28. 03. 2024
SOCnews
The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information security vulnerabilities and exposures. The National Cybersecurity FFRDC, operated by the MITRE Corporation, maintains the system with funding from the National Cyber Security Division of the United States Department of Homeland Security. The system was officially launched for the public in September 1999.
The Security Content Automation Protocol uses CVE, and CVE IDs are listed on MITRE’s system as well as in the US National Vulnerability Database. The CVE site can be found at https://cve.mitre.org/.
Since we have NetEye SIEM, I’d like to collect CVE issues in NetEye.
With Inventory 2.7, OCS released the CVE Reporting feature, and this version is included in the latest version of NetEye. By enabling this feature, OCS Inventory can automatically query a CVE-search server for vulnerabilities that may apply to your inventoried software.
This is great news for us. But first, a warning: CVE Reporting is a feature for informational purposes only. OCS Inventory does not guarantee the accuracy of the information provided. However, this is a good starting point.
I have NetEye 4.14 for test purposes, so I dumped an OCS DB to test this feature. Here we have the following situation:
In order to use the CVE Reporting feature, it’s recommended to install a CVE-search server, which you can do by following its documentation.
We installed a CVE-search server on a separate server and we set it up following the documentation. When done, we have to configure CVE Reporting by setting the VULN_CVESEARCH_HOST:
Then we launch the php cron_cve.php command to initialize CVE reporting. During execution we can view the log of the CVE-search server and see what OCS is searching:
On NetEye we see this message while php cron_cve.php runs:
At the end of the run we can explore CVE reporting. The results can be found by clicking on Inventory – CVE-Reporting:
The CVSS value shows the level of danger of each vulnerability. What is CVSS?
CVSS stands for the Common Vulnerability Scoring System, a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability. For additional information on CVSS v2, please see http://www.first.org/cvss and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVSS is composed of three metric groups: Base, Temporal, and Environmental, each consisting of a set of metrics.
- Base Metrics are for qualities intrinsic to a vulnerability
- Temporal Metrics are for characteristics that evolve over the lifetime of a vulnerability
- Environmental Metrics are for vulnerabilities that depend on a particular implementation or environment
A numerical score is generated for each of these metric groups. A vector string (or simply “vector” in CVSSv2), represents the values of all the metrics as a block of text.
Scores range from 0 to 10, with 10 being the most severe. Here’s an example of a 10 score:
To conclude, we now have within NetEye a report that shows all the vulnerabilities found by comparing the CVE database and the software installed on our assets.
Starting from a particular CVE vulnerability, we can also navigate until we find a list of servers/clients impacted:
Franco Federico
Hi, I’m Franco and I was born in Monza. For 20 years I worked for IBM in various roles. I started as a customer service representative (help desk operator), then I was promoted to Windows expert. In 2004 I changed again and was promoted to consultant, business analyst, then Java developer, and finally technical support and system integrator for Enterprise Content Management (FileNet). Several years ago I became fascinated by the Open Source world, the GNU\Linux operating system, and security in general. So for 4 years during my free time I studied security systems and computer networks in order to extend my knowledge. I came across several open source technologies including the Elastic stack (formerly ELK), and started to explore them and other similar ones like Grafana, Greylog, Snort, Grok, etc. I like to script in Python, too. Then I started to work in Würth Phoenix like consultant. Two years ago I moved with my family in Berlin to work for a startup in fintech(Nuri), but the startup went bankrupt due to insolvency. No problem, Berlin offered many other opportunities and I started working for Helios IT Service as an infrastructure monitoring expert with Icinga and Elastic, but after another year I preferred to return to Italy for various reasons that we can go into in person 🙂 In my free time I continue to dedicate myself to my family(especially my daughter) and I like walking, reading, dancing and making pizza for friends and relatives.
Author
Latest posts by Franco Federico
25. 03. 2024
APM, NetEye, Visual Synthetic Monitoring
Migration from Alyvix Server to Alyvix Service
10. 12. 2021
APM, NetEye, Real User Experience, Visual Synthetic Monitoring
NEP Alyvix – Ready for Use