Vulnerability Intelligence and Assessment with vulners.com
Download as PPTX, PDF•5 likes•2,297 views
This document provides an overview of the Vulners Project, which aggregates vulnerability data from multiple sources to provide a comprehensive and machine-readable database. It describes Vulners' goals of being a centralized vulnerability search engine and information security "Google". Key features highlighted include a fast search engine, API, RSS feeds, email subscriptions, and tools for vulnerability scanning and auditing Linux systems. The document encourages integration of Vulners' data and using their free services for applications like security scanners and threat intelligence.
![26
Requests
- CentOS bulletins with remotely exploited vulnerabilities:
(type:centos AND (title:"Critical" OR title:"Important") AND
cvss.vector:"AV:NETWORK") order:published
- Important CVE vulnerabilities in Microsoft software:
(type:cve AND cvss.score:[6 TO 10] AND description:"Microsoft")
order:published
Search requests](https://image.slidesharecdn.com/vulnerspentestit-161022110511/85/Vulnerability-Intelligence-and-Assessment-with-vulners-com-26-320.jpg)
![27
Search requests
- Nessus plugins for remotely exploited vulnerabilities; exclude
Windows:
type:nessus AND cvss.score:[6 TO 10] AND
cvss.vector:"AV:NETWORK" AND (NOT naslFamily:"Local" AND
NOT naslFamily:"Windows : Microsoft Bulletins" AND NOT
naslFamily:"Windows") order:published
- OpenSSL and OpenSSH vulnerabilities:
(type:openssl OR ( type:cve AND cpe:*openssh* ) )
order:published](https://image.slidesharecdn.com/vulnerspentestit-161022110511/85/Vulnerability-Intelligence-and-Assessment-with-vulners-com-27-320.jpg)
![29
Search API
- GET/POST REST API with JSON output
- Search
https://vulners.com/api/v3/search/lucene/?query=type:centos%2
0cvss.score:[8%20TO%2010]%20order:published
- Information
https://vulners.com/api/v3/search/id?id=CESA-2016:1237
&references=true
- Export
https://vulners.com/api/v3/archive/collection?
type=exploitdb](https://image.slidesharecdn.com/vulnerspentestit-161022110511/85/Vulnerability-Intelligence-and-Assessment-with-vulners-com-29-320.jpg)
![37
Linux Audit API
curl -H "Accept: application/json" -H "Content-Type: application/json" -X POST -d
'{"os":"centos","package":["pcre-8.32-15.el7.x86_64", "samba-common-4.2.3-
11.el7_2.noarch", "gnu-free-fonts-common-20120503-8.el7.noarch", "libreport-centos-
2.1.11-32.el7.centos.x86_64", "libacl-2.2.51-12.el7.x86_64"],"version":"7"}'
https://vulners.com/api/v3/audit/audit/](https://image.slidesharecdn.com/vulnerspentestit-161022110511/85/Vulnerability-Intelligence-and-Assessment-with-vulners-com-37-320.jpg)
Vulnerability Intelligence and Assessment with vulners.com
- 1. Vulnerability Intelligence & Assessment with vulners.com Alexander Leonov Pentestit Lab, 2016
- 2. 2 #:whoami - Security Analyst at Mail.Ru Group - Texts and Analytics for vulners.com - Security Automation blog at avleonov.com
- 3. 3 Vulners Project - Was created by QIWI security team - Vulnerability source data aggregator - Normalized, machine-readable content - API-driven development - Absolutely free
- 5. 5 Definition Vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. Glossary of Key Information Security Terms NISTIR 7298 R2
- 6. 6 Risks - Information systems takeover - Revocation of the licenses - Business continuity - Money loss - ... and more
- 7. 7 Vulnerability management process - Mandatory component of information security - Need2be for a security-aware companies - Necessary to perform in accordance with the PCIDSS and others - Best practice for survival in the Internet
- 9. 9 Some problems of Vulnerability Scanners - When the scan is finished, the results may already be outdated - Per-host licensing Knowledge base - How quickly vendor adds new vulnerability checks? - Some vulnerabilities may be found only with authorization or correct service banner - No scanners will find all vulnerabilities of any software - You will never know real limitations of the product
