Cve trends 20170531

Post on 22-Jan-2018


Transcript of Cve trends 20170531

OSS CVE Trends

Kazuki Omo( 面 和毅 ): ka-omo@sios.com

SIOS Technology, Inc.


Objective

Out of scope:

- New security product info

- New security technology info

Share:

- Current vulnerability trends.

- How to get vulnerability info quickly (from public sources).

Who am I?

- Security Researcher/Engineer (17 years)

- SELinux/MAC Evangelist (13 years)

- Antivirus Engineer (3 years)

- SIEM Engineer (3 years)

- CISSP (#366942)

- 120 kg bench press max

- Member of Secure OSS-Sig

What is Secure OSS-Sig?

A Japanese community interested in OSS security "technology".

Agenda

1. What is CVE? CWE?

2. CVE Trends (OSS, etc.)

3. How to get Vulnerability information quickly?

1. What is CVE? CWE?


CVE: Common Vulnerabilities and Exposures

Short Story...


After 9/11…

FISMA (Federal Information Security Management Act), December 2002

NIST (National Institute of Standards and Technology)

- FIPS (Federal Information Processing Standards)

- SP 800 series (e.g. SP 800-63A, Identity Proofing & Enrollment) …

After 9/11…

Many types of security measures, tests, configurations…

- Managed through compliance.

- "Annual" report to OMB (Office of Management and Budget)!!

SCAP (Security Content Automation Protocol)

Objective: automate

- Vulnerability management

- Vulnerability measurement

- Policy compliance evaluation

SCAP was designed by NIST.

SCAP components…

Enumerations:

- Common Vulnerabilities and Exposures (CVE)

- Common Configuration Enumeration (CCE)

- Common Platform Enumeration (CPE)

- Common Weakness Enumeration (CWE)

Scoring:

- Common Vulnerability Scoring System (CVSS)

Languages:

- Extensible Configuration Checklist Description Format (XCCDF)

- Open Vulnerability and Assessment Language (OVAL)

and so on…

CVE: Common Vulnerabilities and Exposures

CVE ID | Summary

CVE-2017-5638 | The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.

CVE-2017-6074 | The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.


CWE: Common Weakness Enumeration

CVE ID | CWE ID | Description

CVE-2017-5638 (Struts2) | CWE-20 | Improper Input Validation

CVE-2016-6662 (MySQL) | CWE-264 | Permissions, Privileges, and Access Controls

CVE-2014-0160 (Heartbleed) | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer

2. CVE Status (Total)

10 years CVE Statistics (no HW/Firmware)

[Figure: monthly CVE count, 01/01/07 to 01/01/17, y-axis 0 to 1800; Heart Bleed marked.]

OS CVE Statistics (5 years)

[Figure: monthly CVE count, y-axis 0 to 400; series: OS, OSS, mobile; Heart Bleed marked.]

App CVE Statistics (5 years)

[Figure: monthly CVE count, 2012/04 to 2017/04, y-axis 0 to 1400; series: Apps, OSS, Mobile; Heart Bleed marked.]

From these graphs

1. CVE counts are growing gently (HeartBleed is a special case).

2. After 2016, they are growing rapidly.

2. OSS CVE Status (CWEs)

OSS CVE Statistics with CWE (5 years)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-79: Improper Neutralization of Input During Web Page Generation ('XSS')

[Figure: monthly counts, 12/04/01 to 17/04/01; CWE-89(app) and CWE-94(app) on a 0 to 50 axis; CWE-79(app) on a 0 to 160 axis.]

OSS CVE Statistics with CWE (5 years)

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

[Figure: monthly count of CWE-119, 12/04/01 to 17/04/01, y-axis 0 to 160.]

OSS CVE Statistics with CWE (5 years)

CWE-125: Out-of-bounds Read

CWE-190: Integer Overflow or Wraparound

[Figure: monthly counts of CWE-125 and CWE-190, 12/04/01 to 17/04/01, y-axis 0 to 70.]

OSS CVE Statistics with CWE (5 years)

CWE-416: Use After Free

[Figure: monthly count of CWE-416, 12/04/01 to 17/04/01, y-axis 0 to 25.]

Tools for automatic fuzzing…

- American Fuzzy Lop: http://lcamtuf.coredump.cx/afl

  Well known since ShellShock (2014)

- OSS-Fuzz: https://github.com/google/oss-fuzz

  Open source since 2016/12

  Finds: heap/global/stack buffer overflows, use-after-frees, out-of-bounds accesses

OSS CVE Statistics with CWE (5 years)

CWE-416: Use After Free

[Figure: the same monthly CWE-416 chart (12/04/01 to 17/04/01, y-axis 0 to 25), annotated "Google OSS Fuzz" and "Firefox, Chrome".]

OSS CVE Statistics with CWE (5 years)

CWE-125: Out-of-bounds Read

CWE-190: Integer Overflow or Wraparound

[Figure: the same monthly CWE-125 and CWE-190 chart (12/04/01 to 17/04/01, y-axis 0 to 70), annotated "Google OSS Fuzz" and "Firefox, Chrome".]

From these graphs

1. OSS CVE counts are growing

→ Security researchers are brushing OSS up (finding and reporting its bugs).

→ Google "OSS-Fuzz"

2. OSS CVE Status (Typical Case)

HeartBleed (2014/04/07)

[Figure: monthly counts of CWE-310 (Cryptographic Issues), app and OS, 12/01/01 to 17/01/01, y-axis 0 to 800; Heart Bleed marked.]

Wordpress

[Figure: monthly Wordpress CVE count, 2012/03 to 2017/03, y-axis 0 to 100.]

From these graphs

Big incident

→ Related CVEs increase (a few months later)

High Priority CVE Publish → Attack

[Figure: attack volume (normalized, 0 to 1) per month, 2014/01 to 2017/04, annotated with CVE publish date → attack:]

CVE | Publish → Attack

Heart Bleed, CVE-2014-0160 | 4/7/2014 → 4/9/2014

ShellShock, CVE-2014-6271 | 9/24/2014 → 9/25/2014

Struts2, CVE-2016-3081 | 4/21/2016 → 4/27/2016

Struts2, CVE-2017-5638 | 3/6/2017 → 3/7/2017

From these graphs

High-severity CVE published → attacks increase (quickly)

So it's better to get vulnerability info quickly!!

From these graphs

Distros/projects get the info before it is public.

So we should get vulnerability info quickly (as soon as it is public)!!

3. How can you get CVE info quickly?

Is it valuable to get vulnerability info quickly?

Yes!!

(Example: CVE list as of 2017/03/17)

Is it valuable to get vulnerability info quickly?

If you know about a vulnerability earlier, you can:

- Read/understand the information (do you need to fix it or not?)

- Prepare for attacks (FW config, etc.)

- Prepare for the update (schedule, etc.)

- Test the update

…etc.
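The Struts2 summary on the CVE slide says the attack arrives in a crafted Content-Type header carrying a "#cmd=" string. As an added example of "Prepare for attacks (FW config, etc.)", and not code from the slides, from Apache, or from any WAF product, here is a screening function that a reverse-proxy or WAF rule could call before the request reaches the application: it allow-lists Content-Type values that are syntactically valid media types (the RFC 7230/7231 token and quoted-string grammar), caps the length, and keeps the CVE summary's "#cmd=" indicator as a second, signature-style layer. The request lines are constructed samples, not captured traffic.

```python
"""Screen the Content-Type request header before it reaches the application:
allow-list the RFC 7231 media-type grammar, cap the length, and keep the
indicator named in the CVE-2017-5638 summary as a signature layer."""
import re

# RFC 7230 token characters; note that '#' and '%' are legal here, so the
# signature layer still matters for values that are otherwise well-formed tokens.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = TCHAR + "+"
# RFC 7230 quoted-string: qdtext or backslash-escaped pairs between double quotes.
QUOTED = r'"(?:[\t \x21\x23-\x5b\x5d-\x7e]|\\[\t \x21-\x7e])*"'
# media-type = type "/" subtype *( OWS ";" OWS parameter )
# parameter  = token "=" ( token / quoted-string )
MEDIA_TYPE = re.compile(rf"^{TOKEN}/{TOKEN}(?:[ \t]*;[ \t]*{TOKEN}=(?:{TOKEN}|{QUOTED}))*[ \t]*$")

# Indicator quoted in the CVE-2017-5638 summary ("a #cmd= string in a crafted Content-Type header").
KNOWN_BAD = ("#cmd=",)

def screen_content_type(value, max_len=256):
    """Return (accept, reason). A False result means reject (or at least log) the request."""
    if value is None:
        return True, "absent"                       # a GET without a body is normal
    if len(value) > max_len:
        return False, "too long"                    # no legitimate media type needs more
    lowered = value.lower()
    for sig in KNOWN_BAD:
        if sig in lowered:
            return False, f"signature {sig!r}"
    if not MEDIA_TYPE.match(value):
        return False, "not a valid media-type"      # braces, parens, '=' outside a parameter, ...
    return True, "ok"

# Constructed sample request lines (method, path, Content-Type); not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", "/upload.action", "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"),
    ("POST", "/login.action", "application/x-www-form-urlencoded"),
    ("GET", "/index.action", None),
    ("POST", "/upload.action", "(#cmd=...)"),                               # only the CVE's indicator, payload elided
    ("POST", "/upload.action", 'multipart/form-data; boundary="x"; junk'),  # parameter without '='
]

def screen_requests(requests):
    """Run the screen over request tuples; return (method, path, reason) for each rejected one."""
    rejected = []
    for method, path, ctype in requests:
        accept, reason = screen_content_type(ctype)
        if not accept:
            rejected.append((method, path, reason))
    return rejected

if __name__ == "__main__":
    for hit in screen_requests(SAMPLE_REQUESTS):
        print("REJECT", *hit)
```

The grammar check is the layer that survives payload obfuscation, since a valid media type has no room for braces or parentheses outside a quoted-string parameter; a quoted boundary can still carry arbitrary text, which is why the length cap and the signature layer stay in. None of this replaces the update; it only buys the preparation time the slides talk about.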


CVE Request (Previous)

Before 02/09/2017: OSS-Security ML

Send the vulnerability details to the list, then MITRE assigns the CVE.

Merit for users:

1. While the CVE was being assigned, there was time to confirm/reproduce.

2. Detailed information about the vulnerability was available.

Current CVE Request

Use the web form for CVE requests.

How you can get CVE info quickly.

So now we get only a little info from the oss-security ML.

What is the alternative?

MITRE official

1. Daily CVE changelog

2. Twitter (almost real time)

OSS (cve-search)

3. Create an internal CVE database for searching
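As an added example of the "internal CVE database" idea (not cve-search's code, and not from the slides), the Python below builds a small SQLite index from a feed shaped like NVD's JSON 1.1 CVE_Items records and answers the two questions the earlier slides ask: which CWE each CVE maps to (the CVE → CWE table on the CWE slide) and how many CVEs per CWE appear each month (the "OSS CVE Statistics with CWE" charts). The four records are constructed samples: the CVE and CWE pairs are the ones on the slides, but the publishedDate and CVSS values are illustrative, not NVD's, and CVE-2017-6074 is written as a freshly published entry with no CWE or score yet, to show how such rows are handled.

```python
"""Tiny local CVE index: load NVD-1.1-style feed items into SQLite, then answer
CWE-trend and keyword queries offline (what cve-search does at full scale)."""
import json
import sqlite3

# Constructed sample in the shape of the NVD JSON 1.1 feed ("CVE_Items" list).
# CVE/CWE pairs are the ones on the slides; dates and CVSS scores are illustrative
# placeholders. CVE-2017-6074 is modelled as a brand-new entry: no CWE, no score.
SAMPLE_FEED = json.dumps({"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-2014-0160"},
             "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-119"}]}]},
             "description": {"description_data": [{"lang": "en", "value": "OpenSSL TLS heartbeat extension out-of-bounds read (Heartbleed)."}]}},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 7.5}}},
     "publishedDate": "2014-04-07T22:55Z"},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2016-6662"},
             "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-264"}]}]},
             "description": {"description_data": [{"lang": "en", "value": "MySQL configuration file handling allows privilege escalation."}]}},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.8}}},
     "publishedDate": "2016-09-20T10:59Z"},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2017-5638"},
             "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-20"}]}]},
             "description": {"description_data": [{"lang": "en", "value": "Apache Struts 2 Jakarta Multipart parser mishandles file upload; remote command execution via crafted Content-Type header."}]}},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 10.0}}},
     "publishedDate": "2017-03-10T15:59Z"},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2017-6074"},
             "problemtype": {"problemtype_data": [{"description": []}]},
             "description": {"description_data": [{"lang": "en", "value": "Linux kernel DCCP double free allows local privilege escalation."}]}},
     "impact": {},
     "publishedDate": "2017-02-18T06:59Z"},
]})

def cwe_ids(item):
    """All CWE ids attached to one feed item ([] when it has not been classified yet)."""
    out = []
    for pt in item.get("cve", {}).get("problemtype", {}).get("problemtype_data", []):
        for d in pt.get("description", []):
            if d.get("value", "").startswith("CWE-"):
                out.append(d["value"])
    return out

def parse_feed(text):
    """Flatten feed items to (cve_id, cwe_id, month, cvss, summary) rows, one row per CWE."""
    rows = []
    for item in json.loads(text)["CVE_Items"]:
        cve = item["cve"]
        cve_id = cve["CVE_data_meta"]["ID"]
        month = item["publishedDate"][:7]     # "YYYY-MM" bucket, like the slides' monthly charts
        score = item.get("impact", {}).get("baseMetricV3", {}).get("cvssV3", {}).get("baseScore")
        summary = next((d["value"] for d in cve["description"]["description_data"] if d.get("lang") == "en"), "")
        for cwe in cwe_ids(item) or [None]:   # keep unclassified CVEs, with a NULL CWE
            rows.append((cve_id, cwe, month, score, summary))
    return rows

def build_db(rows, path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS cve (cve_id TEXT, cwe_id TEXT, month TEXT, cvss REAL, summary TEXT)")
    conn.execute("CREATE INDEX IF NOT EXISTS cve_cwe_month ON cve (cwe_id, month)")
    conn.executemany("INSERT INTO cve VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn

def cwe_trend(conn, cwe_id):
    """Monthly CVE count for one CWE: the series the 'OSS CVE Statistics with CWE' slides plot."""
    cur = conn.execute("SELECT month, COUNT(DISTINCT cve_id) FROM cve WHERE cwe_id = ? GROUP BY month ORDER BY month", (cwe_id,))
    return dict(cur.fetchall())

def search(conn, keyword):
    """Keyword search over summaries (what you run when a product name hits the news)."""
    cur = conn.execute("SELECT DISTINCT cve_id FROM cve WHERE summary LIKE ? ORDER BY cve_id", (f"%{keyword}%",))
    return [r[0] for r in cur.fetchall()]

def critical(conn, min_score=9.0):
    """CVEs at or above a CVSS threshold, highest first; unscored rows (NULL) are excluded."""
    cur = conn.execute("SELECT cve_id, MAX(cvss) AS s FROM cve WHERE cvss >= ? GROUP BY cve_id ORDER BY s DESC", (min_score,))
    return [r[0] for r in cur.fetchall()]

def unclassified(conn):
    """CVEs with no CWE yet: re-check these on the next feed pull."""
    return [r[0] for r in conn.execute("SELECT cve_id FROM cve WHERE cwe_id IS NULL ORDER BY cve_id")]

if __name__ == "__main__":
    db = build_db(parse_feed(SAMPLE_FEED))
    print(cwe_trend(db, "CWE-119"), search(db, "Struts"), critical(db), unclassified(db))
```

Keyed on (cwe_id, month), the same table answers the per-CWE trend question directly with one GROUP BY, and the NULL-CWE rows are kept rather than dropped so that freshly published entries are not lost between feed pulls.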

Alternative

4. Register to several typical announce MLs (mailing lists)

Alternative

5. Check typical OSS websites.

http://tomcat.apache.org/security-9.html

https://www.postgresql.org/support/security/

https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Alternative

6. Check several "deep info" websites.

https://blogs.gentoo.org/ago/

My Blog (Japanese Lang, sorry…)

https://oss.sios.com/security

By the way… each distro's specialty (from my personal experience)

Speed (opening vulnerability info):

Debian >> RedHat, SuSE > Ubuntu

Quality (vulnerability info):

RedHat > SuSE >= Debian, Ubuntu

PoC info… :-)

How you can get "PoC" info.

https://www.exploit-db.com/

https://community.rapid7.com/community/metasploit/content?filterID=contentstatus[published]~objecttype~objecttype[thread]

Why do I need a "PoC"?

http://www.secureoss.jp/

SELinux Policy/Module BoF: today 16:50.

Conclusion

1. OSS CVEs are growing → this does not mean "OSS is insecure"!!

→ Security researchers are brushing OSS up. → Google "OSS-Fuzz"

2. Big incident → related CVEs increase (a few months later). High-severity CVE published → attacks increase (quickly).

3. You can get CVE or vulnerability info quickly.

Any Questions?

Thank You!!!

Appendix

Who assigns CVEs?

[Diagram: MITRE at the top; below it Red Hat, MicroFocus, ISVs, and DWF; below DWF, ISVs again.]

DWF (Distributed Weakness Filing)

Wordpress vs other CMS

[Figure: monthly CVE count, 2012/03 to 2017/03, y-axis 0 to 100; series: Wordpress, Drupal, Other CMS.]

CWE: Common Weakness Enumeration

CVSS: Common Vulnerability Scoring System

OSS CVE Statistics with CWE (5 years)

CWE-284: Improper Access Control

CWE-287: Improper Authentication

[Figure: monthly counts, 12/04/01 to 17/04/01; CWE-287(app) and CWE-284(app) on a 0 to 35 axis; CWE-287(OS) and CWE-284(OS) on a 0 to 20 axis.]

CPE: Common Platform Enumeration

CPE name | title | href

cpe:/o:novell:leap:42.0 | Novell Leap 42.0 | https://en.opensuse.org/openSUSE:Leap

cpe:/o:redhat:enterprise_linux:7.1 | Red Hat Enterprise Linux 7.1 | http://www.redhat.com/en/resources/whats-new-red-hat-enterprise-linux-71

cpe:/a:isc:bind:9.8 | bind 9.8 | https://www.isc.org/downloads/bind/

CPE: Common Platform Enumeration

[omok@localhost ]$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
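The CPE_NAME in /etc/os-release is what lets a host be matched against the CPE names that advisories carry. As an added example (not from the slides and not any distro's tooling), the Python below parses os-release, splits a CPE 2.2 URI into its seven components (part, vendor, product, version, update, edition, language), and treats an omitted or empty component in the advisory's CPE as "any", which is the CPE 2.2 convention. The os-release text is the slide's own output copied in as a constructed sample, and the advisory CPE list is made up from the CPE names on the previous slide.

```python
"""Match a host's CPE_NAME (from /etc/os-release) against CPE 2.2 URIs taken from advisories.
CPE 2.2 URI: cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}"""
import shlex

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

# The slide's `cat /etc/os-release` output, copied here as a constructed sample.
OS_RELEASE = """NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
"""

# Advisory "affected platforms" list, made up from the CPE names on the previous slide.
ADVISORY_CPES = [
    "cpe:/o:centos:centos:7",
    "cpe:/o:redhat:enterprise_linux:7.1",
    "cpe:/o:centos:centos",      # no version component: any CentOS
    "cpe:/a:isc:bind:9.8",
]

def parse_os_release(text):
    """os-release is KEY=value with shell quoting; shlex strips the double quotes."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        out[key.strip()] = shlex.split(raw)[0] if raw.strip() else ""
    return out

def parse_cpe(uri):
    """Split a CPE 2.2 URI into its 7 components; omitted trailing components become '' (ANY)."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(CPE_FIELDS) or parts[0] not in ("a", "o", "h"):
        raise ValueError(f"malformed CPE 2.2 URI: {uri!r}")
    parts += [""] * (len(CPE_FIELDS) - len(parts))
    return dict(zip(CPE_FIELDS, (p.lower() for p in parts)))

def cpe_matches(pattern_uri, name_uri):
    """True when each advisory component is ANY ('') or equals the host component.
    '-' (not applicable) is an ordinary value here, so it only matches '-'."""
    pat, name = parse_cpe(pattern_uri), parse_cpe(name_uri)
    return all(pat[f] == "" or pat[f] == name[f] for f in CPE_FIELDS)

def affected_by(os_release_text, advisory_cpes):
    """Advisory CPEs that cover this host's CPE_NAME (empty if os-release has none)."""
    host = parse_os_release(os_release_text).get("CPE_NAME")
    if not host:
        return []
    return [c for c in advisory_cpes if cpe_matches(c, host)]

if __name__ == "__main__":
    print(affected_by(OS_RELEASE, ADVISORY_CPES))
```

Note the ID_LIKE="rhel fedora" line: a CPE matcher will not relate cpe:/o:centos:centos:7 to cpe:/o:redhat:enterprise_linux:7.1, so for rebuild distros you still need the distro's own advisories, which is the deck's point about per-distro speed and quality of vulnerability info.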