SlideShare a Scribd company logo

Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities

Marc Ruef, profile picture
Marc Ruef

This document discusses the design and maintenance of a vulnerability database. It outlines important considerations for the design such as what information to include in each entry and prioritizing which details are most important to collect. It also evaluates different sources of vulnerability data like databases, vendor advisories, and vulnerability contributors. Key factors discussed include coverage, speed of updates, visibility of listings, inclusion of technical details and risk ratings.

Data & AnalyticsTechnology
Related topics:
Information Security
1 of 49
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
id entry_timestamp_queue entry_timestamp_create entry_timestamp_change entry_maintainer_queue entry_maintainer_create entry_maintainer_change entry_changelog entry_smss software_type software_vendor software_name software_version software_platform software_component software_file software_library software_function software_argument software_input_type software_input_value software_website software_affectedlist software_advisoryquote software_freetext_de software_freetext_en vulnerability_discoverydate vulnerability_vendorinformdate vulnerability_class vulnerability_impact vulnerability_risk vulnerability_simplicity vulnerability_popularity vulnerability_historic vulnerability_cvss_av vulnerability_cvss_ac vulnerability_cvss_au vulnerability_cvss_ci vulnerability_cvss_ii vulnerability_cvss_ai vulnerability_titleword vulnerability_keywords vulnerability_sourcecode vulnerability_advisoryquote vulnerability_freetext_de vulnerability_freetext_en advisory_date advisory_location advisory_type advisory_url advisory_via advisory_identifier advisory_reportconfidence advisory_coordination advisory_person_name advisory_person_nickname advisory_person_mail advisory_person_website advisory_company_name advisory_confirm_url advisory_confirm_date advisory_disputed advisory_advisoryquote advisory_freetext_de advisory_freetext_en exploit_availability exploit_date exploit_publicity exploit_url exploit_developer_name exploit_developer_nickname exploit_developer_mail exploit_developer_website exploit_language exploit_exploitability exploit_reliability exploit_wormified exploit_googlehack exploit_advisoryquote exploit_sourcecode exploit_freetext_de exploit_freetext_en countermeasure_remediationlev countermeasure_name countermeasure_date countermeasure_reliability countermeasure_upgrade_vers countermeasure_upgrade_url countermeasure_patch_name Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities Marc Ruef www.scip.ch area41 Security Conference June 2014, Zürich, Switzerland
Agenda | Vulnerability Database Maintenance 1. Intro Introduction 2 min Who am I? 2 min What is the Goal? 2 min 2. Vulnerability Database Maintenance Design the Database 5 min Handling of Sources 4 min Interpretation of Data 4 min Correlation of Data 4 min Quality Management 5 min Extrapolation of Data 5 min Deliver your Results 5 min Statistical Analysis 5 min Provide Accessibility 5 min Use Connectivity 5 min 3. Outro Summary 2 min Questions 5 min area41 2014 2/34
Introduction | Who Am I? Name Marc Ruef Job Co-Owner / CTO, scip AG, Zürich Private Website http://www.computec.ch Last own Book „The Art of Penetration Testing“, Computer & Literatur Böblingen, ISBN 3-936546-49-5 Translation area41 2014 3/34 2013 2007 20022004
Introduction | What Is a Vulnerability Database? ◦ What? ◦ A database collecting vulnerabilities ◦ Why? ◦ To do vulnerability management ◦ What is vulnerable? ◦ What is to patch? ◦ To do statistical analysis ◦ Costs of patch management ◦ Robustness of products area41 2014 4
Introduction | scip VulDB Looks like This (Overview) area41 2014 5
Introduction | scip VulDB Looks like This (Detail) area41 2014 6
Design | What Should Your Vulnerability Database Do? ◦ How much? ◦ Full coverage ◦ Selective collection ◦ Inventory-only ◦ Vendor-selection ◦ Importance threshold ◦ Fixed only ◦ For whom? ◦ Everyone ◦ Public service ◦ Advertisement ◦ Customers ◦ Vulnerability management service ◦ Alerting service ◦ Tools ◦ Internal Use ◦ Knowledge-base ◦ For pentesters ◦ For administrators area41 2014 7
Design | What Is an Entry? ◦ A VDB entry consists of different elements. Minimal elements usually are: ◦ ID 12413 ◦ Title Linux Low-Address Protection Denial of Service ◦ Disclosure Date 02/21/2014 ◦ Description A vulnerability, classified as (…) ◦ Risk Rating problematic ◦ References CVE-2014-2039, BID 65700, … area41 2014 8
Design | Details Are Cool… ◦ Entry ◦ Software ◦ … ◦ Vulnerability ◦ … ◦ Advisory ◦ … ◦ Exploit ◦ Availability → yes|no ◦ Publicity → public|private ◦ Disclosure Date → yyyyMMdd ◦ Developer → $name ◦ Language → Ruby|Python|C|… ◦ Reliability → low|medium|high ◦ … ◦ Countermeasure ◦ … ◦ Sources ◦ … ◦ Tools ◦ … ◦ Misc ◦ … area41 2014 9
Design | But Details Take Time! ◦ We have compiled more than 13’400 entries since 2003 ◦ A scip VulDB entry consists of ~150 possible data points ◦ We rate data points to prioritize: ◦ Important = 33 (must be processed if available) ◦ Normal = 32 (shall be processed) ◦ Optional = 85 (can be processed, if you have «too much time») ◦ Statistical analysis of defined data points over all entries: ◦ Average = 49.92 ◦ Min = 26 ◦ Max = 90 ◦ We currently add ~15 new entries per day (work-days only) area41 2014 10
Sources | Possible Sources ◦ Vulnerability databases ◦ Vulnerability contributors (iDefense VCP, HP ZDI) ◦ Infosec mailinglists ◦ Vendor mailinglists ◦ Vendor advisories ◦ Code repositories ◦ News ◦ Blogs ◦ Social networks (e.g. Twitter, G+, LinkedIn) ◦ Friends, colleagues, co-workers, … area41 2014 11
Sources | Vulnerability Databases: Advantages and Disadvantages VDB  Pros Cons IBM X-Force http://xforce.iss.net • Good coverage • CVSSv2 base scores • CVSSv2 temporal scores • CVE support • Sometimes a bit slow (2-3 updates per week) • «Arbitrary» listing (default view: 5 entries, no backlog) • No RSS feed OSVDB http://www.osvdb.org • Very quick (daily updates) • Best coverage (everything!) • CVSSv2 base scores (via MITRE) • CVE support • No listing (since Feb 2014) • No own risk rating (CVSSv2 only) • No RSS feed (since 2012) Secunia http://secunia.com/community /advisories/historic/ • Good coverage • Good listing (default view: 25 entries) • CVE support • Login required (since Apr 2014) • Some details for paying customers only • Combining multiple vulnerabilities in one entry (by release/patch) • They don’t like other projects (they forbade to use their listing for vulscan.nse in 2013) • No RSS feed • No CVSSv2 scores SecurityFocus http://www.securityfocus.com/ bid • Good coverage • CVE support • Listing also shows updated entries (default view: 31 entries) • Site is slow • Data for an entry is spread over 5 sub- pages • No CVSSv2 scores SecurityTracker http://securitytracker.com • Sometimes quite quick • Simple listing (default view: 5 entries) • CVE support • Selective coverage (popular products only) • No CVSSv2 scores
Sources | Evaluation Rating Introduction ◦ Criteria are those we think are important ◦ We have addressed them as far as possible in our project (because of this prioritization) ◦ Rating is as fair as possible ◦ You might rate a bit differently Description Rating Feature is supported: always/fully 3 Feature is supported: often/partially 2 Feature is supported: sometimes/somehow 1 Feature is never/not supported 0
Sources | Vulnerability Databases: Rating VDB  Coverage (howmuch) Quickness (howfast) Listing (howvisible) Search (howsearchable) Handling (howergonomic) TechDetails (howdetailed) RiskRating (howmeasured) CVSS Base CVSS Temporal CVE Feeds (howaccessible) Total CERT VU http://www.kb.cert.org/vuls/ 1 3 3 2 2 3 0 3 3 3 3 26 Exploit-DB http://www.exploit-db.com 1 3 3 3 2 2 0 0 0 3 3 20 IBM X-Force http://xforce.iss.net 3 1 1 1 2 2 0 3 3 3 0 19 NIST NVD http://nvd.nist.gov 2 1 3 3 2 2 0 3 0 3 3 22 MITRE CVE http://cve.mitre.org 2 1 3 2 2 2 0 0 0 3 2 17 OSVDB http://www.osvdb.org 3 3 0 2 2 2 0 2 0 3 0 17 Secunia http://secunia.com/community/advisories/historic/ 3 2 3 3 2 2 3 0 0 3 0 21 SecurityFocus http://www.securityfocus.com/bid 3 2 2 2 1 2 0 0 0 3 0 15 SecurityTracker http://securitytracker.com 1 2 3 2 3 2 0 0 0 3 0 16 scip VulDB (rating ourselves comes with bias) http://www.scip.ch/en/?vuldb 2 2 3 2 3 3 3 3 3 3 3 30  2.1 2.0 2.4 2.2 2.1 2.2 0.6 1.4 0.9 3.0 1.4
