oss cve trends
play

OSS CVE Trends Kazuki Omo( ): ka-omo@sios.com SIOS T echnology, - PowerPoint PPT Presentation

Dec 01, 2023 •383 likes •1.02k views

OSS CVE Trends Kazuki Omo( ): ka-omo@sios.com SIOS T echnology, Inc. Who am I ? - Security Researcher/Engineer (17 years) - SELinux/MAC Evangelist (13 years) - Antivirus Engineer (3 years) - SIEM Engineer (3 years) - Linux

  1. OSS CVE Trends Kazuki Omo( 面 和毅 ): ka-omo@sios.com SIOS T echnology, Inc.

  2. Who am I ? - Security Researcher/Engineer (17 years) - SELinux/MAC Evangelist (13 years) - Antivirus Engineer (3 years) - SIEM Engineer (3 years) - Linux Engineer (17 years) - Member of Secure OSS-Sig 2

  3. What is Secure OSS-Sig? Japanese Community interested in OSS security “T echnology”. 3

  4. Agenda 1. What is CVE? CPE? CWE? 2. CVE Trends (OSS, and so on) 3. How you can get CVE information quickly? 4

  5. 1. What is CVE? CPE? CWE?

  6. CVE: Common Vulnerabilities and Exposures 6

  7. Short Story...

  8. After 9.11… FISMA (Dec, 2002) 9.11 (Federal Information Security Management Act) NIST (National Institute of Standards and T echnology) - FIPS( Federal Information Processing Standards) - SP800 Series (SP 800-63A ( Identity Proofjng & Enrollment )) …. 8

  9. After 9.11… Many type of - security measurement “Annual” report to OMB!! - test - confjg ... (Offjce of Management and Budget) 9

  10. SCAP (Security Content Automation Protocol) NIST designed SCAP Object: Automated for - Vulnerability management - Vulnerability measurement - Policy compliance evaluation 10

  11. SCAP Components.. SCAP Enumerations Common Vulnerabilities and Exposures (CVE) Common Platform Enumeration (CPE) Lang Common Confjguration Enumeration (CCE) Common Weakness Enumeration (CWE) Common Vulnerability Scoring System (CVSS) Open Vulnerability and Assessment Language (OVAL) Extensible Confjguration Checklist Description Format (XCCDF) and so on…. 11

  12. CVE: Common Vulnerabilities and Exposures CVE ID Summary CVE-2017-5638 The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017. CVE-2017-6074 The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call. 12

  13. CPE: Common Platform Enumeration CPE name title href cpe:/o:novell:leap: Novell https://en.opensuse.org/openSUSE:Leap 42.0 Leap 42.0 cpe:/o:redhat:ente Red Hat http://www.redhat.com/en/resources/whats- rprise_linux:7.1 Enterpris new-red-hat-enterprise-linux-71 e Linux 7.1 cpe:/a:isc:bind:9.8 bind 9.8 https://www.isc.org/downloads/bind/ 13

  14. CPE: Common Platform Enumeration [omok@localhost ]$ cat /etc/os-release NAME="CentOS Linux" VERSION="7 (Core)" ID="centos" ID_LIKE="rhel fedora" VERSION_ID="7" PRETTY_NAME="CentOS Linux 7 (Core)" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:centos:centos:7" HOME_URL="https://www.centos.org/" BUG_REPORT_URL="https://bugs.centos.org/" CENTOS_MANTISBT_PROJECT="CentOS-7" CENTOS_MANTISBT_PROJECT_VERSION="7" REDHAT_SUPPORT_PRODUCT="centos" REDHAT_SUPPORT_PRODUCT_VERSION="7" 14

  15. CWE: Common Weakness Enumeration 15

  16. CWE: Common Weakness Enumeration CVE ID CWE-ID Desc CVE-2017-5638(Struts2) CWE-20 Improper Input Validation CVE-2016-6662(MySQL) CWE-264 Permissions, Privileges, and Access Controls CWE-119 Improper Restriction of Operations CVE-2014-0160(Heart Bleed) within the Bounds of a Memory Buffer 16

