Abstract image of a woman sitting on books and studying on a laptop

Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities

A
Area41

The document discusses the maintenance and design of vulnerability databases, with a particular focus on SCIP's vulnerability database, presenting various aspects such as data sources, evaluation ratings, and the challenges of handling vulnerabilities. It outlines the goals of such databases, the importance of thorough data entry, and the variety of sources available for maintaining up-to-date information. Additionally, it covers the advantages and disadvantages of several vulnerability databases and vendors, as well as strategies for analyzing and interpreting data.

Technology
Related topics:
Vulnerability Management
1 of 49
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
id entry_timestamp_queue entry_timestamp_create entry_timestamp_change entry_maintainer_queue entry_maintainer_create entry_maintainer_change entry_changelog entry_smss software_type software_vendor software_name software_version software_platform software_component software_file software_library software_function software_argument software_input_type software_input_value software_website software_affectedlist software_advisoryquote software_freetext_de software_freetext_en vulnerability_discoverydate vulnerability_vendorinformdate vulnerability_class vulnerability_impact vulnerability_risk vulnerability_simplicity vulnerability_popularity vulnerability_historic vulnerability_cvss_av vulnerability_cvss_ac vulnerability_cvss_au vulnerability_cvss_ci vulnerability_cvss_ii vulnerability_cvss_ai vulnerability_titleword vulnerability_keywords vulnerability_sourcecode vulnerability_advisoryquote vulnerability_freetext_de vulnerability_freetext_en advisory_date advisory_location advisory_type advisory_url advisory_via advisory_identifier advisory_reportconfidence advisory_coordination advisory_person_name advisory_person_nickname advisory_person_mail advisory_person_website advisory_company_name advisory_confirm_url advisory_confirm_date advisory_disputed advisory_advisoryquote advisory_freetext_de advisory_freetext_en exploit_availability exploit_date exploit_publicity exploit_url exploit_developer_name exploit_developer_nickname exploit_developer_mail exploit_developer_website exploit_language exploit_exploitability exploit_reliability exploit_wormified exploit_googlehack exploit_advisoryquote exploit_sourcecode exploit_freetext_de exploit_freetext_en countermeasure_remediationlev countermeasure_name countermeasure_date countermeasure_reliability countermeasure_upgrade_vers countermeasure_upgrade_url countermeasure_patch_name Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities Marc Ruef www.scip.ch area41 Security Conference June 2014, Zürich, Switzerland
Agenda | Vulnerability Database Maintenance 1. Intro Introduction 2 min Who am I? 2 min What is the Goal? 2 min 2. Vulnerability Database Maintenance Design the Database 5 min Handling of Sources 4 min Interpretation of Data 4 min Correlation of Data 4 min Quality Management 5 min Extrapolation of Data 5 min Deliver your Results 5 min Statistical Analysis 5 min Provide Accessibility 5 min Use Connectivity 5 min 3. Outro Summary 2 min Questions 5 min area41 2014 2/34
Introduction | Who Am I? Name Marc Ruef Job Co-Owner / CTO, scip AG, Zürich Private Website http://www.computec.ch Last own Book „The Art of Penetration Testing“, Computer & Literatur Böblingen, ISBN 3-936546-49-5 Translation area41 2014 3/34 2013 2007 20022004
Introduction | What Is a Vulnerability Database? ◦ What? ◦ A database collecting vulnerabilities ◦ Why? ◦ To do vulnerability management ◦ What is vulnerable? ◦ What is to patch? ◦ To do statistical analysis ◦ Costs of patch management ◦ Robustness of products area41 2014 4
Introduction | scip VulDB Looks like This (Overview) area41 2014 5
Introduction | scip VulDB Looks like This (Detail) area41 2014 6
Design | What Should Your Vulnerability Database Do? ◦ How much? ◦ Full coverage ◦ Selective collection ◦ Inventory-only ◦ Vendor-selection ◦ Importance threshold ◦ Fixed only ◦ For whom? ◦ Everyone ◦ Public service ◦ Advertisement ◦ Customers ◦ Vulnerability management service ◦ Alerting service ◦ Tools ◦ Internal Use ◦ Knowledge-base ◦ For pentesters ◦ For administrators area41 2014 7
Design | What Is an Entry? ◦ A VDB entry consists of different elements. Minimal elements usually are: ◦ ID 12413 ◦ Title Linux Low-Address Protection Denial of Service ◦ Disclosure Date 02/21/2014 ◦ Description A vulnerability, classified as (…) ◦ Risk Rating problematic ◦ References CVE-2014-2039, BID 65700, … area41 2014 8
Design | Details Are Cool… ◦ Entry ◦ Software ◦ … ◦ Vulnerability ◦ … ◦ Advisory ◦ … ◦ Exploit ◦ Availability → yes|no ◦ Publicity → public|private ◦ Disclosure Date → yyyyMMdd ◦ Developer → $name ◦ Language → Ruby|Python|C|… ◦ Reliability → low|medium|high ◦ … ◦ Countermeasure ◦ … ◦ Sources ◦ … ◦ Tools ◦ … ◦ Misc ◦ … area41 2014 9
Design | But Details Take Time! ◦ We have compiled more than 13’400 entries since 2003 ◦ A scip VulDB entry consists of ~150 possible data points ◦ We rate data points to prioritize: ◦ Important = 33 (must be processed if available) ◦ Normal = 32 (shall be processed) ◦ Optional = 85 (can be processed, if you have «too much time») ◦ Statistical analysis of defined data points over all entries: ◦ Average = 49.92 ◦ Min = 26 ◦ Max = 90 ◦ We currently add ~15 new entries per day (work-days only) area41 2014 10
Sources | Possible Sources ◦ Vulnerability databases ◦ Vulnerability contributors (iDefense VCP, HP ZDI) ◦ Infosec mailinglists ◦ Vendor mailinglists ◦ Vendor advisories ◦ Code repositories ◦ News ◦ Blogs ◦ Social networks (e.g. Twitter, G+, LinkedIn) ◦ Friends, colleagues, co-workers, … area41 2014 11
Sources | Vulnerability Databases: Advantages and Disadvantages VDB  Pros Cons IBM X-Force http://xforce.iss.net • Good coverage • CVSSv2 base scores • CVSSv2 temporal scores • CVE support • Sometimes a bit slow (2-3 updates per week) • «Arbitrary» listing (default view: 5 entries, no backlog) • No RSS feed OSVDB http://www.osvdb.org • Very quick (daily updates) • Best coverage (everything!) • CVSSv2 base scores (via MITRE) • CVE support • No listing (since Feb 2014) • No own risk rating (CVSSv2 only) • No RSS feed (since 2012) Secunia http://secunia.com/community /advisories/historic/ • Good coverage • Good listing (default view: 25 entries) • CVE support • Login required (since Apr 2014) • Some details for paying customers only • Combining multiple vulnerabilities in one entry (by release/patch) • They don’t like other projects (they forbade to use their listing for vulscan.nse in 2013) • No RSS feed • No CVSSv2 scores SecurityFocus http://www.securityfocus.com/ bid • Good coverage • CVE support • Listing also shows updated entries (default view: 31 entries) • Site is slow • Data for an entry is spread over 5 sub- pages • No CVSSv2 scores SecurityTracker http://securitytracker.com • Sometimes quite quick • Simple listing (default view: 5 entries) • CVE support • Selective coverage (popular products only) • No CVSSv2 scores
Sources | Evaluation Rating Introduction ◦ Criteria are those we think are important ◦ We have addressed them as far as possible in our project (because of this prioritization) ◦ Rating is as fair as possible ◦ You might rate a bit differently Description Rating Feature is supported: always/fully 3 Feature is supported: often/partially 2 Feature is supported: sometimes/somehow 1 Feature is never/not supported 0
Sources | Vulnerability Databases: Rating VDB  Coverage (howmuch) Quickness (howfast) Listing (howvisible) Search (howsearchable) Handling (howergonomic) TechDetails (howdetailed) RiskRating (howmeasured) CVSS Base CVSS Temporal CVE Feeds (howaccessible) Total CERT VU http://www.kb.cert.org/vuls/ 1 3 3 2 2 3 0 3 3 3 3 26 Exploit-DB http://www.exploit-db.com 1 3 3 3 2 2 0 0 0 3 3 20 IBM X-Force http://xforce.iss.net 3 1 1 1 2 2 0 3 3 3 0 19 NIST NVD http://nvd.nist.gov 2 1 3 3 2 2 0 3 0 3 3 22 MITRE CVE http://cve.mitre.org 2 1 3 2 2 2 0 0 0 3 2 17 OSVDB http://www.osvdb.org 3 3 0 2 2 2 0 2 0 3 0 17 Secunia http://secunia.com/community/advisories/historic/ 3 2 3 3 2 2 3 0 0 3 0 21 SecurityFocus http://www.securityfocus.com/bid 3 2 2 2 1 2 0 0 0 3 0 15 SecurityTracker http://securitytracker.com 1 2 3 2 3 2 0 0 0 3 0 16 scip VulDB (rating ourselves comes with bias) http://www.scip.ch/en/?vuldb 2 2 3 2 3 3 3 3 3 3 3 30  2.1 2.0 2.4 2.2 2.1 2.2 0.6 1.4 0.9 3.0 1.4