Sources | Vulnerability Databases: Conclusion ◦ Being quick is not easy ◦ Technical details range from bad to good ◦ CVSS scores are pretty unpopular, especially «temporal scores» ◦ CVE has been established as the de facto standard (nice!) ◦ You can’t compare CERT VU, Exploit-DB, NIST NVD and MITRE CVE with anything else ◦ Exploit-DB inherits abstraction from researchers and is not self- consistent ◦ Secunia and SecurityFocus are very similar in many aspects ◦ X-Force and SecurityTracker remain pretty unpopular ◦ The «O» in OSVDB does not stand for «open» anymore ◦ Some features have been broken for ages (e.g. search on OSVDB and X-Force) ◦ Not everyone is a big fan of feeds area41 2014 15
Sources | Vendor Advisories: Advantages and Disadvantages Vendor  Pros Cons Adobe http://helpx.adobe.com/security. html • Product-related listing • Some technical details • Priority rating • CVE support • Advisory per release/upgrade • No RSS feed Apple • Simple technical details • CVE support • No risk rating • No CVSSv2 scores • No listing • Advisory per release/upgrade • No RSS feed Cisco https://tools.cisco.com/security/c enter/publicationListing.x • Advisory listing • Advisory per vulnerability • Sometimes additional technical details • CVSSv2 base scores • CVE support • Technical details with login only • Some details for customers only • No RSS feed Google • CVE support • No listing • Advisory per release/upgrade • Technical details with auth only • No risk rating • No CVSSv2 scores • No RSS feed Microsoft http://technet.microsoft.com/sec urity/advisory • Some technical details • Listing (default view: 5 entries) • RSS feed • Patch day collection (2nd Tuesday of each month) • Severity rating • No CVSSv2 scores Oracle http://www.oracle.com/technetwo rk/topics/security/alerts- 086861.html • Simple listing • CVSSv2 base scores • CVE support • Patch day collection (quarterly) • No technical details • No RSS feed
Sources | Vendor Advisories: Rating Vendor VulnID (howunique) Frequency (howfast) Listing (howvisible) TechDetails (howdetailed) Risk (howmeasured) CVSS Base CVSS Temporal CVE RSS Total FortiGuard http://www.fortiguard.com/advisory/ 3 3 3 3 3 0 0 3 3 21 Symantec http://www.symantec.com/security_response/securityupdates/list.jsp 3 3 3 3 0 3 0 3 3 21 Microsoft http://technet.microsoft.com/security/advisory 3 2 3 3 3 0 0 3 3 20 Checkpoint https://www.checkpoint.com/defense/advisories/public/summary.html 3 2 3 2 3 0 0 3 3 19 Cisco https://tools.cisco.com/security/center/publicationListing.x (details auth only) 3 3 3 3 0 3 0 3 0 18 Oracle http://www.oracle.com/technetwork/topics/security/alerts-086861.html 1 1 3 1 3 3 0 3 3 18 Adobe http://helpx.adobe.com/security.html 3 3 3 2 2 0 0 3 0 16 HP https://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive 3 3 3 1 0 3 0 3 0 16 SAP https://service.sap.com/sap/support/notes/ (auth only) 3 3 3 2 3 2 0 0 0 16 D-Link http://securityadvisories.dlink.com/security/ 3 3 2 2 0 0 0 2 0 12 Google http://www.google.com (details auth only) 3 3 1 2 0 0 0 3 0 12 Apple http://www.apple.com 1 2 1 1 0 0 0 3 0 8  2.66 2.58 2.58 2.08 1.41 1.16 0.0 2.66 1.25
Sources | Vendor Advisories: Conclusion ◦ Some vendors have really ugly advisory URLs ◦ Technical details range from bad to good ◦ CVSS scores are pretty unpopular, especially «temporal scores» ◦ Own risk ratings are also unpopular, because they are hard ◦ Nearly everybody likes CVE ◦ Microsoft and Oracle handle things better than it felt ◦ Juniper has a field «Last Updated» but no «Disclosure Date» ◦ SAP is very restrictive with information for non-customers, which introduces a severe disadvantage (VDB’s can’t categorize them, which decreases visibility) ◦ Vendors aren’t big fans of RSS feeds either area41 2014 18
Sources | Vuln Contributors: Advantages and Disadvantages Project  Pros Cons iDEFENSE Vulnerability Contributor Program http://www.verisigninc.com/en_US/cyber- security/index.xhtml • Started in 2003 • Incomplete listing • No announcement of upcoming advisories • No CVSSv2 support • No search capabilities • No RSS feed • All old links are broken since Zero Day Initiative http://www.zerodayinitiative.com • Provide announcement for upcoming advisories • Provide CVSSv2 Base Scores • RSS feeds available • No search capabilities
Sources | Vuln Contributors: Rating Project  Listing (howvisible) Search (howsearchable) Handling (howergonomic) TechDetails (howdetailed) RiskRating (howmeasured) CVSS Base CVSS Temporal CVE RSS Total iDEFENSE Vulnerability Contributor Program http://www.verisigninc.com/en_US/cyber-security/index.xhtml 3 0 3 2 0 0 0 3 0 11 Zero Day Initiative http://www.zerodayinitiative.com 3 0 3 2 0 3 0 3 3 17  3.0 0.0 3.0 2.0 0.0 1.5 0.0 3.0 1.5
Sources | Vuln Contributors: Conclusion ◦ Only 2 major players ◦ They are quite similar in most aspects ◦ Zero Day Initiative has 2 advantages of CVSSv2 and RSS support ◦ More competition might increase quality area41 2014 21
Interpretation | How to Analyze ◦ The basic approach of processing a source is simple: 1. Check source for new entries 2. Review source entry 3. Add necessary data to database 1. If entry is available → Update existing entry 2. If entry is not available → Create new entry 3. If source is false-positive → Ignore entry and flag for future reference 4. Goto 1 area41 2014 22
Interpretation | MITRE CVE as an Example cve description advisory cert vu software
Interpretation | MITRE CVE as an Example: What Is missing? ◦ What’s missing on a MITRE CVE entry? ◦ Disclosure date ◦ Exact naming of vulnerability class ◦ Risk rating ◦ Person responsible for disclosure ◦ Detailed mitigation/countermeasure ◦ … area41 2014 24
Interpretation | OSVDB as an Example cve sectracker product version description date exploit news
Interpretation | Contradicting Conventions (Disclosure Date) 02/19/2014 02/26/2014
Interpretation | Contradicting Conventions (Disclosure Date) CVE-2014-2284 net-snmp 5.7.1 on Linux ICMP-MIB Denial of Service 02/19/2014 02/20/2014 02/21/2014 02/22/2014 02/23/2014 02/24/2014 02/25/2014 02/26/2014 02/27/2014 ... 03/24/2014 SourceForge ReleaseNote SecFocus SecTracker VulDB OSVDB Secunia RedHat Our definition of a (public) disclosure date: The earliest known date to disclose an issue to the public in an unrestricted way. (we’re going to adopt a more differentiated approach in the near future) 03/05/2014oss-security ...CVE
Interpretation | Put the Different Pieces Together VDB  Product Version VulnClass Disclosure Date Advisory URL Attack Context Exploit Solution VulnDB Sources Misc. Links Total CERT VU http://www.kb.cert.org/vuls/ 3 2 3 2 3 3 1 3 0 1 21 Exploit-DB http://www.exploit-db.com 3 2 2 2 2 1 3 1 1 0 17 IBM X-Force http://xforce.iss.net 3 2 2 3 2 3 1 2 2 2 22 NIST NVD http://nvd.nist.gov 2 2 3 0 3 1 1 1 3 3 19 MITRE CVE http://cve.mitre.org 2 2 2 0 3 1 1 1 3 3 18 OSVDB http://www.osvdb.org 3 3 3 3 3 3 3 3 3 3 30 Secunia http://secunia.com/community/advisories/historic/ 2 2 2 2 3 1 1 2 0 0 15 SecurityFocus http://www.securityfocus.com/bid 3 3 3 3 2 1 2 2 0 1 20 SecurityTracker http://securitytracker.com 3 3 3 1 2 3 1 3 0 1 20 scip VulDB http://www.scip.ch/en/?vuldb 3 3 3 3 3 3 3 3 3 3 30  2.7 2.4 2.6 1.9 2.6 2.0 1.7 2.1 1.5 1.7
Sources | Vulnerability Databases: Conclusion ◦ OSVDB provides the best collection of data ◦ Secunia provides the worst collection of data ◦ SecurityFocus and Secunia usually don’t provide context ◦ X-Force, SecurityTracker and Secunia don’t provide exploit details ◦ SecurityTracker and Secunia have confusing disclosure dates ◦ SecurityFocus, SecurityTracker and Secunia don’t link to other VDB area41 2014 29
Correlation | That's Why You Have to Correlate ◦ Approach ◦ Merge different sources ◦ Compare similar data points ◦ Identify and verify contradictions ◦ Dangers ◦ Duplicates: Come up with annoying inconsistency ◦ Merges: Come up with dangerous mashups area41 2014 30
