All CVE Details at Your Fingertips - SANS Internet Storm Center

All CVE Details at Your Fingertips
CVE ("Common Vulnerabilities and Exposure") is a system developed to provide structured data for information security vulnerabilities. CVE numbers are everywhere and easy to find. When a security researcher finds a new vulnerability in a software or product, he can request a CVE number that will be assigned to his finding. The format is "CVE-yyyy-nnnn" where "yyyy" is the year of creation and "nnnn" is arbitrary digits. Note that the length is not restricted to 4 digits since 2014. Due to the growing amount of vulnerabilities, it is already possible to find 'CVE-yyyy-nnnnnn' if required for a specific year. There are many ways to search for CVE information online via websites like cvedetails.com. They propose search engines to browse CVE's based on vendors, period, severity, etc. Today, we are living in a connected world where information are accessed online but sometimes, it remains more convenient to have access to local information (stored on your computer). Having a local copy of the CVE database can be very helpful when: You're offline or in a restricted environment (ex: a classified network without access to the Net). You do not want to generate suspicious queries to public resources. You need the power of local tools to manipulate data. cve-search is a set of Python scripts that imports CVE and CPE ("Common Platform Enumeration") into a local database. If it started with CVE's, today, many other collections are supported and can be integrated together: cves (Common Vulnerabilities and Exposure items) - source NVD NIST cpe (Common Platform Enumeration items) - source NVD NIST vendor (Official Vendor Statements on CVE Vulnerabilities) - source NVD NIST cwe (Common Weakness Enumeration items) - source NVD NIST capec (Common Attack Pattern Enumeration and Classification) - source NVD NIST ranking (ranking rules per group) - local cve-search d2sec (Exploitation reference from D2 Elliot Web Exploitation Framework) - source d2sec.com vFeed (cross-references to CVE ids (e.g. OVAL, OpenVAS, ...)) - source vFeed ms - (Microsoft Bulletin (Security Vulnerabilities and Bulletin)) - source Microsoft exploitdb (Offensive Security - Exploit Database) - source offensive security info (metadata of each collection like last-modified) - local cve-search The installation is straight forward and integrates perfectly with Kali (my preferred choice). On the installation done and the database populated, we can search for nice stuff. Here are some examples: Searching details for a specific vulnerability: $ ./search.py -c CVE-2014-0160 Searching detail for a specific product: $ search.py -p juniper A full-text index can be generated and maintained to search for specific information across CVE's: $ search_fulltext.py -q backdoor Even if the primary usage is to have command line tools, cve-search comes with a web interface that can be run locally: $ web/index.py * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit) * Restarting with stat And an API is available to get JSON outputs: $ curl http://127.0.0.:5000/api/cve/CVE-2015-8446 { "Modified": "2015-12-10T01:00:11.573-05:00", "Published": "2015-12-10T01:00:10.387-05:00", "capec": [ { "id": "24", "name": "Filter Failure through Buffer Overflow", "prerequisites": [ "Ability to control the length of data passed to an active filter." ], "related_weakness": [ "120", "119", "118", "74", "20", "680", "733", "697" ], "solutions": [ <snip> Other communication channels are also available and maybe more exotic: XMPP or IRC. The command dump_last.py can be used to generate a RSS feed: $ ./dump_last -l 5 -o rss2 They are plenty of other options that could help you to integrate CVE details with your applications or operational tasks. If you don't want to maintain your own copy of the database locally, the Luxembourg CERT (CIRCL) offers a public access to the API. Xavier Mertens ISC Handler - Freelance Security Consultant PGP Key	Xme 484 Posts ISC Handler
Subscribe	Jan 30th 2016 3 years ago