Showing posts with label The SIEM Project. Show all posts
Showing posts with label The SIEM Project. Show all posts

Saturday, September 16, 2023

The SIEM Project: 02 - Verifying CVE Vulnerability in Affected Software Part 2

 This is a continuation of my previous post, if you have not read it yet, you may check it here

Item 4: Check for Updates/Patches

Visit the official website of the software vendor (e.g., Microsoft for Windows) and look for security updates or patches related to the CVE. Most vendors provide a list of security bulletins or advisories.

My Approach:

Since I am developing a siem software, my main goal is to scan my Windows 10 OS for installed patches. Then as I have chosen a particular CVE already, I will check if my OS is still vulnerable by checking the affected Windows patch or perhaps the required patch that addresses the mentioned vulnerability in the CVE. I would do this by going to the url found in the CVE Reference field as mentioned on the first part of my siem project post, if you have not read it yet, you may check it here.

The following program scans the patches I have installed on my OS:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
import wmi

# Connect to the Windows Management Instrumentation (WMI) service
c = wmi.WMI()

# Query for installed Windows updates
installed_updates = c.Win32_QuickFixEngineering()

# Print information about each update
for update in installed_updates:
    print(f"Description: {update.Description}")
    print(f"HotFixID: {update.HotFixID}")
    print(f"InstalledOn: {update.InstalledOn}")
    print(f"InstalledBy: {update.InstalledBy}")
    print("\n")

# Close the WMI connection
c = None

Now that I know already the patches installed, what I need to do is to get the patch that needs to be installed to address the vulnerability as indicated in the CVE. This is the hard part, the information I need is found on a Microsoft URL, see screenshot below:


To retrieve this information, I have prepared the following code snippet:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
import requests

# Replace 'CVE-2015-2426' with the specific CVE you are interested in
cve_id = 'CVE-2015-2426'
base_url = 'https://services.nvd.nist.gov/rest/json/cve/1.0/'

# Fetch CVE data
response = requests.get(f'{base_url}/{cve_id}')
cve_data = response.json()

# Check if the CVE data contains CVE items
if 'CVE_Items' in cve_data['result']:
    cve_items = cve_data['result']['CVE_Items']
    
    # Initialize lists to store the URLs with "Third Party Advisory" and "VDB Entry" tags
    third_party_advisory_urls = []
    vdb_entry_urls = []
    
    # Iterate through the CVE items
    for cve_item in cve_items:
        references = cve_item['cve']['references']['reference_data']
        for reference in references:
            tags = reference.get('tags', [])
            if 'Vendor Advisory' in tags and 'Patch' in tags:
                print(reference['url'])

And if I navigate through the resulting url, I will get the KB Number see the picture below which is also the patch number or KB Number:

So I got the the list of patches(KB numbers) installed on my OS and selected the CVE to be examined and was able to identify the KB number. And that is it for now, I will create the code snippet that retrieves the KB Number in the resulting URL gathered from the chosen CVE on my next post and more...



By at No comments:
Labels: , ,

Wednesday, September 6, 2023

The SIEM Project: 02 - Verifying CVE Vulnerability in Affected Software

In my previous post (if you haven't read it yet, you can find it here), , I successfully retrieved details about a CVE that was randomly selected using specific search parameters. Now that we have comprehensive information about this CVE, it's time to confirm whether the software currently installed on my PC is still vulnerable. The software in question is my Windows 10 operating system.

In my example, the CVE was published in 2013, which predates the release of Windows 10 by two years. Windows 10 made its debut in 2015. To proceed, I need to adjust my original code to fetch CVEs published from 2020 up to the present year. Unfortunately, the search parameters don't provide this filtering option, so I'll need to filter the results myself.