Correlation | Now Things Are Getting Tricky ◦ Sometimes vulnerabilities can’t be identified individually ◦ CVE helps a lot! But not every vulnerability (immediately) has a CVE number ◦ Some sources merge vulnerabilities into one entry ◦ Vendors do this within their patch release notes or patch days ◦ Secunia tends to compile different vulnerabilities of the same day or patch generation into one entry (e.g. 58519). SecurityFocus does it sometimes (e.g. 67553) and so does SecurityTracker in some cases (e.g. 1030269). ◦ Vulnerabilities with very few technical details often can’t be distinguished from similar vulnerabilities (e.g. Apple HT6145: no info available, but CVE assigned) area41 2014 31
Correlation | Keep Track, Detect Collisions ◦ Keep track of your sources and the entries already reviewed ◦ Verify that every new entry is really new and not just a duplicate or a minor fork of an existing entry. This is a very underestimated task! ◦ We do that with collision detection ◦ Compare new values with existing values of other entries (e.g. URLs, IDs, references). If there is a specified level of matches, we have to check for a duplicate. ◦ Our reference maps help to distinguish. Projects like vFeed support this very good. [https://github.com/toolswatch/vFeed/] area41 2014 32
Correlation | To Split or Not to Split Parameter → 5 entries File → 4 entries Component → 3 entries Vuln Class → 2 entries Advisory/Patch → 1 entry Advisory #VA42 Cross Site Scripting User Auth login.php login_user login_pass News Portal news.php news_id archive.php news_year SQL Injection Board forum.php post_id area41 2014 33
Correlation | Split Example (MS Patch Day, IE Vuls, Feb 2014) VulDB (vuln split) SecFocus* (vuln split) CVE (vuln split) Secunia (combined) Microsoft (combined) MS14-010 SA56796 CVE- 2014-0267 BID 65361 SID 12242 CVE- 2014-0268 BID 65392 SID 12239 … … … CVE- 2014-0293 BID 65394 SID 12241 area41 2014 34 * SecurityFocus often combines (e.g. BID 67553)
Correlation | Unwanted Split (cPanel, Dec 2013) ◦ TSR 2013-0011, http://cpanel.net/tsr-2013-0011-full-disclosure/ ◦ 12/18/2013 cPanel WHM Reseller Login Handler Cookie information disclosure ◦ 12/18/2013 cPanel WHM Login Security Handler Token information disclosure ◦ 12/18/2013 cPanel WHM Branding Subsystem privilege escalation ◦ 12/18/2013 cPanel WHM usr/local/cpanel/share/counter privilege escalation ◦ 12/18/2013 cPanel WHM Daily Process Log Screen Stored cross site scripting ◦ 12/18/2013 cPanel WHM cPAddons Upgrade Handler Password information disclosure ◦ 12/18/2013 cPanel WHM Edit DNS Zone Interface information disclosure ◦ 12/18/2013 cPanel WHM SSH Authentication Handler privilege escalation ◦ 12/18/2013 cPanel WHM X3 Theme countedit.cgi Directory Traversal ◦ 12/18/2013 cPanel WHM Bandmin passwd privilege escalation ◦ 12/18/2013 cPanel WHM cpsrvd Bypass privilege escalation ◦ 12/18/2013 cPanel WHM Bandmin Reflected cross site scripting ◦ 12/18/2013 cPanel WHM API Call Handler UI::dynamicincludelist Directory Traversal ◦ 12/18/2013 cPanel WHM Database Handler privilege escalation ◦ 12/18/2013 cPanel WHM Backup Archive Handler privilege escalation ◦ 12/18/2013 cPanel WHM Config Handler Cross Site Request Forgery ◦ 12/18/2013 cPanel WHM Translatable Phrase Handler Locale::Maketext privilege escalation ◦ 12/18/2013 cPanel WHM CSRF Protection Bypass Cross Site Request Forgery ◦ 12/18/2013 cPanel WHM cross site scripting ◦ 12/18/2013 cPanel WHM Logaholic Session File Handler /tmp privilege escalation ◦ 12/18/2013 cPanel WHM Virtualhost Installation Handler privilege escalation area41 2014 35
Correlation | Split Pros and Cons ◦ Advisory / Patch ◦ Few entries ◦ Good for overview ◦ Good for patch management ◦ Vulnerability ◦ Some entries ◦ Possible splits for 3rd party components ◦ Element ◦ A lot of entries ◦ Good for statistical analysis area41 2014 36
Quality | How to Provide the Best? ◦ Try to verify statements from researchers, vendors and vulnerability database maintainers ◦ Check for plausibility ◦ Verify from other sources ◦ Re-test within a lab ◦ Eliminate wrong statements ◦ Delete false entries ◦ Preserve false entries (prefered by CVE, SecurityFocus) ◦ Add further explanations ◦ Flag (prefered by OSVDB, scip VulDB) ◦ advisory_disputed=1 (e.g. scipID 13305, 13000, 12643) ◦ advisory_reportconfidence=UR (CVSSv2 temp score metric) ◦ Try to find and compile additional details area41 2014 37
Extrapolation | Versions of Affected Software ◦ Exact Version ◦ Internet Explorer 10 → X-Force, OSVDB, SecFocus, Secunia, VulDB ◦ Wildcards ◦ Internet Explorer 6.x → Secunia, SecFocus, SecTracker, VulDB ◦ Ranges ◦ Internet Explorer 8 – 10 → Secunia, CVE ◦ Internet Explorer prior 10 → SecurityTracker, Secunia ◦ Internet Explorer before 10 → CVE ◦ Internet Explorer up to 10 → VulDB ◦ Internet Explorer 8 and later → SecurityTracker area41 2014 3810 119876 10 up to 10 8 to 10 Internet Explorer Versions before 10 …
Extrapolation | What about The Unknown? ◦ Try to guess. Examples: ◦ «IE prior 9» → 6 – 9 ◦ «IE prior 11» → 7 – 10 ◦ Research and validate yourself ◦ A lot of work ◦ We combine with other projects (research or pentest) ◦ We enforce very important or interesting vulnerabilities ◦ Be quiet area41 2014 39
Delivery | Chose your Channels ◦ Web Site ◦ Mail ◦ RSS ◦ Widgets ◦ Facebook ◦ Twitter ◦ LinkedIn ◦ App ◦ … area41 2014 40
Statistics | Comparing Apples and Oranges ◦ Doing some statistics is easy. Doing it the right way is hard. Some say it is even impossible. [http://blog.osvdb.org/category/vulnerability-statistics/] ◦ Counting vulnerabilities doesn’t say anything: ◦ Weak code leads to a lot of vulnerabilities ◦ Complexity leads to a lot of vulnerabilities ◦ Popularity leads to a lot of vulnerabilities ◦ Bug bounty programs lead to a lot of vulnerabilities ◦ Open disclosure process leads to a lot of vulnerabilities ◦ We still provide statistical raw data and expect the viewers to think about it area41 2014 41
Statistics | Timelines Are Interesting ◦ Our timelines consist of multiple data points ◦ vulnerability_introduction_date ◦ vulnerability_discovery_date ◦ vulnerability_vendorinform_date ◦ advisory_date ◦ advisory_confirm_date ◦ exploit_date ◦ countermeasure_date ◦ source_cve_assigned ◦ source_secunia_date ◦ source_nessus_date ◦ entry_timestamp_create ◦ entry_timestamp_update Example Heartbleed [CVE-2014-0160] area41 2014 42
Statistics | Timelines Trivia (excerpt from 2014) ◦ [CVE-2014-0160] OpenSSL TLS/DTLS Heartbeat information disclosure got introduced in 01/01/2012 and fixed in 04/07/2014 ◦ existed 827 days ◦ [CVE-2014-0179] libvirt XML Entity Expansion Handler denial of service got introduced in 12/23/2009 and fixed in 05/06/2014 ◦ existed 1.595 days ◦ [CVE-2014-3122] Linux Kernel try_to_unmap_cluster() denial of service got introduced in 10/19/2008 and fixed in 04/10/2014 ◦ existed 1.996 days ◦ [CVE-2014-3460] Novell NetIQ Sentinel Agent Manager directory traversal vendor got informed in 09/04/2013 but did not respond until 05/19/2014 ◦ Novell ignored grace period of 257 days area41 2014 43
Accessibility | Choose Additional Representation ◦ To allow users to work with your data, it might be the best way to provide additional forms of representation: ◦ SQL ◦ XML ◦ JSON ◦ CSV ◦ CVRF [http://www.icasi.org/cvrf] area41 2014 44
Connectivity | Use Data for Vuln Scanning ◦ We are able to construct specific requests with our fields software_argument and software_input_value to create test cases and exploits (very simple for web-based vulns) ◦ Because of the fields software_* we are able to provide CPE lists [http://cpe.mitre.org/], which can be matched with tools like Nmap. Random examples: ◦ ID 12313 → cpe:/a:sap:netweaver:7.30 ◦ ID 12802 → cpe:/o:cisco:ios:15.4(1.1)t ◦ ID 13306 → cpe:/a:microsoft:internet_explorer:8 area41 2014 45
Outro | Summary ◦ Vulnerability databases help to manage vulnerabilities ◦ Different sources allow to collect a broad amount of issues ◦ Every source has some advantages and disadvantages ◦ Compiling and maintaining vulnerabilities takes a lot of effort ◦ Making your data accessible helps others area41 2014 46
Outro | Thank You ◦ I‘d like to thank a bunch of people which helped to discuss the many interesting aspects of vulnerability database management: ◦ Stefan Friedli, scip AG ◦ Steven M. Christey, MITRE area41 2014 47
Outro | Questions area41 2014 48
Security Is Our Business! scip AG Jakob-Fügli-Strasse 18 CH-8048 Zürich Tel +41 44 404 13 13 Fax +41 44 404 13 14 Mail info@scip.ch Web http://www.scip.ch Twitter http://twitter.com/scipag  Strategy | Consulting  Auditing | Testing  Forensics | Analysis area41 2014 49

