ToolsWatch
vFeed API and Vulnerability Database Community
http://www.toolswatch.org/vfeed-the-open-source-correlated-cross-linked-vulnerability-xml-database/ https://github.com/toolswatch/vFeed
Provide a short description of how and where your capability is made available to your customers and the public (required):
The vFeed Python API and the vFeed SQLite Vulnerability Database can be downloaded from GitHub. Once the vFeed Python API is installed, customers can run a simple update to retrieve the full SQLite vFeed Vulnerability Database. The vFeed Python API can be retrieved from the following URL:
https://github.com/toolswatch/vFeed
Or, installed on any system running Python and SQLite using the following CLI:
#git clone https://github.com/toolswatch/vFeed.git
Once installed, the users can leverage the following syntax:
#python vfeedcli.py update
(output sample)
[install] getting fresh copy of vfeed.db. It may take a while ...
[progress 1 %] receiving 483328 out of 43325357 Bytes of vfeed.db.tgz
Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):
The users can leverage from the command line the following syntax:
#python vfeedcli.py get_cve CVE-2014-10038
[cve_description]: SQL injection vulnerability in agenda/indexdate.php in DomPHP 0.83 and earlier allows remote attackers to execute arbitrary SQL commands via the ids parameter.
[cve_published]: 2015-01-13T10:59:48.210-05:00
[cve_modified]: 2015-01-14T15:11:21.137-05:00
The get_cve method returns the CVE ID alongside the relevant information such as the description and dates.
Indicate how often you plan on updating the mappings to reflect the current CVE content and describe your approach to keeping reasonably current with the CVE content when mapping them to your repository (required):
All new entries are added to our vFeed vulnerability database community within 15 business days. We rely fully on the NVD CVE XML current-year, recent and modified feeds. Once a quarter, the full NVD XML feeds are rescanned to generate a fresh SQLite database. Users and researchers can run the following command to list the newest CVEs:
#python vfeedcli.py get_latest
(sample output)
--- Snip ---
--------------------------------------------------------------
vFeed.db Statistics : Latest added CVEs
473 total added new CVEs
---------------------------------------------------------------
CVE-2015-0223
CVE-2015-0231
CVE-2015-0232
--- Snip ---
Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CVE content (required):
Due to the complexity of the vFeed Vulnerability Database Community's update process (we rely on more than 50 different data sources, tools, signatures and feeds), the alerts are retrieved every fifteen (15) business days.
Describe the criteria used for determining the relevance of a given CVE Identifier to your Capability (required):
vFeed intends to cross-link and aggregate data from different sources. The CVE ID is the main identifier in vfeed.db, and we ensure that every source attribute has at least one validated CVE Identifier.
Describe the mechanism used for reviewing CVE for content changes (required):
We update the content of the vFeed.db SQLite Vulnerability Database Community every fifteen (15) business days, based partially on the NVD XML repository. In addition, we use extra data-source feeds to extend the reliability of the vulnerability database.
Describe the source of your CVE content (required):
The main feed for the basic CVE information (such as Identifier and Description) is the NVD website. However, we use internal mappers to gather different attributes from third-party references to extend the accuracy and reliability of the vFeed.db Vulnerability Database Community.
Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):
https://github.com/toolswatch/vFeed/wiki/1-vFeed-Framework-Concept
Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability’s repository (required):
The correlated vulnerability database vFeed.db comes with a set of Python API methods that help to query CVE identifiers within the database. Users can leverage the different methods as described in our documentation at https://github.com/toolswatch/vFeed/wiki/3-vFeed-methods.
- The search method quickly queries the database and returns an excerpt of the description and relevant information such as the existence of exploits.
#python vfeedcli.py search CVE-2014-0160
[+] Querying information for CVE-2014-0160 ...
[-] The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g ....
[!] 2 Metasploit Exploit(s) Found
[!] 4 Exploit DB sploits Found
[INFO] Try vfeedcli.py export CVE-2014-0160 for more information!
The get_cve method returns the information as extracted from the NVD XML feed data source.
#python vfeedcli.py get_cve CVE-2014-10038
[cve_description]: SQL injection vulnerability in agenda/indexdate.php in DomPHP 0.83 and earlier allows remote attackers to execute arbitrary SQL commands via the ids parameter.
[cve_published]: 2015-01-13T10:59:48.210-05:00
[cve_modified]: 2015-01-14T15:11:21.137-05:00
Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability’s repository (required):
The CVE ID alongside all attributes and elements is displayed using the vFeed built-in functions or within the pre-formatted vFeed proprietary XML format. As described in section CR_4.2, vFeed uses different Python API methods such as get_cve or search to display CVE information.
The export function can also be leveraged to document a CVE Identifier as an XML export. The XML file is a proprietary format of ToolsWatch.org.
#python vfeedcli.py export CVE-2014-10038
[info] vFeed xml file CVE_2014_10038.xml exported for CVE-2014-10038
Here is an excerpt of CVE-2014-10038 correlated with available public information:
<?xml version="1.0" ?>
<vFeed xmlns="http://www.toolswatch.org/vfeed/" xmlns:meta="http://www.toolswatch.org/vfeed/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.toolswatch.org/vfeed/ http://www.toolswatch.org/vfeed/vFeed.xsd">
<!--#####################################-->
<!--vFeed - Open Source Cross-linked and Aggregated Local Vulnerability Database-->
<!--Generated by vFeedApi.py-->
<release>
<name>vFeed XML for CVE-2014-10038</name>
<version>0.5.0</version>
<author>NJ OUCHN @toolswatch</author>
<url>https://github.com/toolswatch/vFeed</url>
<date_generated>Sun, 01 Mar 2015 09:51:58</date_generated>
</release>
<!--#####################################-->
<!--Entry ID-->
<entry exported="CVE_2014_10038.xml" id="CVE-2014-10038">
<date modified="2015-01-14T15:11:21.137-05:00" published="2015-01-13T10:59:48.210-05:00"/>
<summary>SQL injection vulnerability in agenda/indexdate.php in DomPHP 0.83 and earlier allows remote attackers to execute arbitrary SQL commands via the ids parameter.</summary>
<cve_ref>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-10038</cve_ref>
<!--#####################################-->
<!--Official References-->
<references>
<ref source="XF" url="http://xforce.iss.net/xforce/xfdb/90528"/>
<ref source="EXPLOIT-DB" url="http://www.exploit-db.com/exploits/30872"/>
<ref source="MISC" url="http://packetstormsecurity.com/files/124801"/>
<ref source="OSVDB" url="http://osvdb.org/show/osvdb/102180"/>
</references>
<!--#####################################-->
<!--vFeed Mapped References-->
<crossReferences>
<ref id="102180" source="OSVDB" url="http://www.osvdb.org/show/osvdb/102180"/>
</crossReferences>
<!--#####################################-->
<!--Vulnerable Targets according to CPE-->
<vulnerableTargets>
<cpe id="cpe:/a:domphp:domphp:0.83"/>
</vulnerableTargets>
<!--#####################################-->
<!--Risk Scoring Evaluation-->
<riskScoring>
<severityLevel status="High"/>
<cvss base="7.5" exploit="10.0" impact="6.4"/>
<cvssVector A="partial" AC="low" AV="network" Au="none" C="partial" I="partial"/>
<topVulnerable status="False"/>
<topAlert status="
- 2011 Top 25 - Insecure Interaction Between Components
- OWASP Top Ten 2010 Category A1 - Injection
- OWASP Top Ten 2013 Category A1 - Injection"/>
<pciCompliance status="Failed"/>
</riskScoring>
<!--#####################################-->
<!--Patch Management-->
<patchManagement/>
<!--#####################################-->
<!--Attack and Weaknesses Categories. Useful when performing classification of threats-->
<attackPattern>
<cwe id="CWE-89" standard="CWE - Common Weakness Enumeration" title="Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" url="https://cwe.mitre.org/data/definitions/89"/>
<capec id="108" relatedCWE="CWE-89" standard="CAPEC - Common Attack Pattern Enumeration and Classification" url="https://capec.mitre.org/data/definitions/108"/>
<capec id="109" relatedCWE="CWE-89" standard="CAPEC - Common Attack Pattern Enumeration and Classification" url="https://capec.mitre.org/data/definitions/109"/>
<capec id="110" relatedCWE="CWE-89" standard="CAPEC - Common Attack Pattern Enumeration and Classification" url="https://capec.mitre.org/data/definitions/110"/>
<capec id="470" relatedCWE="CWE-89" standard="CAPEC - Common Attack Pattern Enumeration and Classification" url="https://capec.mitre.org/data/definitions/470"/>
<capec id="66" relatedCWE="CWE-89" standard="CAPEC - Common Attack Pattern Enumeration and Classification" url="https://capec.mitre.org/data/definitions/66"/>
<capec id="7" relatedCWE="CWE-89" standard="CAPEC - Common Attack Pattern Enumeration and Classification" url="https://capec.mitre.org/data/definitions/7"/>
</attackPattern>
<!--#####################################-->
<!--Assessment and security Tests. The IDs and source could be leveraged to test the vulnerability-->
<assessment>
<check file="" id="30872" link="http://www.exploit-db.com/exploits/30872" type="Exploitation" utility="exploit-db"/>
</assessment>
<!--#####################################-->
<!--Defense and IDS rules. The IDs and source could be leveraged to deploy effective rules-->
<defense/>
</entry>
</vFeed>
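Consuming an export like the one above programmatically, as an added example that is not vFeed's own code: the parser below uses only the Python standard library, takes its element and attribute names from the XML shown on this page, and flattens one <entry> into a single record. The sample input is a trimmed copy of the CVE-2014-10038 export (comments and some reference and CAPEC rows dropped), and the needs_priority rule is this example's own triage convention, not a vFeed feature.

```python
"""Parse a vFeed XML export into a flat triage record.

Added example (not vFeed project code). Element and attribute names come
from the export shown on this page; the record layout and the priority
rule are this example's own convention.
"""
import xml.etree.ElementTree as ET

# Default namespace declared on the <vFeed> root element in the export above.
NS = {"v": "http://www.toolswatch.org/vfeed/"}

# Constructed sample: a trimmed copy of the CVE-2014-10038 export shown above.
SAMPLE_XML = """<?xml version="1.0" ?>
<vFeed xmlns="http://www.toolswatch.org/vfeed/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<release>
<name>vFeed XML for CVE-2014-10038</name>
<version>0.5.0</version>
</release>
<entry exported="CVE_2014_10038.xml" id="CVE-2014-10038">
<date modified="2015-01-14T15:11:21.137-05:00" published="2015-01-13T10:59:48.210-05:00"/>
<summary>SQL injection vulnerability in agenda/indexdate.php in DomPHP 0.83 and earlier allows remote attackers to execute arbitrary SQL commands via the ids parameter.</summary>
<references>
<ref source="EXPLOIT-DB" url="http://www.exploit-db.com/exploits/30872"/>
<ref source="OSVDB" url="http://osvdb.org/show/osvdb/102180"/>
</references>
<vulnerableTargets>
<cpe id="cpe:/a:domphp:domphp:0.83"/>
</vulnerableTargets>
<riskScoring>
<severityLevel status="High"/>
<cvss base="7.5" exploit="10.0" impact="6.4"/>
<cvssVector A="partial" AC="low" AV="network" Au="none" C="partial" I="partial"/>
<pciCompliance status="Failed"/>
</riskScoring>
<patchManagement/>
<attackPattern>
<cwe id="CWE-89" title="Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"/>
<capec id="108" relatedCWE="CWE-89"/>
<capec id="66" relatedCWE="CWE-89"/>
</attackPattern>
<assessment>
<check file="" id="30872" link="http://www.exploit-db.com/exploits/30872" type="Exploitation" utility="exploit-db"/>
</assessment>
<defense/>
</entry>
</vFeed>
"""


def _attr(parent, path, name):
    """Attribute `name` of the first element at `path`, or None if the element is absent."""
    node = parent.find(path, NS)
    return None if node is None else node.get(name)


def _child_count(parent, path):
    """Number of child elements under `path`; 0 when the section is empty or missing."""
    node = parent.find(path, NS)
    return 0 if node is None else len(node)


def parse_vfeed_export(xml_text):
    """Flatten one vFeed <entry> into a dict of the fields a triage workflow needs."""
    root = ET.fromstring(xml_text)
    entry = root.find("v:entry", NS)
    if entry is None:
        raise ValueError("no <entry> element found in vFeed export")

    base = _attr(entry, "v:riskScoring/v:cvss", "base")
    return {
        "cve": entry.get("id"),
        "published": _attr(entry, "v:date", "published"),
        "modified": _attr(entry, "v:date", "modified"),
        "summary": entry.findtext("v:summary", default="", namespaces=NS).strip(),
        "severity": _attr(entry, "v:riskScoring/v:severityLevel", "status"),
        "cvss_base": float(base) if base else None,
        "cpe": [c.get("id") for c in entry.findall("v:vulnerableTargets/v:cpe", NS)],
        "cwe": [w.get("id") for w in entry.findall("v:attackPattern/v:cwe", NS)],
        "capec": [c.get("id") for c in entry.findall("v:attackPattern/v:capec", NS)],
        "references": [(r.get("source"), r.get("url"))
                       for r in entry.findall("v:references/v:ref", NS)],
        # Counts of correlated artefacts: public exploit checks, patches, IDS rules.
        "exploit_checks": _child_count(entry, "v:assessment"),
        "patches": _child_count(entry, "v:patchManagement"),
        "defense_rules": _child_count(entry, "v:defense"),
    }


def needs_priority(record, cvss_threshold=7.0):
    """Triage rule (this example's own): flag a CVE that is high-severity, or that
    has a public exploit check correlated while no patch reference is."""
    high = record["cvss_base"] is not None and record["cvss_base"] >= cvss_threshold
    exploitable_unpatched = record["exploit_checks"] > 0 and record["patches"] == 0
    return high or exploitable_unpatched


if __name__ == "__main__":
    rec = parse_vfeed_export(SAMPLE_XML)
    print(rec["cve"], rec["severity"], rec["cvss_base"], rec["cwe"], rec["cpe"])
    print("priority:", needs_priority(rec))
```

Two points worth noting when reading such exports: the root element declares a default namespace, so every find() must be qualified with it (a bare find("entry") returns None), and an empty section such as <patchManagement/> or <defense/> is an element with zero children, not a missing element, which is why the counts are taken with len() rather than by testing the element's truth value. For exports obtained from outside your own vFeed installation, parse with a hardened parser such as defusedxml instead of the standard ElementTree.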
If your documentation includes an index, provide a copy of the items and resources that you have listed under "CVE" in your index. Alternately, provide directions to where these "CVE" items are posted on your web site (recommended):
A good example to illustrate this case is the search for the CVE Identifiers associated with a CPE. The search function can be leveraged to achieve this. Note that the vFeed documentation wiki explains the functions and their syntax in detail.
#python vfeedcli.py search cpe:/a:domphp:domphp
[+] Querying information for cpe:/a:domphp:domphp ...
[-] Total Unique CVEs [6]
[-] Total Found CPEs [3]
[+] Gathering information ...
[-] cpe:/a:domphp:domphp:0.83
[-] CVE-2014-10037 | CVSS Base :7.5
[->] Directory traversal vulnerability in DomPHP 0.83 and ....
[!] 1 Exploit DB sploits Found
[-] CVE-2014-10038 | CVSS Base :7.5
[->] SQL injection vulnerability in agenda/indexdate.php in DomPHP ....
[!] 1 Exploit DB sploits Found
[-] cpe:/a:domphp:domphp:0.82
[-] CVE-2008-0745 | CVSS Base :7.5
[->] Directory traversal vulnerability in aides/index.php in DomPHP....
[-] cpe:/a:domphp:domphp:0.81
[-] CVE-2008-0282 | CVSS Base :7.5
[->] SQL injection vulnerability in welcome/inscription.php in DomPHP
[-] CVE-2008-0283 | CVSS Base :6.8
[->] PHP remote file inclusion vulnerability in /aides/index.php ....
[-] CVE-2008-6064 | CVSS Base :7.5
[->] Multiple SQL injection vulnerabilities in DomPHP 0.81 ....
As shown above, CVE Identifiers are listed alongside their respective CVSS base scores.
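Since the vFeed API is CLI based, a practitioner wiring the CPE search into an asset-triage workflow will want the output above in structured form. The following is an added example, not vFeed's own code: it parses the search output exactly as laid out above (the regular expressions assume that line layout and would need adjusting if the CLI format changes) into a CPE-to-CVE map with CVSS base scores and reported exploit counts, then derives two views a defender typically needs from it.

```python
"""Turn vfeedcli.py `search <CPE>` output into a structured inventory.

Added example (not vFeed project code). The regular expressions assume the
line layout of the search output reproduced on this page.
"""
import re

# Constructed sample: the `search cpe:/a:domphp:domphp` output shown above.
SAMPLE_OUTPUT = """\
[+] Querying information for cpe:/a:domphp:domphp ...
[-] Total Unique CVEs [6]
[-] Total Found CPEs [3]
[+] Gathering information ...
[-] cpe:/a:domphp:domphp:0.83
[-] CVE-2014-10037 | CVSS Base :7.5
[->] Directory traversal vulnerability in DomPHP 0.83 and ....
[!] 1 Exploit DB sploits Found
[-] CVE-2014-10038 | CVSS Base :7.5
[->] SQL injection vulnerability in agenda/indexdate.php in DomPHP ....
[!] 1 Exploit DB sploits Found
[-] cpe:/a:domphp:domphp:0.82
[-] CVE-2008-0745 | CVSS Base :7.5
[->] Directory traversal vulnerability in aides/index.php in DomPHP....
[-] cpe:/a:domphp:domphp:0.81
[-] CVE-2008-0282 | CVSS Base :7.5
[->] SQL injection vulnerability in welcome/inscription.php in DomPHP
[-] CVE-2008-0283 | CVSS Base :6.8
[->] PHP remote file inclusion vulnerability in /aides/index.php ....
[-] CVE-2008-6064 | CVSS Base :7.5
[->] Multiple SQL injection vulnerabilities in DomPHP 0.81 ....
"""

# One pattern per line kind in the output: CPE header, CVE row, description, exploit count.
CPE_LINE = re.compile(r"^\[-\] (cpe:/\S+)\s*$")
CVE_LINE = re.compile(r"^\[-\] (CVE-\d{4}-\d{4,}) \| CVSS Base :\s*([\d.]+)\s*$")
DESC_LINE = re.compile(r"^\[->\] (.*)$")
EXPLOIT_LINE = re.compile(r"^\[!\] (\d+) (.+?) Found")


def parse_cpe_search(output):
    """Return {cpe: [{cve, cvss_base, description, exploits: {source: count}}, ...]}."""
    inventory = {}
    current_cpe = None
    current_cve = None
    for line in output.splitlines():
        m = CPE_LINE.match(line)
        if m:
            current_cpe = m.group(1)
            inventory.setdefault(current_cpe, [])
            current_cve = None
            continue
        m = CVE_LINE.match(line)
        if m and current_cpe is not None:
            current_cve = {"cve": m.group(1), "cvss_base": float(m.group(2)),
                           "description": "", "exploits": {}}
            inventory[current_cpe].append(current_cve)
            continue
        m = DESC_LINE.match(line)
        if m and current_cve is not None:
            current_cve["description"] = m.group(1).strip()
            continue
        m = EXPLOIT_LINE.match(line)
        if m and current_cve is not None:
            # e.g. "[!] 1 Exploit DB sploits Found" -> {"Exploit DB sploits": 1}
            current_cve["exploits"][m.group(2)] = int(m.group(1))
    return inventory


def highest_risk(inventory):
    """Per CPE, the CVE with the highest CVSS base score (exploit count breaks ties)."""
    result = {}
    for cpe, cves in inventory.items():
        if cves:
            top = max(cves, key=lambda c: (c["cvss_base"], sum(c["exploits"].values())))
            result[cpe] = top["cve"]
    return result


def with_public_exploits(inventory):
    """Sorted CVE IDs for which the search output reported at least one exploit entry."""
    return sorted({c["cve"] for cves in inventory.values() for c in cves if c["exploits"]})


if __name__ == "__main__":
    inv = parse_cpe_search(SAMPLE_OUTPUT)
    for cpe, cves in inv.items():
        print(cpe, [c["cve"] for c in cves])
    print("highest risk per CPE:", highest_risk(inv))
    print("CVEs with public exploits:", with_public_exploits(inv))
```

The parser keys on the bracketed prefixes ([-], [->], [!]) rather than on column positions, so truncated descriptions (the trailing "....") do not matter, and a CVE row that appears before any CPE header is ignored rather than mis-attributed.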
Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):
The vFeed Vulnerability Database Community currently comes with 2 methods that can be leveraged to search and export information about CVEs.
#python vfeedcli.py get_cve CVE-2014-10038
[cve_description]: SQL injection vulnerability in agenda/indexdate.php in DomPHP 0.83 and earlier allows remote attackers to execute arbitrary SQL commands via the ids parameter.
[cve_published]: 2015-01-13T10:59:48.210-05:00
[cve_modified]: 2015-01-14T15:11:21.137-05:00
#python vfeedcli.py search CVE-2014-10038
[+] Querying information for CVE-2014-10038 ...
[-] SQL injection vulnerability in agenda/indexdate.php in DomPHP 0.83 and earlier allows remote attackers to execute arbitrary SQL commands via the ids parameter.
[!] 1 Exploit DB sploits Found
[INFO] Try vfeedcli.py export CVE-2014-10038 for more information !!
Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):
We provide a set of python API methods to explore the SQLite vFeed.db Vulnerability Database Community. The methods are explained in the online documentation wiki at https://github.com/toolswatch/vFeed/wiki/2-Usage.
We have also wrapped all these functions into an export method that generates a vFeed proprietary XML. The XML describes the CVE with its associated third-party attributes such as CPE, CWE, CVSS, OVAL identifiers, Nessus scripts, Metasploit exploits, multiple patch information, and so on. The full list of methods is documented (under the vFeed Methods page) at https://github.com/toolswatch/vFeed/wiki/3-vFeed-methods.
Running the command-line vFeed Python API also gives an indication of how to explore the database.
Give detailed examples and explanations of how a user can obtain a listing of all of the CVE names that are associated with the tool’s tasks (recommended):
Please see the answer to <CR_A.2.2>.
Give detailed examples and explanations of the different ways that a user can use CVE names to find out which security elements are tested or detected by the service (i.e. by asking, by providing a list, by examining a coverage map, or by some other mechanism) (required):
The CVE ID alongside all attributes and elements is displayed using Python functions or within the pre-formatted vFeed proprietary XML output. vFeed comes with around 40 methods that allow users to enumerate the attributes related to a CVE. When executing the vfeedcli.py wrapper, a list of methods is displayed.
-----------------------------------------------------------------------------
vFeed - Open Source Cross-linked and Aggregated Local Vulnerability Database
version 0.5.0
https://github.com/toolswatch/vFeed
-----------------------------------------------------------------------------
[usage 1]: python ./vfeedcli.py <Method> <CVE>
[info] Available vFeed methods:
Information ==> get_cve | get_cpe | get_cwe | get_capec | get_category
References ==> get_refs | get_scip | get_osvdb | get_certvn | get_bid | get_iavm
Risk ==> get_risk | get_cvss
Patchs 1/2 ==> get_ms | get_kb | get_aixapar | get_redhat | get_suse | get_debian | get_hp
Patchs 2/2 ==> get_mandriva | get_cisco | get_ubuntu | get_gentoo | get_fedora | get_vmware
Assessment ==> get_oval | get_nmap | get_nessus | get_openvas
Defense ==> get_snort | get_suricata
Exploitation ==> get_milw0rm | get_edb | get_saint | get_msf | get_d2
----------
[usage 2]: python ./vfeedcli.py export <CVE>
[info]: This method will export the CVE as vFeed XML format
----------
[usage 3]: python ./vfeedcli.py search <CVE> | <CPE>
[info]: This method searches for CVE or CPE. It returns useful information that will help you dig deeper.
For example, getting the list of associated CWEs is achieved through the get_cwe method as depicted below:
#python vfeedcli.py get_cwe cve-2014-0160
-------
[cwe_id]: CWE-119
[cwe_title]: Improper Restriction of Operations within the Bounds of a Memory Buffer
One of the added values of vFeed is the proprietary XML format. It can be leveraged using the export function. The export method crafts a special XML file with all attributes around a CVE, ranging from scores, weaknesses and patches to scanning, exploitation and defense scripts.
Here is a pre-generated export for the well-known SSL Heartbleed vulnerability, aka CVE-2014-0160, at http://toolswatch.org/vfeed/CVE_2014_0160.xml.
Users can also rely on the search method to list information about a CVE.
#python vfeedcli.py search cve-2014-0160
[+] Querying information for CVE-2014-0160 ...
[-] The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
[!] 2 Metasploit Exploit(s) Found
[!] 4 Exploit DB Exploit(s) Found
[INFO] Try vfeedcli.py export CVE-2014-0160 for more information !!
Give detailed examples and explanations of how, for reports that identify individual security elements, the user can determine the associated CVE names for the individual security elements in the report (required):
Please see the answer to <CR_A.2.2> or <CR_A.3.1>.
Please provide the name and version number of any product that the service allows users to have direct access to if that product identifies security elements (recommended):
vFeed version 0.5.0 and above
Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CVE name or through an online mapping that links each element of the capability with its associated CVE name(s) (required):
The vFeed Vulnerability Database Community comes with a built-in search function suitable for CVEs and CPEs. The get_cve function can also be leveraged to search for any CVE occurrence.
#python vfeedcli.py search CVE-2014-0160
[+] Querying information for CVE-2014-0160 ...
[-] The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g ....
[!] 2 Metasploit Exploit(s) Found
[!] 4 Exploit DB sploits Found
[INFO] Try vfeedcli.py export CVE-2014-0160 for more information!
The get_cve method returns the information as extracted from the NVD XML feed data source.
#python vfeedcli.py get_cve CVE-2014-10038
[cve_description]: SQL injection vulnerability in agenda/indexdate.php in DomPHP 0.83 and earlier allows remote attackers to execute arbitrary SQL commands via the ids parameter.
[cve_published]: 2015-01-13T10:59:48.210-05:00
[cve_modified]: 2015-01-14T15:11:21.137-05:00
Finding CVE Names Using Online Capability Elements <CR_A.4.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the online capability allows the user to determine the associated CVE names for the individual security elements in the report. (required):
Please refer to the answer to <CR_A.2.2>.
Online Capability Element to CVE Name Mapping <CR_A.4.3>
If details for individual security elements are not provided, give examples and explanations of how a user can obtain a mapping that links each element with its associated CVE name(s), otherwise enter N/A (required):
Please refer to the answer to <CR_A.2.2>.
Aggregation Capability Questions
Finding Elements Using CVE Names <CR_A.5.1>
Give detailed examples and explanations of how a user can find associated elements in the capability by looking for their associated CVE name (required):
Users can leverage the multiple built-in functions as described at https://github.com/toolswatch/vFeed/wiki/3-vFeed-methods. The export function can also be leveraged to create a complete CVE overview with associated attributes.
Please refer also to the answer to for the search capability.
Finding CVE Names Using Elements in Reports <CR_A.5.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the capability allows the user to determine the associated CVE names for the individual security elements in the report (required):
Please refer also to the answer to <CR_A.5.1>.
Getting a List of CVE Names Associated with Tasks <CR_A.5.4>
Give detailed examples and explanations of how a user can obtain a listing of all of the CVE names that are associated with the capability’s tasks (recommended):
The export function is able to generate a very detailed proprietary XML file.
Refer as well to the answer to for more explanation.
Selecting Tasks with a List of CVE Names <CR_A.5.5>
Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CVE names (recommended):
Please refer to the answer to <CR_A.4.1>. Note that the vFeed API is CLI based.
Selecting Tasks Using Individual CVE Names <CR_A.5.6>
Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the capability by using individual CVE names (recommended):
Please refer to the answer to <CR_A.4.1>. Note that the vFeed API is CLI based.
Media Questions
Electronic Document Format Info <CR_B.3.1>
Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):
CLI output
Leveraging the search function as depicted below:
#python vfeedcli.py search CVE-2014-0160
[+] Querying information for CVE-2014-0160 ...
[-] The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g ....
[!] 2 Metasploit Exploit(s) Found
[!] 4 Exploit DB sploits Found
XML output
The export function produces a proprietary XML file with attributes and data about a CVE. Here is the example for the well-known SSL Heartbleed vulnerability, aka CVE-2014-0160, at http://toolswatch.org/vfeed/CVE_2014_0160.xml
The export method is leveraged using the following command line:
#python vfeedcli.py export CVE-2014-0160
Electronic Document Listing of CVE Names <CR_B.3.2>
If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):
Please refer to the answer to <CR_A.2.2>.
Electronic Document Element to CVE Name Mapping <CR_B.3.3>
Provide example documents that demonstrate the mapping from the capability’s individual elements to the respective CVE name(s) (recommended):
Please refer to the answer to <CR_A.2.2>.
Graphical User Interface (GUI)
Finding Elements Using CVE Names Through the GUI <CR_B.4.1>
Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CVE name(s) (required):
vFeed is a Python API with a CLI; all functions are CLI based.
GUI Element to CVE Name Mapping <CR_B.4.2>
Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability’s elements, also describe the format of the mapping (required):
vFeed is a Python API with a CLI; all functions are CLI based.
GUI Export Electronic Document Format Info <CR_B.4.3>
Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):
vFeed is a Python API with a CLI; all functions are CLI based. Refer to the answer to <CR_B.3.1>.
Questions for Signature
Statement of Compatibility <CR_2.7>
Have an authorized individual sign and date the following Compatibility Statement (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Nabil Joseph OUCHN
Title: Founder/Developer
Statement of Accuracy <CR_3.4>
Have an authorized individual sign and date the following accuracy Statement (recommended):
"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability’s Repository and the CVE entries our capability identifies."
Name: Nabil Joseph OUCHN
Title: Founder/Developer
Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>
FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tool's efficiency in identification of security elements (required):
"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."
Name: Nabil Joseph OUCHN
Title: Founder/Developer