OSS CVE Trends Kazuki Omo( 和毅 ): [email protected] SIOS Technology, Inc.


OSS CVE Trends

Kazuki Omo (面 和毅): [email protected]

SIOS Technology, Inc.

Who am I?

- Security Researcher/Engineer (17 years)

- SELinux/MAC Evangelist (13 years)

- Antivirus Engineer (3 years)

- SIEM Engineer (3 years)

- Linux Engineer (17 years)

- Member of Secure OSS-Sig

What is Secure OSS-Sig?

A Japanese community interested in OSS security “technology”.

Agenda

1. What is CVE? CPE? CWE?

2. CVE Trends (OSS, and so on)

3. How can you get CVE information quickly?

1. What is CVE? CPE? CWE?


CVE: Common Vulnerabilities and Exposures

Short Story...

After 9.11…

9.11 → FISMA (Dec 2002)

(Federal Information Security Management Act)

NIST (National Institute of Standards and Technology)

- FIPS (Federal Information Processing Standards)

- SP 800 Series (e.g. SP 800-63A (Identity Proofing & Enrollment))….

After 9.11…

Many types of

- security measurement

- test

- config ...

“Annual” report to OMB!! (Office of Management and Budget)

SCAP (Security Content Automation Protocol)

Objective: automation of

- Vulnerability management

- Vulnerability measurement

- Policy compliance evaluation

NIST designed SCAP.

SCAP Components..

Enumerations:

- Common Vulnerabilities and Exposures (CVE)

- Common Configuration Enumeration (CCE)

- Common Platform Enumeration (CPE)

- Common Weakness Enumeration (CWE)

Scoring:

- Common Vulnerability Scoring System (CVSS)

Languages:

- Extensible Configuration Checklist Description Format (XCCDF)

- Open Vulnerability and Assessment Language (OVAL)

and so on….

CVE: Common Vulnerabilities and Exposures

CVE ID | Summary

CVE-2017-5638 | The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.

CVE-2017-6074 | The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.

CPE: Common Platform Enumeration

CPE name | title | href

cpe:/o:novell:leap:42.0 | Novell Leap 42.0 | https://en.opensuse.org/openSUSE:Leap

cpe:/o:redhat:enterprise_linux:7.1 | Red Hat Enterprise Linux 7.1 | http://www.redhat.com/en/resources/whats-new-red-hat-enterprise-linux-71

cpe:/a:isc:bind:9.8 | bind 9.8 | https://www.isc.org/downloads/bind/

CPE: Common Platform Enumeration

[omok@localhost ]$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
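To show how the CPE name advertised by /etc/os-release is read and compared with CPE names of the form listed in the tables above, here is an added Python example; it is not code from the slides. The os-release text is the CentOS 7 sample from the slide, restored to one variable per line, and the prefix-style matching is a deliberate simplification of the full CPE matching rules, not the official algorithm.

```python
"""Read the CPE name from /etc/os-release and compare it with the CPE 2.2
URIs used in vulnerability records (e.g. cpe:/o:centos:centos:7)."""

# Constructed sample: the CentOS 7 /etc/os-release shown on the slide,
# one variable per line.
OS_RELEASE_SAMPLE = '''NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
'''

# Component order of a CPE 2.2 URI after the "cpe:/" prefix.
CPE22_FIELDS = ("part", "vendor", "product", "version",
                "update", "edition", "language")


def parse_os_release(text: str) -> dict:
    """Minimal os-release parser: KEY=value lines, optional double quotes,
    blank lines and '#' comments skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip().strip('"')
    return out


def platform_cpe(os_release_text: str) -> str:
    """CPE_NAME from os-release; raises if the distro does not publish one."""
    fields = parse_os_release(os_release_text)
    if "CPE_NAME" not in fields:
        raise KeyError("os-release has no CPE_NAME")
    return fields["CPE_NAME"]


def parse_cpe22(uri: str) -> dict:
    """Split a CPE 2.2 URI into named components; absent components are None."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len("cpe:/"):].split(":")
    if parts[0] not in ("a", "h", "o"):   # application, hardware, OS
        raise ValueError(f"unknown CPE part {parts[0]!r} in {uri!r}")
    comps = dict.fromkeys(CPE22_FIELDS)
    for name, value in zip(CPE22_FIELDS, parts):
        comps[name] = value or None
    return comps


def cpe_matches(platform: str, affected: str) -> bool:
    """True when every component present in `affected` equals the platform's.
    A component omitted from `affected` (e.g. no version) matches anything.
    Simplified prefix matching, not the full CPE 2.3 matching specification."""
    plat, aff = parse_cpe22(platform), parse_cpe22(affected)
    return all(aff[f] is None or aff[f] == plat[f] for f in CPE22_FIELDS)


if __name__ == "__main__":
    mine = platform_cpe(OS_RELEASE_SAMPLE)
    print("platform:", mine, parse_cpe22(mine))
    for candidate in ("cpe:/o:centos:centos", "cpe:/o:centos:centos:6",
                      "cpe:/o:redhat:enterprise_linux:7.1"):
        print(candidate, "->", cpe_matches(mine, candidate))
```

Reading CPE_NAME from os-release rather than guessing from PRETTY_NAME gives a stable key for correlating a host inventory with CVE records; the caveat is that a plain prefix match treats "cpe:/o:centos:centos" as affecting every CentOS version, so version ranges in the CVE text still have to be checked.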


CWE: Common Weakness Enumeration

CWE: Common Weakness Enumeration

CVE ID | CWE-ID | Desc

CVE-2017-5638 (Struts2) | CWE-20 | Improper Input Validation

CVE-2016-6662 (MySQL) | CWE-264 | Permissions, Privileges, and Access Controls

CVE-2014-0160 (Heart Bleed) | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer


CWE: Common Weakness Enumeration

CVSS: Common Vulnerability Scoring System

2. CVE Status (Total)

10 years CVE Statistics (no HW/Firmware)

[Chart: CVE counts from 01/01/07 to 01/01/17; y-axis 0 to 1800; Heart Bleed marked]

OS CVE Statistics (5 years)

[Chart: series OS, OSS, mobile; y-axis 0 to 400; Heart Bleed marked]

App CVE Statistics (5 years)

[Chart: x-axis 2012/04 to 2017/04 (two-month ticks); series Apps, OSS, Mobile; y-axis 0 to 1400; Heart Bleed marked]

2. OSS CVE Status (CWEs)

OSS CVE Statistics with CWE (5 years)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

[Charts: CWE-89(app) and CWE-94(app), x-axis 12/04/01 to 17/04/01, y-axis 0 to 50; CWE-79(app), x-axis 12/04/01 to 17/04/01, y-axis 0 to 160]

OSS CVE Statistics with CWE (5 years)

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

[Charts: CWE-119 (Apps), y-axis 0 to 140; CWE-119 (OS), y-axis 0 to 60; x-axis 12/04/01 to 17/04/01]

OSS CVE Statistics with CWE (5 years)

CWE-125: Out-of-bounds Read

CWE-190: Integer Overflow or Wraparound

[Charts: CWE-125(App) and CWE-190(App), y-axis 0 to 60; CWE-125(OS) and CWE-190(OS), y-axis 0 to 12; x-axis 12/04/01 to 17/04/01]

OSS CVE Statistics with CWE (5 years)

CWE-284: Improper Access Control

CWE-287: Improper Authentication

[Charts: CWE-287(app) and CWE-284(app), y-axis 0 to 35; CWE-287(OS) and CWE-284(OS), y-axis 0 to 20; x-axis 12/04/01 to 17/04/01]

OSS CVE Statistics with CWE (5 years)

CWE-416: Use After Free

[Charts: CWE-416(app), y-axis 0 to 25; CWE-416(OS), y-axis 0 to 8; x-axis 12/04/01 to 17/04/01]

Tools for automated fuzzing..

American Fuzzy Lop: http://lcamtuf.coredump.cx/afl

- Famous for finding ShellShock, since 2014

OSS-Fuzz: https://github.com/google/oss-fuzz

- Open source since 2016/12

OSS CVE Statistics with CWE (5 years)

CWE-125: Out-of-bounds Read

CWE-190: Integer Overflow or Wraparound

[Charts: the same CWE-125(App)/CWE-190(App) (y-axis 0 to 60) and CWE-125(OS)/CWE-190(OS) (y-axis 0 to 12) series as above, x-axis 12/04/01 to 17/04/01, with Google OSS Fuzz marked on the timeline]

2. OSS CVE Status (Typical Apps)

HeartBleed (2014/04/07)

[Charts: CWE-310(app) and CWE-310(OS), x-axis 12/01/01 to 17/01/01, y-axis 0 to 800; Heart Bleed marked]

Wordpress

[Chart: Wordpress CVEs, x-axis 2012/03 to 2017/03 (two-month ticks), y-axis 0 to 100]

Wordpress vs other CMS

[Chart: series Wordpress, Drupal, Other CMS; x-axis 2012/03 to 2017/03 (two-month ticks); y-axis 0 to 100]

Struts

[Chart: Struts CVEs, x-axis 2012/04 to 2017/04 (two-month ticks), y-axis 0 to 9]

3. How can you get CVE info quickly?

Is it valuable to get CVE info quickly?

Yes!!

CVE (2017/03/17)

Is it valuable to get CVE info quickly?

If you know about a CVE earlier, you can:

- Read the information (do you need it or not?)

- Prepare for the update (schedule, etc.)

- Test the update

...etc.

Who assigns CVEs?

- MITRE

- Red Hat

- MicroFocus

- ISVs

- DWF


DWF (Distributed Weakness Filing)

How can you get CVE info quickly?

Before 02/09/2017:

OSS-Security ML

Send the vulnerability details, then a CVE would be assigned by MITRE.

Merit for users:

1. During CVE assignment, there was time to confirm/reproduce.

2. Detailed information about the vulnerability.

Current CVE Request

Use the web form for CVE requests.

How you can get CVE info quickly.

So now we get only a little info from the oss-security ML.

What is the alternative?

MITRE official

1. Daily CVE Changelog

MITRE official

2. Twitter (almost real time)

OSS (CVE-Search)

3. Create a CVE database for searching
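A minimal version of this third route, a local CVE database you can query yourself, as an added Python example; it is not code from the slides or from the CVE-Search project. The CVE IDs and CWE IDs are the ones shown on the earlier slides, while the CPE names and one-line summaries are constructed sample values rather than data from an authoritative feed.

```python
"""A small local CVE database in the spirit of CVE-Search: load CVE records
into SQLite, then search by affected platform (CPE) and by weakness (CWE)."""
import sqlite3
from typing import Dict, List

# Constructed sample records. CVE/CWE pairs come from the earlier slides;
# CVE-2017-6074 is listed without a CWE on the slides, so it is left None to
# show how records lacking a CWE are handled. CPE names are sample values.
SAMPLE_RECORDS = [
    {"id": "CVE-2017-5638", "cwe": "CWE-20",
     "summary": "Apache Struts 2 Jakarta Multipart parser (sample summary)",
     "cpes": ["cpe:/a:apache:struts:2.3.31", "cpe:/a:apache:struts:2.5.10"]},
    {"id": "CVE-2017-6074", "cwe": None,
     "summary": "Linux kernel DCCP double free (sample summary)",
     "cpes": ["cpe:/o:linux:linux_kernel:4.9.11"]},
    {"id": "CVE-2016-6662", "cwe": "CWE-264",
     "summary": "MySQL privilege issue (sample summary)",
     "cpes": ["cpe:/a:oracle:mysql:5.7.14"]},
    {"id": "CVE-2014-0160", "cwe": "CWE-119",
     "summary": "OpenSSL Heartbleed (sample summary)",
     "cpes": ["cpe:/a:openssl:openssl:1.0.1f"]},
]

SCHEMA = """
CREATE TABLE cve (id TEXT PRIMARY KEY, cwe TEXT, summary TEXT NOT NULL);
CREATE TABLE cve_cpe (cve_id TEXT NOT NULL REFERENCES cve(id),
                      cpe TEXT NOT NULL);
CREATE INDEX idx_cve_cwe ON cve(cwe);
CREATE INDEX idx_cve_cpe_cpe ON cve_cpe(cpe);
"""


def build_db(records: List[dict]) -> sqlite3.Connection:
    """Load records into an in-memory database (use a file path for a
    persistent one); parameterised inserts keep summaries from being
    interpreted as SQL."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for r in records:
        conn.execute("INSERT INTO cve VALUES (?, ?, ?)",
                     (r["id"], r["cwe"], r["summary"]))
        conn.executemany("INSERT INTO cve_cpe VALUES (?, ?)",
                         [(r["id"], c) for c in r["cpes"]])
    conn.commit()
    return conn


def search_by_cpe(conn: sqlite3.Connection, cpe_prefix: str) -> List[str]:
    """CVEs whose affected CPE equals the prefix or extends it by further
    ':'-separated components (cpe:/a:apache:struts matches
    cpe:/a:apache:struts:2.3.31 but not cpe:/a:apache:struts2).
    substr() is used instead of LIKE so that '_' and '%' inside a CPE
    (e.g. enterprise_linux) are never treated as wildcards."""
    rows = conn.execute(
        "SELECT DISTINCT cve_id FROM cve_cpe "
        "WHERE cpe = :p OR substr(cpe, 1, length(:p) + 1) = :p || ':' "
        "ORDER BY cve_id", {"p": cpe_prefix}).fetchall()
    return [row[0] for row in rows]


def search_by_cwe(conn: sqlite3.Connection, cwe: str) -> List[str]:
    rows = conn.execute("SELECT id FROM cve WHERE cwe = ? ORDER BY id",
                        (cwe,)).fetchall()
    return [row[0] for row in rows]


def count_by_cwe(conn: sqlite3.Connection) -> Dict[str, int]:
    """CVEs per CWE, the basis of the per-CWE trend charts above; records
    without a CWE are counted under 'unknown'."""
    rows = conn.execute(
        "SELECT COALESCE(cwe, 'unknown'), COUNT(*) FROM cve GROUP BY 1"
    ).fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = build_db(SAMPLE_RECORDS)
    print("struts:", search_by_cpe(db, "cpe:/a:apache:struts"))
    print("CWE-119:", search_by_cwe(db, "CWE-119"))
    print("per CWE:", count_by_cwe(db))
```

The point of keeping the index local is that "is my platform affected?" becomes a query you can run against your own inventory the moment a record arrives, instead of a manual web search per CVE; the prefix match is the same simplification as in the CPE example earlier, so version ranges still need a separate check.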

Alternative

4. Register to several typical MLs

Alternative

5. Check typical OSS websites.

http://tomcat.apache.org/security-9.html

https://www.postgresql.org/support/security/

https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Alternative

6. Check several “Deep Info” websites.

https://blogs.gentoo.org/ago/


My Blog (Japanese, sorry…)

https://oss.sios.com/security

By the way…. Each distro's speciality (in my personal experience)

Openness of vulnerability info to the public:

Debian >> RedHat, SuSE > Ubuntu

Quality of vulnerability info:

RedHat > SuSE >= Debian, Ubuntu

PoC info… :-)

SuSE >= RedHat >> Debian, Ubuntu

How you can get “PoC” info.

https://www.exploit-db.com/

https://community.rapid7.com/community/metasploit/content?filterID=contentstatus[published]~objecttype~objecttype[thread]

Why do I need a “PoC”?

http://www.secureoss.jp/

SELinux Policy/Module BoF: Today 16:50 am

Conclusion

1. OSS CVEs are growing → this does not mean “OSS is insecure”!!

→ Security researchers are brushing up.

2. Google's fuzzing application is helping to find new vulnerabilities.

3. After a CVE is public, attacks will increase. Also, after a famous attack, public CVEs will increase.

4. You can get CVE or vulnerability info quickly.

Any Questions?

Thank You!!!