More Related Content

PDF
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Apostolos Giannakidis
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
PDF
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
PDF
Wfuzz for Penetration Testers
Christian Martorella
 
PDF
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
CODE BLUE
 
PPTX
Nguyen phuong truong anh a story of bug bounty hunter
Security Bootcamp
 
PPTX
Owasp Top 10 - A1 Injection
Paul Ionescu
 
PPTX
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Apostolos Giannakidis
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
Wfuzz for Penetration Testers
Christian Martorella
 
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
CODE BLUE
 
Nguyen phuong truong anh a story of bug bounty hunter
Security Bootcamp
 
Owasp Top 10 - A1 Injection
Paul Ionescu
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 

What's hot (20)

PDF
All You Need is One - A ClickOnce Love Story - Secure360 2015
NetSPI
 
PDF
Top Security Challenges Facing Credit Unions Today
Chris Gates
 
PPT
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
Steve Poole
 
PDF
Asec r01-resting-on-your-laurels-will-get-you-pwned
Dinis Cruz
 
PDF
Secure Coding for Java - An Introduction
Sebastien Gioria
 
PPTX
Geecon 2017 Anatomy of Java Vulnerabilities
Steve Poole
 
PDF
Thick Application Penetration Testing - A Crash Course
NetSPI
 
PPTX
Java Secure Coding Practices
OWASPKerala
 
PPTX
JavaScript security and tools evolution at 2017 OWASP Taiwan Week
dcervigni
 
PDF
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
PDF
Attack All the Layers - What's Working in Penetration Testing
NetSPI
 
PDF
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
PDF
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Christian Schneider
 
PDF
Secure Application Development in the Age of Continuous Delivery
Black Duck by Synopsys
 
PDF
Applications secure by default
SecuRing
 
PDF
Advanced SQL Injection Attack & Defenses
Tiago Mendo
 
PDF
Web security for developers
Sunny Neo
 
PDF
Is code review the solution?
Tiago Mendo
 
PDF
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
PDF
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
NetSPI
 
Top Security Challenges Facing Credit Unions Today
Chris Gates
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
Steve Poole
 
Asec r01-resting-on-your-laurels-will-get-you-pwned
Dinis Cruz
 
Secure Coding for Java - An Introduction
Sebastien Gioria
 
Geecon 2017 Anatomy of Java Vulnerabilities
Steve Poole
 
Thick Application Penetration Testing - A Crash Course
NetSPI
 
Java Secure Coding Practices
OWASPKerala
 
JavaScript security and tools evolution at 2017 OWASP Taiwan Week
dcervigni
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
Attack All the Layers - What's Working in Penetration Testing
NetSPI
 
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Christian Schneider
 
Secure Application Development in the Age of Continuous Delivery
Black Duck by Synopsys
 
Applications secure by default
SecuRing
 
Advanced SQL Injection Attack & Defenses
Tiago Mendo
 
Web security for developers
Sunny Neo
 
Is code review the solution?
Tiago Mendo
 
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 
Ad

Viewers also liked (6)

PPTX
Code Plagiarism - Technical Detection and Legal Prosecution
Marc Ruef
 
PDF
Lavarone neve 2012
sealandservice
 
PPTX
Step by step kulan
kahadugoda
 
PPT
Scala for Java Developers
RamnivasLaddad
 
PDF
Personal Branding for Workplace Leaders
Jocelyn Aucoin
 
PPTX
Firewall Rule Review and Modelling
Marc Ruef
 
Code Plagiarism - Technical Detection and Legal Prosecution
Marc Ruef
 
Lavarone neve 2012
sealandservice
 
Step by step kulan
kahadugoda
 
Scala for Java Developers
RamnivasLaddad
 
Personal Branding for Workplace Leaders
Jocelyn Aucoin
 
Firewall Rule Review and Modelling
Marc Ruef
 
Ad

Similar to Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities (20)

PPTX
Vulnerability Intelligence and Assessment with vulners.com
Alexander Leonov
 
PPTX
Classification of vulnerabilities
Mayur Mehta
 
PDF
Security Vulnerabilities in Modern Operating Systems
Cisco Canada
 
PPTX
16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS.pptx
abhimannyubanerjee
 
PPTX
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
Alexander Leonov
 
PDF
OSC2023_security_automation_data.pdf
Marcus Meissner
 
PPTX
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
Nurul Haszeli Ahmad
 
PPTX
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
Alexander Leonov
 
PPTX
DefCamp 2013 - Are we there yet?
DefCamp
 
PPTX
ITBN 2008 - Evolution of Key Risks - Dr. Richard Reiner - 200808.pptx
ssuser332fc01
 
PDF
CRA - overview of vulnerability handling
Olle E Johansson
 
PDF
Cvss guide file
mudyna
 
PPT
Common Vulnerabilities and Exposures details
nizlin1
 
PDF
Webinar–Delivering a Next Generation Vulnerability Feed
Synopsys Software Integrity Group
 
PPTX
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Kymberlee Price
 
PPTX
September 13, 2016: Security in the Age of Open Source:
Black Duck by Synopsys
 