  17. CWE: Common Weakness Enumeration 17

  18. CVSS: Common Vulnerability Scoring System 18

  19. 2. CVE Status (Total)

  20. 10 years CVE Statistics ( no HW/Firmware ) 1800 1600 Heart Bleed 1400 1200 1000 800 600 400 200 0 01/01/07 09/01/07 05/01/08 01/01/09 09/01/09 05/01/10 01/01/11 09/01/11 05/01/12 01/01/13 09/01/13 05/01/14 01/01/15 09/01/15 05/01/16 01/01/17 20

  21. OS CVE Statistics (5 years) Heart Bleed 400 350 300 250 200 OS 150 OSS mobile 100 50 0 21

  22. App CVE Statistics (5 years) 1400 1200 Heart Bleed 1000 800 Apps 600 OSS Mobile 400 200 0 2012/04 2012/06 2012/08 2012/10 2012/12 2013/02 2013/04 2013/06 2013/08 2013/10 2013/12 2014/02 2014/04 2014/06 2014/08 2014/10 2014/12 2015/02 2015/04 2015/06 2015/08 2015/10 2015/12 2016/02 2016/04 2016/06 2016/08 2016/10 2016/12 2017/02 2017/04 22

  23. 2. OSS CVE Status (CWEs)

  24. OSS CVE Statistics with CWE (5 years) CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 50 40 30 CWE-89(app) 20 CWE-94(app) 10 0 12/04/01 12/09/01 13/02/01 13/07/01 13/12/01 14/05/01 14/10/01 15/03/01 15/08/01 16/01/01 16/06/01 16/11/01 17/04/01 160 140 120 100 80 CWE-79(app) 60 40 20 0 12/04/01 12/10/01 13/04/01 13/10/01 14/04/01 14/10/01 15/04/01 15/10/01 16/04/01 16/10/01 17/04/01 24

  25. OSS CVE Statistics with CWE (5 years) CWE-119: Improper Restriction of Operations within the Bounds of a Memory Bufger 140 120 100 80 CWE-119 (Apps) 60 40 20 0 12/04/01 12/09/01 13/02/01 13/07/01 13/12/01 14/05/01 14/10/01 15/03/01 15/08/01 16/01/01 16/06/01 16/11/01 17/04/01 60 50 40 30 CWE-119 (OS) 20 10 0 12/04/01 12/09/01 13/02/01 13/07/01 13/12/01 14/05/01 14/10/01 15/03/01 15/08/01 16/01/01 16/06/01 16/11/01 17/04/01 25

  26. OSS CVE Statistics with CWE (5 years) CWE-125: Out-of-bounds Read CWE-190: Integer Overfmow or Wraparound 60 50 40 CWE-125(App) 30 CWE-190(App) 20 10 0 12/04/0112/08/0112/12/0113/04/0113/08/0113/12/0114/04/0114/08/0114/12/0115/04/0115/08/0115/12/0116/04/0116/08/0116/12/0117/04/01 12 10 8 6 CWE-125(OS) CWE-190(OS) 4 2 0 12/04/01 12/09/01 13/02/01 13/07/01 13/12/01 14/05/01 14/10/01 15/03/01 15/08/01 16/01/01 16/06/01 16/11/01 17/04/01 26

  27. OSS CVE Statistics with CWE (5 years) CWE-284: Improper Access Control CWE-287: Improper Authentication 35 30 25 20 CWE-287(app) 15 CWE-284(app) 10 5 0 12/04/01 12/09/01 13/02/01 13/07/01 13/12/01 14/05/01 14/10/01 15/03/01 15/08/01 16/01/01 16/06/01 16/11/01 17/04/01 20 18 16 14 12 CWE-287(OS) 10 CWE-284(OS) 8 6 4 2 0 12/04/01 12/09/01 13/02/01 13/07/01 13/12/01 14/05/01 14/10/01 15/03/01 15/08/01 16/01/01 16/06/01 16/11/01 17/04/01 27

