PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
Download as PPTX, PDF3 likes767 views
The document discusses the challenges in vulnerability management, highlighting issues such as poorly described vulnerabilities, incomplete knowledge bases, and challenges in detection mechanisms. It emphasizes the importance of using multiple sources and scanners for evaluating vulnerabilities and suggests that understanding and analyzing vulnerability descriptions is crucial. Additionally, it notes the complications that arise from significant vulnerabilities, like those associated with the chip apocalypse, and calls for a comprehensive approach to vulnerability management.
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
- 1. Vulnerability Databases: sifting thousands tons of verbal ore May, 2018
- 2. 2 #whoami Alexander Leonov Lead security analyst at 6+ years at Vulnerability Management vendor Security Automation Blog at avleonov.com
- 3. Problems 3 Poorly described vulnerabilities in Vulnerability Databases Incomplete Knowledge Bases of Vulnerability Scanners Imperfections in Vulnerability Detection mechanisms Declared and real-life Vulnerability Management processes
- 4. Public Vulnerability Databases 4 Each vulnerability in each product One vulnerability - one ID Vulnerabilities in some / their own products There may be entities "multiple vulnerabilities in product N", usually fixed by single patch RHSACVE DSA Individual Vulnerabilities Security Bulletins
- 5. Commercial Vulnerability Scanners and Aggregators Public Vulnerability Databases 5 Individual Vulnerabilities BDU Fstec JVN Security Bulletins KB, MS USNCESA Government RHSA DSA MFSA All software in repository Open and formalized detection rules
- 6. Databases of Individual Vulnerabilities 6 Full coverage Trash Incomplete coverage Only critical Bug Feature Vulnerability
- 7. Everything is linked by CVE 7 CVSS, CPE Vendor’s Bug Exploit DBs Media Advisory id remediation strategy CERTs … … …
- 8. How to evaluate criticality? 8 CVSS (Common Vulnerability Scoring System) CWE (Common Weakness Enumeration) Textual description of the vulnerability Links to exploits Links to malicious software Exploitability flags in Vulnerability Scan reports
- 10. 10 Link Link type CWE CPE Vulnerabilities in NVD
- 11. 11 CVSS vector Publicly available Unavailable and constantly changing It is necessary to evaluate it by yourself
- 12. 12 CWE IDs in NVD
- 13. 13 Interesting CWE IDs CWE-94 'Code Injection' CWE-95 'Eval Injection' CWE-400 'Resource Exhaustion'
- 14. 14 CWE is used in a strange way CWE Name Amount CWE-119 Buffer Errors 9516 CWE-79 Cross-Site Scripting (XSS) 7920 CWE-264 Permissions, Privileges, and Access Control 6021 CWE-20 Input Validation 4896 CWE-89 SQL Injection 4552 CWE-200 Information Leak / Disclosure 4196
- 15. 15 CWE is used in a strange way It is better to analyze the description
- 16. 16 CPE is good when it was set correctly
- 17. CPE statistics. What does it show? Anything? 17 Top 20 Products By Total Number Of Vulnerabilities in NVD • Poorly written software? • Popular products that are more often analyzed? • Products of some responsible vendor who lists all vulnerabilities publicly? …
- 18. CPE statistics. What does it show? Anything? 18 Top 20 Vendors By Total Number Of Vulnerabilities in NVD • Poorly written software? • Popular products that are more often analyzed? • Products of some responsible vendor who lists all vulnerabilities publicly? …
- 19. 19 Information about vulnerability comes from the vendor https://securityadvisories.paloaltonetworks.com/Home/Detail/94 https://bdu.fstec.ru/vul/2017-02120
- 20. 20 Information about vulnerability comes from the vendor https://securityadvisories.paloaltonetworks.com/Home/Detail/91 https://bdu.fstec.ru/vul/2017-02237