Sources | Vulnerability Databases: Conclusion ◦ Being quick is not easy ◦ Technical details range from bad to good ◦ CVSS scores are pretty unpopular, especially «temporal scores» ◦ CVE has been established as the de facto standard (nice!) ◦ You can’t compare CERT VU, Exploit-DB, NIST NVD and MITRE CVE with anything else ◦ Exploit-DB inherits abstraction from researchers and is not self- consistent ◦ Secunia and SecurityFocus are very similar in many aspects ◦ X-Force and SecurityTracker remain pretty unpopular ◦ The «O» in OSVDB does not stand for «open» anymore ◦ Some features have been broken for ages (e.g. search on OSVDB and X-Force) ◦ Not everyone is a big fan of feeds area41 2014 15
Sources | Vendor Advisories: Advantages and Disadvantages Vendor  Pros Cons Adobe http://helpx.adobe.com/security. html • Product-related listing • Some technical details • Priority rating • CVE support • Advisory per release/upgrade • No RSS feed Apple • Simple technical details • CVE support • No risk rating • No CVSSv2 scores • No listing • Advisory per release/upgrade • No RSS feed Cisco https://tools.cisco.com/security/c enter/publicationListing.x • Advisory listing • Advisory per vulnerability • Sometimes additional technical details • CVSSv2 base scores • CVE support • Technical details with login only • Some details for customers only • No RSS feed Google • CVE support • No listing • Advisory per release/upgrade • Technical details with auth only • No risk rating • No CVSSv2 scores • No RSS feed Microsoft http://technet.microsoft.com/sec urity/advisory • Some technical details • Listing (default view: 5 entries) • RSS feed • Patch day collection (2nd Tuesday of each month) • Severity rating • No CVSSv2 scores Oracle http://www.oracle.com/technetwo rk/topics/security/alerts- 086861.html • Simple listing • CVSSv2 base scores • CVE support • Patch day collection (quarterly) • No technical details • No RSS feed
Sources | Vendor Advisories: Rating Vendor VulnID (howunique) Frequency (howfast) Listing (howvisible) TechDetails (howdetailed) Risk (howmeasured) CVSS Base CVSS Temporal CVE RSS Total FortiGuard http://www.fortiguard.com/advisory/ 3 3 3 3 3 0 0 3 3 21 Symantec http://www.symantec.com/security_response/securityupdates/list.jsp 3 3 3 3 0 3 0 3 3 21 Microsoft http://technet.microsoft.com/security/advisory 3 2 3 3 3 0 0 3 3 20 Checkpoint https://www.checkpoint.com/defense/advisories/public/summary.html 3 2 3 2 3 0 0 3 3 19 Cisco https://tools.cisco.com/security/center/publicationListing.x (details auth only) 3 3 3 3 0 3 0 3 0 18 Oracle http://www.oracle.com/technetwork/topics/security/alerts-086861.html 1 1 3 1 3 3 0 3 3 18 Adobe http://helpx.adobe.com/security.html 3 3 3 2 2 0 0 3 0 16 HP https://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive 3 3 3 1 0 3 0 3 0 16 SAP https://service.sap.com/sap/support/notes/ (auth only) 3 3 3 2 3 2 0 0 0 16 D-Link http://securityadvisories.dlink.com/security/ 3 3 2 2 0 0 0 2 0 12 Google http://www.google.com (details auth only) 3 3 1 2 0 0 0 3 0 12 Apple http://www.apple.com 1 2 1 1 0 0 0 3 0 8  2.66 2.58 2.58 2.08 1.41 1.16 0.0 2.66 1.25
Sources | Vendor Advisories: Conclusion ◦ Some vendors have really ugly advisory URLs ◦ Technical details range from bad to good ◦ CVSS scores are pretty unpopular, especially «temporal scores» ◦ Own risk ratings are also unpopular, because they are hard ◦ Nearly everybody likes CVE ◦ Microsoft and Oracle handle things better than it felt ◦ Juniper has a field «Last Updated» but no «Disclosure Date» ◦ SAP is very restrictive with information for non-customers, which introduces a severe disadvantage (VDB’s can’t categorize them, which decreases visibility) ◦ Vendors aren’t big fans of RSS feeds either area41 2014 18
Sources | Vuln Contributors: Advantages and Disadvantages Project  Pros Cons iDEFENSE Vulnerability Contributor Program http://www.verisigninc.com/en_US/cyber- security/index.xhtml • Started in 2003 • Incomplete listing • No announcement of upcoming advisories • No CVSSv2 support • No search capabilities • No RSS feed • All old links are broken since Zero Day Initiative http://www.zerodayinitiative.com • Provide announcement for upcoming advisories • Provide CVSSv2 Base Scores • RSS feeds available • No search capabilities
Sources | Vuln Contributors: Rating Project  Listing (howvisible) Search (howsearchable) Handling (howergonomic) TechDetails (howdetailed) RiskRating (howmeasured) CVSS Base CVSS Temporal CVE RSS Total iDEFENSE Vulnerability Contributor Program http://www.verisigninc.com/en_US/cyber-security/index.xhtml 3 0 3 2 0 0 0 3 0 11 Zero Day Initiative http://www.zerodayinitiative.com 3 0 3 2 0 3 0 3 3 17  3.0 0.0 3.0 2.0 0.0 1.5 0.0 3.0 1.5
Sources | Vuln Contributors: Conclusion ◦ Only 2 major players ◦ They are quite similar in most aspects ◦ Zero Day Initiative has 2 advantages of CVSSv2 and RSS support ◦ More competition might increase quality area41 2014 21
Interpretation | How to Analyze ◦ The basic approach of processing a source is simple: 1. Check source for new entries 2. Review source entry 3. Add necessary data to database 1. If entry is available → Update existing entry 2. If entry is not available → Create new entry 3. If source is false-positive → Ignore entry and flag for future reference 4. Goto 1 area41 2014 22
Interpretation | MITRE CVE as an Example cve description advisory cert vu software
Interpretation | MITRE CVE as an Example: What Is missing? ◦ What’s missing on a MITRE CVE entry? ◦ Disclosure date ◦ Exact naming of vulnerability class ◦ Risk rating ◦ Person responsible for disclosure ◦ Detailed mitigation/countermeasure ◦ … area41 2014 24
Interpretation | OSVDB as an Example cve sectracker product version description date exploit news
Interpretation | Contradicting Conventions (Disclosure Date) 02/19/2014 02/26/2014
Interpretation | Contradicting Conventions (Disclosure Date) CVE-2014-2284 net-snmp 5.7.1 on Linux ICMP-MIB Denial of Service 02/19/2014 02/20/2014 02/21/2014 02/22/2014 02/23/2014 02/24/2014 02/25/2014 02/26/2014 02/27/2014 ... 03/24/2014 SourceForge ReleaseNote SecFocus SecTracker VulDB OSVDB Secunia RedHat Our definition of a (public) disclosure date: The earliest known date to disclose an issue to the public in an unrestricted way. (we’re going to adopt a more differentiated approach in the near future) 03/05/2014oss-security ...CVE
Interpretation | Put the Different Pieces Together VDB  Product Version VulnClass Disclosure Date Advisory URL Attack Context Exploit Solution VulnDB Sources Misc. Links Total CERT VU http://www.kb.cert.org/vuls/ 3 2 3 2 3 3 1 3 0 1 21 Exploit-DB http://www.exploit-db.com 3 2 2 2 2 1 3 1 1 0 17 IBM X-Force http://xforce.iss.net 3 2 2 3 2 3 1 2 2 2 22 NIST NVD http://nvd.nist.gov 2 2 3 0 3 1 1 1 3 3 19 MITRE CVE http://cve.mitre.org 2 2 2 0 3 1 1 1 3 3 18 OSVDB http://www.osvdb.org 3 3 3 3 3 3 3 3 3 3 30 Secunia http://secunia.com/community/advisories/historic/ 2 2 2 2 3 1 1 2 0 0 15 SecurityFocus http://www.securityfocus.com/bid 3 3 3 3 2 1 2 2 0 1 20 SecurityTracker http://securitytracker.com 3 3 3 1 2 3 1 3 0 1 20 scip VulDB http://www.scip.ch/en/?vuldb 3 3 3 3 3 3 3 3 3 3 30  2.7 2.4 2.6 1.9 2.6 2.0 1.7 2.1 1.5 1.7
Sources | Vulnerability Databases: Conclusion ◦ OSVDB provides the best collection of data ◦ Secunia provides the worst collection of data ◦ SecurityFocus and Secunia usually don’t provide context ◦ X-Force, SecurityTracker and Secunia don’t provide exploit details ◦ SecurityTracker and Secunia have confusing disclosure dates ◦ SecurityFocus, SecurityTracker and Secunia don’t link to other VDB area41 2014 29
Correlation | That's Why You Have to Correlate ◦ Approach ◦ Merge different sources ◦ Compare similar data points ◦ Identify and verify contradictions ◦ Dangers ◦ Duplicates: Come up with annoying inconsistency ◦ Merges: Come up with dangerous mashups area41 2014 30
