oval_developer@lists.cisecurity.org

A list for people interested in developing the OVAL language.

Re: [OVAL DEVELOPER] Automated Generation of OVAL Vulnerability Definitions for Microsoft

JA
Jerome Athias
Sat, Jun 3, 2017 6:22 AM

Hi,

Just to inform you that I will start sharing my experiment.

The tool:

  • Takes a CVE-ID (or MS-ID, old-school, before Security Guidance) as input
  • Uses a specified target filename (i.e.: win32k.sys, preferred method) as input (otherwise, it does a best effort to guess* it (so a lot of hardcoding))

Then it will visit the Microsoft website (security-guidance, or old security/bulletin).
For old bulletins, it will scrape the webpages to retrieve the affected product names (and/or use the list of CPEs obtained from NVD). Now this list can be obtained with the MS API.

It will scrape to list the KB numbers (now can be obtained via the MS API).

While scraping, it will find the updated files and versions (if available) directly from the tables on Microsoft website, or download/parse the CSVs.
Otherwise, it will visit the catalog, download the patches, extract them (with expand or 7zip), and search in the extracted cab/msp/msi/msu.

It will use XORCISM (an SQL version of the CIS OVAL Repo) to retrieve the existing corresponding OVAL Definitions, Tests, Objects, States IDs, or create new ones.

Finally, it will write the OVAL Definition.

Some notes:
This is still work in progress, dirty code, not optimized, with some known bugs and limitations (LDR/GDR, supersedence obtained from MS API, complexity levels, etc.)...
It works well when the target filename is specified. *Otherwise, you will understand that it is difficult to identify 3 filenames for 3 CVEs covered by the same patches/archives.
A lot of hardcoding is from pre-MS API.
A lot of hardcoding is due to the lack of normalization or alignment of the product names from Microsoft (pre-MS API) with the OVAL ones.
Expect to download gigabytes.

I will also share some raw test results (without specifying the target filenames), which I will be working on, for some CVEs that are missing today in the CIS OVAL Repo.

I just hope some functions could be useful for the community.

https://github.com/athiasjerome/XORCISM/blob/master/Sandbox/OVAL/

...
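The last step the message describes, writing the OVAL definition together with the test, object and state for a file-version check, as an added Python example (not code from XORCISM or the author's sandbox); the CVE id, KB number, fixed version and the org.example.sandbox id namespace are constructed placeholders, and a real generator would take those values from the scraped pages or the MS API instead of from arguments.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
COMMON = "http://oval.mitre.org/XMLSchema/oval-common-5"
WIN = "http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"
for prefix, uri in (("", OVAL), ("oval", COMMON), ("win", WIN)):
    ET.register_namespace(prefix, uri)


def oval_id(ns, kind, n):
    """OVAL identifiers have the form oval:<namespace>:<def|tst|obj|ste>:<n>."""
    return f"oval:{ns}:{kind}:{n}"


def build_definition(cve_id, kb, filename, fixed_version,
                     path=r"C:\Windows\System32", ns="org.example.sandbox", n=1):
    """Return OVAL XML whose single criterion is "<filename> in <path> has a
    file version below <fixed_version>", i.e. the fixing KB is not installed.
    ns is a constructed placeholder namespace, not a registered OVAL one."""
    ids = {k: oval_id(ns, k, n) for k in ("def", "tst", "obj", "ste")}
    root = ET.Element(f"{{{OVAL}}}oval_definitions")
    gen = ET.SubElement(root, f"{{{OVAL}}}generator")
    ET.SubElement(gen, f"{{{COMMON}}}product_name").text = "example-generator (constructed)"
    ET.SubElement(gen, f"{{{COMMON}}}schema_version").text = "5.11"
    ET.SubElement(gen, f"{{{COMMON}}}timestamp").text = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    # Definition: metadata (title, affected platform, CVE reference) plus one criterion.
    defs = ET.SubElement(root, f"{{{OVAL}}}definitions")
    d = ET.SubElement(defs, f"{{{OVAL}}}definition", id=ids["def"], version="1", **{"class": "vulnerability"})
    meta = ET.SubElement(d, f"{{{OVAL}}}metadata")
    ET.SubElement(meta, f"{{{OVAL}}}title").text = f"{cve_id} ({kb}): outdated {filename}"
    aff = ET.SubElement(meta, f"{{{OVAL}}}affected", family="windows")
    ET.SubElement(aff, f"{{{OVAL}}}platform").text = "Microsoft Windows"
    ET.SubElement(meta, f"{{{OVAL}}}reference", source="CVE", ref_id=cve_id,
                  ref_url=f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve_id}")
    ET.SubElement(meta, f"{{{OVAL}}}description").text = f"{filename} is older than {fixed_version} ({kb} missing)"
    ET.SubElement(ET.SubElement(d, f"{{{OVAL}}}criteria"), f"{{{OVAL}}}criterion",
                  test_ref=ids["tst"], comment=f"{filename} version is less than {fixed_version}")
    # Windows-schema test, object and state that the criterion references.
    t = ET.SubElement(ET.SubElement(root, f"{{{OVAL}}}tests"), f"{{{WIN}}}file_test", id=ids["tst"],
                      version="1", check="at least one", check_existence="at_least_one_exists")
    ET.SubElement(t, f"{{{WIN}}}object", object_ref=ids["obj"])
    ET.SubElement(t, f"{{{WIN}}}state", state_ref=ids["ste"])
    o = ET.SubElement(ET.SubElement(root, f"{{{OVAL}}}objects"), f"{{{WIN}}}file_object", id=ids["obj"], version="1")
    ET.SubElement(o, f"{{{WIN}}}path").text = path
    ET.SubElement(o, f"{{{WIN}}}filename").text = filename
    s = ET.SubElement(ET.SubElement(root, f"{{{OVAL}}}states"), f"{{{WIN}}}file_state", id=ids["ste"], version="1")
    ET.SubElement(s, f"{{{WIN}}}version", datatype="version", operation="less than").text = fixed_version
    return ET.tostring(root, encoding="unicode")
```

Feeding the returned XML to an OVAL interpreter on a host evaluates the definition as true only when the named file is present and below the threshold; a missing file is "does not exist" and does not match.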

CA
Chua, Alexander
Mon, Sep 11, 2017 9:11 AM

Hi Jerome,

Good day.

We’ve been looking at the tool you have created. However, we are not able to figure out how to run the tool. I hope you could help with this.

Thank you in advance.

Alex

From: OVAL_Developer [mailto:oval_developer-bounces@lists.cisecurity.org] On Behalf Of Jerome Athias
Sent: Saturday, June 03, 2017 2:23 PM
To: oval_developer@lists.cisecurity.org
Subject: Re: [OVAL DEVELOPER] Automated Generation of OVAL Vulnerability Definitions for Microsoft