SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-01-30

All CVE Details at Your Fingertips

Published: 2016-01-30
Last Updated: 2016-01-30 13:42:50 UTC
by Xavier Mertens (Version: 1)

CVE ("Common Vulnerabilities and Exposures") is a system developed to provide structured data about information security vulnerabilities. CVE numbers are everywhere and easy to find. When a security researcher finds a new vulnerability in a piece of software or a product, they can request a CVE number that will be assigned to the finding. The format is "CVE-yyyy-nnnn", where "yyyy" is the year of creation and "nnnn" is a sequence of arbitrary digits. Note that the length of the sequence is no longer restricted to 4 digits since 2014. Due to the growing number of vulnerabilities, it is already possible to find identifiers like 'CVE-yyyy-nnnnnn' when a specific year requires it. There are many ways to search for CVE information online via websites like cvedetails.com. They provide search engines to browse CVEs by vendor, period, severity, etc.

Today, we are living in a connected world where information is accessed online, but sometimes it remains more convenient to have access to local information (stored on your own computer). Having a local copy of the CVE database can be very helpful when:

  • You're offline or in a restricted environment (e.g. a classified network without access to the Internet).
  • You do not want to generate suspicious queries to public resources.
  • You need the power of local tools to manipulate data.

cve-search is a set of Python scripts that imports CVE and CPE ("Common Platform Enumeration") data into a local database. Although it started with CVEs, today many other collections are supported and can be integrated together:

  • cves (Common Vulnerabilities and Exposure items) - source NVD NIST
  • cpe (Common Platform Enumeration items) - source NVD NIST
  • vendor (Official Vendor Statements on CVE Vulnerabilities) - source NVD NIST
  • cwe (Common Weakness Enumeration items) - source NVD NIST
  • capec (Common Attack Pattern Enumeration and Classification) - source NVD NIST
  • ranking (ranking rules per group) - local cve-search
  • d2sec (Exploitation reference from D2 Elliot Web Exploitation Framework) - source d2sec.com
  • vFeed (cross-references to CVE ids (e.g. OVAL, OpenVAS, ...)) - source vFeed
  • ms - (Microsoft Bulletin (Security Vulnerabilities and Bulletin)) - source Microsoft
  • exploitdb (Offensive Security - Exploit Database) - source offensive security
  • info (metadata of each collection like last-modified) - local cve-search

The installation is straightforward and integrates perfectly with Kali (my preferred choice). Once the installation is done and the database populated, we can search for nice stuff. Here are some examples:

Searching details for a specific vulnerability:

$ ./search.py -c CVE-2014-0160

Searching details for a specific product:

$ search.py -p juniper

A full-text index can be generated and maintained to search for specific information across CVEs:

$ search_fulltext.py -q backdoor

Even if the primary usage is to have command line tools, cve-search comes with a web interface that can be run locally:

$ web/index.py
 * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
 * Restarting with stat


And an API is available to get JSON outputs:

$ curl http://127.0.0.1:5000/api/cve/CVE-2015-8446
{
  "Modified": "2015-12-10T01:00:11.573-05:00",
  "Published": "2015-12-10T01:00:10.387-05:00",
  "capec": [
    {
      "id": "24",
      "name": "Filter Failure through Buffer Overflow",
      "prerequisites": [
        "Ability to control the length of data passed to an active filter."
      ],
      "related_weakness": [
        "120",
        "119",
        "118",
        "74",
        "20",
        "680",
        "733",
        "697"
      ],
      "solutions": [
<snip>
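The "CVE-yyyy-nnnn" format described at the start of this diary and the JSON returned by the /api/cve endpoint above can be combined into a small client that validates an identifier before it is placed in a request and then pulls the CAPEC and CWE cross-references out of the answer. The following is an added example written for this diary, not code from the cve-search project: it assumes a local web/index.py instance listening on 127.0.0.1:5000 and only the field names visible in the curl output above (Modified, Published, capec with id, name, prerequisites, related_weakness and solutions); the embedded sample response is constructed from that output so the parsing part runs offline.

```python
"""Query a local cve-search API for one CVE and summarise its CAPEC/CWE cross-references.

Added example for this diary, not part of cve-search itself. Assumes the
/api/cve/<id> endpoint of a local web/index.py instance and the field names
seen in the diary's sample output (Modified, Published, capec[]).
"""
import json
import re
import urllib.request

API_BASE = "http://127.0.0.1:5000"  # local web/index.py instance, as in the diary

# CVE-yyyy-nnnn: four-digit year, then at least four sequence digits
# (the sequence has had no upper length limit since 2014).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def normalise_cve_id(text):
    """Return a canonical upper-case CVE id, or raise ValueError.

    Validating the id before it is interpolated into a URL (or a database
    query) keeps stray characters from user input out of the request.
    """
    candidate = text.strip().upper()
    if not CVE_ID_RE.match(candidate):
        raise ValueError("not a CVE identifier: %r" % text)
    return candidate


def summarise(cve_id, record):
    """Pick the fields a triage note needs out of one /api/cve response."""
    capec_entries = record.get("capec", [])
    capec_ids = [entry["id"] for entry in capec_entries]
    # CWE ids are listed per CAPEC entry; merge them and sort numerically
    cwe_ids = sorted(
        {w for entry in capec_entries for w in entry.get("related_weakness", [])},
        key=int,
    )
    return {
        "cve": cve_id,
        "published": record.get("Published"),
        "modified": record.get("Modified"),
        "capec": capec_ids,
        "cwe": cwe_ids,
    }


def fetch_cve(cve_id, base=API_BASE, timeout=5):
    """Fetch one CVE from the local API (network call; not exercised offline)."""
    cve_id = normalise_cve_id(cve_id)
    url = "%s/api/cve/%s" % (base, cve_id)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return summarise(cve_id, json.load(resp))


# Constructed sample mirroring the diary's curl output, cut down to the fields used
SAMPLE_RESPONSE = json.loads("""
{
  "Modified": "2015-12-10T01:00:11.573-05:00",
  "Published": "2015-12-10T01:00:10.387-05:00",
  "capec": [
    {
      "id": "24",
      "name": "Filter Failure through Buffer Overflow",
      "prerequisites": ["Ability to control the length of data passed to an active filter."],
      "related_weakness": ["120", "119", "118", "74", "20", "680", "733", "697"],
      "solutions": []
    }
  ]
}
""")

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; use fetch_cve() against a live instance
    print(json.dumps(summarise("CVE-2015-8446", SAMPLE_RESPONSE), indent=2))
```

Running the file prints the summary for the constructed sample; against a live instance, `fetch_cve("cve-2015-8446")` normalises the id and performs the same extraction on the real response.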

Other communication channels are also available and perhaps more exotic: XMPP or IRC. The command dump_last.py can be used to generate an RSS feed:

$ ./dump_last.py -l 5 -o rss2

There are plenty of other options that could help you integrate CVE details with your applications or operational tasks. If you don't want to maintain your own copy of the database locally, the Luxembourg CERT (CIRCL) offers public access to the API.

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key