Correlation | Now Things Are Getting Tricky ◦ Sometimes vulnerabilities can’t be identified individually ◦ CVE helps a lot! But not every vulnerability (immediately) has a CVE number ◦ Some sources merge vulnerabilities into one entry ◦ Vendors do this within their patch release notes or patch days ◦ Secunia tends to compile different vulnerabilities of the same day or patch generation into one entry (e.g. 58519). SecurityFocus does it sometimes (e.g. 67553) and so does SecurityTracker in some cases (e.g. 1030269). ◦ Vulnerabilities with very few technical details often can’t be distinguished from similar vulnerabilities (e.g. Apple HT6145: no info available, but CVE assigned) area41 2014 31
Correlation | Keep Track, Detect Collisions ◦ Keep track of your sources and the entries already reviewed ◦ Verify that every new entry is really new and not just a duplicate or a minor fork of an existing entry. This is a very underestimated task! ◦ We do that with collision detection ◦ Compare new values with existing values of other entries (e.g. URLs, IDs, references). If there is a specified level of matches, we have to check for a duplicate. ◦ Our reference maps help to distinguish. Projects like vFeed support this very good. [https://github.com/toolswatch/vFeed/] area41 2014 32
Correlation | To Split or Not to Split Parameter → 5 entries File → 4 entries Component → 3 entries Vuln Class → 2 entries Advisory/Patch → 1 entry Advisory #VA42 Cross Site Scripting User Auth login.php login_user login_pass News Portal news.php news_id archive.php news_year SQL Injection Board forum.php post_id area41 2014 33
Correlation | Split Example (MS Patch Day, IE Vuls, Feb 2014) VulDB (vuln split) SecFocus* (vuln split) CVE (vuln split) Secunia (combined) Microsoft (combined) MS14-010 SA56796 CVE- 2014-0267 BID 65361 SID 12242 CVE- 2014-0268 BID 65392 SID 12239 … … … CVE- 2014-0293 BID 65394 SID 12241 area41 2014 34 * SecurityFocus often combines (e.g. BID 67553)
Correlation | Unwanted Split (cPanel, Dec 2013) ◦ TSR 2013-0011, http://cpanel.net/tsr-2013-0011-full-disclosure/ ◦ 12/18/2013 cPanel WHM Reseller Login Handler Cookie information disclosure ◦ 12/18/2013 cPanel WHM Login Security Handler Token information disclosure ◦ 12/18/2013 cPanel WHM Branding Subsystem privilege escalation ◦ 12/18/2013 cPanel WHM usr/local/cpanel/share/counter privilege escalation ◦ 12/18/2013 cPanel WHM Daily Process Log Screen Stored cross site scripting ◦ 12/18/2013 cPanel WHM cPAddons Upgrade Handler Password information disclosure ◦ 12/18/2013 cPanel WHM Edit DNS Zone Interface information disclosure ◦ 12/18/2013 cPanel WHM SSH Authentication Handler privilege escalation ◦ 12/18/2013 cPanel WHM X3 Theme countedit.cgi Directory Traversal ◦ 12/18/2013 cPanel WHM Bandmin passwd privilege escalation ◦ 12/18/2013 cPanel WHM cpsrvd Bypass privilege escalation ◦ 12/18/2013 cPanel WHM Bandmin Reflected cross site scripting ◦ 12/18/2013 cPanel WHM API Call Handler UI::dynamicincludelist Directory Traversal ◦ 12/18/2013 cPanel WHM Database Handler privilege escalation ◦ 12/18/2013 cPanel WHM Backup Archive Handler privilege escalation ◦ 12/18/2013 cPanel WHM Config Handler Cross Site Request Forgery ◦ 12/18/2013 cPanel WHM Translatable Phrase Handler Locale::Maketext privilege escalation ◦ 12/18/2013 cPanel WHM CSRF Protection Bypass Cross Site Request Forgery ◦ 12/18/2013 cPanel WHM cross site scripting ◦ 12/18/2013 cPanel WHM Logaholic Session File Handler /tmp privilege escalation ◦ 12/18/2013 cPanel WHM Virtualhost Installation Handler privilege escalation area41 2014 35
Correlation | Split Pros and Cons ◦ Advisory / Patch ◦ Few entries ◦ Good for overview ◦ Good for patch management ◦ Vulnerability ◦ Some entries ◦ Possible splits for 3rd party components ◦ Element ◦ A lot of entries ◦ Good for statistical analysis area41 2014 36
Quality | How to Provide the Best? ◦ Try to verify statements from researchers, vendors and vulnerability database maintainers ◦ Check for plausibility ◦ Verify from other sources ◦ Re-test within a lab ◦ Eliminate wrong statements ◦ Delete false entries ◦ Preserve false entries (prefered by CVE, SecurityFocus) ◦ Add further explanations ◦ Flag (prefered by OSVDB, scip VulDB) ◦ advisory_disputed=1 (e.g. scipID 13305, 13000, 12643) ◦ advisory_reportconfidence=UR (CVSSv2 temp score metric) ◦ Try to find and compile additional details area41 2014 37
Extrapolation | Versions of Affected Software ◦ Exact Version ◦ Internet Explorer 10 → X-Force, OSVDB, SecFocus, Secunia, VulDB ◦ Wildcards ◦ Internet Explorer 6.x → Secunia, SecFocus, SecTracker, VulDB ◦ Ranges ◦ Internet Explorer 8 – 10 → Secunia, CVE ◦ Internet Explorer prior 10 → SecurityTracker, Secunia ◦ Internet Explorer before 10 → CVE ◦ Internet Explorer up to 10 → VulDB ◦ Internet Explorer 8 and later → SecurityTracker area41 2014 3810 119876 10 up to 10 8 to 10 Internet Explorer Versions before 10 …
Extrapolation | What about The Unknown? ◦ Try to guess. Examples: ◦ «IE prior 9» → 6 – 9 ◦ «IE prior 11» → 7 – 10 ◦ Research and validate yourself ◦ A lot of work ◦ We combine with other projects (research or pentest) ◦ We enforce very important or interesting vulnerabilities ◦ Be quiet area41 2014 39
Delivery | Chose your Channels ◦ Web Site ◦ Mail ◦ RSS ◦ Widgets ◦ Facebook ◦ Twitter ◦ LinkedIn ◦ App ◦ … area41 2014 40
Statistics | Comparing Apples and Oranges ◦ Doing some statistics is easy. Doing it the right way is hard. Some say it is even impossible. [http://blog.osvdb.org/category/vulnerability-statistics/] ◦ Counting vulnerabilities doesn’t say anything: ◦ Weak code leads to a lot of vulnerabilities ◦ Complexity leads to a lot of vulnerabilities ◦ Popularity leads to a lot of vulnerabilities ◦ Bug bounty programs lead to a lot of vulnerabilities ◦ Open disclosure process leads to a lot of vulnerabilities ◦ We still provide statistical raw data and expect the viewers to think about it area41 2014 41
Statistics | Timelines Are Interesting ◦ Our timelines consist of multiple data points ◦ vulnerability_introduction_date ◦ vulnerability_discovery_date ◦ vulnerability_vendorinform_date ◦ advisory_date ◦ advisory_confirm_date ◦ exploit_date ◦ countermeasure_date ◦ source_cve_assigned ◦ source_secunia_date ◦ source_nessus_date ◦ entry_timestamp_create ◦ entry_timestamp_update Example Heartbleed [CVE-2014-0160] area41 2014 42
Statistics | Timelines Trivia (excerpt from 2014) ◦ [CVE-2014-0160] OpenSSL TLS/DTLS Heartbeat information disclosure got introduced in 01/01/2012 and fixed in 04/07/2014 ◦ existed 827 days ◦ [CVE-2014-0179] libvirt XML Entity Expansion Handler denial of service got introduced in 12/23/2009 and fixed in 05/06/2014 ◦ existed 1.595 days ◦ [CVE-2014-3122] Linux Kernel try_to_unmap_cluster() denial of service got introduced in 10/19/2008 and fixed in 04/10/2014 ◦ existed 1.996 days ◦ [CVE-2014-3460] Novell NetIQ Sentinel Agent Manager directory traversal vendor got informed in 09/04/2013 but did not respond until 05/19/2014 ◦ Novell ignored grace period of 257 days area41 2014 43
Accessibility | Choose Additional Representation ◦ To allow users to work with your data, it might be the best way to provide additional forms of representation: ◦ SQL ◦ XML ◦ JSON ◦ CSV ◦ CVRF [http://www.icasi.org/cvrf] area41 2014 44
Connectivity | Use Data for Vuln Scanning ◦ We are able to construct specific requests with our fields software_argument and software_input_value to create test cases and exploits (very simple for web-based vulns) ◦ Because of the fields software_* we are able to provide CPE lists [http://cpe.mitre.org/], which can be matched with tools like Nmap. Random examples: ◦ ID 12313 → cpe:/a:sap:netweaver:7.30 ◦ ID 12802 → cpe:/o:cisco:ios:15.4(1.1)t ◦ ID 13306 → cpe:/a:microsoft:internet_explorer:8 area41 2014 45
Outro | Summary ◦ Vulnerability databases help to manage vulnerabilities ◦ Different sources allow to collect a broad amount of issues ◦ Every source has some advantages and disadvantages ◦ Compiling and maintaining vulnerabilities takes a lot of effort ◦ Making your data accessible helps others area41 2014 46
Outro | Thank You ◦ I‘d like to thank a bunch of people which helped to discuss the many interesting aspects of vulnerability database management: ◦ Stefan Friedli, scip AG ◦ Steven M. Christey, MITRE area41 2014 47
Outro | Questions area41 2014 48
Security Is Our Business! scip AG Jakob-Fügli-Strasse 18 CH-8048 Zürich Tel +41 44 404 13 13 Fax +41 44 404 13 14 Mail info@scip.ch Web http://www.scip.ch Twitter http://twitter.com/scipag  Strategy | Consulting  Auditing | Testing  Forensics | Analysis area41 2014 49