  28. OSS CVE Statistics with CWE (5 years) CWE-416: Use After Free 25 20 15 CWE-416(app) 10 5 0 12/04/01 12/08/01 12/12/01 13/04/01 13/08/01 13/12/01 14/04/01 14/08/01 14/12/01 15/04/01 15/08/01 15/12/01 16/04/01 16/08/01 16/12/01 17/04/01 8 7 6 5 4 CWE-416(OS) 3 2 1 0 12/04/01 12/08/01 12/12/01 13/04/01 13/08/01 13/12/01 14/04/01 14/08/01 14/12/01 15/04/01 15/08/01 15/12/01 16/04/01 16/08/01 16/12/01 17/04/01 28

  29. Tools for automatically fuzzing.. American Fuzzy Lop Famous to fjnd ShellShock Since 2014 http://lcamtuf.coredump.cx/afm OSS Fuzz Open Source Since 2016/12 https://github.com/google/oss-fuzz 29

  30. OSS CVE Statistics with CWE (5 years) CWE-125: Out-of-bounds Read CWE-190: Integer Overfmow or Wraparound 60 Google OSS Fuzz 50 40 CWE-125(App) 30 CWE-190(App) 20 10 0 12/04/0112/08/0112/12/0113/04/0113/08/0113/12/0114/04/0114/08/0114/12/0115/04/0115/08/0115/12/0116/04/0116/08/0116/12/0117/04/01 12 10 8 6 CWE-125(OS) CWE-190(OS) 4 2 0 12/04/01 12/09/01 13/02/01 13/07/01 13/12/01 14/05/01 14/10/01 15/03/01 15/08/01 16/01/01 16/06/01 16/11/01 17/04/01 30

  31. 2. OSS CVE Status (Typical Apps)

  32. HeartBleed (2014/04/07) 800 700 Heart Bleed 600 500 400 CWE-310(app) 300 200 100 0 12/01/01 12/06/01 12/11/01 13/04/01 13/09/01 14/02/01 14/07/01 14/12/01 15/05/01 15/10/01 16/03/01 16/08/01 17/01/01 800 700 600 500 400 CWE-310(OS) 300 200 100 0 12/01/01 12/06/01 12/11/01 13/04/01 13/09/01 14/02/01 14/07/01 14/12/01 15/05/01 15/10/01 16/03/01 16/08/01 17/01/01 32

  33. Wordpress 100 90 80 70 60 50 40 Wordpress 30 20 10 0 2012/03 2012/05 2012/07 2012/09 2012/11 2013/01 2013/03 2013/05 2013/07 2013/09 2013/11 2014/01 2014/03 2014/05 2014/07 2014/09 2014/11 2015/01 2015/03 2015/05 2015/07 2015/09 2015/11 2016/01 2016/03 2016/05 2016/07 2016/09 2016/11 2017/01 2017/03 33

  34. Wordpress vs other CMS 100 90 80 70 60 50 Wordpress Drupal 40 Other CMS 30 20 10 0 2012/03 2012/05 2012/07 2012/09 2012/11 2013/01 2013/03 2013/05 2013/07 2013/09 2013/11 2014/01 2014/03 2014/05 2014/07 2014/09 2014/11 2015/01 2015/03 2015/05 2015/07 2015/09 2015/11 2016/01 2016/03 2016/05 2016/07 2016/09 2016/11 2017/01 2017/03 34

  35. Struts 9 8 7 6 5 4 CVEs 3 2 1 0 2012/04 2012/06 2012/08 2012/10 2012/12 2013/02 2013/04 2013/06 2013/08 2013/10 2013/12 2014/02 2014/04 2014/06 2014/08 2014/10 2014/12 2015/02 2015/04 2015/06 2015/08 2015/10 2015/12 2016/02 2016/04 2016/06 2016/08 2016/10 2016/12 2017/02 2017/04 35

