[OVAL DEVELOPER] Automated Generation of OVAL Vulnerability Definitions for Microsoft

Jerome Athias jerome.athias at protonmail.com
Sat Jun 3 02:22:59 EDT 2017


Just to inform you that I will start sharing my experiment.

The tool:
- Takes a CVE-ID (or MS-ID, oldschool before Security Guidance) as input
- Uses a specified target filename (i.e.: win32k.sys, preferred method) as input (otherwise, it makes a best effort to guess* it (so a lot of hardcoding))

Then it will visit the Microsoft website (security-guidance, or old security/bulletin).
For old bulletins, it will scrape the webpages to retrieve the affected product names (and/or use the list of CPEs obtained from NVD). Now this list can be obtained with the MS API.

It will scrape to list the KB numbers (now can be obtained via the MS API).

While scraping, it will find the updated files and versions (if available) directly from the tables on the Microsoft website, or download/parse the CSVs.
Otherwise, it will visit the catalog, download the patches, extract them (with expand or 7zip), and search in the extracted cab/msp/msi/msu.

It will use XORCISM (an SQL version of the CIS OVAL Repo) to retrieve the existing corresponding OVAL Definitions, Tests, Objects, States IDs, or create new ones.

Finally, it will write the OVAL Definition.

Some notes:
This is still work in progress, dirty code, not optimized, with some known bugs and limitations (LDR/GDR, supersedence obtained from MS API, complexity levels, etc.)...
It works well when the target filename is specified. *Otherwise, you will understand that it is difficult to identify 3 filenames for 3 CVEs covered by the same patches/archives.
A lot of hardcoding is from pre-MS API.
A lot of hardcoding is due to no-normalization, or no-alignment of the product names from Microsoft (pre-MS API) and in/with the OVAL ones.
Expect to download gigabytes.

I will also share some raw tests (without specifying the target filenames) results, that I will be working on, for some CVEs that are missing today in the CIS OVAL Repo.

I just hope some functions could be useful for the community.
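
The last step described above (writing the OVAL definition once a CVE-ID, target filename and patched file version are known), as an added example that is not part of the original post and is not the author's tool. The ID namespace `org.example.constructed`, the helper names and the sample values in the test are constructed placeholders; the literal path and the omitted `generator` element are simplifications.

```python
import xml.etree.ElementTree as ET

DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
WIN_NS = DEF_NS + "#windows"
ID_NS = "org.example.constructed"  # placeholder ID namespace (assumption)

def oid(kind, n):
    return f"oval:{ID_NS}:{kind}:{n}"

def el(parent, ns, tag, text=None, **attrs):
    e = ET.SubElement(parent, f"{{{ns}}}{tag}", attrs)
    e.text = text
    return e

def version_lt(installed, patched):
    """Numeric per-component compare; missing components count as 0 (assumption)."""
    a, b = ([int(x) for x in v.split(".")] for v in (installed, patched))
    n = max(len(a), len(b))
    return a + [0] * (n - len(a)) < b + [0] * (n - len(b))

def build_definition(cve_id, path, filename, patched_version, n=1):
    """Return an oval_definitions fragment (no generator) flagging old file versions."""
    root = ET.Element(f"{{{DEF_NS}}}oval_definitions")
    d = el(el(root, DEF_NS, "definitions"), DEF_NS, "definition",
           id=oid("def", n), version="1", **{"class": "vulnerability"})
    meta = el(d, DEF_NS, "metadata")
    el(meta, DEF_NS, "title", f"{cve_id}: {filename} older than {patched_version}")
    el(meta, DEF_NS, "affected", family="windows")
    el(meta, DEF_NS, "reference", source="CVE", ref_id=cve_id)
    el(meta, DEF_NS, "description", "Constructed example definition.")
    crit = el(d, DEF_NS, "criteria")
    el(crit, DEF_NS, "criterion", test_ref=oid("tst", n),
       comment=f"{filename} version is less than {patched_version}")
    # The test ties one object (which file) to one state (which versions match).
    t = el(el(root, DEF_NS, "tests"), WIN_NS, "file_test", id=oid("tst", n),
           version="1", check="all", check_existence="at_least_one_exists",
           comment=f"{filename} version check")
    el(t, WIN_NS, "object", object_ref=oid("obj", n))
    el(t, WIN_NS, "state", state_ref=oid("ste", n))
    o = el(el(root, DEF_NS, "objects"), WIN_NS, "file_object",
           id=oid("obj", n), version="1")
    el(o, WIN_NS, "path", path)
    el(o, WIN_NS, "filename", filename)
    s = el(el(root, DEF_NS, "states"), WIN_NS, "file_state",
           id=oid("ste", n), version="1")
    el(s, WIN_NS, "version", patched_version,
       datatype="version", operation="less than")
    return root
```

`version_lt` mirrors locally what the `less than` operation on the `version` datatype is meant to decide, which is why a plain string comparison of file versions is not enough.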

