vFeed


News

Published on September 22nd, 2013 | by NJ Ouchn

0

vFeed Open Source Aggregated Vulnerability Database v0.4.5 released (support of CWE 2.5, OWASP Top 2013 & Snort rules)

Finally, I forced myself to stay focused a bit and find a little time to review the vFeed roadmap. Indeed, it’s a long and rowdy road before achieving my goal that I reserve for vFeed. But that’s another story.

For now, I have finally found a few hours to stick my ass behind my screens. And I come up with this new release v0.4.5

CWE v2.5 and OWASP Top 2013

When OWASP Top 2013 list got announced, I had to integrate it with vFeed v0.4. But as I always say “Do not reinvent the wheel”. Fortunately the awesome folks from Mitre have already anticipated this by including it with the newest CWE v2.5 (see here the major changes since 2.4 >> http://cwe.mitre.org/data/reports/diff_reports/v2.4_v2.5.html)

One of the major update is the addition of the OWASP Top 2013 list and CWE-919: Weaknesses in Mobile Applications . It was then so easy to integrate it with vFeed 0.4.5. Here is an example (checking for CVE-2013-4004)

./vfeedcli.py get_category CVE-2013-4004
[category] : CWE-864 --> 2011 Top 25 - Insecure Interaction Between Components 
[category] : CWE-801 --> 2010 Top 25 - Insecure Interaction Between Components 
[category] : CWE-74 --> Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) 
[category] : CWE-725 --> OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws 
[category] : CWE-722 --> OWASP Top Ten 2004 Category A1 - Unvalidated Input 
[category] : CWE-494 --> Download of Code Without Integrity Check 
[category] : CWE-352 --> Cross-Site Request Forgery (CSRF) 
[category] : CWE-442 --> Web Problems 
[category] : CWE-20 --> Improper Input Validation 
[category] : CWE-712 --> OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS) 
[category] : CWE-751 --> 2009 Top 25 - Insecure Interaction Between Components 
[category] : CWE-811 --> OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS) 
[category] : CWE-896 --> SFP Cluster: Tainted Input 
[category] : CWE-931 --> OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS)

The get_risk() method has been also slightly modified to reflect the status of PCI Compliance. In fact, a nasty bug has been fixed to force PCI Compliance value to “Failed” when isTopAlert (as Top CWE 2011, OWASP 2010, OWASP 2013 etc ..) is set. And it makes sense. According to the PCI Security Standards, any vulnerability flagged as XSS, SQL should be reported with the “Failed” status.

./vfeedcli.py get_risk CVE-2013-4004
Severity: Low
Top vulnerablity: False
    [cvss_base]: 3.5
    [cvss_impact]: 2.9
    [cvss_exploit]: 6.8
PCI compliance: Failed
is Top alert: 2011 Top 25 - Insecure Interaction Between Components | OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS) | OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS)

Note also a minor update of get_risk() method. Now, the CVSS scores are displayed to clarify the ambiguity about the flag “TopVulnerability”  which means. When all CVSS scores are set to 10, then the Vulnerability should be highly considered in the patch management.

Top vulnerablity: True
    [cvss_base]: 10.0
    [cvss_impact]: 10.0
    [cvss_exploit]: 10.0

get_risk() comes with 4 flags : Severity, isTopVulnerability, PCIcompliance and isTopAlert. For the next version, i should add many more cool flags like mapping with standards (NERC, NIST, etc).

Snort rules and introduction of  new vFeed XML format attribute <Defense>

The  XML export (using method export() ) is the flagship of the vFeed. It is a very easy to interpret syntax and to consume. Here are the main attributes

  • The Entry ID: with CVE id, vFeed id, description, issue date and link to the original identifier.
  • The Vulnerability References: References related to the CVE
  • Vulnerable Targets: Listing of CPE (Common Platform Enumeration)
  • Risk Scoring Evaluation: The security status (high, moderate or low), CVSS (base, exploit, impact), Top Vulnerable (True : if CVSS(base, exploit, impact) eq 10 | False : either), PCI Compliance (Passed/Failed)
  • Patch Management: Patch References IDs from Vendors
  • Attack and Weaknesses Categories: Listing of CWE (Common Weakness Enumeration)
  • Assessment and security Tests: Enumeration of all scripts that could be leveraged to check/test the vulnerability (OVAL ids, Nessus Scripts, Exploits (EDB, SaintCorpotation, Metasploit) ….)