  36. 3. How you can get CVE info quickly? 36

  37. Is it valuable for getting CVE info quickly? Yes!! CVE(2017/03/17) 37

  38. Is it valuable for getting CVE info quickly? If you know CVE earlier, - Read information (You need it? Or not?) - Prepare for Update (schedule, etc.) - T esting for Update ...etc. 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

E-TRENDS ARABNET 2014 IYAD KAMAL IY AD@ ARAMEX.COM IY AD KAMAL @ IY ADKAM E-TRENDS

E-TRENDS ARABNET 2014 IYAD KAMAL IY AD@ ARAMEX.COM IY AD KAMAL @ IY ADKAM E-TRENDS

E-TRENDS ARABNET 2014 IYAD KAMAL IY AD@ ARAMEX.COM IY AD KAMAL @ IY ADKAM E-TRENDS BUSINESS TRENDS P AYMENTS RETURNS SOCIAL TRENDS LAST MILE SOLUTION BUSINESS TRENDS THE MIXER E-TRENDS INCLUDE MIXED DATA FROM : SHOP AND SHIP

925 views • 28 slides
Global Presentation 2019 TRENDS, TRENDS, TRENDS in 2019 Martinique #1 of 21 Best Winter

Global Presentation 2019 TRENDS, TRENDS, TRENDS in 2019 Martinique #1 of 21 Best Winter

Global Presentation 2019 TRENDS, TRENDS, TRENDS in 2019 Martinique #1 of 21 Best Winter Getaways Martinique: A Slice of France, Tropical Forests and, Yes, Beaches Too 3 nominees in 10 Best 2019 Readers' Choice Travel Awards Martinique

921 views • 45 slides
Trends in High Performance Trends in High Performance Computing and the Grid Computing and the

Trends in High Performance Trends in High Performance Computing and the Grid Computing and the

Trends in High Performance Trends in High Performance Computing and the Grid Computing and the Grid Jack Dongarra University of Tennessee and Oak Ridge National Laboratory 1 Technology Trends: Technology Trends: Microprocessor Capacity

465 views • 23 slides
Trends in Agile Development Kent Beck Three Rivers Institute Development Trends Deployments

Trends in Agile Development Kent Beck Three Rivers Institute Development Trends Deployments

Trends in Agile Development Kent Beck Three Rivers Institute Development Trends Deployments Tests Co-location Complexity Scale Business Trends Accountability Oregon Health Sciences University publishes death rates

545 views • 13 slides
HR HR TRENDS TRENDS Wh What ats Notew Noteworthy? Michele Arseneau, PHR, SHRM CP TAC HR

HR HR TRENDS TRENDS Wh What ats Notew Noteworthy? Michele Arseneau, PHR, SHRM CP TAC HR

HR HR TRENDS TRENDS Wh What ats Notew Noteworthy? Michele Arseneau, PHR, SHRM CP TAC HR Consultant Discl Di sclaimer er This training is designed to provide general information about the subject matter covered. Neither TAC nor the

773 views • 30 slides
Private Equity Trends in CEE 5/6/2018 Rastko Petakovi Worldwide trends European trends CEE

Private Equity Trends in CEE 5/6/2018 Rastko Petakovi Worldwide trends European trends CEE

Private Equity Trends in CEE 5/6/2018 Rastko Petakovi Worldwide trends European trends CEE trends 2018 A Year for New Records 2018 A Year for New Records Worldwide , notable increase in value (+18%), decrease in volume of deals

301 views • 17 slides
Trends and futures Planning for complexity Were going to talk about GOALS FOR PEI

Trends and futures Planning for complexity Were going to talk about GOALS FOR PEI

Trends and futures Planning for complexity Were going to talk about GOALS FOR PEI Divergence Complexity Goals TRENDS IMPACTING EDUCATION The Anatomy of a Trend OECD Trends Report Our Trends FUTURES THINKING What is it for?

