2.Public Vulnerability Databases

Course 1: Overview of Secure Programming, Section 2 Pascal Meunier, Ph.D., M.Sc., CISSP May 2004; updated August 12, 2004 Developed thanks to support and contributions from Symantec Corporation, support from the NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise Center Copyright (2004) Purdue Research Foundation. All rights reserved.

Course 1 Learning Plan Security overview and patching Public vulnerability databases and resources Secure software engineering Security assessment and testing Shell and environment Resource management Trust management

Public Resources: Learning Objectives Become familiar with vulnerability databases and online secure programming resources Know how to use them Know which ones to select and consult Know how CVE numbers are used

Public Resources Why and for who Governmental and academic Security vendor resources Books

Why should you know about these resources? For insight into how vulnerabilities get tracked For situational awareness Be ready to answer queries from customers who also saw that information Get notification of vulnerabilities pertinent to your product As a backup (should be rare) The situation where developers learn first about a vulnerability through public sources should be covered in an organization's policy

Why should you know about these resources? (Cont.) To proactively prevent vulnerabilities in your product by being informed about vulnerabilities in other products Learn from other people's mistakes For reference For additional sources on best programming and software engineering practices So you can grow and learn more about secure programming on your own For other examples and ideas

Who should use them? Vulnerability response coordinators or IT security (check policies) At least one person from each team Any developer or architect interested in learning more Note that this material is insufficient for high assurance systems such as those with an Evaluation Assurance Level (EAL) of 5 or more (EALs will be discussed later)

Parts: Governmental and Academic Resources MITRE's CVE NIST's ICAT Cassandra CERT/CC US-CERT NIST documents Secure programming howtos

MITRE's CVE Common Vulnerabilities and Enumeration http://cve.mitre.org " A list of standardized names for vulnerabilities and other information security exposures — CVE aims to standardize the names for all publicly known vulnerabilities and security exposures." CVE names are unique, standard names to be used by CERTs, vulnerability databases, intrusion detection systems, etc... to identify vulnerabilities

CVE Quality Assurance Process MITRE employees gather information Check for duplicates That it is a real issue often request vendor confirmation That it is only one issue That the description is correct Can take weeks, but severe issues are given priority Researchers and vendors can reserve CVE numbers ahead of time so that their announcements and advisories include a unique identifier

CVE Names Two-state name system Candidates (name is CAN-year-number) Candidates need votes from editors to become mature Editors from industry, government and academia Voting can take months Mature entries (name is CVE-year-number) Entries renamed from CAN to CVE keep the same year and number if there were no problems

CVE Searches Search by keyword or CVE name Keywords are "translated" without user's knowledge and control Results are often not what you would expect

Search Results for "Symantec" Search engine is limited and results are inconsistent with those of other CVE-based tools Description is very short, barely long enough to identify the issue N.B.: Symantec is used only for this example. Other companies will be used for other examples, in an effort to provide an overall vendor-neutral sampling. Nothing else is meant or implied by the choices.

CVE Download CVE web site has versions in these formats: HTML Text Comma-separated MySQL format available elsewhere http://www.cerias.purdue.edu/homes/pmeunier/CVEdump.sql updated daily

CVE Change Log (CERIAS) For people maintaining vulnerability databases For day-to-day monitoring of the CVE https://cassandra.cerias.purdue.edu/CVE_changes/ Example: date: 2004-03-18 New candidate entries: 2004-0079 2004-0081 2004-0112 2004-0236 2004-0237 2004-0238 2004-0239 2004-0240 (...)

Exercise Point your browser to cve.mitre.org What is the number of the first vulnerability in 2004? Make sure to type "2004-0001" with the correct number of zeros! What operating system was involved in the first vulnerability of 2004? What stage is it in? Search for vulnerabilities in products from a company you know Look at the entries returned, and the CVE web site FAQs. Why are there missing results? What if the company name is not in the description?

