CVE/OVAL Talk
OVAL
- Open Vulnerability Assessment Language -
(brought to you by Mitre, DHS and the Letter C)
Jay Beale
CanSecWest 2004 Lightning Talk
April 22, 2004
The Common Vulnerabilities and Exposures (CVE) Initiative
- An international security community activity led by MITRE focused on developing a list that provides common names for publicly known information security vulnerabilities and exposures.
- Key tenets
  – One name for one vulnerability or exposure
  – One standardized description for each vulnerability or exposure
  – Existence as a dictionary rather than a database
  – Publicly accessible for review or download from the Internet
  – Industry participation in open forum (editorial board)
- The CVE list and information about the CVE effort are available on the CVE web site at [cve.mitre.org]
OVAL Concept
- Describe how to test for a vulnerability in XML and SQL.
  – Human readable
  – Machine parseable
- Use this to achieve consensus between security people about how best to test for the vulnerability.
- Tests are host-based…
Host Based?
- Host-based means that you can test for vulns that can't be checked over the network.
  – Network-based probably can't test for around half of the vulns we'd like to know about.
- Host-based potentially means better accuracy.
  – Network-based has much more limited interaction with the host.
- Host-based does present scalability problems.
Scalability of a Host-based System
- The OVAL definition interpreters are GPL, while the content is basically freeware.
- You could create an infrastructure. One way you might do this:
  – Place an agent on each host that receives new definition files, runs an interpreter, and sends back results.xml files.
  – A central console could receive and parse those results files, allowing you to check for vulnerabilities for which you don't yet have definitions.
  – Imagine if the central console pushed all the data covered by the schema, for each machine, into an SQL database.
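One way to build the console sketched above, as an added example that is not from the slides or from MITRE: agents report the raw registry values and file versions they collected, the console loads them into SQLite, and the OVAL575 checks from slides 8 and 9 become a single SQL query. The hosts, the values, the table layout and the shape of the agent reports are constructed for this example (the page does not show the results.xml format).

```python
# Added example, not from the slides or from MITRE: a toy 'central console'
# that loads what agents collected into SQLite and answers the OVAL575 checks
# (slides 8-9) with one SQL query. Hosts, values, table layout and the shape
# of the agent reports are constructed for this example.
import sqlite3

CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation"
HOTFIX = CV + r"\Hotfix\KB828749"
DLL = r"C:\WINNT\system32\wkssvc.dll"

# Constructed agent reports: (host, registry values keyed (key, name), file versions).
# ws-01 is unpatched; ws-02 has KB828749 and the fixed DLL; ws-03 is unpatched
# but has the Workstation service disabled (Start = 4).
REPORTS = [
    ("ws-01", {(CV, "CurrentVersion"): "5.0", (SVC, "Start"): "2"}, {DLL: "5.00.2195.6861"}),
    ("ws-02", {(CV, "CurrentVersion"): "5.0", (SVC, "Start"): "2", (HOTFIX, "Installed"): "1"},
     {DLL: "5.00.2195.6862"}),
    ("ws-03", {(CV, "CurrentVersion"): "5.0", (SVC, "Start"): "4"}, {DLL: "5.00.2195.6861"}),
]

def build_console(reports):
    """Load every host's report into an in-memory database. File versions are
    split into four INTEGER columns so SQL compares them numerically; stored as
    one string, '5.00.2195.10000' would sort below '5.00.2195.6862'."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE registry (host TEXT, regkey TEXT, name TEXT, value TEXT);
        CREATE TABLE file (host TEXT, path TEXT, major INT, minor INT, build INT, private INT);
    """)
    for host, registry, files in reports:
        db.executemany("INSERT INTO registry VALUES (?, ?, ?, ?)",
                       [(host, key, name, value) for (key, name), value in registry.items()])
        db.executemany("INSERT INTO file VALUES (?, ?, ?, ?, ?, ?)",
                       [(host, path, *map(int, ver.split("."))) for path, ver in files.items()])
    return db

def version_lt_sql(columns, target):
    """Build a SQL predicate for lexicographic (major, minor, build, private) < target."""
    expr = "0"  # equal versions are not 'less than'
    for col, val in reversed(list(zip(columns, target))):
        expr = f"({col} < {val} OR ({col} = {val} AND {expr}))"
    return expr

# The four OVAL575 criteria as one query: Windows 2000 (wrt-1), service not
# disabled (wrt-71), no Hotfix key (wrt-86 negated), wkssvc.dll too old (wft-8).
VERSION_PRED = version_lt_sql(("f.major", "f.minor", "f.build", "f.private"), (5, 0, 2195, 6862))
OVAL575_SQL = f"""
    SELECT f.host FROM file f
    JOIN registry win ON win.host = f.host AND win.regkey = ? AND win.name = 'CurrentVersion'
                     AND win.value = '5.0'
    JOIN registry svc ON svc.host = f.host AND svc.regkey = ? AND svc.name = 'Start'
                     AND CAST(svc.value AS INTEGER) != 4
    LEFT JOIN registry fix ON fix.host = f.host AND fix.regkey = ? AND fix.name = 'Installed'
                          AND fix.value = '1'
    WHERE f.path = ? AND fix.host IS NULL AND {VERSION_PRED}
    ORDER BY f.host
"""

def vulnerable_hosts(db):
    """Hosts whose stored state matches OVAL575; no host is contacted again."""
    return [row[0] for row in db.execute(OVAL575_SQL, (CV, SVC, HOTFIX, DLL))]

if __name__ == "__main__":
    print(vulnerable_hosts(build_console(REPORTS)))
```

Because the database holds raw state rather than verdicts, a definition that arrives after the agents have reported is answered by a new query instead of a new scan, which is what the last bullet is getting at. The version predicate is generated rather than stored as a string because a plain string comparison of dotted versions gives the wrong answer once a component reaches five digits.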
OVAL Board
ArcSight too…
OVAL Schema & Definitions
- XML, SQL, & pseudo-code
- Schemas for:
  – Microsoft Windows: NT 4.0, 2000, XP, 98, & Server 2003
  – Sun Solaris 7, 8, 9
  – Red Hat Linux
- Draft schemas
  – Hewlett-Packard UNIX (HP-UX)
  – Debian Linux
- Definitions for the above and some applications
  – IIS 4.0 and 5.0; Internet Explorer 5.01, 5.5, and 6.0; and SQL Server 2000
OVAL Definition: OVAL575
<definitions>
  <definition id="OVAL575">
    <affected family="windows">
      <windows:platform>Microsoft Windows 2000</windows:platform>
      <product>Microsoft Windows Workstation Service</product>
    </affected>
    <cveid status="CAN">2003-0812</cveid>
    <dates>
      <created date="2003-11-12" />
      <modified date="2004-03-09">Changed the status from INTERIM to ACCEPTED and the version from 0 to 1</modified>
    </dates>
    <description>Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API.</description>
    <status>ACCEPTED</status>
    <version>1</version>
    <criteria>
      <software operation="AND">
        <criterion test_ref="wrt-1" comment="Windows 2000 is installed" />
        <criterion test_ref="wft-8" comment="the version of wkssvc.dll is less than 5.00.2195.6862" />
        <criterion test_ref="wrt-86" negate="true" comment="the patch q828749 is installed (Hotfix key)" />
      </software>
      <configuration>
        <criterion test_ref="wrt-71" comment="the workstation service is enabled" />
      </configuration>
    </criteria>
  </definition>
</definitions>
OVAL Definition: OVAL575 - continued
<tests>
  <!-- ~~~~~ windows file tests ~~~~~ -->
  <file_test id="wft-8" comment="the version of wkssvc.dll is less than 5.00.2195.6862"
             xmlns="http://oval.mitre.org/XMLSchema/oval#windows">
    <path>
      <component type="registry_value">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot</component>
      <component type="literal">\system32\wkssvc.dll</component>
    </path>
    <version datatype="version" operator="less than">
      <major>5</major>
      <minor>00</minor>
      <build>2195</build>
      <private>6862</private>
    </version>
  </file_test>
  <!-- ~~~~~ windows registry tests ~~~~~ -->
  <registry_test id="wrt-1" comment="Windows 2000 is installed"
                 xmlns="http://oval.mitre.org/XMLSchema/oval#windows">
    <hive>HKEY_LOCAL_MACHINE</hive>
    <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
    <name>CurrentVersion</name>
    <value operator="equals">5.0</value>
  </registry_test>
  <registry_test id="wrt-71" comment="the workstation service is enabled"
                 xmlns="http://oval.mitre.org/XMLSchema/oval#windows">
    <hive>HKEY_LOCAL_MACHINE</hive>
    <key>SYSTEM\CurrentControlSet\Services\lanmanworkstation</key>
    <name>Start</name>
    <value datatype="int" operator="not equal">4</value>
  </registry_test>
  <registry_test id="wrt-86" comment="the patch q828749 is installed (Hotfix key)"
                 xmlns="http://oval.mitre.org/XMLSchema/oval#windows">
    <hive>HKEY_LOCAL_MACHINE</hive>
    <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB828749</key>
    <name>Installed</name>
    <value datatype="int" operator="equals">1</value>
  </registry_test>
</tests>
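To show how the criteria and tests above fit together, here is a small evaluator for the OVAL575 definition, added as an example; it is not code from the slides or from MITRE's definition interpreter. It runs the definition against constructed host records instead of the live registry and file system, and it assumes a wrapping <oval> root, leaves out the metadata elements (affected, dates, description, status), treats an absent registry value or file as a failed test, and combines the <configuration> group with AND, none of which the slides state.

```python
# Added example, not code from the slides or from MITRE's interpreter: evaluate
# the OVAL575 definition above against constructed host records. Assumptions:
# a wrapping <oval> root, metadata elements omitted, an absent registry value
# or file makes a test false, and <configuration> combines with AND.
import xml.etree.ElementTree as ET

WIN_NS = "http://oval.mitre.org/XMLSchema/oval#windows"
NS = "{%s}" % WIN_NS

OVAL575_XML = r"""<oval>
<definitions><definition id="OVAL575"><criteria>
 <software operation="AND">
  <criterion test_ref="wrt-1" comment="Windows 2000 is installed"/>
  <criterion test_ref="wft-8" comment="the version of wkssvc.dll is less than 5.00.2195.6862"/>
  <criterion test_ref="wrt-86" negate="true" comment="the patch q828749 is installed (Hotfix key)"/>
 </software>
 <configuration><criterion test_ref="wrt-71" comment="the workstation service is enabled"/></configuration>
</criteria></definition></definitions>
<tests>
 <file_test id="wft-8" xmlns="%(ns)s"><path>
  <component type="registry_value">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot</component>
  <component type="literal">\system32\wkssvc.dll</component></path>
  <version datatype="version" operator="less than">
  <major>5</major><minor>00</minor><build>2195</build><private>6862</private></version></file_test>
 <registry_test id="wrt-1" xmlns="%(ns)s"><hive>HKEY_LOCAL_MACHINE</hive>
  <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key><name>CurrentVersion</name>
  <value operator="equals">5.0</value></registry_test>
 <registry_test id="wrt-71" xmlns="%(ns)s"><hive>HKEY_LOCAL_MACHINE</hive>
  <key>SYSTEM\CurrentControlSet\Services\lanmanworkstation</key><name>Start</name>
  <value datatype="int" operator="not equal">4</value></registry_test>
 <registry_test id="wrt-86" xmlns="%(ns)s"><hive>HKEY_LOCAL_MACHINE</hive>
  <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB828749</key><name>Installed</name>
  <value datatype="int" operator="equals">1</value></registry_test>
</tests></oval>""" % {"ns": WIN_NS}

def make_host(dll_version, hotfix_installed=False, service_start="2"):
    """Constructed stand-in for what an agent collects; registry keyed (hive, key, name)."""
    cv = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    registry = {
        ("HKEY_LOCAL_MACHINE", cv, "CurrentVersion"): "5.0",
        ("HKEY_LOCAL_MACHINE", cv, "SystemRoot"): r"C:\WINNT",
        ("HKEY_LOCAL_MACHINE", r"SYSTEM\CurrentControlSet\Services\lanmanworkstation", "Start"): service_start,
    }
    if hotfix_installed:  # the Hotfix key only exists once the patch is applied
        registry[("HKEY_LOCAL_MACHINE", cv + r"\Hotfix\KB828749", "Installed")] = "1"
    return {"registry": registry, "files": {r"C:\WINNT\system32\wkssvc.dll": dll_version}}

def version_tuple(text):
    """'5.00.2195.6861' -> (5, 0, 2195, 6861); as strings, build 10000 would sort below 6862."""
    return tuple(int(part) for part in text.strip().split("."))

CASTS = {"int": int, "version": version_tuple}
OPERATORS = {"equals": lambda a, e: a == e, "not equal": lambda a, e: a != e,
             "less than": lambda a, e: a < e}

def resolve_path(path_elem, host):
    """Join <path> components; a registry_value component is replaced by its data."""
    parts = []
    for comp in path_elem.findall(NS + "component"):
        text = comp.text.strip()
        if comp.get("type") == "registry_value":
            hive, _, rest = text.partition("\\")
            key, _, name = rest.rpartition("\\")
            text = host["registry"].get((hive, key, name))
            if text is None:
                return None
        parts.append(text)
    return "".join(parts)

def run_test(test, host):
    """Evaluate one registry_test or file_test against the host records."""
    kind = test.tag[len(NS):]
    if kind == "registry_test":
        actual = host["registry"].get(tuple(test.find(NS + t).text for t in ("hive", "key", "name")))
        value = test.find(NS + "value")
        expected = value.text
    elif kind == "file_test":
        actual = host["files"].get(resolve_path(test.find(NS + "path"), host))
        value = test.find(NS + "version")
        expected = ".".join(value.find(NS + p).text for p in ("major", "minor", "build", "private"))
    else:
        raise ValueError("unsupported test type: " + kind)
    if actual is None:  # object absent on the host: test is false (assumption)
        return False
    cast = CASTS.get(value.get("datatype"), str)
    return OPERATORS[value.get("operator", "equals")](cast(actual), cast(expected))

def evaluate(xml_text, host):
    """Return (definition id, vulnerable?, per-test results after negate)."""
    root = ET.fromstring(xml_text)
    tests = {t.get("id"): t for t in root.find("tests")}
    definition = root.find("definitions/definition")
    per_test, groups = {}, []
    for group in definition.find("criteria"):  # <software>, <configuration>
        outcomes = []
        for crit in group.findall("criterion"):
            result = run_test(tests[crit.get("test_ref")], host)
            if crit.get("negate") == "true":
                result = not result
            per_test[crit.get("test_ref")] = result
            outcomes.append(result)
        groups.append((any if group.get("operation") == "OR" else all)(outcomes))
    return definition.get("id"), all(groups), per_test
```

Calling evaluate(OVAL575_XML, make_host("5.00.2195.6861")) reports the host vulnerable; the same host with the Hotfix key present, with the fixed DLL, or with the Workstation service set to Start = 4 does not match. The two points worth copying are that negate is applied per criterion, so "patch installed" becomes "patch absent" without a second test, and that the version datatype must be compared component by component as integers.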
OVAL Status
660 total definitions: 251 Accepted; 132 Interim; 25 Draft; 252 Initial Submission
- Microsoft
  – Microsoft joined OVAL board
  – 373 definitions for Windows NT 4.0 and Windows 2000
  – 14 definitions for Windows XP
  – 68 multiple platforms
  – 172 initial submissions
- Red Hat Linux
  – Red Hat on OVAL board
  – 159+ draft definitions
  – Full coverage of Red Hat 9.0 vulnerability alerts
  – Full coverage of Red Hat Enterprise Linux 3.0 vulnerability alerts
- Solaris
  – 40 definitions for Solaris 7 and 8
- HP-UX
  – Collaboration with DLA and BAH
  – 12 initial submissions
- Debian
  – Draft schema submitted
  – Vendor representative participating on OVAL board
(as of 12 April 2004)
OVAL XML and SQL Definition Interpreters
- Mitre has released a "definition interpreter" for Windows NT and 2000 that reads definitions written in SQL.
  – This program serves as a host-based vulnerability-assessment tool.
- Mitre is releasing an XML definition interpreter for Windows and Linux now.
  – I'll demo the tool.