More Related Content

PDF
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Apostolos Giannakidis
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
PDF
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
PDF
Wfuzz for Penetration Testers
Christian Martorella
 
PDF
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
CODE BLUE
 
PPTX
Nguyen phuong truong anh a story of bug bounty hunter
Security Bootcamp
 
PPTX
Owasp Top 10 - A1 Injection
Paul Ionescu
 
PPTX
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Apostolos Giannakidis
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
Wfuzz for Penetration Testers
Christian Martorella
 
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
CODE BLUE
 
Nguyen phuong truong anh a story of bug bounty hunter
Security Bootcamp
 
Owasp Top 10 - A1 Injection
Paul Ionescu
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 

What's hot (20)

PDF
All You Need is One - A ClickOnce Love Story - Secure360 2015
NetSPI
 
PDF
Top Security Challenges Facing Credit Unions Today
Chris Gates
 
PPT
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
Steve Poole
 
PDF
Asec r01-resting-on-your-laurels-will-get-you-pwned
Dinis Cruz
 
PDF
Secure Coding for Java - An Introduction
Sebastien Gioria
 
PPTX
Geecon 2017 Anatomy of Java Vulnerabilities
Steve Poole
 
PDF
Thick Application Penetration Testing - A Crash Course
NetSPI
 
PPTX
Java Secure Coding Practices
OWASPKerala
 
PPTX
JavaScript security and tools evolution at 2017 OWASP Taiwan Week
dcervigni
 
PDF
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
PDF
Attack All the Layers - What's Working in Penetration Testing
NetSPI
 
PDF
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
PDF
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Christian Schneider
 
PDF
Secure Application Development in the Age of Continuous Delivery
Black Duck by Synopsys
 
PDF
Applications secure by default
SecuRing
 
PDF
Advanced SQL Injection Attack & Defenses
Tiago Mendo
 
PDF
Web security for developers
Sunny Neo
 
PDF
Is code review the solution?
Tiago Mendo
 
PDF
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
PDF
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
NetSPI
 
Top Security Challenges Facing Credit Unions Today
Chris Gates
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
Steve Poole
 
Asec r01-resting-on-your-laurels-will-get-you-pwned
Dinis Cruz
 
Secure Coding for Java - An Introduction
Sebastien Gioria
 
Geecon 2017 Anatomy of Java Vulnerabilities
Steve Poole
 
Thick Application Penetration Testing - A Crash Course
NetSPI
 
Java Secure Coding Practices
OWASPKerala
 
JavaScript security and tools evolution at 2017 OWASP Taiwan Week
dcervigni
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
Attack All the Layers - What's Working in Penetration Testing
NetSPI
 
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Christian Schneider
 
Secure Application Development in the Age of Continuous Delivery
Black Duck by Synopsys
 
Applications secure by default
SecuRing
 
Advanced SQL Injection Attack & Defenses
Tiago Mendo
 
Web security for developers
Sunny Neo
 
Is code review the solution?
Tiago Mendo
 
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 
Ad

Similar to Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities (20)

PDF
ProdSec: A Technical Approach
Jeremy Brown
 
PDF
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Security Bootcamp
 
PDF
Deepfence.pdf
Vishwas N
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
PPTX
Started In Security Now I'm Here
Christopher Grayson
 
ODP
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
PPTX
DevSecOps : an Introduction
Prashanth B. P.
 