But before I dive into that, I've asked ChatGPT what is the proper way to implement the verification process, and it gave a more generalized processed not the specific ones, here is his reply:

Verifying if the affected software is still vulnerable to a given CVE (Common Vulnerabilities and Exposures) typically involves the following steps:

  1. Identify Affected Software: Determine the exact software and version that the CVE affects. You can usually find this information in the CVE description or on the NIST NVD (National Vulnerability Database) website.
  2. Check Software Version: Verify the version of the software currently installed on your system. You can typically find this information within the software itself or in system settings.
  3. CVE Details: Examine the details of the CVE, paying attention to the description and any information about patches or updates. CVE descriptions often include details about how the vulnerability can be exploited.
  4. Check for Updates/Patches: Visit the official website of the software vendor (e.g., Microsoft for Windows) and look for security updates or patches related to the CVE. Most vendors provide a list of security bulletins or advisories.
  5. Apply Updates: If updates or patches are available, download and apply them to your system. Make sure to follow the installation instructions provided by the vendor.
  6. Test Vulnerability: After applying the updates, it's a good practice to test whether the vulnerability still exists. Some vulnerabilities are complex and may not be completely mitigated by a single patch.
  7. Monitor Security Sources: Stay informed about security news and updates related to the software you're using. CVEs and security advisories are regularly published, and new vulnerabilities can emerge.
  8. Use Vulnerability Scanning Tools: Consider using vulnerability scanning tools or security software that can automatically check your system for known vulnerabilities, including those associated with CVEs.
  9. Regularly Update: Ensure that your software is regularly updated to the latest versions. Automated updates can help keep your system secure.
  10. Security Best Practices: Implement security best practices such as using strong passwords, enabling firewalls, and employing security software to reduce the overall attack surface.

Remember that security is an ongoing process, and it's essential to keep your software up to date and stay informed about potential vulnerabilities and patches. Additionally, some organizations have dedicated IT teams or security experts who handle vulnerability assessment and management.

The process he suggested was ok, but what I have in mind how to implement this process without human intervention. Here is what I plan to do in this article: 

Item 1: Identifying Affected Software 

To pinpoint the software and version impacted by the CVE, you can often locate this information within the CVE description or on the NIST NVD (National Vulnerability Database) website.

My Approach: 

To identify the affected software in this specific scenario, I'll automate the process. The relevant data can be found in the CVE's CPE (Common Platform Enumeration) field. As mentioned in my previous post, the affected software is typically represented as the fourth field in the CPE structure (e.g., cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*).

To identify the affected version, I'll examine the CVE's configuration field. This field is structured as a dictionary and contains the information listed in the CVE's reference URLs under the 'Known Affected Software Configurations' section. The program will search for all occurrences of 'windows_10' and retrieve the four alphanumeric characters following the colon after 'windows_10.' These characters will indicate the affected Windows 10 version. Common versions include 21h2, 1607, 1809, and 1909(4 characters is what I saw but to be sure get all the character found in btween the 2 colons).

Item 2: Verifying Software Version 

It's important to verify the version of the software currently installed on your system. This information is typically accessible within the software itself or in system settings.

My Approach: 

From the outset, I've identified that the software in question is Windows 10. In my actual SIEM (Security Information and Event Management) setup, I'll develop a program to identify all installed software and their respective versions on my PC. This comprehensive approach ensures that I have a clear understanding of the software landscape on my system.

To detect the Operating System installed on my pc(assuming I don't know yet), I will use the platform library and here is the code:

import platform
print('System: ' + platform.uname().system)
print('Release: ' + platform.uname().release)
print('Version: ' + platform.uname().version)

I could use the following program to list all installed programs on my pc. It just displays the installed software much like what you would see in  control panel Programs and Features Section:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
import os
import subprocess

# Run a PowerShell command to retrieve a list of installed software
powershell_command = 'Get-WmiObject -Class Win32_Product | Select-Object Name'
installed_software = []

try:
    result = subprocess.check_output(['powershell', '-WindowStyle', 'Hidden', '-Command', powershell_command], text=True)
    installed_software = result.strip().split('\n')[2:]  # Skip the header and extract software names
except subprocess.CalledProcessError as e:
    print(f"Error executing PowerShell command: {e}")

# Display the list of installed software
for software in installed_software:
    print(software)

And that's it, the remaining items mentioned by ChatGPT is out of coverage by my post's scenario except Item # 4 which I will be discussing in more details on my next post.

By at No comments:
Labels: ,

Sunday, September 3, 2023

The SIEM Project: 01 Retrieving CVE Information

Today, I am going to start my own personal project which is a simple SIEM. In my previous posts, I have already created small python programs that could be essential part of this project which are as follows:

  1. Python: Count Source IP Addresses from Captured Packets And Display on a Table
  2. A Simple Event Log Viewer in Python
  3. 2 Python Programs that are useful in Cyber Security

Moving on, I will have to start the project by retrieving information of a CVE(Common Vulnerabilities and Exposure). To achieve this, I will be using  the library NVDLIB. Check out the documentation and how to use the library here. The documentation may seem to be outdated at most scenarios. So in real world scenarios, it would be better to download the CVE list from the NIST website which is well over a million so that the query can be easily flexible because they often make changes to their API, but in my case, I will just use simple queries.