PDF
Verizon 2015 DBIR VM portion
Tawnia Beckwith
 
PPT
CVSS
Christian Heinrich
 
PDF
Fix What Matters
Ed Bellis
 
PDF
Donu’t Let Vulnerabilities Create a Hole in Your Organization
DevOps.com
 
Vulnerability Intelligence and Assessment with vulners.com
Alexander Leonov
 
Classification of vulnerabilities
Mayur Mehta
 
Security Vulnerabilities in Modern Operating Systems
Cisco Canada
 
16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS.pptx
abhimannyubanerjee
 
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
Alexander Leonov
 
OSC2023_security_automation_data.pdf
Marcus Meissner
 
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
Nurul Haszeli Ahmad
 
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
Alexander Leonov
 
DefCamp 2013 - Are we there yet?
DefCamp
 
ITBN 2008 - Evolution of Key Risks - Dr. Richard Reiner - 200808.pptx
ssuser332fc01
 
CRA - overview of vulnerability handling
Olle E Johansson
 
Cvss guide file
mudyna
 
Common Vulnerabilities and Exposures details
nizlin1
 
Webinar–Delivering a Next Generation Vulnerability Feed
Synopsys Software Integrity Group
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Kymberlee Price
 
September 13, 2016: Security in the Age of Open Source:
Black Duck by Synopsys
 
Verizon 2015 DBIR VM portion
Tawnia Beckwith
 
CVSS
Christian Heinrich
 
Fix What Matters
Ed Bellis
 
Donu’t Let Vulnerabilities Create a Hole in Your Organization
DevOps.com
 

Recently uploaded (20)

PDF
OneRead_20250728_1808.pdfhdhddhshahwhwwjjaaja
DivyanshChauhan66
 
PDF
168300704-gasification-ppt.pdfhghhhsjsjhsuxush
sriram270905
 
PDF
How to run a consulting project- client discovery
P&CO
 
PPTX
retention in jsjsksksksnbsndjddjdnFPD.pptx
JayeshTaneja4
 
PDF
REAL ILLUMINATI AGENT IN KAMPALA UGANDA CALL ON+256765750853/0705037305
Real illuminati agent from Uganda Kampala call 0782561496/0756664682
 
PPTX
Pilar Kemerdekaan dan Identi Bangsa.pptx
RyanSyah40
 
PPTX
sac 451hinhgsgshssjsjsjheegdggeegegdggddgeg.pptx
Akash486765
 
PPT
ISS -ESG Data flows What is ESG and HowHow
lucandthemachine
 
DOCX
Factor Analysis Word Document Presentation
SoeMoe58
 
PDF
Optimise Shopper Experiences with a Strong Data Estate.pdf
Prasad Chandane
 
PDF
Business Analytics and business intelligence.pdf
khalidisah4750
 
PPTX
A Complete Guide to Streamlining Business Processes
Accentfuture
 
PPTX
mbdjdhjjodule 5-1 rhfhhfjtjjhafbrhfnfbbfnb
CHINTU5000
 
PPTX
AI Strategy room jwfjksfksfjsjsjsjsjfsjfsj
ankitpratapsingh28
 
PPTX
Qualitative Qantitative and Mixed Methods.pptx
AhmaduMohammed
 
PPTX
(Ali Hamza) Roll No: (F24-BSCS-1103).pptx
fb7654821
 
PPTX
Market Analysis -202507- Wind-Solar+Hybrid+Street+Lights+for+the+North+Amer...
LEDLUXX Smart Lite TEC
 
PPTX
Introduction to Inferential Statistics.pptx
CollegeofTeacherEduc3
 
PDF
[EN] Industrial Machine Downtime Prediction
Mônica N. de Resende
 
PDF
Capcut Pro Crack For PC Latest Version {Fully Unlocked 2025}
malikyahyah1122
 
OneRead_20250728_1808.pdfhdhddhshahwhwwjjaaja
DivyanshChauhan66
 
168300704-gasification-ppt.pdfhghhhsjsjhsuxush
sriram270905
 
How to run a consulting project- client discovery
P&CO
 
retention in jsjsksksksnbsndjddjdnFPD.pptx
JayeshTaneja4
 
REAL ILLUMINATI AGENT IN KAMPALA UGANDA CALL ON+256765750853/0705037305
Real illuminati agent from Uganda Kampala call 0782561496/0756664682
 
Pilar Kemerdekaan dan Identi Bangsa.pptx
RyanSyah40
 
sac 451hinhgsgshssjsjsjheegdggeegegdggddgeg.pptx
Akash486765
 
ISS -ESG Data flows What is ESG and HowHow
lucandthemachine
 
Factor Analysis Word Document Presentation
SoeMoe58
 
Optimise Shopper Experiences with a Strong Data Estate.pdf
Prasad Chandane
 
Business Analytics and business intelligence.pdf
khalidisah4750
 
A Complete Guide to Streamlining Business Processes
Accentfuture
 
mbdjdhjjodule 5-1 rhfhhfjtjjhafbrhfnfbbfnb
CHINTU5000
 
AI Strategy room jwfjksfksfjsjsjsjsjfsjfsj
ankitpratapsingh28
 
Qualitative Qantitative and Mixed Methods.pptx
AhmaduMohammed
 
(Ali Hamza) Roll No: (F24-BSCS-1103).pptx
fb7654821
 
Market Analysis -202507- Wind-Solar+Hybrid+Street+Lights+for+the+North+Amer...
LEDLUXX Smart Lite TEC
 