PDF
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
PDF
stackconf 2024 | How to hack and defend (your) open source by Roman Zhukov.pdf
NETWAYS
 
PDF
Open Source Security – A vendor's perspective
Matthew Wilkes
 
PDF
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
PPTX
Code Review Cybersecurity: Comprehensive Guide to Secure Code Evaluation & B...
hamdi71
 
PDF
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
PPTX
Jason Kent - AppSec Without Additional Tools
centralohioissa
 
PPTX
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
PPT
Agnitio: its static analysis, but not as we know it
Security BSides London
 
PDF
Blending Automated and Manual Testing
Denim Group
 
PDF
Problems with parameters b sides-msp
Mike Saunders
 
PPTX
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
 
PPTX
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
Abhay Bhargav
 
ProdSec: A Technical Approach
Jeremy Brown
 
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Security Bootcamp
 
Deepfence.pdf
Vishwas N
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Started In Security Now I'm Here
Christopher Grayson
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
DevSecOps : an Introduction
Prashanth B. P.
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
stackconf 2024 | How to hack and defend (your) open source by Roman Zhukov.pdf
NETWAYS
 
Open Source Security – A vendor's perspective
Matthew Wilkes
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
Code Review Cybersecurity: Comprehensive Guide to Secure Code Evaluation & B...
hamdi71
 
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
Jason Kent - AppSec Without Additional Tools
centralohioissa
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
Agnitio: its static analysis, but not as we know it
Security BSides London
 
Blending Automated and Manual Testing
Denim Group
 
Problems with parameters b sides-msp
Mike Saunders
 
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
Abhay Bhargav
 
Ad

More from Area41 (11)

PDF
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
Area41
 
PDF
Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
Area41
 
PDF
Rob "Mubix" Fuller: Attacker Ghost Stories
Area41
 
PPTX
Halvar Flake: Why Johnny can’t tell if he is compromised
Area41
 
PDF
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
Area41
 
PDF
hashdays 2011: Mikko Hypponen - Keynote
Area41
 
PDF
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
Area41
 
PDF
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...
Area41
 
PDF
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
Area41
 
PDF
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
Area41
 
PDF
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
Area41
 
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...
Area41
 
Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease
Area41
 
Rob "Mubix" Fuller: Attacker Ghost Stories
Area41
 
Halvar Flake: Why Johnny can’t tell if he is compromised
Area41
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
Area41
 
hashdays 2011: Mikko Hypponen - Keynote
Area41
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
Area41
 
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...
Area41
 
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
Area41
 
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
Area41
 
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
Area41
 

Recently uploaded (20)

PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PPTX
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PPTX
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
DOCX
search engine optimization ppt fir known well about this
StandardCodeLearning
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPT
Geologic Time for studying geology for geologist
ssuser738f5a
 
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
PDF
Unlock new opportunities with location data.pdf
Precisely
 
PDF
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
PDF
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
search engine optimization ppt fir known well about this
StandardCodeLearning
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Geologic Time for studying geology for geologist
ssuser738f5a
 
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
Unlock new opportunities with location data.pdf
Precisely
 