994 views • 88 slides
Trends in HIV+ Community Challenges and Boundaries to Care This is an examination of trends in

Trends in HIV+ Community Challenges and Boundaries to Care This is an examination of trends in

Trends in HIV+ Community Challenges and Boundaries to Care This is an examination of trends in the challenges faced by Ryan White Part A consumers interviewed during the Councils COLAs and Needs Assessments between the years 2013 -2016. Our

562 views • 25 slides
Building on Trends in Citrus in North America ICBC - 2014 FlavourVision TM 2012 Beverage Trends

Building on Trends in Citrus in North America ICBC - 2014 FlavourVision TM 2012 Beverage Trends

Building on Trends in Citrus in North America ICBC - 2014 FlavourVision TM 2012 Beverage Trends FlavourVision TM 2013 Beverage Trends Signature Happy Excited All Family Refreshing All American Honey Simpler Labels Kids Arnold Palmer

202 views • 19 slides
Urban Mobility Market Trends & Learnings A Discussion Document Mega-trends and the Real

Urban Mobility Market Trends & Learnings A Discussion Document Mega-trends and the Real

Urban Mobility Market Trends & Learnings A Discussion Document Mega-trends and the Real World Some of the relevant Mega-trends related to Urban Mobility Shift in Global Economic Power : Impact of Emerging Markets 1 By 2030, the E7 s

388 views • 13 slides
Tree Removal Trends FY 2020 Quarterly Trends FY 2014 FY 2020 Trends DDH and Illegal Tree

Tree Removal Trends FY 2020 Quarterly Trends FY 2014 FY 2020 Trends DDH and Illegal Tree

Tree Removal Trends FY 2020 Quarterly Trends FY 2014 FY 2020 Trends DDH and Illegal Tree Removal Tree Replanting Presentation by The Tree Next Door using annual & quarterly reports provided by the City of Atlanta Department of City

648 views • 15 slides
Oral Care Trends 2012 Key Trends 2 2 Innovation keeps consumers interested and intrigued, and

Oral Care Trends 2012 Key Trends 2 2 Innovation keeps consumers interested and intrigued, and

Oral Care Trends 2012 Key Trends 2 2 Innovation keeps consumers interested and intrigued, and drives desire. Credible product development within brands can support huge growth Apple being a fine example of this. A constant stream of new

724 views • 35 slides
Business Trends for the U.S. Defense Enterprise $700 Declining Revenue Trends $600 PB 2012 PB

Business Trends for the U.S. Defense Enterprise $700 Declining Revenue Trends $600 PB 2012 PB

Business Trends for the U.S. Defense Enterprise $700 Declining Revenue Trends $600 PB 2012 PB 2013 PB 2016 PB 2014 $500 PB 2015 Actuals $Billion, TY $400 Ten-Year s (FY12-23) PB12 to PB13: - $500B $300 PB13 to PB14: - $80B

276 views • 8 slides
The Future of Games 1 Introduction Lots of things are changing in the games industry

The Future of Games 1 Introduction Lots of things are changing in the games industry

The Future of Games 1 Introduction Lots of things are changing in the games industry Were going to talk about a few of them Hardware trends Software trends Game design trends Business model trends Hardware Trends More

579 views • 36 slides
That Will Help Define Business Success February 21, 2013 What Well Share Today Trends:

That Will Help Define Business Success February 21, 2013 What Well Share Today Trends:

The 2013 Landscape: Consumer Trends That Will Help Define Business Success February 21, 2013 What Well Share Today Trends: Definition and evolution Why trends are important 2013 crucial consumer trends A selection

623 views • 43 slides
Trends in Gold Transaction Values 2014-17 Current Trends in Mining Finance New York SME

Trends in Gold Transaction Values 2014-17 Current Trends in Mining Finance New York SME

Trends in Gold Transaction Values 2014-17 Current Trends in Mining Finance New York SME Conference William E. Roscoe and Paul Chamois RPA Inc. May 2, 2017 Toronto Denver London Vancouver Quebec City Rock Solid Resources. Proven

610 views • 22 slides
Written and Presented by David H. Ringstrom, CPA Accounting Advisors, Inc.