Introduction to Inferential Statistics.pptx
CollegeofTeacherEduc3
 
[EN] Industrial Machine Downtime Prediction
Mônica N. de Resende
 
Capcut Pro Crack For PC Latest Version {Fully Unlocked 2025}
malikyahyah1122
 

Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities

  • 1. id entry_timestamp_queue entry_timestamp_create entry_timestamp_change entry_maintainer_queue entry_maintainer_create entry_maintainer_change entry_changelog entry_smss software_type software_vendor software_name software_version software_platform software_component software_file software_library software_function software_argument software_input_type software_input_value software_website software_affectedlist software_advisoryquote software_freetext_de software_freetext_en vulnerability_discoverydate vulnerability_vendorinformdate vulnerability_class vulnerability_impact vulnerability_risk vulnerability_simplicity vulnerability_popularity vulnerability_historic vulnerability_cvss_av vulnerability_cvss_ac vulnerability_cvss_au vulnerability_cvss_ci vulnerability_cvss_ii vulnerability_cvss_ai vulnerability_titleword vulnerability_keywords vulnerability_sourcecode vulnerability_advisoryquote vulnerability_freetext_de vulnerability_freetext_en advisory_date advisory_location advisory_type advisory_url advisory_via advisory_identifier advisory_reportconfidence advisory_coordination advisory_person_name advisory_person_nickname advisory_person_mail advisory_person_website advisory_company_name advisory_confirm_url advisory_confirm_date advisory_disputed advisory_advisoryquote advisory_freetext_de advisory_freetext_en exploit_availability exploit_date exploit_publicity exploit_url exploit_developer_name exploit_developer_nickname exploit_developer_mail exploit_developer_website exploit_language exploit_exploitability exploit_reliability exploit_wormified exploit_googlehack exploit_advisoryquote exploit_sourcecode exploit_freetext_de exploit_freetext_en countermeasure_remediationlev countermeasure_name countermeasure_date countermeasure_reliability countermeasure_upgrade_vers countermeasure_upgrade_url countermeasure_patch_name Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities Marc Ruef www.scip.ch area41 Security Conference June 2014, Zürich, Switzerland
  • 2. Agenda | Vulnerability Database Maintenance 1. Intro Introduction 2 min Who am I? 2 min What is the Goal? 2 min 2. Vulnerability Database Maintenance Design the Database 5 min Handling of Sources 4 min Interpretation of Data 4 min Correlation of Data 4 min Quality Management 5 min Extrapolation of Data 5 min Deliver your Results 5 min Statistical Analysis 5 min Provide Accessibility 5 min Use Connectivity 5 min 3. Outro Summary 2 min Questions 5 min area41 2014 2/34
  • 3. Introduction | Who Am I? Name Marc Ruef Job Co-Owner / CTO, scip AG, Zürich Private Website http://www.computec.ch Last own Book „The Art of Penetration Testing“, Computer & Literatur Böblingen, ISBN 3-936546-49-5 Translation area41 2014 3/34 2013 2007 20022004
  • 4. Introduction | What Is a Vulnerability Database? ◦ What? ◦ A database collecting vulnerabilities ◦ Why? ◦ To do vulnerability management ◦ What is vulnerable? ◦ What is to patch? ◦ To do statistical analysis ◦ Costs of patch management ◦ Robustness of products area41 2014 4
  • 5. Introduction | scip VulDB Looks like This (Overview) area41 2014 5
  • 6. Introduction | scip VulDB Looks like This (Detail) area41 2014 6
  • 7. Design | What Should Your Vulnerability Database Do? ◦ How much? ◦ Full coverage ◦ Selective collection ◦ Inventory-only ◦ Vendor-selection ◦ Importance threshold ◦ Fixed only ◦ For whom? ◦ Everyone ◦ Public service ◦ Advertisement ◦ Customers ◦ Vulnerability management service ◦ Alerting service ◦ Tools ◦ Internal Use ◦ Knowledge-base ◦ For pentesters ◦ For administrators area41 2014 7
  • 8. Design | What Is an Entry? ◦ A VDB entry consists of different elements. Minimal elements usually are: ◦ ID 12413 ◦ Title Linux Low-Address Protection Denial of Service ◦ Disclosure Date 02/21/2014 ◦ Description A vulnerability, classified as (…) ◦ Risk Rating problematic ◦ References CVE-2014-2039, BID 65700, … area41 2014 8
  • 9. Design | Details Are Cool… ◦ Entry ◦ Software ◦ … ◦ Vulnerability ◦ … ◦ Advisory ◦ … ◦ Exploit ◦ Availability → yes|no ◦ Publicity → public|private ◦ Disclosure Date → yyyyMMdd ◦ Developer → $name ◦ Language → Ruby|Python|C|… ◦ Reliability → low|medium|high ◦ … ◦ Countermeasure ◦ … ◦ Sources ◦ … ◦ Tools ◦ … ◦ Misc ◦ … area41 2014 9
  • 10. Design | But Details Take Time! ◦ We have compiled more than 13’400 entries since 2003 ◦ A scip VulDB entry consists of ~150 possible data points ◦ We rate data points to prioritize: ◦ Important = 33 (must be processed if available) ◦ Normal = 32 (shall be processed) ◦ Optional = 85 (can be processed, if you have «too much time») ◦ Statistical analysis of defined data points over all entries: ◦ Average = 49.92 ◦ Min = 26 ◦ Max = 90 ◦ We currently add ~15 new entries per day (work-days only) area41 2014 10
  • 11. Sources | Possible Sources ◦ Vulnerability databases ◦ Vulnerability contributors (iDefense VCP, HP ZDI) ◦ Infosec mailinglists ◦ Vendor mailinglists ◦ Vendor advisories ◦ Code repositories ◦ News ◦ Blogs ◦ Social networks (e.g. Twitter, G+, LinkedIn) ◦ Friends, colleagues, co-workers, … area41 2014 11
  • 12. Sources | Vulnerability Databases: Advantages and Disadvantages VDB  Pros Cons IBM X-Force http://xforce.iss.net • Good coverage • CVSSv2 base scores • CVSSv2 temporal scores • CVE support • Sometimes a bit slow (2-3 updates per week) • «Arbitrary» listing (default view: 5 entries, no backlog) • No RSS feed OSVDB http://www.osvdb.org • Very quick (daily updates) • Best coverage (everything!) • CVSSv2 base scores (via MITRE) • CVE support • No listing (since Feb 2014) • No own risk rating (CVSSv2 only) • No RSS feed (since 2012) Secunia http://secunia.com/community /advisories/historic/ • Good coverage • Good listing (default view: 25 entries) • CVE support • Login required (since Apr 2014) • Some details for paying customers only • Combining multiple vulnerabilities in one entry (by release/patch) • They don’t like other projects (they forbade to use their listing for vulscan.nse in 2013) • No RSS feed • No CVSSv2 scores SecurityFocus http://www.securityfocus.com/ bid • Good coverage • CVE support • Listing also shows updated entries (default view: 31 entries) • Site is slow • Data for an entry is spread over 5 sub- pages • No CVSSv2 scores SecurityTracker http://securitytracker.com • Sometimes quite quick • Simple listing (default view: 5 entries) • CVE support • Selective coverage (popular products only) • No CVSSv2 scores
  • 13. Sources | Evaluation Rating Introduction ◦ Criteria are those we think are important ◦ We have addressed them as far as possible in our project (because of this prioritization) ◦ Rating is as fair as possible ◦ You might rate a bit differently Description Rating Feature is supported: always/fully 3 Feature is supported: often/partially 2 Feature is supported: sometimes/somehow 1 Feature is never/not supported 0
  • 14. Sources | Vulnerability Databases: Rating VDB  Coverage (howmuch) Quickness (howfast) Listing (howvisible) Search (howsearchable) Handling (howergonomic) TechDetails (howdetailed) RiskRating (howmeasured) CVSS Base CVSS Temporal CVE Feeds (howaccessible) Total CERT VU http://www.kb.cert.org/vuls/ 1 3 3 2 2 3 0 3 3 3 3 26 Exploit-DB http://www.exploit-db.com 1 3 3 3 2 2 0 0 0 3 3 20 IBM X-Force http://xforce.iss.net 3 1 1 1 2 2 0 3 3 3 0 19 NIST NVD http://nvd.nist.gov 2 1 3 3 2 2 0 3 0 3 3 22 MITRE CVE http://cve.mitre.org 2 1 3 2 2 2 0 0 0 3 2 17 OSVDB http://www.osvdb.org 3 3 0 2 2 2 0 2 0 3 0 17 Secunia http://secunia.com/community/advisories/historic/ 3 2 3 3 2 2 3 0 0 3 0 21 SecurityFocus http://www.securityfocus.com/bid 3 2 2 2 1 2 0 0 0 3 0 15 SecurityTracker http://securitytracker.com 1 2 3 2 3 2 0 0 0 3 0 16 scip VulDB (rating ourselves comes with bias) http://www.scip.ch/en/?vuldb 2 2 3 2 3 3 3 3 3 3 3 30  2.1 2.0 2.4 2.2 2.1 2.2 0.6 1.4 0.9 3.0 1.4
