The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information security vulnerabilities and exposures. The National Cybersecurity FFRDC, operated by the MITRE Corporation, maintains the system with funding from the National Cyber Security Division of the United States Department of Homeland Security. The system was officially launched for the public in September 1999.
The Security Content Automation Protocol uses CVE, and CVE IDs are listed on MITRE’s system as well as in the US National Vulnerability Database. The CVE site can be found at https://cve.mitre.org/.
Since we have NetEye SIEM, I’d like to collect CVE issues in NetEye.
With Inventory 2.7, OCS released the CVE Reporting feature, and this version is included in the latest version of NetEye. By enabling this feature, OCS Inventory can automatically query a CVE-search server for vulnerabilities that may apply to your inventoried software.
This is great news for us. But first, a warning: CVE Reporting is a feature for informational purposes only. OCS Inventory does not guarantee the accuracy of the information provided. However, this is a good starting point.
I have NetEye 4.14 for test purposes, so I dumped an OCS DB to test this feature. Here we have the following situation:
In order to use the CVE Reporting feature, it’s recommended to install a CVE-search server, which you can do by following its documentation.
We installed a CVE-search server on a separate server and we set it up following the documentation. When done, we have to configure CVE Reporting by setting the VULN_CVESEARCH_HOST:
Then we launch the php cron_cve.php command to initialize CVE reporting. During execution we can view the log of the CVE-search server and see what OCS is searching:
On NetEye we see this message while php cron_cve.php runs:
At the end of the run we can explore CVE reporting. The results can be found by clicking on Inventory – CVE-Reporting:
The CVSS value shows the level of danger of each vulnerability. What is CVSS?
CVSS stands for the Common Vulnerability Scoring System, a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability. For additional information on CVSS v2, please see http://www.first.org/cvss and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVSS is composed of three metric groups: Base, Temporal, and Environmental, each consisting of a set of metrics.
A numerical score is generated for each of these metric groups. A vector string (or simply “vector” in CVSSv2) represents the values of all the metrics as a block of text.
Scores range from 0 to 10, with 10 being the most severe. Here’s an example of a score of 10:
To conclude, we now have within NetEye a report that shows all the vulnerabilities found by comparing the CVE database and the software installed on our assets.
Starting from a particular CVE vulnerability, we can also navigate until we find a list of servers/clients impacted: