Sunday, September 3, 2023

The SIEM Project: 01 Retrieving CVE Information

Today, I am going to start my own personal project, which is a simple SIEM. In my previous posts, I have already created small Python programs that could be essential parts of this project, which are as follows:

  1. Python: Count Source IP Addresses from Captured Packets And Display on a Table
  2. A Simple Event Log Viewer in Python
  3. 2 Python Programs that are useful in Cyber Security

Moving on, I will have to start the project by retrieving information about a CVE (Common Vulnerabilities and Exposures). To achieve this, I will be using the library NVDLIB. Check out the documentation and how to use the library here. The documentation seems to be outdated in most scenarios. So in real-world scenarios, it would be better to download the CVE list from the NIST website, which is well over a million entries, so that queries can stay flexible, because they often make changes to their API; but in my case, I will just use simple queries.

The scenario I am going to simulate is to select 3 CVEs related to Windows 10, which is what I am currently using. I will just display the CVE number, reference URL, description, the severity, vulnerability score index and the vector.

According to ChatGPT, CVEs are as follows:

CVEs (Common Vulnerabilities and Exposures) typically contain information about vulnerabilities in software or hardware systems, including information about the affected operating systems and their versions. However, the level of detail provided in a CVE entry may vary.

Here are the key elements you can find in a typical CVE entry related to affected operating systems:

  1. CVE Identifier (CVE-ID): A unique identifier assigned to the vulnerability.
  2. Description: A description of the vulnerability, its impact, and how it can be exploited.
  3. References: Links to additional resources, such as advisories or patches, related to the vulnerability.
  4. CVSS (Common Vulnerability Scoring System) Score: A numerical score that represents the severity of the vulnerability.
  5. Affected Software: Information about the software or hardware affected by the vulnerability. This can include:
    • Vendor Name: The name of the vendor or organization that created the affected software or hardware.
    • Product Name: The name of the specific product or software component.
    • Version(s): The version(s) of the software or hardware that are affected by the vulnerability.
    • Update Version(s): The version(s) of the software or hardware that have been fixed or patched.
  6. Vulnerable Configurations: Information about how the vulnerability can be exploited in different configurations.
  7. Vulnerability Type: The type or category of the vulnerability (e.g., buffer overflow, SQL injection, etc.).
  8. CWE (Common Weakness Enumeration) ID: An identifier from the CWE database that categorizes the type of weakness or vulnerability.
  9. Publication Date: The date when the CVE entry was published.

It's important to note that while CVE entries strive to provide accurate and detailed information, the level of detail may vary depending on the information available at the time of publication. Some CVE entries may provide specific details about affected operating systems and versions, while others may provide more general information about affected software components.

Security researchers, vendors, and organizations often collaborate to provide additional information and context for CVEs, such as patches or workarounds. When assessing the impact of a CVE, it's important to refer to additional resources and advisories provided by relevant vendors and security organizations.

The Python program is very short; all I have to do is define the search parameters (retrieve all Windows 10 related CVEs) and just display the first 3. And here is the code:

import nvdlib

# Every CVE whose known affected configurations list the generic Windows 10 CPE name.
r = nvdlib.searchCVE(cpeName='cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*')
print(len(r))        # how many CVEs the query returned
print(dir(r[0]))     # the attributes nvdlib exposes on a CVE object

# Display only the first three results.
for r1 in r[:3]:
    # r1.score is nvdlib's [version, score, severity] summary; r1.url is the NVD detail page
    print(r1.id, str(r1.score[0]), r1.url)
    try:
        # CVSS v2 metrics, when the entry carries them
        print(r1.v2severity + ' - ' + str(r1.v2score) + ' - ' + r1.v2vector)
    except AttributeError:
        try:
            # otherwise fall back to CVSS v3.1
            print(r1.v31severity + ' - ' + str(r1.v31score) + ' - ' + r1.v31vector)
        except AttributeError:
            # neither metric set is present; show what the object does carry
            print(dir(r1))
    print(r1.descriptions[0].value)

The search parameter is not very simple; it took me a while to make it work. ChatGPT could not help me figure it out, although it was able to explain the parts of the search parameter, which are as follows:

In this CPE name:

  • cpe:2.3 indicates the CPE version.
  • o indicates that it is an operating system.
  • microsoft is the vendor (Microsoft).
  • windows_10 specifies the product (Windows 10).

The trailing * indicates that the CPE name is generic and does not specify a particular version or edition. The * is a wildcard character. And here is what ChatGPT suggested:

 cpe:2.3:o:microsoft:windows_10::version:1903:*

ChatGPT missed the '-' part, suggesting a version and what seems like the patch number. When the '-' is missing, the search parameter will not work, and the version and patch number don't seem to work either. I figured out that the search parameter can be found on the CVE's NIST details page; for example, CVE-2013-3900 can be found at NVD - CVE-2013-3900 (nist.gov). Check the section 'Known Affected Software Configurations', see screenshot below:


Furthermore, more information about CPE can be found on Wikipedia.
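Since the CPE name was the hard part, here is an added example (not code from the post or from nvdlib) that parses and validates a CPE 2.3 formatted string the way NIST IR 7695 lays it out: the fixed "cpe:2.3" prefix plus eleven attributes, thirteen colon-separated components in all, with '*' meaning ANY and '-' meaning not applicable. Run against the working Windows 10 name from the program above it parses cleanly, while ChatGPT's suggestion fails with a message saying why (too few components, one of them empty); the function names are my own.

```python
import re

# Layout of a CPE 2.3 formatted string (NIST IR 7695): the fixed prefix
# "cpe:2.3" followed by these eleven attributes, in this order.
CPE_ATTRIBUTES = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)
PART_NAMES = {"a": "application", "h": "hardware", "o": "operating system"}
SPECIAL = {"*": "ANY", "-": "NA"}   # the two logical values a component may take


def split_cpe(name):
    """Split on ':' separators, leaving backslash-escaped colons ('\\:') intact."""
    return re.split(r"(?<!\\):", name)


def parse_cpe(name):
    """Return {attribute: value}, or raise ValueError naming the first defect."""
    parts = split_cpe(name)
    if parts[:2] != ["cpe", "2.3"]:
        raise ValueError("name must start with 'cpe:2.3'")
    if len(parts) != 13:
        raise ValueError(f"expected 13 colon-separated components, got {len(parts)}")
    fields = dict(zip(CPE_ATTRIBUTES, parts[2:]))
    for attr, value in fields.items():
        if value == "":   # an empty component is not allowed; ANY is '*', NA is '-'
            raise ValueError(f"component {attr!r} is empty; use '*' or '-'")
    if fields["part"] not in PART_NAMES:
        raise ValueError(f"part must be a, h or o, got {fields['part']!r}")
    return fields


def cpe_error(name):
    """Validation message for a malformed name, or None when it parses cleanly."""
    try:
        parse_cpe(name)
        return None
    except ValueError as err:
        return str(err)


def describe(fields):
    """Spell out '*'/'-' and the part letter, e.g. for a human-readable report."""
    return {attr: PART_NAMES[value] if attr == "part" else SPECIAL.get(value, value)
            for attr, value in fields.items()}
```

Calling cpe_error() on a candidate name before handing it to nvdlib.searchCVE() turns a silent empty result into a concrete message about which component is wrong.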

And that's all for now. Hire me if you have similar projects. 