  • 15. Sources | Vulnerability Databases: Conclusion ◦ Being quick is not easy ◦ Technical details range from bad to good ◦ CVSS scores are pretty unpopular, especially «temporal scores» ◦ CVE has been established as the de facto standard (nice!) ◦ You can’t compare CERT VU, Exploit-DB, NIST NVD and MITRE CVE with anything else ◦ Exploit-DB inherits abstraction from researchers and is not self- consistent ◦ Secunia and SecurityFocus are very similar in many aspects ◦ X-Force and SecurityTracker remain pretty unpopular ◦ The «O» in OSVDB does not stand for «open» anymore ◦ Some features have been broken for ages (e.g. search on OSVDB and X-Force) ◦ Not everyone is a big fan of feeds area41 2014 15
  • 16. Sources | Vendor Advisories: Advantages and Disadvantages Vendor  Pros Cons Adobe http://helpx.adobe.com/security. html • Product-related listing • Some technical details • Priority rating • CVE support • Advisory per release/upgrade • No RSS feed Apple • Simple technical details • CVE support • No risk rating • No CVSSv2 scores • No listing • Advisory per release/upgrade • No RSS feed Cisco https://tools.cisco.com/security/c enter/publicationListing.x • Advisory listing • Advisory per vulnerability • Sometimes additional technical details • CVSSv2 base scores • CVE support • Technical details with login only • Some details for customers only • No RSS feed Google • CVE support • No listing • Advisory per release/upgrade • Technical details with auth only • No risk rating • No CVSSv2 scores • No RSS feed Microsoft http://technet.microsoft.com/sec urity/advisory • Some technical details • Listing (default view: 5 entries) • RSS feed • Patch day collection (2nd Tuesday of each month) • Severity rating • No CVSSv2 scores Oracle http://www.oracle.com/technetwo rk/topics/security/alerts- 086861.html • Simple listing • CVSSv2 base scores • CVE support • Patch day collection (quarterly) • No technical details • No RSS feed
  • 17. Sources | Vendor Advisories: Rating Vendor VulnID (howunique) Frequency (howfast) Listing (howvisible) TechDetails (howdetailed) Risk (howmeasured) CVSS Base CVSS Temporal CVE RSS Total FortiGuard http://www.fortiguard.com/advisory/ 3 3 3 3 3 0 0 3 3 21 Symantec http://www.symantec.com/security_response/securityupdates/list.jsp 3 3 3 3 0 3 0 3 3 21 Microsoft http://technet.microsoft.com/security/advisory 3 2 3 3 3 0 0 3 3 20 Checkpoint https://www.checkpoint.com/defense/advisories/public/summary.html 3 2 3 2 3 0 0 3 3 19 Cisco https://tools.cisco.com/security/center/publicationListing.x (details auth only) 3 3 3 3 0 3 0 3 0 18 Oracle http://www.oracle.com/technetwork/topics/security/alerts-086861.html 1 1 3 1 3 3 0 3 3 18 Adobe http://helpx.adobe.com/security.html 3 3 3 2 2 0 0 3 0 16 HP https://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive 3 3 3 1 0 3 0 3 0 16 SAP https://service.sap.com/sap/support/notes/ (auth only) 3 3 3 2 3 2 0 0 0 16 D-Link http://securityadvisories.dlink.com/security/ 3 3 2 2 0 0 0 2 0 12 Google http://www.google.com (details auth only) 3 3 1 2 0 0 0 3 0 12 Apple http://www.apple.com 1 2 1 1 0 0 0 3 0 8  2.66 2.58 2.58 2.08 1.41 1.16 0.0 2.66 1.25
  • 18. Sources | Vendor Advisories: Conclusion ◦ Some vendors have really ugly advisory URLs ◦ Technical details range from bad to good ◦ CVSS scores are pretty unpopular, especially «temporal scores» ◦ Own risk ratings are also unpopular, because they are hard ◦ Nearly everybody likes CVE ◦ Microsoft and Oracle handle things better than it felt ◦ Juniper has a field «Last Updated» but no «Disclosure Date» ◦ SAP is very restrictive with information for non-customers, which introduces a severe disadvantage (VDB’s can’t categorize them, which decreases visibility) ◦ Vendors aren’t big fans of RSS feeds either area41 2014 18
  • 19. Sources | Vuln Contributors: Advantages and Disadvantages Project  Pros Cons iDEFENSE Vulnerability Contributor Program http://www.verisigninc.com/en_US/cyber- security/index.xhtml • Started in 2003 • Incomplete listing • No announcement of upcoming advisories • No CVSSv2 support • No search capabilities • No RSS feed • All old links are broken since Zero Day Initiative http://www.zerodayinitiative.com • Provide announcement for upcoming advisories • Provide CVSSv2 Base Scores • RSS feeds available • No search capabilities
  • 20. Sources | Vuln Contributors: Rating Project  Listing (howvisible) Search (howsearchable) Handling (howergonomic) TechDetails (howdetailed) RiskRating (howmeasured) CVSS Base CVSS Temporal CVE RSS Total iDEFENSE Vulnerability Contributor Program http://www.verisigninc.com/en_US/cyber-security/index.xhtml 3 0 3 2 0 0 0 3 0 11 Zero Day Initiative http://www.zerodayinitiative.com 3 0 3 2 0 3 0 3 3 17  3.0 0.0 3.0 2.0 0.0 1.5 0.0 3.0 1.5
  • 21. Sources | Vuln Contributors: Conclusion ◦ Only 2 major players ◦ They are quite similar in most aspects ◦ Zero Day Initiative has 2 advantages of CVSSv2 and RSS support ◦ More competition might increase quality area41 2014 21
  • 22. Interpretation | How to Analyze ◦ The basic approach of processing a source is simple: 1. Check source for new entries 2. Review source entry 3. Add necessary data to database 1. If entry is available → Update existing entry 2. If entry is not available → Create new entry 3. If source is false-positive → Ignore entry and flag for future reference 4. Goto 1 area41 2014 22
  • 23. Interpretation | MITRE CVE as an Example cve description advisory cert vu software
  • 24. Interpretation | MITRE CVE as an Example: What Is missing? ◦ What’s missing on a MITRE CVE entry? ◦ Disclosure date ◦ Exact naming of vulnerability class ◦ Risk rating ◦ Person responsible for disclosure ◦ Detailed mitigation/countermeasure ◦ … area41 2014 24
  • 25. Interpretation | OSVDB as an Example cve sectracker product version description date exploit news
  • 26. Interpretation | Contradicting Conventions (Disclosure Date) 02/19/2014 02/26/2014
  • 27. Interpretation | Contradicting Conventions (Disclosure Date) CVE-2014-2284 net-snmp 5.7.1 on Linux ICMP-MIB Denial of Service 02/19/2014 02/20/2014 02/21/2014 02/22/2014 02/23/2014 02/24/2014 02/25/2014 02/26/2014 02/27/2014 ... 03/24/2014 SourceForge ReleaseNote SecFocus SecTracker VulDB OSVDB Secunia RedHat Our definition of a (public) disclosure date: The earliest known date to disclose an issue to the public in an unrestricted way. (we’re going to adopt a more differentiated approach in the near future) 03/05/2014oss-security ...CVE
  • 28. Interpretation | Put the Different Pieces Together VDB  Product Version VulnClass Disclosure Date Advisory URL Attack Context Exploit Solution VulnDB Sources Misc. Links Total CERT VU http://www.kb.cert.org/vuls/ 3 2 3 2 3 3 1 3 0 1 21 Exploit-DB http://www.exploit-db.com 3 2 2 2 2 1 3 1 1 0 17 IBM X-Force http://xforce.iss.net 3 2 2 3 2 3 1 2 2 2 22 NIST NVD http://nvd.nist.gov 2 2 3 0 3 1 1 1 3 3 19 MITRE CVE http://cve.mitre.org 2 2 2 0 3 1 1 1 3 3 18 OSVDB http://www.osvdb.org 3 3 3 3 3 3 3 3 3 3 30 Secunia http://secunia.com/community/advisories/historic/ 2 2 2 2 3 1 1 2 0 0 15 SecurityFocus http://www.securityfocus.com/bid 3 3 3 3 2 1 2 2 0 1 20 SecurityTracker http://securitytracker.com 3 3 3 1 2 3 1 3 0 1 20 scip VulDB http://www.scip.ch/en/?vuldb 3 3 3 3 3 3 3 3 3 3 30  2.7 2.4 2.6 1.9 2.6 2.0 1.7 2.1 1.5 1.7
  • 29. Sources | Vulnerability Databases: Conclusion ◦ OSVDB provides the best collection of data ◦ Secunia provides the worst collection of data ◦ SecurityFocus and Secunia usually don’t provide context ◦ X-Force, SecurityTracker and Secunia don’t provide exploit details ◦ SecurityTracker and Secunia have confusing disclosure dates ◦ SecurityFocus, SecurityTracker and Secunia don’t link to other VDB area41 2014 29
  • 30. Correlation | That's Why You Have to Correlate ◦ Approach ◦ Merge different sources ◦ Compare similar data points ◦ Identify and verify contradictions ◦ Dangers ◦ Duplicates: Come up with annoying inconsistency ◦ Merges: Come up with dangerous mashups area41 2014 30
  • 31. Correlation | Now Things Are Getting Tricky ◦ Sometimes vulnerabilities can’t be identified individually ◦ CVE helps a lot! But not every vulnerability (immediately) has a CVE number ◦ Some sources merge vulnerabilities into one entry ◦ Vendors do this within their patch release notes or patch days ◦ Secunia tends to compile different vulnerabilities of the same day or patch generation into one entry (e.g. 58519). SecurityFocus does it sometimes (e.g. 67553) and so does SecurityTracker in some cases (e.g. 1030269). ◦ Vulnerabilities with very few technical details often can’t be distinguished from similar vulnerabilities (e.g. Apple HT6145: no info available, but CVE assigned) area41 2014 31
