I am talking about the problems related to vulnerabilities: incorrect vulnerability descriptions in Vulnerability Databases, incomplete Knowledge Bases of Vulnerability Scanners, imperfect detection methods, and the gap between the ideal and the real-life Vulnerability Management process.
3. Problems
Poorly described vulnerabilities in Vulnerability Databases
Incomplete Knowledge Bases of Vulnerability Scanners
Imperfections in Vulnerability Detection mechanisms
Declared and real-life Vulnerability Management processes
4. Public Vulnerability Databases
Individual Vulnerabilities (CVE): each vulnerability in each product; one vulnerability - one ID.
Security Bulletins (RHSA, DSA): vulnerabilities in some products, or in the vendor's own products; there may be entities like "multiple vulnerabilities in product N", usually fixed by a single patch.
5. Commercial Vulnerability Scanners and Aggregators
Public Vulnerability Databases they build on:
Individual Vulnerabilities, government-run: BDU FSTEC, JVN
Security Bulletins: Microsoft KB, USN, CESA, RHSA, DSA, MFSA
For distribution bulletins such as DSA, USN, RHSA and CESA: all software in the repository is covered, and the detection rules are open and formalized.
6. Databases of Individual Vulnerabilities
What gets an entry lies on a spectrum: Bug - Feature - Vulnerability.
Coverage ranges from full coverage (everything, including trash) to incomplete coverage (only critical issues).
7. Everything is linked by CVE
The CVE id links: CVSS and CPE, the vendor's bug and advisory, Exploit DBs, media, CERTs, the remediation strategy, …
8. How to evaluate criticality?
CVSS (Common Vulnerability Scoring System)
CWE (Common Weakness Enumeration)
Textual description of the vulnerability
Links to exploits
Links to malicious software
Exploitability flags in Vulnerability Scan reports
14. CWE is used in a strange way
Most frequent CWEs in NVD (CWE, name, number of entries):
CWE-119  Buffer Errors  9516
CWE-79   Cross-Site Scripting (XSS)  7920
CWE-264  Permissions, Privileges, and Access Control  6021
CWE-20   Input Validation  4896
CWE-89   SQL Injection  4552
CWE-200  Information Leak / Disclosure  4196
15. CWE is used in a strange way
It is better to analyze the description.
17. CPE statistics. What does it show? Anything?
Top 20 Products By Total Number Of Vulnerabilities in NVD. Does it show:
• Poorly written software?
• Popular products that are more often analyzed?
• Products of some responsible vendor who lists all vulnerabilities publicly?
…
18. CPE statistics. What does it show? Anything?
Top 20 Vendors By Total Number Of Vulnerabilities in NVD. Does it show:
• Poorly written software?
• Popular products that are more often analyzed?
• Products of some responsible vendor who lists all vulnerabilities publicly?
…
19. Information about the vulnerability comes from the vendor
https://securityadvisories.paloaltonetworks.com/Home/Detail/94
https://bdu.fstec.ru/vul/2017-02120
20. Information about the vulnerability comes from the vendor
https://securityadvisories.paloaltonetworks.com/Home/Detail/91
https://bdu.fstec.ru/vul/2017-02237
21. Certificate cancellation
Information Security Threats Data Bank (Банк данных угроз безопасности информации)
https://fstec.ru/en/napisat-razrabotchiku/64-normotvorcheskaya/informatsionnye-i-analiticheskie-materialy/1516-informatsionnoe-soobshchenie-fstek-rossii-ot-1-fevralya-2018-g-n-240-24-554
…
22. Certificate cancellation
"The 2012 certificates mentioned expire in April 2018. They are so old that they apply to devices that are no longer even produced: the 2000 and 4000 series, and the operating system version is by now far from 4.0, it is 8.0."
"To renew these certificates the source code would have to be shown again, and doing that for certificates that expire in 2 months is inefficient. So the Palo Alto Networks office is concentrating on obtaining new certificates for the new devices and the new operating system."
https://www.securitylab.ru/blog/personal/Morning/343440.php#
23. From Vulnerability Database to Vulnerability Scanner
Vulnerability Base (advisories, exploits, metrics) + Detection Rules & Plugins + Transports = Vulnerability Scanner.
The Vulnerability Base is assembled by parsers from everything the CVE id links together: CVSS and CPE, the vendor's bug and advisory, Exploit DBs, media, CERTs, the remediation strategy, …
25. Vulnerability Detection
Version-based, without authorization (service banners):
Asset (data gathering): Hostname / IP
Service (data gathering): cpe:/a:drupal:drupal:7.32
Vulnerability (assessment): CVE-2018-7600
Backported patches =(
26. Vulnerability Detection
Version-based, with authorization (packages, registry, files):
Asset (data gathering): Hostname / IP
Service (data gathering): Drupal7-7.32-1+deb8u10
Vulnerability (assessment): DSA-4156, CVE-2018-7600
Need credentials or an agent =(
You need to trust the scanner =(
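Slides 25 and 26 show why the same Drupal install is judged differently by the two version-based methods: a banner only exposes the upstream number 7.32, while the package version 7.32-1+deb8u10 carries the Debian revision that backported fixes live in. The following is an added example, not code from the slides, that implements dpkg's version-comparison rules in Python and runs both checks. Drupal 7.58 as the upstream fix for CVE-2018-7600 comes from the Drupal advisory for that bug; the Debian jessie fixed version 7.32-1+deb8u11 is an assumption for this example and should be confirmed against DSA-4156 before reuse.

```python
import re


def _order(c: str) -> int:
    """dpkg ordering for non-digit characters: '~' sorts before end-of-string,
    letters sort by code point, every other character sorts after letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream_version or debian_revision fragment dpkg-style:
    alternate between lexical non-digit runs and numeric digit runs."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group()
        nb = re.match(r"[^0-9]*", b).group()
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i]) if i < len(na) else 0   # 0 = end of run
            ob = _order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        va, vb = int(da or "0"), int(db or "0")
        if va != vb:
            return -1 if va < vb else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def split_version(v: str):
    """Split [epoch:]upstream[-revision]; the revision is after the LAST '-'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def dpkg_compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_fragment(ua, ub)
    return r if r else _cmp_fragment(ra, rb)


# Constructed fix data for CVE-2018-7600 (see the lead-in for provenance).
UPSTREAM_FIXED = "7.58"
DEBIAN_FIXED = {"drupal7": "7.32-1+deb8u11"}   # assumption: verify against DSA-4156


def banner_says_vulnerable(banner_version: str) -> bool:
    """Unauthenticated check: only the upstream number from the banner/CPE."""
    return dpkg_compare(banner_version, UPSTREAM_FIXED) < 0


def package_says_vulnerable(package: str, installed: str) -> bool:
    """Authenticated check: installed package version vs the distro's fixed version."""
    return dpkg_compare(installed, DEBIAN_FIXED[package]) < 0


if __name__ == "__main__":
    for pkg_version in ("7.32-1+deb8u10", "7.32-1+deb8u11"):
        upstream = split_version(pkg_version)[1]
        print(pkg_version, "banner:", banner_says_vulnerable(upstream),
              "package:", package_says_vulnerable("drupal7", pkg_version))
```

The host running 7.32-1+deb8u11 is the backported-patch case: the banner check still reports it vulnerable, the package check does not, and only the second answer is correct.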
27. Something is already working
Search queries inspired by Splunk (or Bash):
asset_id == 'asset_98UNJ4K' | type == 'vulnerability' | bulletinFamily == 'NVD'
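The query language on this slide is the author's own; what follows is an added example, not the author's implementation, of the smallest evaluator that handles that line. It assumes Splunk's reading of the pipe, where each stage filters the output of the previous one (so the stages combine as AND), assumes `==` and `!=` as the only operators, and runs over a constructed set of records whose fields are modelled on the query (the asset ids, bulletin ids and exploit id are made up).

```python
import re
from typing import Callable, Dict, List

Record = Dict[str, str]
Predicate = Callable[[Record], bool]

# one pipe stage:  field == 'value'  or  field != 'value'
CLAUSE_RE = re.compile(r"^\s*(\w+)\s*(==|!=)\s*'([^']*)'\s*$")


def parse_query(query: str) -> List[Predicate]:
    """Turn a pipe-separated query into one predicate per stage.
    Pipe is read as in Splunk: each stage filters the previous stage's
    output, so the stages are ANDed (an assumption about the deck's syntax)."""
    predicates: List[Predicate] = []
    for stage in query.split("|"):
        m = CLAUSE_RE.match(stage)
        if not m:
            raise ValueError(f"cannot parse stage: {stage!r}")
        field, op, value = m.groups()
        # default arguments bind the current field/value into the lambda
        if op == "==":
            predicates.append(lambda r, f=field, v=value: str(r.get(f, "")) == v)
        else:
            predicates.append(lambda r, f=field, v=value: str(r.get(f, "")) != v)
    return predicates


def run_query(query: str, records: List[Record]) -> List[Record]:
    """Apply every stage to every record; a record survives only if all stages pass."""
    predicates = parse_query(query)
    return [r for r in records if all(p(r) for p in predicates)]


# Constructed sample data, shaped after the fields in the slide's query.
RECORDS: List[Record] = [
    {"asset_id": "asset_98UNJ4K", "type": "vulnerability", "bulletinFamily": "NVD",
     "id": "CVE-2018-7600"},
    {"asset_id": "asset_98UNJ4K", "type": "vulnerability", "bulletinFamily": "debian",
     "id": "DSA-4156"},
    {"asset_id": "asset_98UNJ4K", "type": "exploit", "bulletinFamily": "exploit",
     "id": "EXP-0001"},
    {"asset_id": "asset_11ABCDE", "type": "vulnerability", "bulletinFamily": "NVD",
     "id": "CVE-2017-5754"},
]


def query_ids(query: str) -> List[str]:
    """Convenience wrapper: the ids of the records a query returns."""
    return [r["id"] for r in run_query(query, RECORDS)]


if __name__ == "__main__":
    q = "asset_id == 'asset_98UNJ4K' | type == 'vulnerability' | bulletinFamily == 'NVD'"
    print(query_ids(q))
```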
28. Vulnerability Detection
With an exploitation attempt:
It cannot be done for all vulnerabilities =(
It's hard to do =(
Potentially dangerous =(
29. Are all Vulnerability Scanners the same?
Knowledge Base of a Vulnerability Scanner =
A platforms (OSes)
x B software vendors making products for each platform
x C products made by each software vendor
x D vulnerabilities in each product
x E vulnerability detection methods (authenticated and unauthenticated)
35. Tragicomedy of Chip Apocalypse
January 09, 2018 Microsoft: Windows 7 blue screen after KB4056894
36. Tragicomedy of Chip Apocalypse
January 10, 2018 Ubuntu: kernel doesn't boot
37. Tragicomedy of Chip Apocalypse
January 23, 2018 Intel: don't use our patches
38. Tragicomedy of Chip Apocalypse. Stay tuned.
March 29, 2018 Microsoft: the patches created an even more critical vulnerability
Spectre: CVE-2017-5753, CVE-2017-5715 (Base Score: 7.3, 6.5*)
Meltdown: CVE-2017-5754 (Base Score: 5.6*)
Windows 7 or Server 2008 R2 + applied Microsoft's Meltdown patches => CVE-2018-1038 "Windows Kernel Elevation of Privilege Vulnerability" (Base Score: 7.8*)
* CVSS v.3 xforce.ibmcloud.com
…
39. Tragicomedy of Chip Apocalypse. Stay tuned.
April 05, 2018 Intel: we won't patch some of our older processors against Meltdown and Spectre
40. What should we do with all this?
Use multiple sources of data about Vulnerabilities, Exploits and Malware
Use multiple Vulnerability Scanners (and don't rely on them too much)
Use various methods of Vulnerability Detection
Develop your own tools