NIST's ICAT NIST: National Institute of Standards and Technology Based on the CVE Uses the CERIAS CVE change-log service for quick updates Completes vendor and product information Adds a classification of vulnerabilities http: //icat . nist . gov

ICAT Search Menu Search by vendor, product or keyword, over a time period Click on a letter to get a select popup with a narrowed down list of vendors or products

ICAT Search Now click on a duration to get all the vulnerabilities in the selected vendor's products

ICAT Search Results Click on a CVE number to get details

ICAT Vulnerability Entry (part 1): CAN-2003-0291

ICAT Vulnerability Entry (part 2) Notice the link to where patches can be found:

Exercise Do a search for vulnerabilities in Adobe Acrobat reader on ICAT How many entries are there? What is their severity? How did the latest vulnerability happen (see vulnerability type)? Go to the statistics section of ICAT. Approximately what percentage of vulnerabilities are remotely exploitable, year after year? What do you have to do if you want to keep up to date on vulnerabilities in Symantec products?

Cassandra Vulnerability notification service based on ICAT and Secunia advisories Secunia advisories are more timely Main idea: remove the need for polling ICAT every day for new vulnerabilities Make a list of products and keywords A search is done every night Results are emailed to you https://cassandra.cerias.purdue.edu/main/index.html

Creating a Profile After creating a new account and logging in, you are taken to the profile management page:

Managing a Profile You can select to receive information from ICAT, Secunia, and whether you want all the information emailed to you Click on the profile name to change its contents

Adding Entries to a Profile Choose a vendor Choose products from this vendor

A Sample Profile These products are now part of the profile:

Keywords List Technologies Issues Interests (e.g., "remote", "path")

Searches By duration New entries since last search Search results (notice both ICAT and Secunia links):

Discussion How does information flow before you get a notification by Cassandra? How long does that take? Why were Secunia advisories added as a source of information? Why not advisories from another source (e.g., CERT)?

Discussion Sample Answers How does information flow before you get a notification by Cassandra? Public disclosure, MITRE, CERIAS, NIST, Cassandra How long does that take? It can take a month or more, although important issues are prioritized and may take "only" a week Why were Secunia advisories added as a source of information? For timeliness Why not advisories from another source (e.g., CERT)? Data not in a machine-parsable format

Parts: Governmental and Academic Resources MITRE's CVE NIST's ICAT Cassandra CERT/CC US/CERT NIST documents Secure programming howtos

CERT Coordination Center http://www.cert.org/ based at Carnegie-Mellon University Operated by the Software Engineering Institute Links to various SEI products for sale Used to produce: Advisories CERT advisory mailing list being phased out Incident Notes Vulnerability Notes Now "partner" with US-CERT most links on CERT/CC's web site now refer to US-CERT

US-CERT http://www.us-cert.gov Your Cyber Security Everything "Technical Cyber Security Alerts" "Non-technical Cyber Security Alerts" e.g., "Understanding Firewalls", like a "Firewalls for dummies" Cyber Security Bulletins Cyber Security Tips US-CERT Vulnerability Notes (why aren't they "cyber security vulnerability notes"? I don't know)

US-CERT Vulnerability Notes The old CERT/CC Vulnerability Notes renamed http://www.kb.cert. org/vuls/ Well written Informative Not exhaustive Mailing list Database No customized notification mechanism

Searching the US-CERT Vulnerability Notes Enter a keyword, vendor name, etc:

Example Vulnerability Note http://www.kb.cert.org/vuls/id/948750 Vulnerability Note VU#948750 Microsoft Outlook Web Access contains vulnerability in HTML redirection query Overview A cross-site scripting vulnerability in Microsoft Exchange 5.5 Outlook Web Access (OWA) could allow an attacker to execute arbitrary scripting code in the victim's browser

Searching for "Sun" Results list whenever Sun was involved:

Question If you are looking for vulnerabilities in your favorite vendor's products, what are the limitations of Vulnerability Notes? Hint: Did all the entries obtained when searching for "Sun" relate to Sun products?