  • 32. Correlation | Keep Track, Detect Collisions ◦ Keep track of your sources and the entries already reviewed ◦ Verify that every new entry is really new and not just a duplicate or a minor fork of an existing entry. This is a very underestimated task! ◦ We do that with collision detection ◦ Compare new values with existing values of other entries (e.g. URLs, IDs, references). If there is a specified level of matches, we have to check for a duplicate. ◦ Our reference maps help to distinguish. Projects like vFeed support this very good. [https://github.com/toolswatch/vFeed/] area41 2014 32
  • 33. Correlation | To Split or Not to Split Parameter → 5 entries File → 4 entries Component → 3 entries Vuln Class → 2 entries Advisory/Patch → 1 entry Advisory #VA42 Cross Site Scripting User Auth login.php login_user login_pass News Portal news.php news_id archive.php news_year SQL Injection Board forum.php post_id area41 2014 33
  • 34. Correlation | Split Example (MS Patch Day, IE Vuls, Feb 2014) VulDB (vuln split) SecFocus* (vuln split) CVE (vuln split) Secunia (combined) Microsoft (combined) MS14-010 SA56796 CVE- 2014-0267 BID 65361 SID 12242 CVE- 2014-0268 BID 65392 SID 12239 … … … CVE- 2014-0293 BID 65394 SID 12241 area41 2014 34 * SecurityFocus often combines (e.g. BID 67553)
  • 35. Correlation | Unwanted Split (cPanel, Dec 2013) ◦ TSR 2013-0011, http://cpanel.net/tsr-2013-0011-full-disclosure/ ◦ 12/18/2013 cPanel WHM Reseller Login Handler Cookie information disclosure ◦ 12/18/2013 cPanel WHM Login Security Handler Token information disclosure ◦ 12/18/2013 cPanel WHM Branding Subsystem privilege escalation ◦ 12/18/2013 cPanel WHM usr/local/cpanel/share/counter privilege escalation ◦ 12/18/2013 cPanel WHM Daily Process Log Screen Stored cross site scripting ◦ 12/18/2013 cPanel WHM cPAddons Upgrade Handler Password information disclosure ◦ 12/18/2013 cPanel WHM Edit DNS Zone Interface information disclosure ◦ 12/18/2013 cPanel WHM SSH Authentication Handler privilege escalation ◦ 12/18/2013 cPanel WHM X3 Theme countedit.cgi Directory Traversal ◦ 12/18/2013 cPanel WHM Bandmin passwd privilege escalation ◦ 12/18/2013 cPanel WHM cpsrvd Bypass privilege escalation ◦ 12/18/2013 cPanel WHM Bandmin Reflected cross site scripting ◦ 12/18/2013 cPanel WHM API Call Handler UI::dynamicincludelist Directory Traversal ◦ 12/18/2013 cPanel WHM Database Handler privilege escalation ◦ 12/18/2013 cPanel WHM Backup Archive Handler privilege escalation ◦ 12/18/2013 cPanel WHM Config Handler Cross Site Request Forgery ◦ 12/18/2013 cPanel WHM Translatable Phrase Handler Locale::Maketext privilege escalation ◦ 12/18/2013 cPanel WHM CSRF Protection Bypass Cross Site Request Forgery ◦ 12/18/2013 cPanel WHM cross site scripting ◦ 12/18/2013 cPanel WHM Logaholic Session File Handler /tmp privilege escalation ◦ 12/18/2013 cPanel WHM Virtualhost Installation Handler privilege escalation area41 2014 35
  • 36. Correlation | Split Pros and Cons ◦ Advisory / Patch ◦ Few entries ◦ Good for overview ◦ Good for patch management ◦ Vulnerability ◦ Some entries ◦ Possible splits for 3rd party components ◦ Element ◦ A lot of entries ◦ Good for statistical analysis area41 2014 36
  • 37. Quality | How to Provide the Best? ◦ Try to verify statements from researchers, vendors and vulnerability database maintainers ◦ Check for plausibility ◦ Verify from other sources ◦ Re-test within a lab ◦ Eliminate wrong statements ◦ Delete false entries ◦ Preserve false entries (prefered by CVE, SecurityFocus) ◦ Add further explanations ◦ Flag (prefered by OSVDB, scip VulDB) ◦ advisory_disputed=1 (e.g. scipID 13305, 13000, 12643) ◦ advisory_reportconfidence=UR (CVSSv2 temp score metric) ◦ Try to find and compile additional details area41 2014 37
  • 38. Extrapolation | Versions of Affected Software ◦ Exact Version ◦ Internet Explorer 10 → X-Force, OSVDB, SecFocus, Secunia, VulDB ◦ Wildcards ◦ Internet Explorer 6.x → Secunia, SecFocus, SecTracker, VulDB ◦ Ranges ◦ Internet Explorer 8 – 10 → Secunia, CVE ◦ Internet Explorer prior 10 → SecurityTracker, Secunia ◦ Internet Explorer before 10 → CVE ◦ Internet Explorer up to 10 → VulDB ◦ Internet Explorer 8 and later → SecurityTracker area41 2014 3810 119876 10 up to 10 8 to 10 Internet Explorer Versions before 10 …
  • 39. Extrapolation | What about The Unknown? ◦ Try to guess. Examples: ◦ «IE prior 9» → 6 – 9 ◦ «IE prior 11» → 7 – 10 ◦ Research and validate yourself ◦ A lot of work ◦ We combine with other projects (research or pentest) ◦ We enforce very important or interesting vulnerabilities ◦ Be quiet area41 2014 39
  • 40. Delivery | Chose your Channels ◦ Web Site ◦ Mail ◦ RSS ◦ Widgets ◦ Facebook ◦ Twitter ◦ LinkedIn ◦ App ◦ … area41 2014 40
  • 41. Statistics | Comparing Apples and Oranges ◦ Doing some statistics is easy. Doing it the right way is hard. Some say it is even impossible. [http://blog.osvdb.org/category/vulnerability-statistics/] ◦ Counting vulnerabilities doesn’t say anything: ◦ Weak code leads to a lot of vulnerabilities ◦ Complexity leads to a lot of vulnerabilities ◦ Popularity leads to a lot of vulnerabilities ◦ Bug bounty programs lead to a lot of vulnerabilities ◦ Open disclosure process leads to a lot of vulnerabilities ◦ We still provide statistical raw data and expect the viewers to think about it area41 2014 41
  • 42. Statistics | Timelines Are Interesting ◦ Our timelines consist of multiple data points ◦ vulnerability_introduction_date ◦ vulnerability_discovery_date ◦ vulnerability_vendorinform_date ◦ advisory_date ◦ advisory_confirm_date ◦ exploit_date ◦ countermeasure_date ◦ source_cve_assigned ◦ source_secunia_date ◦ source_nessus_date ◦ entry_timestamp_create ◦ entry_timestamp_update Example Heartbleed [CVE-2014-0160] area41 2014 42
  • 43. Statistics | Timelines Trivia (excerpt from 2014) ◦ [CVE-2014-0160] OpenSSL TLS/DTLS Heartbeat information disclosure got introduced in 01/01/2012 and fixed in 04/07/2014 ◦ existed 827 days ◦ [CVE-2014-0179] libvirt XML Entity Expansion Handler denial of service got introduced in 12/23/2009 and fixed in 05/06/2014 ◦ existed 1.595 days ◦ [CVE-2014-3122] Linux Kernel try_to_unmap_cluster() denial of service got introduced in 10/19/2008 and fixed in 04/10/2014 ◦ existed 1.996 days ◦ [CVE-2014-3460] Novell NetIQ Sentinel Agent Manager directory traversal vendor got informed in 09/04/2013 but did not respond until 05/19/2014 ◦ Novell ignored grace period of 257 days area41 2014 43
  • 44. Accessibility | Choose Additional Representation ◦ To allow users to work with your data, it might be the best way to provide additional forms of representation: ◦ SQL ◦ XML ◦ JSON ◦ CSV ◦ CVRF [http://www.icasi.org/cvrf] area41 2014 44
  • 45. Connectivity | Use Data for Vuln Scanning ◦ We are able to construct specific requests with our fields software_argument and software_input_value to create test cases and exploits (very simple for web-based vulns) ◦ Because of the fields software_* we are able to provide CPE lists [http://cpe.mitre.org/], which can be matched with tools like Nmap. Random examples: ◦ ID 12313 → cpe:/a:sap:netweaver:7.30 ◦ ID 12802 → cpe:/o:cisco:ios:15.4(1.1)t ◦ ID 13306 → cpe:/a:microsoft:internet_explorer:8 area41 2014 45
  • 46. Outro | Summary ◦ Vulnerability databases help to manage vulnerabilities ◦ Different sources allow to collect a broad amount of issues ◦ Every source has some advantages and disadvantages ◦ Compiling and maintaining vulnerabilities takes a lot of effort ◦ Making your data accessible helps others area41 2014 46
  • 47. Outro | Thank You ◦ I‘d like to thank a bunch of people which helped to discuss the many interesting aspects of vulnerability database management: ◦ Stefan Friedli, scip AG ◦ Steven M. Christey, MITRE area41 2014 47
  • 49. Security Is Our Business! scip AG Jakob-Fügli-Strasse 18 CH-8048 Zürich Tel +41 44 404 13 13 Fax +41 44 404 13 14 Mail info@scip.ch Web http://www.scip.ch Twitter http://twitter.com/scipag  Strategy | Consulting  Auditing | Testing  Forensics | Analysis area41 2014 49