OSS CVE Trends (slide transcript)
2
Who am I?
- Security Researcher/Engineer (17 years)
- SELinux/MAC Evangelist (13 years)
- Antivirus Engineer (3 years)
- SIEM Engineer (3 years)
- Linux Engineer (17 years)
- Member of Secure OSS-Sig
4
Agenda
1. What is CVE? CPE? CWE?
2. CVE Trends (OSS, and so on)
3. How you can get CVE information quickly?
8
After 9.11…
FISMA (Dec 2002) (Federal Information Security Management Act)
NIST (National Institute of Standards and Technology)
- FIPS (Federal Information Processing Standards)
- SP 800 Series (e.g. SP 800-63A (Identity Proofing & Enrollment)) …
9
After 9.11…
Many types of security measurements, tests, configs, ...
“Annual” report to OMB!! (Office of Management and Budget)
10
SCAP(Security Content Automation Protocol)
Objective: automation for
- Vulnerability management
- Vulnerability measurement
- Policy compliance evaluation
NIST designed SCAP
11
SCAP Components…
Enumerations:
- Common Vulnerabilities and Exposures (CVE)
- Common Configuration Enumeration (CCE)
- Common Platform Enumeration (CPE)
- Common Weakness Enumeration (CWE)
Scoring:
- Common Vulnerability Scoring System (CVSS)
Languages:
- Extensible Configuration Checklist Description Format (XCCDF)
- Open Vulnerability and Assessment Language (OVAL)
- and so on….
12
CVE: Common Vulnerabilities and Exposures
CVE ID | Summary
- CVE-2017-5638 | The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.
- CVE-2017-6074 | The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.
13
CPE: Common Platform Enumeration
CPE name | title | href
- cpe:/o:novell:leap:42.0 | Novell Leap 42.0 | https://en.opensuse.org/openSUSE:Leap
- cpe:/o:redhat:enterprise_linux:7.1 | Red Hat Enterprise Linux 7.1 | http://www.redhat.com/en/resources/whats-new-red-hat-enterprise-linux-71
- cpe:/a:isc:bind:9.8 | bind 9.8 | https://www.isc.org/downloads/bind/
14
CPE: Common Platform Enumeration
[omok@localhost ]$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
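Added example, not the presenter's code: the CPE_NAME in /etc/os-release is the host's CPE 2.2 URI, and a CVE's affected-product list is a set of CPE names like those in the CPE table on the earlier slide. This script parses both and reports which affected entries cover the host, treating trailing components omitted from an affected entry (e.g. no version) as "any value". The os-release text and the affected list are constructed samples.

```python
# Added example, not the presenter's code: match the CPE_NAME from /etc/os-release
# against the CPE 2.2 names a CVE entry lists as affected.
import shlex
# Constructed sample: the CentOS 7 os-release shown on the slide, one key per line.
OS_RELEASE_SAMPLE = '''NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
VERSION_ID="7"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
'''
# CPE 2.2 URI layout: cpe:/part:vendor:product:version:update:edition:language
CPE22_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

def parse_os_release(text):
    """Parse os-release KEY=VALUE lines into a dict; values may be shell-quoted."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = "".join(shlex.split(value))
    return out

def parse_cpe22(uri):
    """Split a CPE 2.2 URI; omitted trailing components become '' (any value)."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    comps = uri[len("cpe:/"):].split(":")
    if len(comps) > len(CPE22_FIELDS):
        raise ValueError("too many components in %r" % uri)
    comps += [""] * (len(CPE22_FIELDS) - len(comps))
    return dict(zip(CPE22_FIELDS, (c.lower() for c in comps)))

def cpe_matches(host_cpe, affected_cpe):
    """True when every component the affected entry specifies equals the host's.
    '' in the affected entry is a wildcard; '' on the host side is not."""
    host, affected = parse_cpe22(host_cpe), parse_cpe22(affected_cpe)
    return all(affected[f] in ("", host[f]) for f in CPE22_FIELDS)

def affected_entries(os_release_text, affected_cpes):
    """Return the affected CPE entries that cover the host described by os-release."""
    host_cpe = parse_os_release(os_release_text).get("CPE_NAME", "")
    if not host_cpe:
        return []  # no CPE_NAME on this host: report nothing rather than guess
    return [c for c in affected_cpes if cpe_matches(host_cpe, c)]

if __name__ == "__main__":  # constructed affected list, not from a real CVE entry
    print(affected_entries(OS_RELEASE_SAMPLE, ["cpe:/o:centos:centos:6",
          "cpe:/o:centos:centos:7", "cpe:/o:redhat:enterprise_linux:7.1"]))
```

Note that a host without CPE_NAME yields no match at all, so such hosts need a different inventory source rather than being silently treated as unaffected.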
16
CWE: Common Weakness Enumeration
CVE ID | CWE-ID | Description
- CVE-2017-5638 (Struts2) | CWE-20 | Improper Input Validation
- CVE-2016-6662 (MySQL) | CWE-264 | Permissions, Privileges, and Access Controls
- CVE-2014-0160 (Heart Bleed) | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer
20
10 years CVE Statistics (no HW/Firmware)
[Chart: monthly CVE counts from 01/01/07 to 01/01/17, y-axis 0 to 1800, with Heart Bleed annotated]
22
App CVE Statistics (5 years)
[Chart: monthly CVE counts from 2012/04 to 2017/04, y-axis 0 to 1400; series: Apps, OSS, Mobile; Heart Bleed annotated]
24
OSS CVE Statistics with CWE (5 years)
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[Chart: CWE-89(app) and CWE-94(app), 12/04/01 to 17/04/01, y-axis 0 to 50]
[Chart: CWE-79(app), 12/04/01 to 17/04/01, y-axis 0 to 160]
25
OSS CVE Statistics with CWE (5 years)
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
[Chart: CWE-119 (Apps), 12/04/01 to 17/04/01, y-axis 0 to 140]
[Chart: CWE-119 (OS), 12/04/01 to 17/04/01, y-axis 0 to 60]
26
OSS CVE Statistics with CWE (5 years)
- CWE-125: Out-of-bounds Read
- CWE-190: Integer Overflow or Wraparound
[Chart: CWE-125(App) and CWE-190(App), 12/04/01 to 17/04/01, y-axis 0 to 60]
[Chart: CWE-125(OS) and CWE-190(OS), 12/04/01 to 17/04/01, y-axis 0 to 12]
27
OSS CVE Statistics with CWE (5 years)
- CWE-284: Improper Access Control
- CWE-287: Improper Authentication
[Chart: CWE-287(app) and CWE-284(app), 12/04/01 to 17/04/01, y-axis 0 to 35]
[Chart: CWE-287(OS) and CWE-284(OS), 12/04/01 to 17/04/01, y-axis 0 to 20]
28
OSS CVE Statistics with CWE (5 years)
- CWE-416: Use After Free
[Chart: CWE-416(app), 12/04/01 to 17/04/01, y-axis 0 to 25]
[Chart: CWE-416(OS), 12/04/01 to 17/04/01, y-axis 0 to 8]
29
Tools for automatic fuzzing…
- American Fuzzy Lop: http://lcamtuf.coredump.cx/afl (famous for finding ShellShock, since 2014)
- OSS-Fuzz: https://github.com/google/oss-fuzz (open source since 2016/12)
30
OSS CVE Statistics with CWE (5 years)
- CWE-125: Out-of-bounds Read
- CWE-190: Integer Overflow or Wraparound
[Chart: CWE-125(App) and CWE-190(App), 12/04/01 to 17/04/01, y-axis 0 to 60]
[Chart: CWE-125(OS) and CWE-190(OS), 12/04/01 to 17/04/01, y-axis 0 to 12]
Annotation on the charts: Google OSS Fuzz
32
HeartBleed (2014/04/07)
[Chart: CWE-310(app), 12/01/01 to 17/01/01, y-axis 0 to 800]
[Chart: CWE-310(OS), 12/01/01 to 17/01/01, y-axis 0 to 800]
Annotation on the charts: Heart Bleed
33
Wordpress
[Chart: Wordpress CVE counts per month, 2012/03 to 2017/03, y-axis 0 to 100]
34
Wordpress vs other CMS
[Chart: monthly CVE counts, 2012/03 to 2017/03, y-axis 0 to 100; series: Wordpress, Drupal, Other CMS]
35
Struts
[Chart: Struts CVEs per month, 2012/04 to 2017/04, y-axis 0 to 9]
38
Is it valuable to get CVE info quickly?
If you know about a CVE earlier, you can:
- Read the information (Do you need it or not?)
- Prepare for the update (schedule, etc.)
- Test the update
...etc.
42
How can you get CVE info quickly?
Before 02/09/2017: OSS-Security ML
Send vulnerability details to the list, then a CVE would be assigned by MITRE.
Merit for users:
1. During CVE assignment, there was time to confirm/reproduce.
2. Detailed information about the vulnerability.
44
How you can get CVE info quickly.
So now we get only a little info from the oss-security ML.
What is the alternative way?
50
Alternative
5. Check typical OSS websites.
http://tomcat.apache.org/security-9.html
https://www.postgresql.org/support/security/
51
Alternative
5. Check typical OSS websites.
https://www.oracle.com/technetwork/topics/security/alerts-086861.html
54
By the way… each distro's speciality (in my personal experience)
Openness of vulnerability info to the public: Debian >> RedHat, SuSE > Ubuntu
Quality of vulnerability info: RedHat > SuSE >= Debian, Ubuntu
PoC info… :-) SuSE >= RedHat >> Debian, Ubuntu
56
How you can get “PoC” info.
https://community.rapid7.com/community/metasploit/content?filterID=contentstatus[published]~objecttype~objecttype[thread]
60
Conclusion
1. OSS CVEs are growing → This does not mean “OSS is insecure”!!
→ Security researchers are brushing up their skills.
2. Google's fuzzing application is helping to find new vulnerabilities.
3. After a CVE is public, attacks will increase. Also, after a famous attack, public CVEs will increase.
4. You can get CVE or vulnerability info quickly.