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 

Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities

  • 1. id entry_timestamp_queue entry_timestamp_create entry_timestamp_change entry_maintainer_queue entry_maintainer_create entry_maintainer_change entry_changelog entry_smss software_type software_vendor software_name software_version software_platform software_component software_file software_library software_function software_argument software_input_type software_input_value software_website software_affectedlist software_advisoryquote software_freetext_de software_freetext_en vulnerability_discoverydate vulnerability_vendorinformdate vulnerability_class vulnerability_impact vulnerability_risk vulnerability_simplicity vulnerability_popularity vulnerability_historic vulnerability_cvss_av vulnerability_cvss_ac vulnerability_cvss_au vulnerability_cvss_ci vulnerability_cvss_ii vulnerability_cvss_ai vulnerability_titleword vulnerability_keywords vulnerability_sourcecode vulnerability_advisoryquote vulnerability_freetext_de vulnerability_freetext_en advisory_date advisory_location advisory_type advisory_url advisory_via advisory_identifier advisory_reportconfidence advisory_coordination advisory_person_name advisory_person_nickname advisory_person_mail advisory_person_website advisory_company_name advisory_confirm_url advisory_confirm_date advisory_disputed advisory_advisoryquote advisory_freetext_de advisory_freetext_en exploit_availability exploit_date exploit_publicity exploit_url exploit_developer_name exploit_developer_nickname exploit_developer_mail exploit_developer_website exploit_language exploit_exploitability exploit_reliability exploit_wormified exploit_googlehack exploit_advisoryquote exploit_sourcecode exploit_freetext_de exploit_freetext_en countermeasure_remediationlev countermeasure_name countermeasure_date countermeasure_reliability countermeasure_upgrade_vers countermeasure_upgrade_url countermeasure_patch_name Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities Marc Ruef www.scip.ch area41 Security Conference June 2014, Zürich, Switzerland
  • 2. Agenda | Vulnerability Database Maintenance 1. Intro Introduction 2 min Who am I? 2 min What is the Goal? 2 min 2. Vulnerability Database Maintenance Design the Database 5 min Handling of Sources 4 min Interpretation of Data 4 min Correlation of Data 4 min Quality Management 5 min Extrapolation of Data 5 min Deliver your Results 5 min Statistical Analysis 5 min Provide Accessibility 5 min Use Connectivity 5 min 3. Outro Summary 2 min Questions 5 min area41 2014 2/34
  • 3. Introduction | Who Am I? Name Marc Ruef Job Co-Owner / CTO, scip AG, Zürich Private Website http://www.computec.ch Last own Book „The Art of Penetration Testing“, Computer & Literatur Böblingen, ISBN 3-936546-49-5 Translation area41 2014 3/34 2013 2007 20022004
  • 4. Introduction | What Is a Vulnerability Database? ◦ What? ◦ A database collecting vulnerabilities ◦ Why? ◦ To do vulnerability management ◦ What is vulnerable? ◦ What is to patch? ◦ To do statistical analysis ◦ Costs of patch management ◦ Robustness of products area41 2014 4
  • 5. Introduction | scip VulDB Looks like This (Overview) area41 2014 5
  • 6. Introduction | scip VulDB Looks like This (Detail) area41 2014 6
  • 7. Design | What Should Your Vulnerability Database Do? ◦ How much? ◦ Full coverage ◦ Selective collection ◦ Inventory-only ◦ Vendor-selection ◦ Importance threshold ◦ Fixed only ◦ For whom? ◦ Everyone ◦ Public service ◦ Advertisement ◦ Customers ◦ Vulnerability management service ◦ Alerting service ◦ Tools ◦ Internal Use ◦ Knowledge-base ◦ For pentesters ◦ For administrators area41 2014 7
  • 8. Design | What Is an Entry? ◦ A VDB entry consists of different elements. Minimal elements usually are: ◦ ID 12413 ◦ Title Linux Low-Address Protection Denial of Service ◦ Disclosure Date 02/21/2014 ◦ Description A vulnerability, classified as (…) ◦ Risk Rating problematic ◦ References CVE-2014-2039, BID 65700, … area41 2014 8
  • 9. Design | Details Are Cool… ◦ Entry ◦ Software ◦ … ◦ Vulnerability ◦ … ◦ Advisory ◦ … ◦ Exploit ◦ Availability → yes|no ◦ Publicity → public|private ◦ Disclosure Date → yyyyMMdd ◦ Developer → $name ◦ Language → Ruby|Python|C|… ◦ Reliability → low|medium|high ◦ … ◦ Countermeasure ◦ … ◦ Sources ◦ … ◦ Tools ◦ … ◦ Misc ◦ … area41 2014 9
  • 10. Design | But Details Take Time! ◦ We have compiled more than 13’400 entries since 2003 ◦ A scip VulDB entry consists of ~150 possible data points ◦ We rate data points to prioritize: ◦ Important = 33 (must be processed if available) ◦ Normal = 32 (shall be processed) ◦ Optional = 85 (can be processed, if you have «too much time») ◦ Statistical analysis of defined data points over all entries: ◦ Average = 49.92 ◦ Min = 26 ◦ Max = 90 ◦ We currently add ~15 new entries per day (work-days only) area41 2014 10
  • 11. Sources | Possible Sources ◦ Vulnerability databases ◦ Vulnerability contributors (iDefense VCP, HP ZDI) ◦ Infosec mailinglists ◦ Vendor mailinglists ◦ Vendor advisories ◦ Code repositories ◦ News ◦ Blogs ◦ Social networks (e.g. Twitter, G+, LinkedIn) ◦ Friends, colleagues, co-workers, … area41 2014 11
  • 12. Sources | Vulnerability Databases: Advantages and Disadvantages VDB  Pros Cons IBM X-Force http://xforce.iss.net • Good coverage • CVSSv2 base scores • CVSSv2 temporal scores • CVE support • Sometimes a bit slow (2-3 updates per week) • «Arbitrary» listing (default view: 5 entries, no backlog) • No RSS feed OSVDB http://www.osvdb.org • Very quick (daily updates) • Best coverage (everything!) • CVSSv2 base scores (via MITRE) • CVE support • No listing (since Feb 2014) • No own risk rating (CVSSv2 only) • No RSS feed (since 2012) Secunia http://secunia.com/community /advisories/historic/ • Good coverage • Good listing (default view: 25 entries) • CVE support • Login required (since Apr 2014) • Some details for paying customers only • Combining multiple vulnerabilities in one entry (by release/patch) • They don’t like other projects (they forbade to use their listing for vulscan.nse in 2013) • No RSS feed • No CVSSv2 scores SecurityFocus http://www.securityfocus.com/ bid • Good coverage • CVE support • Listing also shows updated entries (default view: 31 entries) • Site is slow • Data for an entry is spread over 5 sub- pages • No CVSSv2 scores SecurityTracker http://securitytracker.com • Sometimes quite quick • Simple listing (default view: 5 entries) • CVE support • Selective coverage (popular products only) • No CVSSv2 scores
  • 13. Sources | Evaluation Rating Introduction ◦ Criteria are those we think are important ◦ We have addressed them as far as possible in our project (because of this prioritization) ◦ Rating is as fair as possible ◦ You might rate a bit differently Description Rating Feature is supported: always/fully 3 Feature is supported: often/partially 2 Feature is supported: sometimes/somehow 1 Feature is never/not supported 0
  • 14. Sources | Vulnerability Databases: Rating VDB  Coverage (howmuch) Quickness (howfast) Listing (howvisible) Search (howsearchable) Handling (howergonomic) TechDetails (howdetailed) RiskRating (howmeasured) CVSS Base CVSS Temporal CVE Feeds (howaccessible) Total CERT VU http://www.kb.cert.org/vuls/ 1 3 3 2 2 3 0 3 3 3 3 26 Exploit-DB http://www.exploit-db.com 1 3 3 3 2 2 0 0 0 3 3 20 IBM X-Force http://xforce.iss.net 3 1 1 1 2 2 0 3 3 3 0 19 NIST NVD http://nvd.nist.gov 2 1 3 3 2 2 0 3 0 3 3 22 MITRE CVE http://cve.mitre.org 2 1 3 2 2 2 0 0 0 3 2 17 OSVDB http://www.osvdb.org 3 3 0 2 2 2 0 2 0 3 0 17 Secunia http://secunia.com/community/advisories/historic/ 3 2 3 3 2 2 3 0 0 3 0 21 SecurityFocus http://www.securityfocus.com/bid 3 2 2 2 1 2 0 0 0 3 0 15 SecurityTracker http://securitytracker.com 1 2 3 2 3 2 0 0 0 3 0 16 scip VulDB (rating ourselves comes with bias) http://www.scip.ch/en/?vuldb 2 2 3 2 3 3 3 3 3 3 3 30  2.1 2.0 2.4 2.2 2.1 2.2 0.6 1.4 0.9 3.0 1.4
