OSS CVE Trends
Kazuki Omo: ka-omo@sios.com, SIOS Technology, Inc.
2
Who am I?
- Security Researcher/Engineer (17 years)
- SELinux/MAC Evangelist (13 years)
- Antivirus Engineer (3 years)
- SIEM Engineer (3 years)
- Linux Engineer (17 years)
- Member of Secure OSS-Sig
3
What is Secure OSS-Sig?
Japanese community interested in OSS security “Technology”.
4
Agenda
- 1. What is CVE? CPE? CWE?
- 2. CVE Trends (OSS, and so on)
- 3. How can you get CVE information quickly?
- 1. What is CVE? CPE? CWE?
6
CVE: Common Vulnerabilities and Exposures
Short Story...
8
After 9.11…
9.11 → FISMA (Dec 2002) (Federal Information Security Management Act) → NIST (National Institute of Standards and Technology)
- FIPS (Federal Information Processing Standards)
- SP800 Series (SP 800-63A (Identity Proofing & Enrollment))
….
9
After 9.11…
Many types of
- security measurement
- test
- config ...
“Annual” report to OMB!! (Office of Management and Budget)
10
SCAP (Security Content Automation Protocol)
Objective: automation of
- Vulnerability management
- Vulnerability measurement
- Policy compliance evaluation
NIST designed SCAP
11
SCAP Components..
SCAP
Enumerations: Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), Common Weakness Enumeration (CWE), Common Vulnerability Scoring System (CVSS)
Languages: Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL)
and so on….
12
CVE: Common Vulnerabilities and Exposures
CVE ID / Summary
CVE-2017-5638: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.
CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.
13
CPE: Common Platform Enumeration
CPE name / title / href
CPE name: cpe:/o:novell:leap:42.0, title: Novell Leap 42.0, href: https://en.opensuse.org/openSUSE:Leap
CPE name: cpe:/o:redhat:enterprise_linux:7.1, title: Red Hat Enterprise Linux 7.1, href: http://www.redhat.com/en/resources/whats-new-red-hat-enterprise-linux-71
CPE name: cpe:/a:isc:bind:9.8, title: bind 9.8, href: https://www.isc.org/downloads/bind/
14
CPE: Common Platform Enumeration
[omok@localhost ]$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
15
CWE: Common Weakness Enumeration
16
CWE: Common Weakness Enumeration
CVE ID / CWE-ID / Description
CVE-2017-5638 (Struts2): CWE-20, Improper Input Validation
CVE-2016-6662 (MySQL): CWE-264, Permissions, Privileges, and Access Controls
CVE-2014-0160 (Heartbleed): CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer
17
CWE: Common Weakness Enumeration
18
CVSS: Common Vulnerability Scoring System
- 2. CVE Status (Total)
20
10 years CVE Statistics (no HW/Firmware)
[Chart: monthly CVE counts from 2007/01 to 2017/01, y-axis 200 to 1800; Heartbleed marked]
21
OS CVE Statistics (5 years)
[Chart: OS CVE counts over 5 years, y-axis 50 to 400, series: OS, OSS, mobile; Heartbleed marked]
22
App CVE Statistics (5 years)
[Chart: monthly app CVE counts from 2012/04 to 2017/04, y-axis 200 to 1400, series: Apps, OSS, Mobile; Heartbleed marked]
- 2. OSS CVE Status (CWEs)
24
OSS CVE Statistics with CWE (5 years)
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[Chart: monthly app CVE counts by CWE from 2012/04 to 2017/04; left panel CWE-89 (app) and CWE-94 (app), y-axis 10 to 50; right panel CWE-79 (app), y-axis 20 to 160]
25
OSS CVE Statistics with CWE (5 years)
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
[Chart: monthly CWE-119 CVE counts from 2012/04 to 2017/04; left panel Apps, y-axis 20 to 140; right panel OS, y-axis 10 to 60]
26
OSS CVE Statistics with CWE (5 years)
[Chart: monthly CVE counts from 2012/04 to 2017/04; left panel CWE-125 (App) and CWE-190 (App), y-axis 10 to 60; right panel CWE-125 (OS) and CWE-190 (OS), y-axis 2 to 12]
CWE-125: Out-of-bounds Read; CWE-190: Integer Overflow or Wraparound
27
OSS CVE Statistics with CWE (5 years)
CWE-284: Improper Access Control CWE-287: Improper Authentication
[Chart: monthly CVE counts from 2012/04 to 2017/04; left panel CWE-287 (app) and CWE-284 (app), y-axis 5 to 35; right panel CWE-287 (OS) and CWE-284 (OS), y-axis 2 to 20]
28
OSS CVE Statistics with CWE (5 years)
CWE-416: Use After Free
[Chart: monthly CVE counts from 2012/04 to 2017/04; left panel CWE-416 (app), y-axis 5 to 25; right panel CWE-416 (OS), y-axis 1 to 8]
29
Tools for automatic fuzzing..
- American Fuzzy Lop: http://lcamtuf.coredump.cx/afl/ (famous for finding ShellShock; since 2014)
- OSS Fuzz: https://github.com/google/oss-fuzz (open source; since 2016/12)
30
OSS CVE Statistics with CWE (5 years)
[Chart: same CWE-125/CWE-190 monthly counts as above (App panel, y-axis 10 to 60; OS panel, y-axis 2 to 12), annotated with the start of Google OSS Fuzz]
CWE-125: Out-of-bounds Read; CWE-190: Integer Overflow or Wraparound
- 2. OSS CVE Status (Typical Apps)
32
HeartBleed (2014/04/07)
[Chart: monthly CWE-310 CVE counts from 2012/01 to 2017/01, y-axis 100 to 800; left panel app, right panel OS; Heartbleed marked]
33
Wordpress
[Chart: monthly Wordpress CVE counts from 2012/03 to 2017/03, y-axis 10 to 100]
34
Wordpress vs other CMS
[Chart: monthly CVE counts from 2012/03 to 2017/03, y-axis 10 to 100, series: Wordpress, Drupal, Other CMS]
35
Struts
[Chart: monthly Struts CVE counts from 2012/04 to 2017/04, y-axis 1 to 9]
36
- 3. How can you get CVE info quickly?
37
Is it valuable to get CVE info quickly?
Yes!!
CVE(2017/03/17)
38
Is it valuable to get CVE info quickly?
If you know the CVE earlier, you can:
- Read the information (do you need it or not?)
- Prepare for the update (schedule, etc.)
- Test the update ...etc.
39
Who assigns CVEs?
40
Who assigns CVEs?
[Diagram: CVE assigners shown: Red Hat, MicroFocus, MITRE, DWF, ISVs]
41
DWF (Distributed Weakness Filing)
42
How can you get CVE info quickly?
Before 02/09/2017: send vulnerability details to the oss-security ML, then a CVE would be assigned by MITRE. Merit for users:
- 1. While the CVE was being assigned, there was time to confirm/reproduce.
- 2. Detailed information about the vulnerability was available.
43
Current CVE Request
Use Webform for CVE Request.
44
How you can get CVE info quickly.
So now we get only a little information from the oss-security ML. What is the alternative?
45
MITRE official
- 1. Daily CVE Changelog
46
MITRE official
- 2. Twitter (almost real time)
47
OSS (CVE-Search)
- 3. Create CVE Database for Searching
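The two technical pieces on these slides, the CPE_NAME carried in /etc/os-release and a locally searchable CVE database, fit together: the host's CPE is the key you search the database with. The block below is an added example and is not code from the slides or from the CVE-Search project. It parses os-release and CPE 2.2 URIs, loads a few records into SQLite, looks up CVEs by CPE, and counts CVEs per CWE per month (the statistic the CWE charts plot). The CVE IDs and CWE mappings come from the slides; the affected-CPE lists, the publication dates other than Heartbleed's 2014/04/07, and all function names are constructed for the demo and are not real NVD data.

```python
"""Added example: tiny local CVE database keyed by CPE, in the spirit of the
"Create CVE Database for Searching" slide. Sample data is constructed."""
import sqlite3

# Constructed sample: the os-release text from the CPE slide (trimmed).
OS_RELEASE_SAMPLE = '''NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
CPE_NAME="cpe:/o:centos:centos:7"
'''

# Constructed sample records. IDs and CWEs are from the slides; the "cpes"
# lists and the dates (except 2014-04-07) are made up for the demo, NOT NVD data.
SAMPLE_CVES = [
    {"id": "CVE-2017-5638", "published": "2017-03-10", "cwe": "CWE-20",
     "cpes": ["cpe:/a:apache:struts:2.3.31", "cpe:/a:apache:struts:2.5.10"]},
    {"id": "CVE-2016-6662", "published": "2016-09-20", "cwe": "CWE-264",
     "cpes": ["cpe:/a:oracle:mysql:5.7.14"]},
    {"id": "CVE-2014-0160", "published": "2014-04-07", "cwe": "CWE-119",
     "cpes": ["cpe:/a:openssl:openssl:1.0.1f"]},
    {"id": "CVE-2017-6074", "published": "2017-02-18", "cwe": None,
     "cpes": ["cpe:/o:linux:linux_kernel:4.9.11", "cpe:/o:centos:centos:7"]},
]

CPE22_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_os_release(text):
    """Parse os-release KEY=VALUE lines (shell-style quoting) into a dict."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
            raw = raw[1:-1]  # strip matching surrounding quotes
        values[key.strip()] = raw
    return values


def parse_cpe22(uri):
    """Split a CPE 2.2 URI such as cpe:/o:centos:centos:7 into named fields.
    Trailing components may be omitted in the URI; they come back as ''."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = dict.fromkeys(CPE22_FIELDS, "")
    for name, value in zip(CPE22_FIELDS, uri[len("cpe:/"):].split(":")):
        fields[name] = value
    return fields


def build_db(records):
    """Load records into an in-memory SQLite database with a CPE index."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cve (id TEXT PRIMARY KEY, published TEXT, cwe TEXT);
        CREATE TABLE cve_cpe (cve_id TEXT, part TEXT, vendor TEXT,
                              product TEXT, version TEXT);
        CREATE INDEX cve_cpe_idx ON cve_cpe (vendor, product, version);
    """)
    for r in records:
        conn.execute("INSERT INTO cve VALUES (?, ?, ?)",
                     (r["id"], r["published"], r["cwe"]))
        for uri in r["cpes"]:
            c = parse_cpe22(uri)
            conn.execute("INSERT INTO cve_cpe VALUES (?, ?, ?, ?, ?)",
                         (r["id"], c["part"], c["vendor"], c["product"], c["version"]))
    conn.commit()
    return conn


def cves_for_cpe(conn, cpe_uri):
    """CVE IDs whose affected-CPE list names this vendor/product (and version,
    when the query CPE carries one; an empty version matches every version)."""
    c = parse_cpe22(cpe_uri)
    sql = "SELECT DISTINCT cve_id FROM cve_cpe WHERE vendor = ? AND product = ?"
    args = [c["vendor"], c["product"]]
    if c["version"]:
        sql += " AND version = ?"
        args.append(c["version"])
    return sorted(row[0] for row in conn.execute(sql, args))


def cves_for_host(conn, os_release_text):
    """Use the host's CPE_NAME from os-release as the search key."""
    cpe = parse_os_release(os_release_text).get("CPE_NAME")
    return cves_for_cpe(conn, cpe) if cpe else []


def cwe_counts_by_month(conn):
    """Count CVEs per (YYYY-MM, CWE); records without a CWE count as 'unknown'."""
    rows = conn.execute(
        "SELECT substr(published, 1, 7), COALESCE(cwe, 'unknown'), COUNT(*) "
        "FROM cve GROUP BY 1, 2 ORDER BY 1, 2")
    return {(month, cwe): n for month, cwe, n in rows}


if __name__ == "__main__":
    db = build_db(SAMPLE_CVES)
    print("host CPE:", parse_os_release(OS_RELEASE_SAMPLE)["CPE_NAME"])
    print("matching CVEs:", cves_for_host(db, OS_RELEASE_SAMPLE))
    for (month, cwe), n in cwe_counts_by_month(db).items():
        print(month, cwe, n)
```

A real deployment would load the full feed rather than four constructed records, but the query shape stays the same: CVEs are joined to their affected CPEs, and the vendor/product/version index is what makes a lookup by host CPE fast.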
48
Alternative
- 4. Register with several typical MLs
49
Alternative
- 4. Register with several typical MLs
50
Alternative
- 5. Check typical OSS websites.
http://tomcat.apache.org/security-9.html
https://www.postgresql.org/support/security/
51
Alternative
- 5. Check typical OSS websites.
https://www.oracle.com/technetwork/topics/security/alerts-086861.html
52
Alternative
- 6. Check several “Deep Info” websites.
https://blogs.gentoo.org/ago/
53
My Blog (Japanese, sorry…)
https://oss.sios.com/security
54
By the way….
Each distro's speciality (in my personal experience)
Openness of vulnerability info as public: Debian >> RedHat, SuSE > Ubuntu
Quality of vulnerability info: RedHat > SuSE >= Debian, Ubuntu
PoC info… :-) : SuSE >= RedHat >> Debian, Ubuntu
55
How you can get “PoC” info.
https://www.exploit-db.com/
56
How you can get “PoC” info.
https://community.rapid7.com/community/metasploit/content?filterID=contentstatus[published]~objecttype~objecttype[thread]
57
Why do I need “PoC”?
http://www.secureoss.jp/
58
SELinux Policy/Module BoF Today 16:50 am
59
Conclusion
60
Conclusion
- 1. OSS CVEs are growing
→ This does not mean “OSS is insecure”!! → Security researchers are brushing up.
- 2. Google's fuzzing application is helping to find new vulnerabilities.
- 3. After a CVE is public, attacks will increase.
Also, after a famous attack, public CVEs will increase.
- 4. You can get CVE or vulnerability info quickly.