For this release, a new attribute section has been introduced :

  • Defense: Enumeration of all defense rules to help leverage the appropriate detection solution.

With this comes the integration of Snort Community Rules. A new method has been added : get_snort()

Here is a CVE-2008-0655 snort extract.

./vfeedcli.py get_snort CVE-2008-0655
[snort_id]: sid:21438
[snort_signature]: EXPLOIT-KIT Blackhole exploit kit JavaScript carat string splitting with hostile applet
[snort_classtype]: trojan-activity
[snort_id]: sid:21492
[snort_signature]: EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch
[snort_classtype]: attempted-user
[snort_id]: sid:21646
[snort_signature]: EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch
[snort_classtype]: attempted-user
[snort_id]: sid:27040
[snort_signature]: EXPLOIT-KIT Styx exploit kit plugin detection connection jorg
[snort_classtype]: trojan-activity
[snort_id]: sid:27041
[snort_signature]: EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp
[snort_classtype]: trojan-activity
[snort_id]: sid:27042
[snort_signature]: EXPLOIT-KIT Styx exploit kit plugin detection connection jovf
[snort_classtype]: trojan-activity

The get_snort() method returns : the Snort SID, the attack signature and the classtype. This could only help a security administrator to tune its IDS/IPS for better detecting the vulnerability. You can also rely on Snort SID for research and exploit development.

When leveraging the export() method, here is the output

./vfeedcli.py export CVE-2008-0655
[info] vFeed xml file CVE_2008_0655.xml exported for CVE-2008-0655
CUT -------
    <!--#####################################-->
    <!--Defense and IDS rules. The IDs and source could be leveraged to deploy effective rules-->
    <defense>
      <rule classtype="trojan-activity" id="sid:21438" signature="EXPLOIT-KIT Blackhole exploit kit JavaScript carat string splitting with hostile applet" type="Defense" utility="Snort"/>
      <rule classtype="attempted-user" id="sid:21492" signature="EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch" type="Defense" utility="Snort"/>
      <rule classtype="attempted-user" id="sid:21646" signature="EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch" type="Defense" utility="Snort"/>
      <rule classtype="trojan-activity" id="sid:27040" signature="EXPLOIT-KIT Styx exploit kit plugin detection connection jorg" type="Defense" utility="Snort"/>
      <rule classtype="trojan-activity" id="sid:27041" signature="EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp" type="Defense" utility="Snort"/>
      <rule classtype="trojan-activity" id="sid:27042" signature="EXPLOIT-KIT Styx exploit kit plugin detection connection jovf" type="Defense" utility="Snort"/>
    </defense>
  </entry>
</vFeed>

The more information you have about a CVE, the more your understanding is better and reporting is accurate. And this is what vFeed concept is all about.

Major Microsoft Bulletins & KB mapping update

vFeed is now relying on full downloadable Microsoft source to update its database. A major upgrade has been done (specially Microsoft KB ids). Here are as per today the stats:

  • Microsoft KB in vfeed.db : 2173  (208 in last vfeed.db version)
  • Microsoft Bulletins in vfeed.db : 1129 (1103 in last vfeed.db version)

vfeed.db updated

To reflect the changes, the vfeed.db has been updated with the latest information from CVE, CWE, CPE, CVSS, Snort, Metasploit etc etc and the whole stuff you already know about.

Just execute the script vfeed_update.py to get a fresh copy.

 

Tags: , , , , , , , , , , , , ,


About the Author

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"



Back to Top ↑