The scenario I am going to simulate is to select 3 CVE's related to Windows 10 which is my I am currently using. I will just display the CVE number, reference URL, description, the severity, vulnerability score index and the vector.

According to ChatGPT, CVE's are as follows:

CVEs (Common Vulnerabilities and Exposures) typically contain information about vulnerabilities in software or hardware systems, including information about the affected operating systems and their versions. However, the level of detail provided in a CVE entry may vary.

Here are the key elements you can find in a typical CVE entry related to affected operating systems:

  1. CVE Identifier (CVE-ID): A unique identifier assigned to the vulnerability.
  2. Description: A description of the vulnerability, its impact, and how it can be exploited.
  3. References: Links to additional resources, such as advisories or patches, related to the vulnerability.
  4. CVSS (Common Vulnerability Scoring System) Score: A numerical score that represents the severity of the vulnerability.
  5. Affected Software: Information about the software or hardware affected by the vulnerability. This can include:
    • Vendor Name: The name of the vendor or organization that created the affected software or hardware.
    • Product Name: The name of the specific product or software component.
    • Version(s): The version(s) of the software or hardware that are affected by the vulnerability.
    • Update Version(s): The version(s) of the software or hardware that have been fixed or patched.
  6. Vulnerable Configurations: Information about how the vulnerability can be exploited in different configurations.
  7. Vulnerability Type: The type or category of the vulnerability (e.g., buffer overflow, SQL injection, etc.).
  8. CWE (Common Weakness Enumeration) ID: An identifier from the CWE database that categorizes the type of weakness or vulnerability.
  9. Publication Date: The date when the CVE entry was published.

It's important to note that while CVE entries strive to provide accurate and detailed information, the level of detail may vary depending on the information available at the time of publication. Some CVE entries may provide specific details about affected operating systems and versions, while others may provide more general information about affected software components.

Security researchers, vendors, and organizations often collaborate to provide additional information and context for CVEs, such as patches or workarounds. When assessing the impact of a CVE, it's important to refer to additional resources and advisories provided by relevant vendors and security organizations.

The Python program is very short, all I have to de is define the search parameters(retrieve all Window 10 related CVE's) and just display the first 3. And here is the code:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
import nvdlib

r = nvdlib.searchCVE(cpeName = 'cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*')
print(len(r))
print(dir(r[0]))
x = 1
for r1 in r:
    if x <= 3:
        x +=1
        try:
            print(r1.id, str(r1.score[0]), r1.url)
            print(r1.v2severity + ' - ' + str(r1.v2score) + ' - ' + r1.v2vector)
            print(r1.descriptions[0].value)
        except:
            try:
                print(r1.v31severity + ' - ' + str(r1.v31score) + ' - ' + r1.v31vector)
                print(r1.descriptions[0].value)
            except:    
                print(dir(r1))

The search parameter is not very simple, it took me awhile to make it work, ChatGPT could not help me figure it out although it was able to explain the parts of the search parameter which is as follows:

In this CPE name:

  • cpe:2.3 indicates the CPE version.
  • o indicates that it is an operating system.
  • microsoft is the vendor (Microsoft).
  • windows_10 specifies the product (Windows 10).

The trailing * indicates that the CPE name is generic and does not specify a particular version or edition. The * is a wildcard character. And here is what ChatGPT suggested:

 cpe:2.3:o:microsoft:windows_10::version:1903:*

ChatGPT missed the '-' part, suggestion a version and it seems like the patch number which when missing('-'), the search parameter will not work and the versions and patch number doesn't seem to work as well, I figured that the search parameter can be found at the CVE NIST Details page, for example, CVE-2013-3900 can be found at NVD - CVE-2013-3900 (nist.gov) and check the section 'Known Affected Software Configurations', see screenshot below:


And furthermore, more information about CPE can be found at wikipedia

And that's all for now. Hire me if you have similar projects. 


By at No comments:
Labels: ,
Subscribe to: Comments (Atom)