Wednesday, September 6, 2023

The SIEM Project: 02 - Verifying CVE Vulnerability in Affected Software

In my previous post (if you haven't read it yet, you can find it here), I successfully retrieved details about a CVE that was randomly selected using specific search parameters. Now that we have comprehensive information about this CVE, it's time to confirm whether the software currently installed on my PC is still vulnerable. The software in question is my Windows 10 operating system.

In my example, the CVE was published in 2013, which predates the release of Windows 10 by two years; Windows 10 made its debut in 2015. To proceed, I need to adjust my original code to fetch CVEs published from 2020 up to the present year. Unfortunately, the search parameters I used don't provide this filtering option, so I'll need to filter the results by publication date myself.

But before I dive into that, I asked ChatGPT what the proper way to implement the verification process is. It gave a generalized process rather than the specific steps I needed; here is its reply:

Verifying if the affected software is still vulnerable to a given CVE (Common Vulnerabilities and Exposures) typically involves the following steps:

  1. Identify Affected Software: Determine the exact software and version that the CVE affects. You can usually find this information in the CVE description or on the NIST NVD (National Vulnerability Database) website.
  2. Check Software Version: Verify the version of the software currently installed on your system. You can typically find this information within the software itself or in system settings.
  3. CVE Details: Examine the details of the CVE, paying attention to the description and any information about patches or updates. CVE descriptions often include details about how the vulnerability can be exploited.
  4. Check for Updates/Patches: Visit the official website of the software vendor (e.g., Microsoft for Windows) and look for security updates or patches related to the CVE. Most vendors provide a list of security bulletins or advisories.
  5. Apply Updates: If updates or patches are available, download and apply them to your system. Make sure to follow the installation instructions provided by the vendor.
  6. Test Vulnerability: After applying the updates, it's a good practice to test whether the vulnerability still exists. Some vulnerabilities are complex and may not be completely mitigated by a single patch.
  7. Monitor Security Sources: Stay informed about security news and updates related to the software you're using. CVEs and security advisories are regularly published, and new vulnerabilities can emerge.
  8. Use Vulnerability Scanning Tools: Consider using vulnerability scanning tools or security software that can automatically check your system for known vulnerabilities, including those associated with CVEs.
  9. Regularly Update: Ensure that your software is regularly updated to the latest versions. Automated updates can help keep your system secure.
  10. Security Best Practices: Implement security best practices such as using strong passwords, enabling firewalls, and employing security software to reduce the overall attack surface.

Remember that security is an ongoing process, and it's essential to keep your software up to date and stay informed about potential vulnerabilities and patches. Additionally, some organizations have dedicated IT teams or security experts who handle vulnerability assessment and management.

The process it suggested was OK, but what I have in mind is how to implement this process without human intervention. Here is what I plan to do in this article:

Item 1: Identifying Affected Software 

To pinpoint the software and version impacted by the CVE, you can often locate this information within the CVE description or on the NIST NVD (National Vulnerability Database) website.

My Approach: 

To identify the affected software in this specific scenario, I'll automate the process. The relevant data is in the CVE's CPE (Common Platform Enumeration) strings. As mentioned in my previous post, the affected product is the fifth colon-separated field of a CPE 2.3 string (index 4 when you split on ':'), after 'cpe', '2.3', the part ('o' for operating system, 'a' for application, 'h' for hardware) and the vendor (e.g. cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*).

To identify the affected version, I'll examine the CVE's 'configurations' field. This field is a list of nodes, each holding 'cpeMatch' entries, and it carries the same information the NVD CVE detail page shows under 'Known Affected Software Configurations'. The program will find every entry whose product is 'windows_10' and take the version field that follows it, i.e. everything between the next two colons; that token names the affected Windows 10 feature release. Common values are 21h2, 1607, 1809 and 1909 (four characters in what I saw, but to be safe take the whole field between the two colons rather than a fixed count). Two caveats: a version of '-' or '*' means the entry does not pin a release, so any Windows 10 build matches; and only entries flagged vulnerable: true describe affected software, while an entry with vulnerable: false is just a platform that has to be present alongside the vulnerable one.
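Here is an added example (my own illustration, not code from the original post) that implements Item 1 against the shape of the NVD CVE API 2.0 'configurations' field. The configurations dictionary, the matchCriteriaId values and the build numbers below are constructed for the example, not taken from a real CVE. It splits CPE 2.3 strings on unescaped colons, keeps only entries flagged vulnerable, treats '-' and '*' versions as 'any', and also handles the convention seen in newer NVD entries of folding the release into the product name (windows_10_21h2 with the first fixed build in versionEndExcluding), which a plain search for 'windows_10' followed by a colon would miss.

```python
import re
from typing import Dict, List, Optional

# Constructed sample shaped like the "configurations" field of an NVD CVE API 2.0
# record (configurations -> nodes -> cpeMatch). The criteria, matchCriteriaId
# values and build numbers are made up for this example.
SAMPLE_CONFIGURATIONS: List[dict] = [
    {"nodes": [{
        "operator": "OR",
        "negate": False,
        "cpeMatch": [
            # Older NVD convention: the feature release sits in the version field.
            {"vulnerable": True,
             "criteria": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*",
             "matchCriteriaId": "00000000-0000-0000-0000-000000000001"},
            {"vulnerable": True,
             "criteria": "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*",
             "matchCriteriaId": "00000000-0000-0000-0000-000000000002"},
            # Newer convention: release folded into the product name, version '*',
            # and the first fixed build given as an exclusive upper bound.
            {"vulnerable": True,
             "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*",
             "versionEndExcluding": "10.0.19044.9999",
             "matchCriteriaId": "00000000-0000-0000-0000-000000000003"},
            # vulnerable: false marks a platform that must merely be present;
            # it is not affected software and must be ignored.
            {"vulnerable": False,
             "criteria": "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:*:*",
             "matchCriteriaId": "00000000-0000-0000-0000-000000000004"},
            # Unrelated application whose product name contains an escaped colon.
            {"vulnerable": True,
             "criteria": "cpe:2.3:a:example:tool\\:pro:1.0:*:*:*:*:*:*:*",
             "matchCriteriaId": "00000000-0000-0000-0000-000000000005"},
        ],
    }]}
]

# Field order of a CPE 2.3 formatted string. The product is index 4.
CPE_FIELDS = ("cpe", "cpe_version", "part", "vendor", "product", "version",
              "update", "edition", "language", "sw_edition", "target_sw",
              "target_hw", "other")


def parse_cpe(criteria: str) -> Dict[str, str]:
    """Split a CPE 2.3 string into named fields, honouring '\\:' escapes."""
    parts = re.split(r"(?<!\\):", criteria)
    if len(parts) != len(CPE_FIELDS) or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {criteria!r}")
    return {name: value.replace("\\:", ":") for name, value in zip(CPE_FIELDS, parts)}


def windows10_release(cpe: Dict[str, str]) -> Optional[str]:
    """Return the Windows 10 feature release a CPE names ('1607', '21h2', ...),
    'any' when the CPE does not pin one ('-' or '*'), or None if it is not
    Windows 10 at all."""
    if cpe["part"] != "o" or cpe["vendor"] != "microsoft":
        return None
    product = cpe["product"]
    if product == "windows_10":
        version = cpe["version"]
        return "any" if version in ("-", "*") else version.lower()
    if product.startswith("windows_10_"):
        return product[len("windows_10_"):].lower()
    return None


def affected_windows10_releases(configurations: List[dict]) -> Dict[str, Optional[str]]:
    """Map each affected Windows 10 release to the first fixed build that NVD
    records as versionEndExcluding, or None when no such bound is given."""
    affected: Dict[str, Optional[str]] = {}
    for config in configurations:
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if not match.get("vulnerable", False):
                    continue
                release = windows10_release(parse_cpe(match["criteria"]))
                if release is None:
                    continue
                fixed = match.get("versionEndExcluding")
                # Prefer a known fix build if the same release is listed twice.
                if affected.get(release) is None:
                    affected[release] = fixed
    return affected


if __name__ == "__main__":
    for release, fixed in sorted(affected_windows10_releases(SAMPLE_CONFIGURATIONS).items()):
        print(f"windows_10 {release}: fixed in {fixed or 'unknown'}")
```

Running it on the constructed sample yields 1607 and 1809 with no fix build recorded, and 21h2 with the fix build taken from versionEndExcluding; the Windows 11 platform entry and the unrelated application are ignored.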

Item 2: Verifying Software Version 

It's important to verify the version of the software currently installed on your system. This information is typically accessible within the software itself or in system settings.

My Approach: 

From the outset, I've identified that the software in question is Windows 10. In my actual SIEM (Security Information and Event Management) setup, I'll develop a program to identify all installed software and their respective versions on my PC. This comprehensive approach ensures that I have a clear understanding of the software landscape on my system.

To detect the operating system installed on my PC (assuming I don't know it yet), I will use the platform module; here is the code:

import platform
print('System: ' + platform.uname().system)
print('Release: ' + platform.uname().release)
print('Version: ' + platform.uname().version)
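As an added example (my own code, not the original post's), the following turns the platform output into the release token used in the CPE data and decides whether the installed build is affected. On Windows, platform.uname() reports release '10' and version as major.minor.build (e.g. 10.0.19045); the build number is what identifies the feature release (19045 is 22H2), and the fourth component (the UBR, e.g. 10.0.19045.3086) is only available from the registry, which the function reads when it actually runs on Windows. The build-to-release table and the sample affected dictionary are my additions; in the real pipeline the affected dictionary comes from the CVE's configurations data.

```python
import platform
import re
from typing import Dict, Optional, Tuple

# Windows 10 build number -> feature release token as NVD writes it in CPE
# version fields or product suffixes (from Microsoft's Windows 10 release
# information; extend as new releases appear).
BUILD_TO_RELEASE = {
    10240: "1507", 10586: "1511", 14393: "1607", 15063: "1703", 16299: "1709",
    17134: "1803", 17763: "1809", 18362: "1903", 18363: "1909", 19041: "2004",
    19042: "20h2", 19043: "21h1", 19044: "21h2", 19045: "22h2",
}


def parse_windows_version(version: str) -> Tuple[int, ...]:
    """'10.0.19045' -> (10, 0, 19045); '10.0.19045.3086' -> (10, 0, 19045, 3086)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unexpected Windows version string: {version!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def release_token(version: str) -> Optional[str]:
    """Map a version string to the feature release token, None if unknown."""
    major, minor, build = parse_windows_version(version)[:3]
    if (major, minor) != (10, 0):
        return None
    return BUILD_TO_RELEASE.get(build)


def is_affected(installed_version: str,
                affected: Dict[str, Optional[str]]) -> Tuple[Optional[bool], str]:
    """Decide whether the installed build falls in the affected set derived
    from the CVE's CPE data (release token -> first fixed build or None).
    Returns (verdict, reason); verdict None means undecidable with the data."""
    token = release_token(installed_version)
    if token is None:
        return None, f"{installed_version} is not a known Windows 10 feature release"
    if token not in affected and "any" not in affected:
        return False, f"release {token} is not listed as affected"
    fixed = affected.get(token, affected.get("any"))
    if fixed is None:
        return True, f"release {token} is listed as affected and no fixed build is given"
    installed = parse_windows_version(installed_version)
    if len(installed) < 4:
        return None, f"fixed build is {fixed} but the installed UBR (4th component) is unknown"
    if installed < parse_windows_version(fixed):
        return True, f"installed {installed_version} is below fixed build {fixed}"
    return False, f"installed {installed_version} is at or above fixed build {fixed}"


def local_windows_version() -> Optional[str]:
    """Installed version including the UBR when running on Windows, else None."""
    u = platform.uname()
    if u.system != "Windows":
        return None
    version = u.version  # e.g. '10.0.19045' (no UBR)
    try:
        import winreg  # Windows-only module
        key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            ubr, _ = winreg.QueryValueEx(key, "UBR")
        version = f"{version}.{ubr}"
    except (ImportError, OSError):
        pass  # fall back to the three-component version
    return version


if __name__ == "__main__":
    # Constructed affected set; normally produced from the CVE's configurations.
    affected = {"1607": None, "21h2": "10.0.19044.9999"}
    version = local_windows_version()
    if version is None:
        print("not running on Windows; using a constructed version string")
        version = "10.0.19044.1234"
    print(version, is_affected(version, affected))
```

The verdict is deliberately three-valued: when NVD gives a fixed build but the installed UBR is unknown, the function refuses to guess rather than report the machine as patched or vulnerable.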

I could use the following program to list all installed programs on my PC. It displays the installed software much like what you would see in the Control Panel's Programs and Features section. Note that Win32_Product only covers MSI-installed packages and that enumerating it is slow with a well-known side effect: WMI validates, and may trigger a repair of, every package it enumerates. For an inventory that also covers non-MSI installers, the Uninstall keys in the registry are the usual source.

import subprocess

# Run a PowerShell command to retrieve a list of installed software.
# Win32_Product only covers MSI-installed packages and enumerating it is slow
# (WMI validates each package); it is kept here because it matches what
# Programs and Features shows for those packages.
powershell_command = 'Get-WmiObject -Class Win32_Product | Select-Object Name'
installed_software = []

try:
    result = subprocess.check_output(
        ['powershell', '-NoProfile', '-WindowStyle', 'Hidden', '-Command', powershell_command],
        text=True)
    # Select-Object prints a 'Name' header and a '----' underline before the
    # values; skip those two lines, trim the column padding and drop blank lines.
    lines = result.strip().split('\n')[2:]
    installed_software = [line.strip() for line in lines if line.strip()]
except (subprocess.CalledProcessError, FileNotFoundError) as e:
    print(f"Error executing PowerShell command: {e}")

# Display the list of installed software
for software in installed_software:
    print(software)

And that's it. The remaining items mentioned by ChatGPT are outside the scope of this post's scenario, except Item #4, which I will discuss in more detail in my next post.