- 21. 21 Certificate cancellation Банк данных угроз безопасности информации https://fstec.ru/en/napisat-razrabotchiku/64-normotvorcheskaya/informatsionnye-i-analiticheskie- materialy/1516-informatsionnoe-soobshchenie-fstek-rossii-ot-1-fevralya-2018-g-n-240-24-554 …
- 22. 22 “Упомянутые сертификаты 2012 года кончаются в апреле 2018 года. Они настолько старые, что относятся к устройствам, которые уже даже не выпускаются: 2000 и 4000 серия, ну и версия операционной системы уже далеко не 4.0, а 8.0.” “Чтобы продлить эти сертификаты нужно было снова показать исходный код, а делать это для сертификатов которые кончаются через 2 месяца - неэффективно. Поэтому офис Palo Alto Networks сконцентрирован на получении новых сертификатов на новые устройства и на новую операционную систему.” https://www.securitylab.ru/blog/personal/Morning/343440.php# Certificate cancellation
- 23. From Vulnerability Database to Vulnerability Scanner 23 Vulnerability Base advisories exploits metrics + Detection Rules & Plugins + Transports Vulnerability Scanner CVSS, CPE Vendor’s Bug Exploit DBs Media Advisory id remediation strategy CERTs … … … parsers
- 24. Typical Vulnerability Scanner 24 IPs Task Results Tasks Reports Dynamics
- 25. 25 Vulnerability Detection Asset Service Vulnerability Hostname / IP cpe:/a:drupal:drupal:7.32 CVE-2018-7600 Data Gathering Assessment Version-based • Without authorization (service banners) Backported patches =(
- 26. 26 Asset Service Vulnerability Hostname / IP Drupal7-7.32-1+deb8u10 DSA-4156, CVE-2018-7600 Data Gathering Assessment Version-based • With authorization (packages, registry, files) Need credentials or agent =( You need to trust the scanner =( Vulnerability Detection
- 27. 27 Something is already working asset_id == 'asset_98UNJ4K' | type == 'vulnerability' | bulletinFamily == 'NVD' Search queries inspired by Splunk (or Bash):
- 28. 28 With exploitation attempt Not for all vulnerabilities it can be done =( It's hard to do =( Potentially dangerous =( Vulnerability Detection
- 29. 29 Are all Vulnerability Scanners the same? A Platforms (OSes) x B Software Vendors making products for Platform x C Products made by each Software Vendor x D Vulnerabilities in each Product x E Vulnerability detection methods (authenticated and unauthenticated) Knowledge Base of Vulnerability Scanner
- 30. 30 CVE-based comparison *based on data ALL CVEs in NVD: 104794 2018 CVEs in NVD: 2373
- 32. 32https://blog.qualys.com/news/2018/02/27/recline-on-the-qualys-couch-examining-patching-behavior Recline on the Qualys Couch: Examining Patching Behavior Real Vulnerability Management processes
- 33. 33 Tragicomedy of Chip Apocalypse Spectre CVE-2017-5753 CVE-2017-5715 Meltdown CVE-2017-5754 January 03, 2018 Vulnerabilities became public
- 34. 34 January 03-04, 2018 VM vendors: update immediately Tragicomedy of Chip Apocalypse
- 35. 35 January 09, 2018 Microsoft: Windows7 Blue screen after KB4056894 Tragicomedy of Chip Apocalypse
- 36. 36 January 10, 2018 Ubuntu: Kernel doesn’t boot Tragicomedy of Chip Apocalypse
- 37. 37 January 23, 2018 Intel: don't use our patches Tragicomedy of Chip Apocalypse
- 38. 38 March 29, 2018 Microsoft: patches created even more critical vulnerability Spectre CVE-2017-5753 CVE-2017-5715 Base Score:7.3, 6.5* Meltdown CVE-2017-5754 Base Score: 5.6* Windows 7 or Server 2008 R2 + applied Microsoft's Meltdown patches => CVE-2018-1038 "Windows Kernel Elevation of Privilege Vulnerability." (Base Score: 7.8*) * CVSS v.3 xforce.ibmcloud.com … Tragicomedy of Chip Apocalypse. Stay tuned.
- 39. 39 April 05, 2018 Intel: we won’t patch some of its older processors against Meltdown and Spectre Tragicomedy of Chip Apocalypse. Stay tuned.
- 40. What should we do with this all? 40 Use multiple sources of data about Vulnerabilities, Exploits and Malware Use multiple Vulnerability Scanners (don’t rely on them too much) Use various methods of Vulnerability Detection Develop of your own tools
- 41. Questions? me@avleonov.com 41 Thanks for your attention!