- 10. 10 Nessus vs. Openvas All CVEs: 80196 Nessus CVE links: 35032 OpenVAS CVE links: 29240 OpenVAS vs. Nessus: 3787;25453;9579
- 11. 11 Nessus vs. Openvas All CVEs: 80196 Nessus CVE links: 35032 OpenVAS CVE links: 29240 OpenVAS vs. Nessus: 3787;25453;9579 2673 OpenVAS plugins 6639 Nessus plugins 38207 OpenVAS plugins and 50896 Nessus plugins All NASL plugins OpenVAS: 49747 Nessus: 81349
- 12. 12 Why? - “Old” vulnerabilities - Vendor forgot to add links to CVE id - Vulnerabilities in plugins (WordPress VideoWhisper) - Don’t support “Local” software (openMairie) - Stopped adding new vulnerabilities (vBulletin)
- 13. 13 Examples: OpenVAS detects, Nessus not - D-Link DIR-100 Router Multiple Vulnerabilities - Cisco Firepower Management Center Privilege Escalation Vulnerability - vBulletin 3.6.x to 4.2.2/4.2.3 Forumrunner 'request.php' SQL Injection - WordPress VideoWhisper Live Streaming Integration Multiple Vulnerabilities
- 14. 14 Examples: Nessus detects, OpenVAS not - Solaris vulnerabilities since 2010 - Apple Quicktime - MOV File Parsing Memory Corruption Vulnerability
- 15. 15 In other words - Vulnerability Scanner is a necessity - Don't depend too much on them - Scanner does not detect some vulnerability — it’s YOUR problem not your VM vendor - Choose solution you can control and vendors you can trust - Have alternative sources of Vulnerability Data
- 16. 16 Vulnerability Intelligence and PCI DSS
- 17. 17 Vulnerability Data Sources - Born in 90’s - Every product has it’s own source of vulnerability data - Most information is not acceptable for automatic vulnerability scanners - MITRE, NVD, SCAP, OVAL and others failed to standardize it - Everyone is working on their own - "Search”? Forget about it. Use Google instead.
- 18. 18 vulners.com: Information security “Google” - Vulnerability source data aggregator - Created by security specialists for security specialists - Incredibly fast search engine - Normalized, machine-readable content - Audit features out-of-the-box - API-driven development - Absolutely free
- 19. 19 Content #Bug Bounty Hacker One openbugbounty.org Vulnerability Lab XSSed #Bulletins Network Vendor Cisco F5 Networks Huawei OpenWrt Palo Alto Networks #Bulletins Software Apache Httpd Drupal Mozilla Nginx OpenSSL Opera ownCloud PostgreSQL Samba TYPO3 WPScan Database Xen Project #Bulletins Virtualization Vendor VMware #Bullitens BSD FreeBSD #Bullitens Hardware Lenovo #Bullitens Linux Amazon Linux AMI Arch Linux CentOS Linux Debian Linux Gentoo Linux Oracle Linux RedHat Linux Slackware Linux SUSE Linux Ubuntu Linux #Detection Vendor NMAP OpenVAS Tenable Nessus W3AF #Exploit Base 0day.today DSquare Exploit Pack Exploit-DB Immunity Canvas Malware exploit database Metasploit SAINTexploit™ #Media rdot.org ThreatPost #Possible 0day Hackapp InfoWatch APPERCUT #Vulnerability Base CERT ERPScan ICS Microsoft Vulnerability Research NDV CVE Positive Technologies seebug.org Symantec Zero Day Initiative 58 Sources
- 20. 20 Stats
- 22. 22 Search - Google-style search string - Dorks, advanced queries and many more - UX-driven - Human-oriented - References and data linkage - Extremely fast
- 24. 24 Object
- 25. 25 Search requests - Any complex query title:httpd type:centos order:published last year - Sortable by any field of the model (type, CVSS, dates, etc.) - Apache Lucene syntax (AND, OR and so on) - Exploit search by sources and CVE’s cvelist:CVE-2014-0160 type:exploitdb sourceData:.bash_profile sourceData:"magic bytes”
- 26. 26 Requests - CentOS bulletins with remotely exploited vulnerabilities: (type:centos AND (title:"Critical" OR title:"Important") AND cvss.vector:"AV:NETWORK") order:published - Important CVE vulnerabilities in Microsoft software: (type:cve AND cvss.score:[6 TO 10] AND description:"Microsoft") order:published Search requests
