OSS CVE Trends
Kazuki Omo (面 和毅): ka-omo@sios.com
SIOS Technology, Inc.
Who am I?
- Security Researcher/Engineer (17 years)
- SELinux/MAC Evangelist (13 years)
- Antivirus Engineer (3 years)
- SIEM Engineer (3 years)
- Linux Engineer (17 years)
- Member of Secure OSS-Sig
What is Secure OSS-Sig? A Japanese community interested in OSS security "technology".
Agenda
1. What is CVE? CPE? CWE?
2. CVE Trends (OSS, and so on)
3. How can you get CVE information quickly?
1. What is CVE? CPE? CWE?
CVE: Common Vulnerabilities and Exposures
Short Story...
After 9.11...
- FISMA (Federal Information Security Management Act), Dec 2002
- NIST (National Institute of Standards and Technology)
  - FIPS (Federal Information Processing Standards)
  - SP 800 series (e.g. SP 800-63A, Identity Proofing & Enrollment)
  ...
After 9.11...
Many types of
- security measurement
- test
- config
...
and an "annual" report to the OMB (Office of Management and Budget)!!
SCAP (Security Content Automation Protocol)
NIST designed SCAP. Objective: automate
- Vulnerability management
- Vulnerability measurement
- Policy compliance evaluation
SCAP Components
Enumerations:
- Common Vulnerabilities and Exposures (CVE)
- Common Platform Enumeration (CPE)
- Common Configuration Enumeration (CCE)
- Common Weakness Enumeration (CWE)
Scoring:
- Common Vulnerability Scoring System (CVSS)
Languages:
- Open Vulnerability and Assessment Language (OVAL)
- Extensible Configuration Checklist Description Format (XCCDF)
and so on...
CVE: Common Vulnerabilities and Exposures

CVE ID        | Summary
CVE-2017-5638 | The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.
CVE-2017-6074 | The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.
CPE: Common Platform Enumeration

CPE name                           | Title                        | href
cpe:/o:novell:leap:42.0            | Novell Leap 42.0             | https://en.opensuse.org/openSUSE:Leap
cpe:/o:redhat:enterprise_linux:7.1 | Red Hat Enterprise Linux 7.1 | http://www.redhat.com/en/resources/whats-new-red-hat-enterprise-linux-71
cpe:/a:isc:bind:9.8                | bind 9.8                     | https://www.isc.org/downloads/bind/
CPE: Common Platform Enumeration

The CPE name of the running OS is published in /etc/os-release (CPE_NAME):

    [omok@localhost ]$ cat /etc/os-release
    NAME="CentOS Linux"
    VERSION="7 (Core)"
    ID="centos"
    ID_LIKE="rhel fedora"
    VERSION_ID="7"
    PRETTY_NAME="CentOS Linux 7 (Core)"
    ANSI_COLOR="0;31"
    CPE_NAME="cpe:/o:centos:centos:7"
    HOME_URL="https://www.centos.org/"
    BUG_REPORT_URL="https://bugs.centos.org/"
    CENTOS_MANTISBT_PROJECT="CentOS-7"
    CENTOS_MANTISBT_PROJECT_VERSION="7"
    REDHAT_SUPPORT_PRODUCT="centos"
    REDHAT_SUPPORT_PRODUCT_VERSION="7"
CWE: Common Weakness Enumeration
CWE: Common Weakness Enumeration

CVE ID                     | CWE ID  | Description
CVE-2017-5638 (Struts 2)   | CWE-20  | Improper Input Validation
CVE-2016-6662 (MySQL)      | CWE-264 | Permissions, Privileges, and Access Controls
CVE-2014-0160 (Heartbleed) | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer
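The CPE_NAME shown in /etc/os-release above is what lets a host be matched against a CVE's affected-platform list, and the CWE column in the table is what the per-CWE charts in section 2 count. The following is an added example (not from the original slides): it parses an os-release excerpt, splits CPE 2.2 URIs into their named components, matches the host CPE against a small constructed list of CVE records, and tallies those records by CWE. The CVE and CWE IDs are the ones quoted on the slides; the affected-CPE lists, and the CWE-415 (Double Free) mapping for CVE-2017-6074 taken from its "double free" description, are assumptions made for this example, not NVD data.

```python
"""Match a host's CPE name against CVE records and tally them by CWE.

Added example, not from the original slides.  The CVE records below are
constructed sample data: the CVE/CWE IDs come from the slides, the
affected-CPE lists are illustrative assumptions.
"""
from collections import Counter

# Constructed /etc/os-release excerpt (same values as the CentOS 7 slide).
OS_RELEASE = '''NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
VERSION_ID="7"
CPE_NAME="cpe:/o:centos:centos:7"
'''

# CPE 2.2 URI layout: cpe:/part:vendor:product:version:update:edition:language
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

# Constructed CVE records.  The CPE lists are assumptions for the example;
# CWE-415 for CVE-2017-6074 is our mapping of its "double free" description.
CVES = [
    {"id": "CVE-2017-5638", "cwe": "CWE-20",
     "cpes": ["cpe:/a:apache:struts:2.3.31", "cpe:/a:apache:struts:2.5.10"]},
    {"id": "CVE-2017-6074", "cwe": "CWE-415",
     "cpes": ["cpe:/o:centos:centos:7", "cpe:/o:redhat:enterprise_linux:7"]},
    {"id": "CVE-2016-6662", "cwe": "CWE-264",
     "cpes": ["cpe:/a:oracle:mysql:5.7.14"]},
    {"id": "CVE-2014-0160", "cwe": "CWE-119",
     "cpes": ["cpe:/a:openssl:openssl:1.0.1f"]},
]


def parse_os_release(text):
    """Parse KEY="value" lines of os-release into a dict (quotes stripped)."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip().strip('"')
    return result


def parse_cpe22(uri):
    """Split a CPE 2.2 URI into named components; absent trailing fields are ''."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    parts = uri[len("cpe:/"):].split(":")
    parts += [""] * (len(CPE_FIELDS) - len(parts))
    return dict(zip(CPE_FIELDS, parts))


def cpe_matches(host_cpe, affected_cpe):
    """True when every component given in affected_cpe equals the host's.

    An empty component in the affected CPE means "any", so cpe:/o:centos:centos
    matches cpe:/o:centos:centos:7.  Versions are compared for equality only;
    real advisories carry version ranges that need a proper version comparator.
    """
    host, affected = parse_cpe22(host_cpe), parse_cpe22(affected_cpe)
    return all(not affected[f] or affected[f] == host[f] for f in CPE_FIELDS)


def applicable_cves(os_release_text, cves):
    """Return IDs of the CVEs whose affected CPEs match the host's CPE_NAME."""
    host_cpe = parse_os_release(os_release_text)["CPE_NAME"]
    return [c["id"] for c in cves
            if any(cpe_matches(host_cpe, a) for a in c["cpes"])]


def count_by_cwe(cves):
    """Tally CVE records per CWE, the figure the per-CWE trend charts plot."""
    return Counter(c["cwe"] for c in cves)


if __name__ == "__main__":
    print("host CPE   :", parse_os_release(OS_RELEASE)["CPE_NAME"])
    print("applicable :", applicable_cves(OS_RELEASE, CVES))
    print("by CWE     :", dict(count_by_cwe(CVES)))
```

The exact-match rule in cpe_matches is the weak point to be aware of: most advisories describe affected versions as ranges ("2.3.x before 2.3.32"), so a production matcher needs a version comparator and, for distribution packages, the distro's own fixed-version data rather than the upstream CPE alone.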
CVSS: Common Vulnerability Scoring System
2. CVE Status (Total)
10 years CVE Statistics (no HW/Firmware)
[Chart: monthly CVE counts, 01/01/07 to 01/01/17, y-axis 0 to 1800; Heartbleed marked.]
OS CVE Statistics (5 years)
[Chart: monthly CVE counts, series "OS" and "OSS mobile", y-axis 0 to 400; Heartbleed marked.]
App CVE Statistics (5 years)
[Chart: monthly CVE counts, 2012/04 to 2017/04, series "Apps" and "OSS Mobile", y-axis 0 to 1400; Heartbleed marked.]
2. OSS CVE Status (CWEs)
OSS CVE Statistics with CWE (5 years)
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[Chart 1: CWE-89 (app) and CWE-94 (app), monthly, 12/04/01 to 17/04/01, y-axis 0 to 50.]
[Chart 2: CWE-79 (app), monthly, 12/04/01 to 17/04/01, y-axis 0 to 160.]
OSS CVE Statistics with CWE (5 years)
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
[Chart 1: CWE-119 (Apps), monthly, 12/04/01 to 17/04/01, y-axis 0 to 140.]
[Chart 2: CWE-119 (OS), monthly, 12/04/01 to 17/04/01, y-axis 0 to 60.]
OSS CVE Statistics with CWE (5 years)
CWE-125: Out-of-bounds Read
CWE-190: Integer Overflow or Wraparound
[Chart 1: CWE-125 (App) and CWE-190 (App), monthly, 12/04/01 to 17/04/01, y-axis 0 to 60.]
[Chart 2: CWE-125 (OS) and CWE-190 (OS), monthly, 12/04/01 to 17/04/01, y-axis 0 to 12.]
OSS CVE Statistics with CWE (5 years)
CWE-284: Improper Access Control
CWE-287: Improper Authentication
[Chart 1: CWE-287 (app) and CWE-284 (app), monthly, 12/04/01 to 17/04/01, y-axis 0 to 35.]
[Chart 2: CWE-287 (OS) and CWE-284 (OS), monthly, 12/04/01 to 17/04/01, y-axis 0 to 20.]
OSS CVE Statistics with CWE (5 years)
CWE-416: Use After Free
[Chart 1: CWE-416 (app), monthly, 12/04/01 to 17/04/01, y-axis 0 to 25.]
[Chart 2: CWE-416 (OS), monthly, 12/04/01 to 17/04/01, y-axis 0 to 8.]
Tools for automatic fuzzing
- American Fuzzy Lop (AFL): famous for finding the ShellShock bugs; since 2014; http://lcamtuf.coredump.cx/afl/
- OSS-Fuzz: open source, since 2016/12; https://github.com/google/oss-fuzz
OSS CVE Statistics with CWE (5 years)
CWE-125: Out-of-bounds Read
CWE-190: Integer Overflow or Wraparound
[Chart 1: CWE-125 (App) and CWE-190 (App), monthly, 12/04/01 to 17/04/01, y-axis 0 to 60; "Google OSS Fuzz" annotated on the chart.]
[Chart 2: CWE-125 (OS) and CWE-190 (OS), monthly, 12/04/01 to 17/04/01, y-axis 0 to 12.]
2. OSS CVE Status (Typical Apps)
Heartbleed (2014/04/07)
[Chart 1: CWE-310 (app), monthly, 12/01/01 to 17/01/01, y-axis 0 to 800; Heartbleed marked.]
[Chart 2: CWE-310 (OS), monthly, 12/01/01 to 17/01/01, y-axis 0 to 800.]
WordPress
[Chart: WordPress CVEs per month, 2012/03 to 2017/03, y-axis 0 to 100.]
WordPress vs other CMS
[Chart: CVEs per month, 2012/03 to 2017/03, series "Wordpress", "Drupal" and "Other CMS", y-axis 0 to 100.]
Struts
[Chart: Struts CVEs per month, 2012/04 to 2017/04, y-axis 0 to 9.]
3. How can you get CVE info quickly?
Is it valuable to get CVE info quickly? Yes!! CVE (2017/03/17)
Is it valuable to get CVE info quickly?
If you know about a CVE earlier, you can
- read the information (do you need it or not?)
- prepare for the update (schedule, etc.)
- test the update
...etc.
Recommended
More recommendations