Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities


Upload: area41

Posted on 20-Jun-2015


DESCRIPTION

The talk discusses the approach, possibilities and difficulties that a vulnerability database maintainer has to handle. It offers real-world insight into almost 15 years of vulnerability database management and a database that covers more than 12,000 entries today. The task has not become any easier: more and more vulnerabilities are published with increasing complexity, but most original advisories provide much less information. Correlating this data and compiling the best of it for the users is a complex task that requires solid processing and a deep understanding of the technical background. Marc Ruef is co-founder and member of the board at scip AG in Zürich (http://www.scip.ch). The Swiss company provides consulting services covering security testing and forensic analysis, primarily in the financial sphere. He has written several books, of which "Die Kunst des Penetration Testing" (The Art of Penetration Testing) is the best known (http://www.computec.ch/mruef/?s=dkdpt). He has launched and joined several projects discussing and improving the broad field of information technology. One of these projects is scip VulDB, a free vulnerability database which has covered more than 12,000 entries since 2003.

TRANSCRIPT

Page 1: Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities

[Slide backdrop: the scip VulDB field list]

id

entry_timestamp_queue entry_timestamp_create entry_timestamp_change entry_maintainer_queue entry_maintainer_create entry_maintainer_change entry_changelog entry_smss

software_type software_vendor software_name software_version software_platform software_component software_file software_library software_function software_argument software_input_type software_input_value software_website software_affectedlist software_advisoryquote software_freetext_de software_freetext_en

vulnerability_discoverydate vulnerability_vendorinformdate vulnerability_class vulnerability_impact vulnerability_risk vulnerability_simplicity vulnerability_popularity vulnerability_historic vulnerability_cvss_av vulnerability_cvss_ac vulnerability_cvss_au vulnerability_cvss_ci vulnerability_cvss_ii vulnerability_cvss_ai vulnerability_titleword vulnerability_keywords vulnerability_sourcecode vulnerability_advisoryquote vulnerability_freetext_de vulnerability_freetext_en

advisory_date advisory_location advisory_type advisory_url advisory_via advisory_identifier advisory_reportconfidence advisory_coordination advisory_person_name advisory_person_nickname advisory_person_mail advisory_person_website advisory_company_name advisory_confirm_url advisory_confirm_date advisory_disputed advisory_advisoryquote advisory_freetext_de advisory_freetext_en

exploit_availability exploit_date exploit_publicity exploit_url exploit_developer_name exploit_developer_nickname exploit_developer_mail exploit_developer_website exploit_language exploit_exploitability exploit_reliability exploit_wormified exploit_googlehack exploit_advisoryquote exploit_sourcecode exploit_freetext_de exploit_freetext_en

countermeasure_remediationlevel countermeasure_name countermeasure_date countermeasure_reliability countermeasure_upgrade_version countermeasure_upgrade_url countermeasure_patch_name countermeasure_patch_url countermeasure_config_setting countermeasure_firewalling_port countermeasure_authentication_name countermeasure_encryption_name countermeasure_workaround countermeasure_workaround_url countermeasure_alternative_name countermeasure_sourcecode countermeasure_advisoryquote countermeasure_freetext_de countermeasure_freetext_en

source_osvdb source_osvdb_create source_osvdb_title source_cve source_cve_assigned source_secunia source_secunia_title source_secunia_risk source_securityfocus source_securityfocus_title source_sectracker source_sectracker_title source_vupen source_xforce source_xforce_title source_xforce_identifier source_xforce_risk source_securiteam source_exploitdb source_heise source_tecchannel source_nessus_id source_nessus_name source_nessus_risk source_nessus_family source_nessus_type source_nessus_port source_nessus_date source_atk source_snort_id source_snort_message source_snort_pattern source_tippingpoint_id source_tippingpoint_title source_tippingpoint_category source_videolink source_misc

legacy_title legacy_affected legacy_description legacy_expert

Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities

Marc Ruef

www.scip.ch

area41 Security Conference June 2014, Zürich, Switzerland

Page 2

Agenda | Vulnerability Database Maintenance

1. Intro

Introduction 2 min

Who am I? 2 min

What is the Goal? 2 min

2. Vulnerability Database Maintenance

Design the Database 5 min

Handling of Sources 4 min

Interpretation of Data 4 min

Correlation of Data 4 min

Quality Management 5 min

Extrapolation of Data 5 min

Deliver your Results 5 min

Statistical Analysis 5 min

Provide Accessibility 5 min

Use Connectivity 5 min

3. Outro

Summary 2 min

Questions 5 min

area41 2014 2/34

Page 3

Introduction | Who Am I?

Name Marc Ruef

Job Co-Owner / CTO, scip AG, Zürich

Private Website http://www.computec.ch

Last own Book „The Art of Penetration Testing“, Computer & Literatur Böblingen, ISBN 3-936546-49-5

Translation

[Figure: book covers dated 2013, 2007, 2002 and 2004]

Page 4

Introduction | What Is a Vulnerability Database?

◦ What?

◦ A database collecting vulnerabilities

◦ Why?

◦ To do vulnerability management

◦ What is vulnerable?

◦ What is to patch?

◦ To do statistical analysis

◦ Costs of patch management

◦ Robustness of products

Page 5

Introduction | scip VulDB Looks like This (Overview)

Page 6

Introduction | scip VulDB Looks like This (Detail)

Page 7

Design | What Should Your Vulnerability Database Do?

◦ How much?

◦ Full coverage

◦ Selective collection

◦ Inventory-only

◦ Vendor-selection

◦ Importance threshold

◦ Fixed only

◦ For whom?

◦ Everyone

◦ Public service

◦ Advertisement

◦ Customers

◦ Vulnerability management service

◦ Alerting service

◦ Tools

◦ Internal Use

◦ Knowledge-base

◦ For pentesters

◦ For administrators

Page 8

Design | What Is an Entry?

◦ A VDB entry consists of different elements. Minimal elements usually are:

◦ ID 12413

◦ Title Linux Low-Address Protection Denial of Service

◦ Disclosure Date 02/21/2014

◦ Description A vulnerability, classified as (…)

◦ Risk Rating problematic

◦ References CVE-2014-2039, BID 65700, …

Page 9

Design | Details Are Cool…

◦ Entry

◦ Software

◦ …

◦ Vulnerability

◦ …

◦ Advisory

◦ …

◦ Exploit

◦ Availability → yes|no

◦ Publicity → public|private

◦ Disclosure Date → yyyyMMdd

◦ Developer → $name

◦ Language → Ruby|Python|C|…

◦ Reliability → low|medium|high

◦ …

◦ Countermeasure

◦ …

◦ Sources

◦ …

◦ Tools

◦ …

◦ Misc

◦ …

Page 10

Design | But Details Take Time!

◦ We have compiled more than 13,400 entries since 2003

◦ A scip VulDB entry consists of ~150 possible data points

◦ We rate data points to prioritize:

◦ Important = 33 (must be processed if available)

◦ Normal = 32 (shall be processed)

◦ Optional = 85 (can be processed, if you have «too much time»)

◦ Statistical analysis of defined data points over all entries:

◦ Average = 49.92

◦ Min = 26

◦ Max = 90

◦ We currently add ~15 new entries per day (work-days only)

Page 11

Sources | Possible Sources

◦ Vulnerability databases

◦ Vulnerability contributors (iDefense VCP, HP ZDI)

◦ Infosec mailinglists

◦ Vendor mailinglists

◦ Vendor advisories

◦ Code repositories

◦ News

◦ Blogs

◦ Social networks (e.g. Twitter, G+, LinkedIn)

◦ Friends, colleagues, co-workers, …

Page 12

Sources | Vulnerability Databases: Advantages and Disadvantages

VDB | Pros | Cons

IBM X-Force (http://xforce.iss.net)
Pros: Good coverage; CVSSv2 base scores; CVSSv2 temporal scores; CVE support
Cons: Sometimes a bit slow (2-3 updates per week); «Arbitrary» listing (default view: 5 entries, no backlog); No RSS feed

OSVDB (http://www.osvdb.org)
Pros: Very quick (daily updates); Best coverage (everything!); CVSSv2 base scores (via MITRE); CVE support
Cons: No listing (since Feb 2014); No own risk rating (CVSSv2 only); No RSS feed (since 2012)

Secunia (http://secunia.com/community/advisories/historic/)
Pros: Good coverage; Good listing (default view: 25 entries); CVE support
Cons: Login required (since Apr 2014); Some details for paying customers only; Combining multiple vulnerabilities in one entry (by release/patch); They don't like other projects (they forbade the use of their listing for vulscan.nse in 2013); No RSS feed; No CVSSv2 scores

SecurityFocus (http://www.securityfocus.com/bid)
Pros: Good coverage; CVE support
Cons: Listing also shows updated entries (default view: 31 entries); Site is slow; Data for an entry is spread over 5 sub-pages; No CVSSv2 scores

SecurityTracker (http://securitytracker.com)
Pros: Sometimes quite quick; Simple listing (default view: 5 entries); CVE support
Cons: Selective coverage (popular products only); No CVSSv2 scores

Page 13

Sources | Evaluation Rating Introduction

◦ Criteria are those we think are important

◦ We have addressed them as far as possible in our project (because of this prioritization)

◦ Rating is as fair as possible

◦ You might rate a bit differently

Description | Rating

Feature is supported: always/fully | 3

Feature is supported: often/partially | 2

Feature is supported: sometimes/somehow | 1

Feature is never/not supported | 0

Page 14

Sources | Vulnerability Databases: Rating

Score order: Coverage (how much), Quickness (how fast), Listing (how visible), Search (how searchable), Handling (how ergonomic), Tech Details (how detailed), Risk Rating (how measured), CVSS Base, CVSS Temporal, CVE, Feeds (how accessible) = Total

CERT VU (http://www.kb.cert.org/vuls/): 1 3 3 2 2 3 0 3 3 3 3 = 26

Exploit-DB (http://www.exploit-db.com): 1 3 3 3 2 2 0 0 0 3 3 = 20

IBM X-Force (http://xforce.iss.net): 3 1 1 1 2 2 0 3 3 3 0 = 19

NIST NVD (http://nvd.nist.gov): 2 1 3 3 2 2 0 3 0 3 3 = 22

MITRE CVE (http://cve.mitre.org): 2 1 3 2 2 2 0 0 0 3 2 = 17

OSVDB (http://www.osvdb.org): 3 3 0 2 2 2 0 2 0 3 0 = 17

Secunia (http://secunia.com/community/advisories/historic/): 3 2 3 3 2 2 3 0 0 3 0 = 21

SecurityFocus (http://www.securityfocus.com/bid): 3 2 2 2 1 2 0 0 0 3 0 = 15

SecurityTracker (http://securitytracker.com): 1 2 3 2 3 2 0 0 0 3 0 = 16

scip VulDB (http://www.scip.ch/en/?vuldb; rating ourselves comes with bias): 2 2 3 2 3 3 3 3 3 3 3 = 30

Average: 2.1 2.0 2.4 2.2 2.1 2.2 0.6 1.4 0.9 3.0 1.4

Page 15

Sources | Vulnerability Databases: Conclusion

◦ Being quick is not easy

◦ Technical details range from bad to good

◦ CVSS scores are pretty unpopular, especially «temporal scores»

◦ CVE has been established as the de facto standard (nice!)

◦ You can’t compare CERT VU, Exploit-DB, NIST NVD and MITRE CVE with anything else

◦ Exploit-DB inherits abstraction from researchers and is not self-consistent

◦ Secunia and SecurityFocus are very similar in many aspects

◦ X-Force and SecurityTracker remain pretty unpopular

◦ The «O» in OSVDB does not stand for «open» anymore

◦ Some features have been broken for ages (e.g. search on OSVDB and X-Force)

◦ Not everyone is a big fan of feeds

Page 16

Sources | Vendor Advisories: Advantages and Disadvantages

Vendor | Pros | Cons

Adobe (http://helpx.adobe.com/security.html)
Pros: Product-related listing; Some technical details; Priority rating; CVE support
Cons: Advisory per release/upgrade; No RSS feed

Apple
Pros: Simple technical details; CVE support
Cons: No risk rating; No CVSSv2 scores; No listing; Advisory per release/upgrade; No RSS feed

Cisco (https://tools.cisco.com/security/center/publicationListing.x)
Pros: Advisory listing; Advisory per vulnerability; Sometimes additional technical details; CVSSv2 base scores; CVE support
Cons: Technical details with login only; Some details for customers only; No RSS feed

Google
Pros: CVE support
Cons: No listing; Advisory per release/upgrade; Technical details with auth only; No risk rating; No CVSSv2 scores; No RSS feed

Microsoft (http://technet.microsoft.com/security/advisory)
Pros: Some technical details; Listing (default view: 5 entries); RSS feed; Severity rating
Cons: Patch day collection (2nd Tuesday of each month); No CVSSv2 scores

Oracle (http://www.oracle.com/technetwork/topics/security/alerts-086861.html)
Pros: Simple listing; CVSSv2 base scores; CVE support
Cons: Patch day collection (quarterly); No technical details; No RSS feed

Page 17

Sources | Vendor Advisories: Rating

Score order: Vuln ID (how unique), Frequency (how fast), Listing (how visible), Tech Details (how detailed), Risk (how measured), CVSS Base, CVSS Temporal, CVE, RSS = Total

FortiGuard (http://www.fortiguard.com/advisory/): 3 3 3 3 3 0 0 3 3 = 21

Symantec (http://www.symantec.com/security_response/securityupdates/list.jsp): 3 3 3 3 0 3 0 3 3 = 21

Microsoft (http://technet.microsoft.com/security/advisory): 3 2 3 3 3 0 0 3 3 = 20

Checkpoint (https://www.checkpoint.com/defense/advisories/public/summary.html): 3 2 3 2 3 0 0 3 3 = 19

Cisco (https://tools.cisco.com/security/center/publicationListing.x, details auth only): 3 3 3 3 0 3 0 3 0 = 18

Oracle (http://www.oracle.com/technetwork/topics/security/alerts-086861.html): 1 1 3 1 3 3 0 3 3 = 18

Adobe (http://helpx.adobe.com/security.html): 3 3 3 2 2 0 0 3 0 = 16

HP (https://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive): 3 3 3 1 0 3 0 3 0 = 16

SAP (https://service.sap.com/sap/support/notes/, auth only): 3 3 3 2 3 2 0 0 0 = 16

D-Link (http://securityadvisories.dlink.com/security/): 3 3 2 2 0 0 0 2 0 = 12

Google (http://www.google.com, details auth only): 3 3 1 2 0 0 0 3 0 = 12

Apple (http://www.apple.com): 1 2 1 1 0 0 0 3 0 = 8

Average: 2.66 2.58 2.58 2.08 1.41 1.16 0.0 2.66 1.25

Page 18

Sources | Vendor Advisories: Conclusion

◦ Some vendors have really ugly advisory URLs

◦ Technical details range from bad to good

◦ CVSS scores are pretty unpopular, especially «temporal scores»

◦ Own risk ratings are also unpopular, because they are hard

◦ Nearly everybody likes CVE

◦ Microsoft and Oracle handle things better than it felt

◦ Juniper has a field «Last Updated» but no «Disclosure Date»

◦ SAP is very restrictive with information for non-customers, which introduces a severe disadvantage (VDBs can't categorize them, which decreases visibility)

◦ Vendors aren’t big fans of RSS feeds either

Page 19

Sources | Vuln Contributors: Advantages and Disadvantages

Project | Pros | Cons

iDEFENSE Vulnerability Contributor Program (http://www.verisigninc.com/en_US/cyber-security/index.xhtml)
Pros: Started in 2003
Cons: Incomplete listing; No announcement of upcoming advisories; No CVSSv2 support; No search capabilities; No RSS feed; All old links are broken since

Zero Day Initiative (http://www.zerodayinitiative.com)
Pros: Provide announcement for upcoming advisories; Provide CVSSv2 base scores; RSS feeds available
Cons: No search capabilities

Page 20

Sources | Vuln Contributors: Rating

Score order: Listing (how visible), Search (how searchable), Handling (how ergonomic), Tech Details (how detailed), Risk Rating (how measured), CVSS Base, CVSS Temporal, CVE, RSS = Total

iDEFENSE Vulnerability Contributor Program (http://www.verisigninc.com/en_US/cyber-security/index.xhtml): 3 0 3 2 0 0 0 3 0 = 11

Zero Day Initiative (http://www.zerodayinitiative.com): 3 0 3 2 0 3 0 3 3 = 17

Average: 3.0 0.0 3.0 2.0 0.0 1.5 0.0 3.0 1.5

Page 21

Sources | Vuln Contributors: Conclusion

◦ Only 2 major players

◦ They are quite similar in most aspects

◦ Zero Day Initiative has two advantages: CVSSv2 and RSS support

◦ More competition might increase quality

Page 22

Interpretation | How to Analyze

◦ The basic approach of processing a source is simple:

1. Check source for new entries

2. Review source entry

3. Add necessary data to database

   a. If entry is available → Update existing entry

   b. If entry is not available → Create new entry

   c. If source is false-positive → Ignore entry and flag for future reference

4. Goto 1

Page 23

Interpretation | MITRE CVE as an Example

[Figure: annotated screenshot of a MITRE CVE entry with the fields marked: cve, description, advisory, cert vu, software]

Page 24

Interpretation | MITRE CVE as an Example: What Is Missing?

◦ What’s missing on a MITRE CVE entry?

◦ Disclosure date

◦ Exact naming of vulnerability class

◦ Risk rating

◦ Person responsible for disclosure

◦ Detailed mitigation/countermeasure

◦ …

Page 25

Interpretation | OSVDB as an Example

[Figure: annotated screenshot of an OSVDB entry with the fields marked: cve, sectracker, product, version, description, date, exploit, news]

Page 26

Interpretation | Contradicting Conventions (Disclosure Date)

[Figure: two sources showing different disclosure dates for the same issue, 02/19/2014 and 02/26/2014]

Page 27

Interpretation | Contradicting Conventions (Disclosure Date)

CVE-2014-2284: net-snmp 5.7.1 on Linux ICMP-MIB Denial of Service

[Figure: timeline from 02/19/2014 through 02/27/2014, ..., 03/05/2014, ..., 03/24/2014, marking the disclosure date used by each source: SourceForge Release Note, SecFocus, SecTracker, VulDB, OSVDB, Secunia, Red Hat, oss-security, CVE]

Our definition of a (public) disclosure date: the earliest known date to disclose an issue to the public in an unrestricted way. (We're going to adopt a more differentiated approach in the near future.)

Page 28

Interpretation | Put the Different Pieces Together

Score order: Product, Version, Vuln Class, Disclosure Date, Advisory URL, Attack Context, Exploit, Solution, VulnDB Sources, Misc. Links = Total

CERT VU (http://www.kb.cert.org/vuls/): 3 2 3 2 3 3 1 3 0 1 = 21

Exploit-DB (http://www.exploit-db.com): 3 2 2 2 2 1 3 1 1 0 = 17

IBM X-Force (http://xforce.iss.net): 3 2 2 3 2 3 1 2 2 2 = 22

NIST NVD (http://nvd.nist.gov): 2 2 3 0 3 1 1 1 3 3 = 19

MITRE CVE (http://cve.mitre.org): 2 2 2 0 3 1 1 1 3 3 = 18

OSVDB (http://www.osvdb.org): 3 3 3 3 3 3 3 3 3 3 = 30

Secunia (http://secunia.com/community/advisories/historic/): 2 2 2 2 3 1 1 2 0 0 = 15

SecurityFocus (http://www.securityfocus.com/bid): 3 3 3 3 2 1 2 2 0 1 = 20

SecurityTracker (http://securitytracker.com): 3 3 3 1 2 3 1 3 0 1 = 20

scip VulDB (http://www.scip.ch/en/?vuldb): 3 3 3 3 3 3 3 3 3 3 = 30

Average: 2.7 2.4 2.6 1.9 2.6 2.0 1.7 2.1 1.5 1.7

Page 29

Sources | Vulnerability Databases: Conclusion

◦ OSVDB provides the best collection of data

◦ Secunia provides the worst collection of data

◦ SecurityFocus and Secunia usually don’t provide context

◦ X-Force, SecurityTracker and Secunia don’t provide exploit details

◦ SecurityTracker and Secunia have confusing disclosure dates

◦ SecurityFocus, SecurityTracker and Secunia don’t link to other VDB

Page 30

Correlation | That's Why You Have to Correlate

◦ Approach

◦ Merge different sources

◦ Compare similar data points

◦ Identify and verify contradictions

◦ Dangers

◦ Duplicates: Come up with annoying inconsistency

◦ Merges: Come up with dangerous mashups

Page 31

Correlation | Now Things Are Getting Tricky

◦ Sometimes vulnerabilities can’t be identified individually

◦ CVE helps a lot! But not every vulnerability (immediately) has a CVE number

◦ Some sources merge vulnerabilities into one entry

◦ Vendors do this within their patch release notes or patch days

◦ Secunia tends to compile different vulnerabilities of the same day or patch generation into one entry (e.g. 58519). SecurityFocus does it sometimes (e.g. 67553) and so does SecurityTracker in some cases (e.g. 1030269).

◦ Vulnerabilities with very few technical details often can’t be distinguished from similar vulnerabilities (e.g. Apple HT6145: no info available, but CVE assigned)

Page 32

Correlation | Keep Track, Detect Collisions

◦ Keep track of your sources and the entries already reviewed

◦ Verify that every new entry is really new and not just a duplicate or a minor fork of an existing entry. This is a very underestimated task!

◦ We do that with collision detection

◦ Compare new values with existing values of other entries (e.g. URLs, IDs, references). If there is a specified level of matches, we have to check for a duplicate.

◦ Our reference maps help to distinguish. Projects like vFeed support this very well. [https://github.com/toolswatch/vFeed/]
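The processing loop from page 22 and the collision detection from this slide, as an added Python example (not scip VulDB code): one pass over a constructed feed of source items, where each item is matched against existing entries by weighted overlap of its references (CVE, BID, OSVDB ID, URL) and is then updated, created, or ignored and flagged for the next pass. The record layout, the weights, the threshold, the entry IDs and the sample items are assumptions made for the illustration; where a real maintainer would review the suspected duplicate by hand, the code simply updates the best match.

```python
from dataclasses import dataclass, field


@dataclass
class Entry:
    id: int
    title: str
    refs: set = field(default_factory=set)          # "cve:...", "bid:...", "url:...", "osvdb:..."
    sources_seen: set = field(default_factory=set)  # which sources contributed to the entry


# Assumed weights: a shared CVE is strong evidence of a duplicate, a shared
# vendor ID or link is weaker. An overlap scoring >= the threshold means
# "check for a duplicate before creating anything".
REF_WEIGHT = {"cve": 3, "bid": 2, "osvdb": 2, "secunia": 2, "url": 2}
COLLISION_THRESHOLD = 3


def ref_weight(ref):
    kind = ref.split(":", 1)[0].lower()
    return REF_WEIGHT.get(kind, 1)


def collision_score(new_refs, entry):
    """Weighted size of the overlap between candidate references and an entry's references."""
    return sum(ref_weight(r) for r in new_refs & entry.refs)


def find_collisions(new_refs, db, threshold=COLLISION_THRESHOLD):
    """Existing entries sharing enough references with the candidate to be suspected duplicates."""
    scored = [(e, collision_score(new_refs, e)) for e in db.values()]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])


def process_source_item(db, reviewed, ignored, source, item, next_id):
    """Steps 2 and 3 of the loop for one item from one source.

    reviewed maps (source, source_id) -> entry id and ignored maps it -> reason,
    so the next pass over the same source skips what was already handled.
    Returns (action, entry_id_or_None, next_id)."""
    key = (source, item["id"])
    if key in reviewed:
        return "already-reviewed", reviewed[key], next_id
    if key in ignored:
        return "already-ignored", None, next_id
    if item.get("false_positive"):
        ignored[key] = item.get("reason", "")           # flag for future reference
        return "ignored", None, next_id
    refs = set(item["refs"])
    hits = find_collisions(refs, db)
    if hits:                                             # entry available -> update best match
        entry = hits[0][0]
        entry.refs |= refs
        entry.sources_seen.add(source)
        reviewed[key] = entry.id
        return "updated", entry.id, next_id
    entry = Entry(next_id, item["title"], refs, {source})   # not available -> create
    db[entry.id] = entry
    reviewed[key] = entry.id
    return "created", entry.id, next_id + 1


def run_demo():
    """One pass over a constructed feed (sample items, not real source output)."""
    db, reviewed, ignored = {}, {}, {}
    next_id = 12413                                      # assumption: next free entry ID
    feed = [
        ("cve", {"id": "CVE-2014-2039", "title": "Linux Low-Address Protection Denial of Service",
                 "refs": ["cve:CVE-2014-2039", "url:http://example.invalid/advisory"]}),
        ("securityfocus", {"id": "65700", "title": "Linux Kernel Low-Address DoS",
                           "refs": ["bid:65700", "cve:CVE-2014-2039"]}),
        ("blog", {"id": "post-1", "title": "Hoax advisory",
                  "refs": ["url:http://example.invalid/hoax"],
                  "false_positive": True, "reason": "not reproducible"}),
        ("osvdb", {"id": "sample-1", "title": "Unrelated issue citing the same link",
                   "refs": ["url:http://example.invalid/advisory", "osvdb:sample-1"]}),
        ("securityfocus", {"id": "65700", "title": "same item seen on the next pass",
                           "refs": ["bid:65700"]}),
    ]
    log = []
    for source, item in feed:
        action, eid, next_id = process_source_item(db, reviewed, ignored, source, item, next_id)
        log.append((source, item["id"], action, eid))
    return db, ignored, log


if __name__ == "__main__":
    for line in run_demo()[2]:
        print(line)
```

The fourth item shares only one link with the first entry, which scores 2 and stays below the threshold, so it becomes a new entry; a shared CVE alone is enough to route the SecurityFocus item into the existing one.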

Page 33

Correlation | To Split or Not to Split

Split level → resulting entries for Advisory #VA42:

Advisory/Patch → 1 entry

Vuln Class → 2 entries

Component → 3 entries

File → 4 entries

Parameter → 5 entries

Advisory #VA42
  Cross Site Scripting
    User Auth: login.php (login_user, login_pass)
    News Portal: news.php (news_id); archive.php (news_year)
  SQL Injection
    Board: forum.php (post_id)
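The same advisory split at each of the five levels, as an added Python example (not VulDB code): it walks the tree shown on this slide and returns the distinct entry keys per granularity, plus a title in the style the later slides use. The nested layout, the product name and the title format are assumptions.

```python
# Assumed nested layout of the slide's Advisory #VA42: class -> component -> file -> parameters
ADVISORY = {
    "id": "VA42",
    "classes": {
        "Cross Site Scripting": {
            "User Auth": {"login.php": ["login_user", "login_pass"]},
            "News Portal": {"news.php": ["news_id"], "archive.php": ["news_year"]},
        },
        "SQL Injection": {
            "Board": {"forum.php": ["post_id"]},
        },
    },
}

# Granularities from coarse to fine; an entry at level k is identified by the first k+1 path elements
LEVELS = ("advisory", "class", "component", "file", "parameter")


def leaf_paths(advisory):
    """Every (advisory, class, component, file, parameter) path in the tree, in slide order."""
    for vclass, components in advisory["classes"].items():
        for comp, files in components.items():
            for fname, params in files.items():
                for param in params:
                    yield (advisory["id"], vclass, comp, fname, param)


def split_entries(advisory, level):
    """Distinct entry keys when the advisory is split at `level` (order preserved)."""
    depth = LEVELS.index(level)          # raises ValueError for an unknown level
    keys = []
    for path in leaf_paths(advisory):
        key = path[: depth + 1]
        if key not in keys:
            keys.append(key)
    return keys


def entry_title(key, product="Example CMS"):
    """Title in the style of the slides: product, location elements, then the class."""
    adv, *rest = key
    if not rest:                          # advisory-level entry: one title for everything
        return f"{product} multiple vulnerabilities ({adv})"
    vclass, *location = rest
    return " ".join([product, *location, vclass.lower()])


def entry_counts(advisory):
    return {lvl: len(split_entries(advisory, lvl)) for lvl in LEVELS}


if __name__ == "__main__":
    for lvl, n in entry_counts(ADVISORY).items():
        print(f"{lvl}: {n} entries")
    for key in split_entries(ADVISORY, "parameter"):
        print(entry_title(key))
```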

Page 34

Correlation | Split Example (MS Patch Day, IE Vuls, Feb 2014)

Secunia (combined): SA56796, one entry covering all of the vulnerabilities below

Microsoft (combined): MS14-010, one bulletin covering all of the vulnerabilities below

VulDB (vuln split) | SecFocus* (vuln split) | CVE (vuln split)

SID 12242 | BID 65361 | CVE-2014-0267

SID 12239 | BID 65392 | CVE-2014-0268

… | … | …

SID 12241 | BID 65394 | CVE-2014-0293

* SecurityFocus often combines (e.g. BID 67553)

Page 35

Correlation | Unwanted Split (cPanel, Dec 2013)

◦ TSR 2013-0011, http://cpanel.net/tsr-2013-0011-full-disclosure/

◦ 12/18/2013 cPanel WHM Reseller Login Handler Cookie information disclosure

◦ 12/18/2013 cPanel WHM Login Security Handler Token information disclosure

◦ 12/18/2013 cPanel WHM Branding Subsystem privilege escalation

◦ 12/18/2013 cPanel WHM usr/local/cpanel/share/counter privilege escalation

◦ 12/18/2013 cPanel WHM Daily Process Log Screen Stored cross site scripting

◦ 12/18/2013 cPanel WHM cPAddons Upgrade Handler Password information disclosure

◦ 12/18/2013 cPanel WHM Edit DNS Zone Interface information disclosure

◦ 12/18/2013 cPanel WHM SSH Authentication Handler privilege escalation

◦ 12/18/2013 cPanel WHM X3 Theme countedit.cgi Directory Traversal

◦ 12/18/2013 cPanel WHM Bandmin passwd privilege escalation

◦ 12/18/2013 cPanel WHM cpsrvd Bypass privilege escalation

◦ 12/18/2013 cPanel WHM Bandmin Reflected cross site scripting

◦ 12/18/2013 cPanel WHM API Call Handler UI::dynamicincludelist Directory Traversal

◦ 12/18/2013 cPanel WHM Database Handler privilege escalation

◦ 12/18/2013 cPanel WHM Backup Archive Handler privilege escalation

◦ 12/18/2013 cPanel WHM Config Handler Cross Site Request Forgery

◦ 12/18/2013 cPanel WHM Translatable Phrase Handler Locale::Maketext privilege escalation

◦ 12/18/2013 cPanel WHM CSRF Protection Bypass Cross Site Request Forgery

◦ 12/18/2013 cPanel WHM cross site scripting

◦ 12/18/2013 cPanel WHM Logaholic Session File Handler /tmp privilege escalation

◦ 12/18/2013 cPanel WHM Virtualhost Installation Handler privilege escalation

Page 36

Correlation | Split Pros and Cons

◦ Advisory / Patch

◦ Few entries

◦ Good for overview

◦ Good for patch management

◦ Vulnerability

◦ Some entries

◦ Possible splits for 3rd party components

◦ Element

◦ A lot of entries

◦ Good for statistical analysis

Page 37

Quality | How to Provide the Best?

◦ Try to verify statements from researchers, vendors and vulnerability database maintainers

◦ Check for plausibility

◦ Verify from other sources

◦ Re-test within a lab

◦ Eliminate wrong statements

◦ Delete false entries

◦ Preserve false entries (preferred by CVE, SecurityFocus)

◦ Add further explanations

◦ Flag (preferred by OSVDB, scip VulDB)

◦ advisory_disputed=1 (e.g. scipID 13305, 13000, 12643)

◦ advisory_reportconfidence=UR (CVSSv2 temp score metric)

◦ Try to find and compile additional details
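How advisory_reportconfidence=UR changes a score, as an added Python example (not VulDB code): CVSS v2 base and temporal scores computed from the vulnerability_cvss_* metrics, with exploit_exploitability, countermeasure_remediationlevel and advisory_reportconfidence feeding the temporal equation. Weights and formulas are those of the CVSS v2 guide; the sample vector (AV:N/AC:L/Au:N/C:P/I:N/A:N, base 5.0) and the mapping of the field names onto the metrics are assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights (from the CVSS v2 guide)
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}       # Exploitability
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}     # Remediation Level
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}                # Report Confidence


def round1(x):
    """CVSS rounds to one decimal, half up (not Python's banker's rounding)."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(av, ac, au, c, i, a):
    impact = 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f = 0.0 if impact == 0 else 1.176
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f)


def temporal_score(base, e="ND", rl="ND", rc="ND"):
    """Temporal score: the base score scaled by the three temporal metrics."""
    return round1(base * E[e] * RL[rl] * RC[rc])


def score_vector(vector, e="ND", rl="ND", rc="ND"):
    """Score a v2 base vector string such as 'AV:N/AC:L/Au:N/C:P/I:N/A:N'."""
    m = dict(part.split(":") for part in vector.split("/"))
    base = base_score(m["AV"], m["AC"], m["Au"], m["C"], m["I"], m["A"])
    return base, temporal_score(base, e, rl, rc)


def score_entry(entry):
    """Score an entry stored with the field names from the slide backdrop
    (assumed mapping): vulnerability_cvss_* hold the base metrics;
    exploit_exploitability, countermeasure_remediationlevel and
    advisory_reportconfidence hold the temporal metrics (ND when unset)."""
    base = base_score(entry["vulnerability_cvss_av"], entry["vulnerability_cvss_ac"],
                      entry["vulnerability_cvss_au"], entry["vulnerability_cvss_ci"],
                      entry["vulnerability_cvss_ii"], entry["vulnerability_cvss_ai"])
    return base, temporal_score(base,
                                entry.get("exploit_exploitability", "ND"),
                                entry.get("countermeasure_remediationlevel", "ND"),
                                entry.get("advisory_reportconfidence", "ND"))


if __name__ == "__main__":
    vec = "AV:N/AC:L/Au:N/C:P/I:N/A:N"
    print("confirmed:  ", score_vector(vec, e="F", rl="OF", rc="C"))
    print("uncorrob.:  ", score_vector(vec, e="F", rl="OF", rc="UR"))
```

A disputed or unconfirmed report therefore keeps its base score and only loses a few tenths in the temporal score, which is why the slide combines the RC metric with an explicit advisory_disputed flag rather than relying on the score alone.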

Page 38

Extrapolation | Versions of Affected Software

◦ Exact Version

◦ Internet Explorer 10 → X-Force, OSVDB, SecFocus, Secunia, VulDB

◦ Wildcards

◦ Internet Explorer 6.x → Secunia, SecFocus, SecTracker, VulDB

◦ Ranges

◦ Internet Explorer 8 – 10 → Secunia, CVE

◦ Internet Explorer prior 10 → SecurityTracker, Secunia

◦ Internet Explorer before 10 → CVE

◦ Internet Explorer up to 10 → VulDB

◦ Internet Explorer 8 and later → SecurityTracker

[Figure: Internet Explorer versions 6 to 11 on a bar, with the ranges «10», «up to 10», «8 to 10» and «before 10» marked]

Page 39

Extrapolation | What about The Unknown?

◦ Try to guess. Examples:

◦ «IE prior 9» → 6 – 9

◦ «IE prior 11» → 7 – 10

◦ Research and validate yourself

◦ A lot of work

◦ We combine with other projects (research or pentest)

◦ We enforce very important or interesting vulnerabilities

◦ Be quiet
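Normalising the version phrases from the previous slide into explicit ranges, as an added Python example (not VulDB code): the known release line, the four-release guess window for an open lower bound and the phrase patterns are assumptions. It treats «prior X» like CVE's «before X» (exclusive), so the slide's «prior 11 → 7 – 10» is reproduced while «prior 9» yields 6 to 8 rather than the slide's 6 to 9; that difference is exactly why each source's convention has to be pinned down before its text is parsed, and the guessed flag in the result records that a range was extrapolated rather than stated.

```python
import re

IE_VERSIONS = ["6", "7", "8", "9", "10", "11"]   # assumption: known release line, oldest first
GUESS_WINDOW = 4                                  # assumption: releases an open lower bound is guessed to span


def _pos(versions, token):
    """Index of a version token; '6.x' is treated as the whole 6 line."""
    v = token[:-2] if token.endswith(".x") else token
    if v not in versions:
        raise ValueError(f"unknown version {token!r}")
    return versions.index(v)


def normalise(expr, versions=IE_VERSIONS, window=GUESS_WINDOW):
    """Return (first, last, guessed): the inclusive range a phrase covers and
    whether an open bound had to be guessed (store that flag with the entry)."""
    e = expr.strip().lower()
    if m := re.fullmatch(r"up to\s+(\S+)", e):                 # inclusive upper bound, open lower
        hi = _pos(versions, m[1])
        lo, guessed = max(0, hi - window + 1), True
    elif m := re.fullmatch(r"(?:prior|before)\s+(\S+)", e):     # exclusive upper bound, open lower
        hi = _pos(versions, m[1]) - 1
        lo, guessed = max(0, hi - window + 1), True
    elif m := re.fullmatch(r"(\S+)\s+and\s+later", e):          # open upper bound: up to the newest known
        lo, hi, guessed = _pos(versions, m[1]), len(versions) - 1, True
    elif m := re.fullmatch(r"(\S+)\s*(?:-|–|to)\s*(\S+)", e):  # explicit range "8 - 10", "8 to 10"
        lo, hi, guessed = _pos(versions, m[1]), _pos(versions, m[2]), False
    elif m := re.fullmatch(r"\S+", e):                          # exact version or wildcard "6.x"
        lo = hi = _pos(versions, m[0])
        guessed = False
    else:
        raise ValueError(f"unrecognised version expression {expr!r}")
    if hi < lo:
        raise ValueError(f"empty range for {expr!r}")
    return versions[lo], versions[hi], guessed


def affected_versions(expr, versions=IE_VERSIONS):
    """Expand a phrase to the list of concrete versions, e.g. for CPE generation."""
    lo, hi, _ = normalise(expr, versions)
    return versions[versions.index(lo): versions.index(hi) + 1]


if __name__ == "__main__":
    for phrase in ["10", "6.x", "8 - 10", "prior 10", "before 10", "up to 10", "8 and later", "prior 11"]:
        print(f"{phrase:12} -> {normalise(phrase)}")
```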

Page 40

Delivery | Choose your Channels

◦ Web Site

◦ Mail

◦ RSS

◦ Widgets

◦ Facebook

◦ Twitter

◦ LinkedIn

◦ App

◦ …

Page 41

Statistics | Comparing Apples and Oranges

◦ Doing some statistics is easy. Doing it the right way is hard. Some say it is even impossible. [http://blog.osvdb.org/category/vulnerability-statistics/]

◦ Counting vulnerabilities doesn’t say anything:

◦ Weak code leads to a lot of vulnerabilities

◦ Complexity leads to a lot of vulnerabilities

◦ Popularity leads to a lot of vulnerabilities

◦ Bug bounty programs lead to a lot of vulnerabilities

◦ Open disclosure process leads to a lot of vulnerabilities

◦ We still provide statistical raw data and expect the viewers to think about it

Page 42

Statistics | Timelines Are Interesting

◦ Our timelines consist of multiple data points

◦ vulnerability_introduction_date

◦ vulnerability_discovery_date

◦ vulnerability_vendorinform_date

◦ advisory_date

◦ advisory_confirm_date

◦ exploit_date

◦ countermeasure_date

◦ source_cve_assigned

◦ source_secunia_date

◦ source_nessus_date

◦ entry_timestamp_create

◦ entry_timestamp_update

Example Heartbleed [CVE-2014-0160]

Page 43

Statistics | Timelines Trivia (excerpt from 2014)

◦ [CVE-2014-0160] OpenSSL TLS/DTLS Heartbeat information disclosure was introduced on 01/01/2012 and fixed on 04/07/2014

◦ existed 827 days

◦ [CVE-2014-0179] libvirt XML Entity Expansion Handler denial of service was introduced on 12/23/2009 and fixed on 05/06/2014

◦ existed 1,595 days

◦ [CVE-2014-3122] Linux Kernel try_to_unmap_cluster() denial of service was introduced on 10/19/2008 and fixed on 04/10/2014

◦ existed 1,996 days

◦ [CVE-2014-3460] Novell NetIQ Sentinel Agent Manager directory traversal: the vendor was informed on 09/04/2013 but did not respond until 05/19/2014

◦ Novell ignored a grace period of 257 days
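The timeline figures on this slide and the disclosure-date definition from page 27, as an added Python example (not VulDB code): day counts derived from the date fields named on the previous slide, plus the earliest unrestricted date across sources. The entry layout is assumed; the sample entries reuse the dates quoted on this slide, the per-source dates in the disclosure example are constructed, and reading 05/19/2014 as the advisory date of CVE-2014-3460 is an assumption.

```python
from datetime import date


def parse_mdy(s):
    """The slides write dates as MM/DD/YYYY."""
    m, d, y = (int(x) for x in s.split("/"))
    return date(y, m, d)


def days_between(start, end):
    return (parse_mdy(end) - parse_mdy(start)).days


def disclosure_date(source_dates):
    """Earliest date on which any source published the issue without restriction.

    source_dates: iterable of (source, 'MM/DD/YYYY', restricted). restricted marks
    login-only or customer-only publications, which do not count as public.
    Returns (date string, source) or None when nothing public is known."""
    public = [(parse_mdy(d), s) for s, d, restricted in source_dates if not restricted]
    if not public:
        return None
    d, s = min(public)
    return d.strftime("%m/%d/%Y"), s


def timeline_metrics(entry):
    """Derived figures from the date fields of one entry (all fields optional)."""
    out = {}
    intro, fixed = entry.get("vulnerability_introduction_date"), entry.get("countermeasure_date")
    if intro and fixed:
        out["existed_days"] = days_between(intro, fixed)
    informed, advisory = entry.get("vulnerability_vendorinform_date"), entry.get("advisory_date")
    if informed and advisory:
        out["vendor_lead_days"] = days_between(informed, advisory)   # the "grace period"
    exploit = entry.get("exploit_date")
    if advisory and exploit:
        out["exploit_lag_days"] = days_between(advisory, exploit)    # negative = exploit before advisory
    return out


# Constructed sample entries using only the dates quoted on this slide
SAMPLE_ENTRIES = {
    "CVE-2014-0160": {"vulnerability_introduction_date": "01/01/2012", "countermeasure_date": "04/07/2014"},
    "CVE-2014-0179": {"vulnerability_introduction_date": "12/23/2009", "countermeasure_date": "05/06/2014"},
    "CVE-2014-3460": {"vulnerability_vendorinform_date": "09/04/2013", "advisory_date": "05/19/2014"},
}

# Constructed per-source dates for one issue; the vendor portal entry is login-only
SAMPLE_SOURCE_DATES = [
    ("vendor portal (login)", "02/19/2014", True),
    ("mailing list", "02/20/2014", False),
    ("vdb", "02/21/2014", False),
]


if __name__ == "__main__":
    for cve, entry in SAMPLE_ENTRIES.items():
        print(cve, timeline_metrics(entry))
    print("disclosure:", disclosure_date(SAMPLE_SOURCE_DATES))
```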

Page 44

Accessibility | Choose Additional Representation

◦ To allow users to work with your data, it is best to also provide additional forms of representation:

◦ SQL

◦ XML

◦ JSON

◦ CSV

◦ CVRF [http://www.icasi.org/cvrf]

Page 45

Connectivity | Use Data for Vuln Scanning

◦ With our fields software_argument and software_input_value we are able to construct specific requests to create test cases and exploits (very simple for web-based vulns)

◦ Thanks to the software_* fields we are able to provide CPE lists [http://cpe.mitre.org/], which can be matched with tools like Nmap. Random examples:

◦ ID 12313 → cpe:/a:sap:netweaver:7.30

◦ ID 12802 → cpe:/o:cisco:ios:15.4(1.1)t

◦ ID 13306 → cpe:/a:microsoft:internet_explorer:8
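Building CPE names from the software_* fields and matching them against a scanned inventory, as an added Python example (not VulDB code). The software_type to CPE-part mapping, the simplified character handling (CPE 2.2 escaping is not implemented) and the constructed host list are assumptions; the three entries reuse the IDs and CPEs listed above.

```python
import re

PART = {"application": "a", "os": "o", "hardware": "h"}   # assumed software_type -> CPE part mapping


def cpe_component(value):
    """Lower-case, join words with underscores and drop anything CPE 2.2 would need escaped."""
    v = value.strip().lower().replace(" ", "_")
    return re.sub(r"[^a-z0-9._()\-]", "", v)


def cpe_from_entry(entry):
    """cpe:/<part>:<vendor>:<product>[:<version>] from the software_* fields."""
    comps = [cpe_component(entry["software_vendor"]), cpe_component(entry["software_name"])]
    if entry.get("software_version"):
        comps.append(cpe_component(entry["software_version"]))
    return "cpe:/" + PART[entry["software_type"]] + ":" + ":".join(comps)


def cpe_fields(cpe):
    """Split a CPE 2.2 URI into (part, vendor, product, version, update), padding with ''."""
    parts = cpe[len("cpe:/"):].split(":")
    return parts + [""] * (5 - len(parts))


def cpe_matches(entry_cpe, host_cpe):
    """An entry matches a host when every component the entry specifies equals the
    host's; an empty entry component is a wildcard (a version-less entry matches all
    versions, but a versioned entry never matches a host whose version is unknown)."""
    return all(x == "" or x == y for x, y in zip(cpe_fields(entry_cpe), cpe_fields(host_cpe)))


def match_inventory(entries, host_cpes):
    """(entry id, entry CPE, host CPE) for every entry that applies to a scanned host."""
    hits = []
    for entry in entries:
        ec = cpe_from_entry(entry)
        for h in host_cpes:
            if cpe_matches(ec, h):
                hits.append((entry["id"], ec, h))
    return hits


# The three entries from the slide, in the assumed field layout
SAMPLE_ENTRIES = [
    {"id": 12313, "software_type": "application", "software_vendor": "SAP",
     "software_name": "NetWeaver", "software_version": "7.30"},
    {"id": 12802, "software_type": "os", "software_vendor": "Cisco",
     "software_name": "IOS", "software_version": "15.4(1.1)T"},
    {"id": 13306, "software_type": "application", "software_vendor": "Microsoft",
     "software_name": "Internet Explorer", "software_version": "8"},
]

# Constructed inventory, in the CPE form a scanner such as Nmap reports
SAMPLE_HOST_CPES = [
    "cpe:/o:cisco:ios:15.4(1.1)t",
    "cpe:/a:microsoft:internet_explorer:8",
    "cpe:/a:sap:netweaver:7.31",
]


if __name__ == "__main__":
    for hit in match_inventory(SAMPLE_ENTRIES, SAMPLE_HOST_CPES):
        print(hit)
```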

Page 46

Outro | Summary

◦ Vulnerability databases help to manage vulnerabilities

◦ Different sources allow collecting a broad range of issues

◦ Every source has some advantages and disadvantages

◦ Compiling and maintaining vulnerabilities takes a lot of effort

◦ Making your data accessible helps others

Page 47

Outro | Thank You

◦ I'd like to thank a bunch of people who helped to discuss the many interesting aspects of vulnerability database management:

◦ Stefan Friedli, scip AG

◦ Steven M. Christey, MITRE

Page 48

Outro | Questions

Page 49

Security Is Our Business!

scip AG

Jakob-Fügli-Strasse 18

CH-8048 Zürich

Tel +41 44 404 13 13

Fax +41 44 404 13 14


Web http://www.scip.ch

Twitter http://twitter.com/scipag

Strategy | Consulting

Auditing | Testing

Forensics | Analysis