Question Answers If you are looking for vulnerabilities in your favorite vendor's products, what are the limitations of Vulnerability Notes? Results are not exhaustive Only the most "serious" vulnerabilities have notes Lists every involvement of the vendor even when some other vendor is at fault Security vendors typically get listed when they publish an advisory and OS vendors typically get listed when there's a problem with another company's product for their platform

Exercise Find both the CVE number and VU# of an AOL Instant Messenger vulnerability on the US-CERT Vulnerability Notes web site http://www.kb.cert. org/vuls/

Question Why do you particularly not want to have your product mentioned in a US-CERT Vulnerability Note (choose the most important reason)? because only the most severe vulnerabilities are mentioned because it is highly visible because it is government interference with the industry (and your company)

Question Answer Why do you particularly not want to have your product mentioned in a US-CERT Vulnerability Note? a) because only the most severe vulnerabilities are mentioned That means you made a big mistake!

Parts: Governmental and Academic Resources MITRE's CVE NIST's ICAT Cassandra CERT/CC US-CERT NIST Documents Secure programming howtos

NIST Security Documents http://csrc.nist.gov/publications/nistpubs/index.html SP 800-64 Security Considerations in the Information System Development Life Cycle, October 2003 SP 800-55 Security Metrics Guide for Information Technology Systems, July 2003 SP 800-51 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme, September 2002 SP 800-47 Security Guide for Interconnecting Information Technology Systems, September 2002 And many others...

Exercises Find a NIST publication that describes how your customers might select information security products What is the title of special publication 800-27? Download it and open it. Who is the intended audience? Which principle are we directly addressing today? Quote another principle that you already knew and explain it to the class, or select one that is relevant to your work and explain to the class why you think it is relevant. (Instructor: it is suggested to start student reports after about 15-20 minutes, and give up to 2 minutes for each student to quote a principle )

Secure Programming How-Tos David Wheeler's Secure Programming for Linux and UNIX How-To http://www.dwheeler.com/secure-programs Secure UNIX Programming FAQ http://www.whitefang.com/sup/secure-faq.html OWASP (Open Web Application Security Project) Guide http://www.owasp.org Etc... (Google "secure programming")

Parts: Security Vendor Resources Security Focus SANS ISS X-Force Secunia Security Tracker Symantec's Security Response Online DB AtStake Etc...

Symantec tms.symantec.com More in-depth Analyst reports Subscription required alerts.symantec.com "DeepSight" Subscription required

Books High Level Secure Coding, Principles and Practices (M.G. Graff and K.R. Van Wyk 2003) Technical Secure Programming Cookbook (J. Viega and M. Messier) Several practical cryptographic applications Both UNIX and Windows validity Writing Secure Code, 2nd Edition (Howard and Leblanc) Microsoft technologies Significantly better than 1st Edition Information in chapter 24, "Writing Documentation and Error Messages", is useful and difficult to find elsewhere

Free Books Improving Web Application Security: Threats and Countermeasures Roadmap J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan Microsoft Corporation MSDN Library, June 2003 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

About These Slides You are free to copy, distribute, display, and perform the work; and to make derivative works, under the following conditions. You must give the original author and other contributors credit The work will be used for personal or non-commercial educational uses only, and not for commercial activities and purposes For any reuse or distribution, you must make clear to others the terms of use for this work Derivative works must retain and be subject to the same conditions, and contain a note identifying the new contributor(s) and date of modification For other uses please contact the Purdue Office of Technology Commercialization. Developed thanks to the support of Symantec Corporation

Pascal Meunier [email_address] Contributors: Jared Robinson, Alan Krassowski, Craig Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera

2.Public Vulnerability Databases

More Related Content

What's hot

Viewers also liked

Similar to 2.Public Vulnerability Databases

More from phanleson

Recently uploaded

2.Public Vulnerability Databases

Editor's Notes