l e ( f i l e ( ” s t d i n ” ) ) [ , 1 ] ) ) ’
2
3 Min . 1 s t Qu . Median Mean 3 r d Qu . Max .
4 1 . 8 0 7 . 6 0 1 0 . 0 0 8 . 4 5 1 0 . 0 0 1 0 . 0 0 5
6 s e a r c h . py −p s u n : j r e −o j s o n | j q −r ’ . c v s s ’ | R s c r i p t − e ’ summary ( a s . n u m e r i c (r e a d. t a b l e ( f i l e ( ” s t d i n ” ) ) [ , 1 ] ) ) ’ 7
8 Min . 1 s t Qu . Median Mean 3 r d Qu . Max .
9 0 . 0 0 0 5 . 0 0 0 7 . 5 0 0 7 . 3 7 6 1 0 . 0 0 0 1 0 . 0 0 0
11 of 19
Ranking of vulnerabilities
1 d b r a n k i n g . py −c s a p : −g a c c o u n t i n g −r 3 2 s e a r c h . py −c CVE−2012−4341 −o j s o n −r
3 . . . ” c v s s ” : ” 1 0 . 0 ” , ” i d ” : ”CVE−2012−4341 ” , ” r a n k i n g ” : [ [{” a c c o u n t i n g ” : 3}] ] . . .
Ranking is simple and flexible. If you are a CSIRT, you can use your own tagging to weight the critical software/vendor in your
constituency.
Ranking helping for internal publishing of vulnerabilities
dump last.py can be used to generate an overview of the
current/recent vulnerabilities in your organization. You can limit the result to the ranked software to avoid non-related software
vulnerabilities.
1 d u m p l a s t . py −r −l 100 −f h t m l 2 d u m p l a s t . py −r −l 100 −f atom
13 of 19
search fulltext.py -g -s
Freedom #0
FSF Style:
The freedom to run the program, for any purpose (freedom 0).
Debian Style:
No Discrimination Against Fields of Endeavor
15 of 19
Can cve-search be used by bad guys?
• If you know that system is vulnerable, you have two options:
◦ If you are a good guy, you inform the system owner to fix the vulnerability.
◦ If you are a bad guy, you abuse your position and compromise the vulnerable system.
• cve-search could help both guys.
Where and how to infect random systems? TorInj research project
http://www.foo.be/torinj/
17 of 19
TorInj research project and cve-search
• In the initial version of TorInj, the vulnerabilities of the web browsers per client was evaluated offline.
• We were missing a tool to quickly lookup vulnerability per client and find an appropriate automatic exploitation.
• Next version of TorInj is relying on cve-search to do real-time vulnerability lookup, queue and try automatic exploitation.
• The objective of the research is show to the importance of using end-to-end authenticated encrypted communication with Tor and only with up-to-date software.
• Freedom #0 is important. Free software developed for an initial purpose (from defensive to offensive) can be redirected to a new one.
• Looking for open data source of software vulnerabilities to integrate in cve-search.
• Dataset of cve-search can be requested with localized ranking (e.g.
per country/region).
• Fork it, abuse it and then send pull request→ http://www.github.com/adulau/cve-search.
19 of 19