  • 15. Sources | Vulnerability Databases: Conclusion ◦ Being quick is not easy ◦ Technical details range from bad to good ◦ CVSS scores are pretty unpopular, especially «temporal scores» ◦ CVE has been established as the de facto standard (nice!) ◦ You can’t compare CERT VU, Exploit-DB, NIST NVD and MITRE CVE with anything else ◦ Exploit-DB inherits abstraction from researchers and is not self- consistent ◦ Secunia and SecurityFocus are very similar in many aspects ◦ X-Force and SecurityTracker remain pretty unpopular ◦ The «O» in OSVDB does not stand for «open» anymore ◦ Some features have been broken for ages (e.g. search on OSVDB and X-Force) ◦ Not everyone is a big fan of feeds area41 2014 15
  • 16. Sources | Vendor Advisories: Advantages and Disadvantages Vendor  Pros Cons Adobe http://helpx.adobe.com/security. html • Product-related listing • Some technical details • Priority rating • CVE support • Advisory per release/upgrade • No RSS feed Apple • Simple technical details • CVE support • No risk rating • No CVSSv2 scores • No listing • Advisory per release/upgrade • No RSS feed Cisco https://tools.cisco.com/security/c enter/publicationListing.x • Advisory listing • Advisory per vulnerability • Sometimes additional technical details • CVSSv2 base scores • CVE support • Technical details with login only • Some details for customers only • No RSS feed Google • CVE support • No listing • Advisory per release/upgrade • Technical details with auth only • No risk rating • No CVSSv2 scores • No RSS feed Microsoft http://technet.microsoft.com/sec urity/advisory • Some technical details • Listing (default view: 5 entries) • RSS feed • Patch day collection (2nd Tuesday of each month) • Severity rating • No CVSSv2 scores Oracle http://www.oracle.com/technetwo rk/topics/security/alerts- 086861.html • Simple listing • CVSSv2 base scores • CVE support • Patch day collection (quarterly) • No technical details • No RSS feed
  • 17. Sources | Vendor Advisories: Rating Vendor VulnID (howunique) Frequency (howfast) Listing (howvisible) TechDetails (howdetailed) Risk (howmeasured) CVSS Base CVSS Temporal CVE RSS Total FortiGuard http://www.fortiguard.com/advisory/ 3 3 3 3 3 0 0 3 3 21 Symantec http://www.symantec.com/security_response/securityupdates/list.jsp 3 3 3 3 0 3 0 3 3 21 Microsoft http://technet.microsoft.com/security/advisory 3 2 3 3 3 0 0 3 3 20 Checkpoint https://www.checkpoint.com/defense/advisories/public/summary.html 3 2 3 2 3 0 0 3 3 19 Cisco https://tools.cisco.com/security/center/publicationListing.x (details auth only) 3 3 3 3 0 3 0 3 0 18 Oracle http://www.oracle.com/technetwork/topics/security/alerts-086861.html 1 1 3 1 3 3 0 3 3 18 Adobe http://helpx.adobe.com/security.html 3 3 3 2 2 0 0 3 0 16 HP https://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive 3 3 3 1 0 3 0 3 0 16 SAP https://service.sap.com/sap/support/notes/ (auth only) 3 3 3 2 3 2 0 0 0 16 D-Link http://securityadvisories.dlink.com/security/ 3 3 2 2 0 0 0 2 0 12 Google http://www.google.com (details auth only) 3 3 1 2 0 0 0 3 0 12 Apple http://www.apple.com 1 2 1 1 0 0 0 3 0 8  2.66 2.58 2.58 2.08 1.41 1.16 0.0 2.66 1.25
  • 18. Sources | Vendor Advisories: Conclusion ◦ Some vendors have really ugly advisory URLs ◦ Technical details range from bad to good ◦ CVSS scores are pretty unpopular, especially «temporal scores» ◦ Own risk ratings are also unpopular, because they are hard ◦ Nearly everybody likes CVE ◦ Microsoft and Oracle handle things better than it felt ◦ Juniper has a field «Last Updated» but no «Disclosure Date» ◦ SAP is very restrictive with information for non-customers, which introduces a severe disadvantage (VDB’s can’t categorize them, which decreases visibility) ◦ Vendors aren’t big fans of RSS feeds either area41 2014 18
  • 19. Sources | Vuln Contributors: Advantages and Disadvantages Project  Pros Cons iDEFENSE Vulnerability Contributor Program http://www.verisigninc.com/en_US/cyber- security/index.xhtml • Started in 2003 • Incomplete listing • No announcement of upcoming advisories • No CVSSv2 support • No search capabilities • No RSS feed • All old links are broken since Zero Day Initiative http://www.zerodayinitiative.com • Provide announcement for upcoming advisories • Provide CVSSv2 Base Scores • RSS feeds available • No search capabilities
  • 20. Sources | Vuln Contributors: Rating Project  Listing (howvisible) Search (howsearchable) Handling (howergonomic) TechDetails (howdetailed) RiskRating (howmeasured) CVSS Base CVSS Temporal CVE RSS Total iDEFENSE Vulnerability Contributor Program http://www.verisigninc.com/en_US/cyber-security/index.xhtml 3 0 3 2 0 0 0 3 0 11 Zero Day Initiative http://www.zerodayinitiative.com 3 0 3 2 0 3 0 3 3 17  3.0 0.0 3.0 2.0 0.0 1.5 0.0 3.0 1.5
  • 21. Sources | Vuln Contributors: Conclusion ◦ Only 2 major players ◦ They are quite similar in most aspects ◦ Zero Day Initiative has 2 advantages of CVSSv2 and RSS support ◦ More competition might increase quality area41 2014 21
  • 22. Interpretation | How to Analyze ◦ The basic approach of processing a source is simple: 1. Check source for new entries 2. Review source entry 3. Add necessary data to database 1. If entry is available → Update existing entry 2. If entry is not available → Create new entry 3. If source is false-positive → Ignore entry and flag for future reference 4. Goto 1 area41 2014 22
  • 23. Interpretation | MITRE CVE as an Example cve description advisory cert vu software
  • 24. Interpretation | MITRE CVE as an Example: What Is missing? ◦ What’s missing on a MITRE CVE entry? ◦ Disclosure date ◦ Exact naming of vulnerability class ◦ Risk rating ◦ Person responsible for disclosure ◦ Detailed mitigation/countermeasure ◦ … area41 2014 24
  • 25. Interpretation | OSVDB as an Example cve sectracker product version description date exploit news
  • 26. Interpretation | Contradicting Conventions (Disclosure Date) 02/19/2014 02/26/2014
  • 27. Interpretation | Contradicting Conventions (Disclosure Date) CVE-2014-2284 net-snmp 5.7.1 on Linux ICMP-MIB Denial of Service 02/19/2014 02/20/2014 02/21/2014 02/22/2014 02/23/2014 02/24/2014 02/25/2014 02/26/2014 02/27/2014 ... 03/24/2014 SourceForge ReleaseNote SecFocus SecTracker VulDB OSVDB Secunia RedHat Our definition of a (public) disclosure date: The earliest known date to disclose an issue to the public in an unrestricted way. (we’re going to adopt a more differentiated approach in the near future) 03/05/2014oss-security ...CVE
  • 28. Interpretation | Put the Different Pieces Together VDB  Product Version VulnClass Disclosure Date Advisory URL Attack Context Exploit Solution VulnDB Sources Misc. Links Total CERT VU http://www.kb.cert.org/vuls/ 3 2 3 2 3 3 1 3 0 1 21 Exploit-DB http://www.exploit-db.com 3 2 2 2 2 1 3 1 1 0 17 IBM X-Force http://xforce.iss.net 3 2 2 3 2 3 1 2 2 2 22 NIST NVD http://nvd.nist.gov 2 2 3 0 3 1 1 1 3 3 19 MITRE CVE http://cve.mitre.org 2 2 2 0 3 1 1 1 3 3 18 OSVDB http://www.osvdb.org 3 3 3 3 3 3 3 3 3 3 30 Secunia http://secunia.com/community/advisories/historic/ 2 2 2 2 3 1 1 2 0 0 15 SecurityFocus http://www.securityfocus.com/bid 3 3 3 3 2 1 2 2 0 1 20 SecurityTracker http://securitytracker.com 3 3 3 1 2 3 1 3 0 1 20 scip VulDB http://www.scip.ch/en/?vuldb 3 3 3 3 3 3 3 3 3 3 30  2.7 2.4 2.6 1.9 2.6 2.0 1.7 2.1 1.5 1.7
  • 29. Sources | Vulnerability Databases: Conclusion ◦ OSVDB provides the best collection of data ◦ Secunia provides the worst collection of data ◦ SecurityFocus and Secunia usually don’t provide context ◦ X-Force, SecurityTracker and Secunia don’t provide exploit details ◦ SecurityTracker and Secunia have confusing disclosure dates ◦ SecurityFocus, SecurityTracker and Secunia don’t link to other VDB area41 2014 29
  • 30. Correlation | That's Why You Have to Correlate ◦ Approach ◦ Merge different sources ◦ Compare similar data points ◦ Identify and verify contradictions ◦ Dangers ◦ Duplicates: Come up with annoying inconsistency ◦ Merges: Come up with dangerous mashups area41 2014 30
  • 31. Correlation | Now Things Are Getting Tricky ◦ Sometimes vulnerabilities can’t be identified individually ◦ CVE helps a lot! But not every vulnerability (immediately) has a CVE number ◦ Some sources merge vulnerabilities into one entry ◦ Vendors do this within their patch release notes or patch days ◦ Secunia tends to compile different vulnerabilities of the same day or patch generation into one entry (e.g. 58519). SecurityFocus does it sometimes (e.g. 67553) and so does SecurityTracker in some cases (e.g. 1030269). ◦ Vulnerabilities with very few technical details often can’t be distinguished from similar vulnerabilities (e.g. Apple HT6145: no info available, but CVE assigned) area41 2014 31