- 27. 27 Search requests - Nessus plugins for remotely exploited vulnerabilities; exclude Windows: type:nessus AND cvss.score:[6 TO 10] AND cvss.vector:"AV:NETWORK" AND (NOT naslFamily:"Local" AND NOT naslFamily:"Windows : Microsoft Bulletins" AND NOT naslFamily:"Windows") order:published - OpenSSL and OpenSSH vulnerabilities: (type:openssl OR ( type:cve AND cpe:*openssh* ) ) order:published
- 29. 29 Search API - GET/POST REST API with JSON output - Search https://vulners.com/api/v3/search/lucene/?query=type:centos%2 0cvss.score:[8%20TO%2010]%20order:published - Information https://vulners.com/api/v3/search/id?id=CESA-2016:1237 &references=true - Export https://vulners.com/api/v3/archive/collection? type=exploitdb
- 30. 30 RSS - Fully customizable news feed in RSS format - Powered by Apache Lucene query https://vulners.com/rss.xml?query=type:debian - No cache, it builds right when you ask it to. - Atom, Webfeeds, mrss compatible
- 31. 31 Telegram Bot - Up to 3 subscriptions - In-app search - Broadcast for emergency news https://telegram.me/vulnersBot
- 32. 32 Email Subscriptions - Up to 5 subscriptions - Awareness service - Absolutely customizable https://vulners.com/#subscription s
- 34. 34 Linux Audit GUI - Linux OS vulnerability scan - Immediate results - Dramatically simple https://vulners.com/#audit
- 35. 35 - RedHat - CentOS - Fedora - Oracle Linux - Ubuntu - Debian Linux Audit GUI
- 37. 37 Linux Audit API curl -H "Accept: application/json" -H "Content-Type: application/json" -X POST -d '{"os":"centos","package":["pcre-8.32-15.el7.x86_64", "samba-common-4.2.3- 11.el7_2.noarch", "gnu-free-fonts-common-20120503-8.el7.noarch", "libreport-centos- 2.1.11-32.el7.centos.x86_64", "libacl-2.2.51-12.el7.x86_64"],"version":"7"}' https://vulners.com/api/v3/audit/audit/
- 38. 38 Linux Audit API - JSON result: Vulnerabilities list Reason of the decision References list (exploits, and so on) - Ready to go for Red Hat and Debian family - Typical call time for 500+ packages list = 160ms - It’s fast. Really fast.
- 39. 39 Linux Audit API { "result": "OK", "data": { "reasons": [ { "providedPackage": "sos-3.2-35.el7.centos.noarch", "operator": "lt", "bulletinID": "CESA-2016:0188", "providedVersion": "0:3.2-35.el7.centos", "bulletinPackage": "sos-3.2-35.el7.centos.3.noarch.rpm", "bulletinVersion": "3.2-35.el7.centos.3", "package": "sos-3.2-35.el7.centos.noarch" }, ...
- 40. 40 Agent-Based Scanner$ git clone https://github.com/videns/vulners-scanner $ cd vulners-scanner $ ./linuxScanner.py _ __ ___ _| |_ __ ___ _ __ ___ / / | | | | '_ / _ '__/ __| V /| |_| | | | | | __/ | __ _/ __,_|_|_| |_|___|_| |___/ ========================================== Host info - Host machine OS Name - centos, OS Version - 7 Total found packages: 1026 Vulnerable packages: krb5-libs-1.13.2-10.el7.x86_64 CESA-2016:0532 - 'Moderate krb5 Security Update', cvss.score - 6.8 openssh-server-6.6.1p1-23.el7_2.x86_64 CESA-2016:0465 - 'Moderate openssh Security Update', cvss.score - 7.7 libtdb-1.3.6-2.el7.x86_64 CESA-2016:0612 - 'Critical ipa Security Update', cvss.score - 0.0 kernel-tools-3.10.0-327.4.5.el7.x86_64 CESA-2016:1033 - 'Important kernel Security Update', cvss.score - 0.0 CESA-2016:1633 - 'Important kernel Security Update', cvss.score - 4.3 CESA-2016:0185 - 'Important kernel Security Update', cvss.score - 7.2 CESA-2016:1539 - 'Important kernel Security Update', cvss.score - 7.2 CESA-2016:1277 - 'Important kernel Security Update', cvss.score - 7.2 openssl-libs-1.0.1e-51.el7_2.2.x86_64 - Available at GitHub - Example of integration - Free to fork
- 41. 41 It’s absolutely free! - Free for commercial and enterprise use DB and API - Make your own solutions using our powers: Security scanners Threat intelligence Subscriptions Security automation - Just please, post references if you can ;-)
- 43. 43 Thanks - [email protected] - Scanner: https://github.com/videns/vulners-scanner/ - Vulners Blog: https://blog.vulners.com/ - My Blog: http://avleonov.com/tag/vulners-com/