Tag Archives: CentOS

Vulnerability Databases: Classification and Registry

Vulnerability Databases: Classification and Registry. What publicly available Vulnerability Databases do we have? Well, I can only say that there are a lot of them and they are pretty different. Here I make an attempt to classify them.

It’s quite an ungrateful task. No matter how hard you try, the final result will be rather inaccurate and incomplete. I am sure someone will be complaining. But this is how I see it. 😉 If you want to add or change something feel free to make a comment bellow or email me@avleonov.com.

The main classifier, which I came up with:

  • There are individual vulnerability databases in which one identifier means one vulnerability. They try to cover all existing vulnerabilities.
  • And others are security bulletins. They cover vulnerabilities in a particular product or products. And they usually based on on patches. One patch may cover multiple vulnerabilities.

I made this diagram with some Vulnerability Databases. Note that I wanted to stay focused, so there are no exploit DBs, CERTs, lists of vulnerabilities detected by some researchers (CISCO Talos, PT Research, etc.), Media and Bug Bounty sites.

Vulnerability Databases classification

For these databases the descriptions of vulnerabilities are publicly available on the site (in html interface or downloadable data feed), or exist in a form of paid Vulnerability Intelligence service (for example, Flexera).

On one side there are databases of individual vulnerabilities, the most important is National Vulnerability Database. There are also Chinese, Japanese bases that can be derived from NVD or not.

On the other side we have security bulletins, for example RedHat Security Advisories.

And in the middle we have a Vulnerability Databases, for which it is not critical whether they have duplicated vulnerability IDs or not.

Continue reading

Vulchain scan workflow and search queries

Vulchain scan workflow and search queries. This post will be about my Vulnerability Scanner project – Vulchain. Recently I’ve spent couple of my weekends almost exclusively on coding: refactoring the scan engine, creating API and GUI.

Vulchain scan workflow and search queries

I was doing it because of the conferences, where I will be speaking soon:

Pretty intense schedule for a guy who spends most of his time in PyCharm and Linux console. 😉 Very excited! So, it seemed right to add a couple of slides about my project and show that something is already working.

Continue reading

Vulners NASL Plugin Feeds for OpenVAS 9

Vulners NASL Plugin Feeds for OpenVAS 9. As I already wrote earlier, you can easily add third party nasl plugins to OpenVAS. So, my friends from Vulners.com realised generation of NASL plugins for OpenVAS using own security content. I’ve tested it for scanning CentOS 7 host. And it works =)

Vulners OpenVAS vulnerabilities

Let’s see the whole process.

Continue reading

VirtualBox GuestAdditions for Linux Guest OS

VirtualBox GuestAdditions for Linux Guest OS. I often work with VirtualBox virtual machines and need to install GuestAdditions to use GUI applications comfortably. So, I decided to collect here some configuration scripts.

VirtualBox GuestAdditions

CentOS 8

See the section about VirtualBox in “CentOS 8 with IceWM Desktop Environment”

CentOS 7

In the configuration a new VirtualBox machine I add 2 network adapters:

  • Host Only Network
  • NAT

Installing clean CentOS (CentOS-7-x86_64-DVD-1611)

Activating network connections using `nmtui` and set the activation automatically

Continue reading

Scaner-VS: Vulnerability Management solution for Russian Military

Scaner-VS: Vulnerability Management solution for Russian Military. Scaner-VS is a Vulnerability Assessment system developed by Moscow-based NPO Echelon. It’s pretty popular in Russian government organizations, especially in Russian Army, because it comply all government requirements, has all necessary certificates and is relatively cheap.

Scaner-VS webgui

As for requirements and certificates, NPO Echelon itself is an important certification authority, so they know how to do the things right. It’s not a secret product or something. You can request trial version freely at http://scaner-vs.ru/version-for-testing/. But note, that it is only available in Russian. I am also sorry, but screenshots in this post will be also in Russian. I will try to do my best to describe them properly.

When you fill the form on Echelon website, you will soon get a link to 3.3 gb .iso file by email. Run it in VirtualBox virtual machine (choose Debian 64 or Debian 32).

Here is a boot menu. Choose first default option.

Scaner-VS boot

Some seconds later you will see Linux desktop environment with Scaner-VS web-GUI opened in Firefox.

Continue reading

Problems of Vulnerability Prioritization and Detection

Problems of Vulnerability Prioritization and Detection. It’s the third part of our talk with Daniil Svetlov at his radio show “Safe Environment” recorded 29.03.2017. In this part we talk about Vulnerability Prioritization and Detection:

  • Common Vulnerability Scoring System (CVSS)
  • Environmental factor
  • Manual and  automated vulnerability detection
  • Unauthenticated and authenticated  scanning
  • Why vulnerability scanners are so expensive and why the can’t detect everything

Scanner does not detect all vulnerabilities

Video with manually transcribed Russian/English subtitles:

Prioritization

– Here also the question how to prioritize vulnerabilities properly. Because if you have, as you said, two Linux servers and 20 workstations running Windows, then in principle, you may not need to do prioritization. But if you have fifteen hundred servers: some of them are on perimeter, some are in your DMZ, some are in the internal network. It is still necessary, probably, to understand correctly which vulnerabilities and where should be patched in in the first place.

Yes, this is absolutely true and it’s a very good question. How to prioritize?

Common Vulnerability Scoring System

A natural way. If we look at vulnerabilities with a CVE identifier, for them in the US National Vulnerability Database we can find CVSS Base Score. It is an assessment of vulnerability criticality level.

How is it calculated?

Some person fills the questionnaire: can it be remotely exploited – no, is there public exploit – no, etc.

CVSS framework

The result is a CVSS vector – this is a line in which you can see the main characteristics of this vulnerability and CVSS Base score is the score from 0 to 10 depending on criticality.

This is a natural way of prioritization. But sometimes this method does not give very good results.

Continue reading

Great OpenVAS news: delay in plugin feed will be dropped, new GVM-Tools for remote management released

Great OpenVAS news: delay in plugin feed will be dropped, new GVM-Tools for remote management released. Jan Oliver Wagner, CEO of Greenbone and OpenVAS Community leader sent recently several messages to community email list with the great news.

First of all, Greenbone decided to drop two weeks delay in a free plugin feed, that was implemented in June 2017 and made some OpenVAS users pretty nervous.

I wrote about it in “GSM Community Edition and lagging OpenVAS Plugin Feed“. The good thing is that, it has increased interest in NASL scripting among OpenVAS users. I also made some steps in this way in “Adding third party nasl plugins to OpenVAS“. I don’t now why Greenbone finally decided to drop this delay, but I am very glad for this decision. Wise move!

The feed will stay delayed until September 4th, 2017. To demonstrate the current state I used some data from Vulners.com collections. Let’s see the nasl vulnerability detection plugins for CentOS in Nessus and OpenVAS. I know that Windows would be much more clear, but Microsoft released latest MS17-023 bulletin in March, so now there is no much difference there.

CentOS Nessus Openvas 2 week delay

As you can see, no OpenVAS plugins since 2017-08-16, literally two weeks. And I hope this will change very soon.

Don’t forget that NVT will be called now GCF (Greenbone Community Feed) and some advanced enterprise-level checks will be now released only in paid feed.

Another good news is the recent release of open source GVM-Tools for controlling OpenVAS remotelly. It will replace old console client openvas-cli (omp). Let’s try to download and install it on Debian host with installed OpenVAS (see “Installing OpenVAS 9 from the sources“).

Continue reading