  • 32. Correlation | Keep Track, Detect Collisions ◦ Keep track of your sources and the entries already reviewed ◦ Verify that every new entry is really new and not just a duplicate or a minor fork of an existing entry. This is a very underestimated task! ◦ We do that with collision detection ◦ Compare new values with existing values of other entries (e.g. URLs, IDs, references). If there is a specified level of matches, we have to check for a duplicate. ◦ Our reference maps help to distinguish. Projects like vFeed support this very good. [https://github.com/toolswatch/vFeed/] area41 2014 32
  • 33. Correlation | To Split or Not to Split Parameter → 5 entries File → 4 entries Component → 3 entries Vuln Class → 2 entries Advisory/Patch → 1 entry Advisory #VA42 Cross Site Scripting User Auth login.php login_user login_pass News Portal news.php news_id archive.php news_year SQL Injection Board forum.php post_id area41 2014 33
  • 34. Correlation | Split Example (MS Patch Day, IE Vuls, Feb 2014) VulDB (vuln split) SecFocus* (vuln split) CVE (vuln split) Secunia (combined) Microsoft (combined) MS14-010 SA56796 CVE- 2014-0267 BID 65361 SID 12242 CVE- 2014-0268 BID 65392 SID 12239 … … … CVE- 2014-0293 BID 65394 SID 12241 area41 2014 34 * SecurityFocus often combines (e.g. BID 67553)
  • 35. Correlation | Unwanted Split (cPanel, Dec 2013) ◦ TSR 2013-0011, http://cpanel.net/tsr-2013-0011-full-disclosure/ ◦ 12/18/2013 cPanel WHM Reseller Login Handler Cookie information disclosure ◦ 12/18/2013 cPanel WHM Login Security Handler Token information disclosure ◦ 12/18/2013 cPanel WHM Branding Subsystem privilege escalation ◦ 12/18/2013 cPanel WHM usr/local/cpanel/share/counter privilege escalation ◦ 12/18/2013 cPanel WHM Daily Process Log Screen Stored cross site scripting ◦ 12/18/2013 cPanel WHM cPAddons Upgrade Handler Password information disclosure ◦ 12/18/2013 cPanel WHM Edit DNS Zone Interface information disclosure ◦ 12/18/2013 cPanel WHM SSH Authentication Handler privilege escalation ◦ 12/18/2013 cPanel WHM X3 Theme countedit.cgi Directory Traversal ◦ 12/18/2013 cPanel WHM Bandmin passwd privilege escalation ◦ 12/18/2013 cPanel WHM cpsrvd Bypass privilege escalation ◦ 12/18/2013 cPanel WHM Bandmin Reflected cross site scripting ◦ 12/18/2013 cPanel WHM API Call Handler UI::dynamicincludelist Directory Traversal ◦ 12/18/2013 cPanel WHM Database Handler privilege escalation ◦ 12/18/2013 cPanel WHM Backup Archive Handler privilege escalation ◦ 12/18/2013 cPanel WHM Config Handler Cross Site Request Forgery ◦ 12/18/2013 cPanel WHM Translatable Phrase Handler Locale::Maketext privilege escalation ◦ 12/18/2013 cPanel WHM CSRF Protection Bypass Cross Site Request Forgery ◦ 12/18/2013 cPanel WHM cross site scripting ◦ 12/18/2013 cPanel WHM Logaholic Session File Handler /tmp privilege escalation ◦ 12/18/2013 cPanel WHM Virtualhost Installation Handler privilege escalation area41 2014 35
  • 36. Correlation | Split Pros and Cons ◦ Advisory / Patch ◦ Few entries ◦ Good for overview ◦ Good for patch management ◦ Vulnerability ◦ Some entries ◦ Possible splits for 3rd party components ◦ Element ◦ A lot of entries ◦ Good for statistical analysis area41 2014 36
  • 37. Quality | How to Provide the Best? ◦ Try to verify statements from researchers, vendors and vulnerability database maintainers ◦ Check for plausibility ◦ Verify from other sources ◦ Re-test within a lab ◦ Eliminate wrong statements ◦ Delete false entries ◦ Preserve false entries (prefered by CVE, SecurityFocus) ◦ Add further explanations ◦ Flag (prefered by OSVDB, scip VulDB) ◦ advisory_disputed=1 (e.g. scipID 13305, 13000, 12643) ◦ advisory_reportconfidence=UR (CVSSv2 temp score metric) ◦ Try to find and compile additional details area41 2014 37
  • 38. Extrapolation | Versions of Affected Software ◦ Exact Version ◦ Internet Explorer 10 → X-Force, OSVDB, SecFocus, Secunia, VulDB ◦ Wildcards ◦ Internet Explorer 6.x → Secunia, SecFocus, SecTracker, VulDB ◦ Ranges ◦ Internet Explorer 8 – 10 → Secunia, CVE ◦ Internet Explorer prior 10 → SecurityTracker, Secunia ◦ Internet Explorer before 10 → CVE ◦ Internet Explorer up to 10 → VulDB ◦ Internet Explorer 8 and later → SecurityTracker area41 2014 3810 119876 10 up to 10 8 to 10 Internet Explorer Versions before 10 …
  • 39. Extrapolation | What about The Unknown? ◦ Try to guess. Examples: ◦ «IE prior 9» → 6 – 9 ◦ «IE prior 11» → 7 – 10 ◦ Research and validate yourself ◦ A lot of work ◦ We combine with other projects (research or pentest) ◦ We enforce very important or interesting vulnerabilities ◦ Be quiet area41 2014 39
  • 40. Delivery | Chose your Channels ◦ Web Site ◦ Mail ◦ RSS ◦ Widgets ◦ Facebook ◦ Twitter ◦ LinkedIn ◦ App ◦ … area41 2014 40
  • 41. Statistics | Comparing Apples and Oranges ◦ Doing some statistics is easy. Doing it the right way is hard. Some say it is even impossible. [http://blog.osvdb.org/category/vulnerability-statistics/] ◦ Counting vulnerabilities doesn’t say anything: ◦ Weak code leads to a lot of vulnerabilities ◦ Complexity leads to a lot of vulnerabilities ◦ Popularity leads to a lot of vulnerabilities ◦ Bug bounty programs lead to a lot of vulnerabilities ◦ Open disclosure process leads to a lot of vulnerabilities ◦ We still provide statistical raw data and expect the viewers to think about it area41 2014 41
  • 42. Statistics | Timelines Are Interesting ◦ Our timelines consist of multiple data points ◦ vulnerability_introduction_date ◦ vulnerability_discovery_date ◦ vulnerability_vendorinform_date ◦ advisory_date ◦ advisory_confirm_date ◦ exploit_date ◦ countermeasure_date ◦ source_cve_assigned ◦ source_secunia_date ◦ source_nessus_date ◦ entry_timestamp_create ◦ entry_timestamp_update Example Heartbleed [CVE-2014-0160] area41 2014 42
  • 43. Statistics | Timelines Trivia (excerpt from 2014) ◦ [CVE-2014-0160] OpenSSL TLS/DTLS Heartbeat information disclosure got introduced in 01/01/2012 and fixed in 04/07/2014 ◦ existed 827 days ◦ [CVE-2014-0179] libvirt XML Entity Expansion Handler denial of service got introduced in 12/23/2009 and fixed in 05/06/2014 ◦ existed 1.595 days ◦ [CVE-2014-3122] Linux Kernel try_to_unmap_cluster() denial of service got introduced in 10/19/2008 and fixed in 04/10/2014 ◦ existed 1.996 days ◦ [CVE-2014-3460] Novell NetIQ Sentinel Agent Manager directory traversal vendor got informed in 09/04/2013 but did not respond until 05/19/2014 ◦ Novell ignored grace period of 257 days area41 2014 43
  • 44. Accessibility | Choose Additional Representation ◦ To allow users to work with your data, it might be the best way to provide additional forms of representation: ◦ SQL ◦ XML ◦ JSON ◦ CSV ◦ CVRF [http://www.icasi.org/cvrf] area41 2014 44
  • 45. Connectivity | Use Data for Vuln Scanning ◦ We are able to construct specific requests with our fields software_argument and software_input_value to create test cases and exploits (very simple for web-based vulns) ◦ Because of the fields software_* we are able to provide CPE lists [http://cpe.mitre.org/], which can be matched with tools like Nmap. Random examples: ◦ ID 12313 → cpe:/a:sap:netweaver:7.30 ◦ ID 12802 → cpe:/o:cisco:ios:15.4(1.1)t ◦ ID 13306 → cpe:/a:microsoft:internet_explorer:8 area41 2014 45
  • 46. Outro | Summary ◦ Vulnerability databases help to manage vulnerabilities ◦ Different sources allow to collect a broad amount of issues ◦ Every source has some advantages and disadvantages ◦ Compiling and maintaining vulnerabilities takes a lot of effort ◦ Making your data accessible helps others area41 2014 46
  • 47. Outro | Thank You ◦ I‘d like to thank a bunch of people which helped to discuss the many interesting aspects of vulnerability database management: ◦ Stefan Friedli, scip AG ◦ Steven M. Christey, MITRE area41 2014 47
  • 49. Security Is Our Business! scip AG Jakob-Fügli-Strasse 18 CH-8048 Zürich Tel +41 44 404 13 13 Fax +41 44 404 13 14 Mail info@scip.ch Web http://www.scip.ch Twitter http://twitter.com/scipag  Strategy | Consulting  Auditing | Testing  Forensics | Analysis area41 2014 49