Cve trends 20170531

  • Date posted: 22-Jan-2018
  • Category: Internet

Transcript of Cve trends 20170531

  1. OSS CVE Trends. Kazuki Omo: [email protected], SIOS Technology, Inc.
  2. Objective. Out of scope: new security product info; new security technology info. Share: current vulnerability trends; how to get vulnerability info quickly (public).
  3. Who am I? Security researcher/engineer (17 years); SELinux/MAC evangelist (13 years); antivirus engineer (3 years); SIEM engineer (3 years); CISSP (#366942); 120 kg bench press max; member of Secure OSS-Sig.
  4. What is Secure OSS-Sig? A Japanese community interested in OSS security technology.
  5. Agenda: 1. What is CVE? CWE? 2. CVE trends (OSS, etc.) 3. How to get vulnerability information quickly?
  6. 1. What is CVE? CWE?
  7. CVE: Common Vulnerabilities and Exposures
  8. Short story...
  9. After 9/11: FISMA (Federal Information Security Management Act, Dec 2002); NIST (National Institute of Standards and Technology): FIPS (Federal Information Processing Standards), SP 800 series (e.g. SP 800-63A, Identity Proofing & Enrollment).
  10. After 9/11: many types of security measurement, test, config ... managed with compliance, and an annual report to OMB (Office of Management and Budget)!!
  11. SCAP (Security Content Automation Protocol). Objective: automation of vulnerability management, vulnerability measurement and policy compliance evaluation. NIST designed SCAP.
  12. SCAP components. Enumerations: Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), Common Weakness Enumeration (CWE). Languages: Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL). Also Common Vulnerability Scoring System (CVSS), and so on.
  13. CVE: Common Vulnerabilities and Exposures. Examples (CVE ID: summary):
      • CVE-2017-5638: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.
      • CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.
  14. CWE: Common Weakness Enumeration
  15. CWE: Common Weakness Enumeration. Examples (CVE ID: CWE ID, description):
      • CVE-2017-5638 (Struts2): CWE-20, Improper Input Validation
      • CVE-2016-6662 (MySQL): CWE-264, Permissions, Privileges, and Access Controls
      • CVE-2014-0160 (Heartbleed): CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer
  16. 2. CVE Status (Total)
  17. 10 years CVE statistics (no HW/firmware). [Chart: monthly CVE count from 2007/01 to 2017/01, y-axis 0 to 1800; Heartbleed marked.]
  18. OS CVE statistics (5 years). [Chart: y-axis 0 to 400; series OS, OSS, mobile; Heartbleed marked.]
  19. App CVE statistics (5 years). [Chart: 2012/04 to 2017/04, y-axis 0 to 1400; series Apps, OSS, Mobile; Heartbleed marked.]
  20. From these graphs: 1. The CVE count is growing gently (Heartbleed is special). 2. After 2016, it is growing rapidly.
  21. 2. OSS CVE Status (CWEs)
  22. OSS CVE statistics with CWE (5 years): CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'); CWE-94, Improper Control of Generation of Code ('Code Injection'); CWE-79, Improper Neutralization of Input During Web Page Generation ('XSS'). [Charts: 2012/04 to 2017/04; CWE-89 (app) and CWE-94 (app) on a 0 to 50 scale; CWE-79 (app) on a 0 to 160 scale.]
  23. OSS CVE statistics with CWE (5 years): CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer. [Chart: 2012/04 to 2017/04, y-axis 0 to 160; series CWE-119.]
  24. OSS CVE statistics with CWE (5 years): CWE-125, Out-of-bounds Read; CWE-190, Integer Overflow or Wraparound. [Chart: 2012/04 to 2017/04, y-axis 0 to 70; series CWE-125, CWE-190.]
  25. OSS CVE statistics with CWE (5 years): CWE-416, Use After Free. [Chart: 2012/04 to 2017/04, y-axis 0 to 25; series CWE-416.]
  26. Tools for automatic fuzzing: American Fuzzy Lop, http://lcamtuf.coredump.cx/afl (since 2014; famous for finding ShellShock); OSS Fuzz, https://github.com/google/oss-fuzz (open source since 2016/12).
  27. Tools for automatic fuzzing: OSS Fuzz, https://github.com/google/oss-fuzz (open source since 2016/12), finds heap/global/stack buffer overflows, use after frees and out-of-bounds access.
  28. OSS CVE statistics with CWE (5 years): CWE-416, Use After Free. [Same chart as slide 25, annotated: Google OSS Fuzz; Firefox, Chrome.]
  29. OSS CVE statistics with CWE (5 years): CWE-125, Out-of-bounds Read; CWE-190, Integer Overflow or Wraparound. [Same chart as slide 24, annotated: Google OSS Fuzz; Firefox, Chrome.]
  30. From these graphs: 1. The OSS CVE count is growing; security researchers are brushing them up (Google OSS Fuzz).
  31. 2. OSS CVE Status (Typical Case)
  32. Heartbleed (2014/04/07): CWE-310 (Cryptographic Issues). [Charts: 2012/01 to 2017/01, y-axis 0 to 800; CWE-310 (app) and CWE-310 (OS); Heartbleed marked.]
  33. Wordpress. [Chart: 2012/03 to 2017/03, y-axis 0 to 100; series Wordpress.]
  34. From these graphs: CVEs related to a big incident increase (a few months later).
  35. High-priority CVE: publish → attack. [Chart: 2014/01 to 2017/04.] Heartbleed CVE-2014-0160: published 4/7/2014, attack 4/9/2014. ShellShock CVE-2014-6271: 9/24/2014, 9/25/2014. Struts2 CVE-2016-3081: 4/21/2016, 4/27/2016. Struts2 CVE-2017-5638: 3/6/2017, 3/7/2017.
  36. From these graphs: after a high-priority CVE is published, attacks increase (quickly). So it's better to get vulnerability info quickly!!
  37. From these graphs: distros/projects get info before publication. So we should get vulnerability info quickly (after publication)!!
  38. 3. How can you get CVE info quickly?
  39. Is it valuable to get vulnerability info quickly? Yes!! CVE (2017/03/17)
  40. Is it valuable to get vulnerability info quickly? If you know the vulnerability earlier: read/know the information (do you need to fix it or not?); prepare for attack (FW config, etc.); prepare for update (schedule, etc.); test the update ... etc.
  41. CVE request (previous): before 02/09/2017, send vulnerability details to the oss-security ML, then MITRE assigns CVEs. Merit for users: 1. During CVE assignment there was time to confirm/reproduce. 2. Detailed information about the vulnerability.
  42. Current CVE request: use the web form for CVE requests.
  43. How you can get CVE info quickly. So now we get only a little info from the oss-security ML. What is the alternative way?
  44. MITRE official: 1. Daily CVE changelog
  45. MITRE official: 2. Twitter (almost real time)
  46. OSS (CVE-Search): 3. Create an internal CVE database for searching
  47. Alternative: 4. Register to several typical announce MLs
  48. Alternative: 4. Register to several typical MLs (cont.)
  49. Alternative: 5. Check typical OSS websites. http://tomcat.apache.org/security-9.html https://www.postgresql.org/support/security/
  50. Alternative: 5. Check typical OSS websites. https://www.oracle.com/technetwork/topics/security/alerts-086861.html
  51. Alternative: 6. Check several deep-info websites. https://blogs.gentoo.org/ago/
  52. My blog (Japanese language, sorry): https://oss.sios.com/security
  53. By the way: each distro's speciality (from my personal experience). Speed (Open Vulnerability in
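The CWE trend charts (slides 17 to 35) and the internal CVE database of slide 46 both rest on one operation: bucketing CVE records by CWE and publication month and comparing counts before and after an incident. The following Python is an added example, not code from the slides or from CVE-Search; the record shape and the CVE-0000-000x IDs are assumptions, while the Heartbleed and Struts2 rows reuse the CWE and date values the slides give.

```python
"""Bucket CVE records by CWE and publication month, as the trend slides do.
Assumed record shape (an assumption, not a real feed format): dicts with
"id", "published" (YYYY-MM-DD) and "cwe"."""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample set. The Heartbleed and Struts2 rows use the CWE and
# publish dates given on the slides; CVE-0000-000x IDs are placeholders.
RECORDS = [
    {"id": "CVE-2014-0160", "published": "2014-04-07", "cwe": "CWE-119"},
    {"id": "CVE-2017-5638", "published": "2017-03-06", "cwe": "CWE-20"},
    {"id": "CVE-0000-0001", "published": "2013-11-01", "cwe": "CWE-310"},
    {"id": "CVE-0000-0002", "published": "2014-04-20", "cwe": "CWE-310"},
    {"id": "CVE-0000-0003", "published": "2014-06-02", "cwe": "CWE-310"},
    {"id": "CVE-0000-0004", "published": "2014-07-15", "cwe": "CWE-310"},
    {"id": "CVE-0000-0006", "published": "2017-01-23", "cwe": "CWE-416"},
]

def month_index(published: str) -> int:
    """Months since year 0, so adjacent months differ by exactly 1."""
    y, m, _ = published.split("-")
    return int(y) * 12 + int(m) - 1

def monthly_counts_by_cwe(records, cwes=None):
    """Return {cwe: {"YYYY/MM": count}}; restrict to `cwes` when given."""
    out = defaultdict(Counter)
    for r in records:
        if cwes is None or r["cwe"] in cwes:
            out[r["cwe"]][r["published"][:7].replace("-", "/")] += 1
    return {cwe: dict(c) for cwe, c in out.items()}

def before_after_incident(records, cwe, incident: str, months: int):
    """Count CVEs of one CWE in the `months` months before the incident month
    and in the `months` months from the incident month on (slide 34's check)."""
    i0 = month_index(incident)
    before = after = 0
    for r in records:
        if r["cwe"] != cwe:
            continue
        i = month_index(r["published"])
        if i0 - months <= i < i0:
            before += 1
        elif i0 <= i < i0 + months:
            after += 1
    return before, after

def publish_to_attack_days(published: str, attacked: str) -> int:
    """Lag between CVE publication and first observed attack (slide 35)."""
    return (date.fromisoformat(attacked) - date.fromisoformat(published)).days
```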