Written and Presented by David H. Ringstrom, CPA Accounting Advisors, Inc.

Slide ID: 445 www.accountingweb.com/highimpactexcel Customer service/CPE questions: editor@accountingweb.com Written and Presented by David H. Ringstrom, CPA Accounting Advisors, Inc. www.accountingadvisors.com About the speaker: David is

450 views • 21 slides
Simulation of CMS Phase 2 Pixel Tracker for HL-LHC Bahareh Roozbahani USCMS FPIX Simulation Group

Simulation of CMS Phase 2 Pixel Tracker for HL-LHC Bahareh Roozbahani USCMS FPIX Simulation Group

FERMILAB-SLIDES-18-069-CMS This manuscript has been authored by Fermi Research Alliance, LLC under Contract No. DE-AC02-07CH11359 with the U.S. Department of Energy, Office of Science, Office of High Energy Physics. Simulation of CMS Phase 2

365 views • 17 slides
MEDIA RELEASE 9 April 2013 Raising the Bar for Quality in Private Education 1. More than 300

MEDIA RELEASE 9 April 2013 Raising the Bar for Quality in Private Education 1. More than 300

MEDIA RELEASE 9 April 2013 Raising the Bar for Quality in Private Education 1. More than 300 participants from the private education industry gathered today at the inaugural Private Education Conference - "Raising the Bar on Quality - to

356 views • 24 slides
Welcome 2018 Board of Examiners Examiner Training Day 1 Introductions Name Company

Welcome 2018 Board of Examiners Examiner Training Day 1 Introductions Name Company

Welcome 2018 Board of Examiners Examiner Training Day 1 Introductions Name Company What is your intention for examiner training? What are you famous for? 2 Team Agreement How can we make this a successful training course?

1.45k views • 132 slides
FEDERAL LAW convenient, and responsible manner Also reduces diversion and the introduction of

FEDERAL LAW convenient, and responsible manner Also reduces diversion and the introduction of

Richard Mazzoni RPh Chariman NE Amy Buesing RPh Hospital LuGina Mendez RPh NW Joe Anderson RPh Central Neal Dungan RPh SE Chris Woodul RPh SW Buffie Saavedra Public Cathleen Wingert Public Vacant Public

514 views • 15 slides
Google Classroom Training How to Access Google Classroom How to Join a Class How to find

Google Classroom Training How to Access Google Classroom How to Join a Class How to find

Google Classroom Training How to Access Google Classroom How to Join a Class How to find Assignments Lets try it! How do I know when my childs work is due? Graded Work Google Meet How does my child turn in

325 views • 10 slides
Competency-Based Education Competencies, Criteria, & Assessment Saturday Session #2 of 4

Competency-Based Education Competencies, Criteria, & Assessment Saturday Session #2 of 4

Competency-Based Education Competencies, Criteria, & Assessment Saturday Session #2 of 4 March 30, 2019 Benito Juarez Community Academy TODAYS FACILITATORS From the Great Schools Partnership Carrie McWilliams, Senior Associate

323 views • 20 slides
Safe AI for CPS Andr Platzer Carnegie Mellon University Joint work with Nathan Fulton

Safe AI for CPS Andr Platzer Carnegie Mellon University Joint work with Nathan Fulton

Safe AI for CPS Andr Platzer Carnegie Mellon University Joint work with Nathan Fulton Safety-Critical Systems "How can we provide people with cyber-physical systems they can bet their lives on?" - Jeannette Wing Safety-Critical

1.19k views • 95 slides

More recommend