Dailydave mailing list archives

Re: Exploits matter.


From: alexm <alexm () immunityinc com>
Date: Thu, 08 Oct 2009 15:11:43 -0400

Tom Parker wrote:

It would indeed be a good thing if Immunity et al would publish some kind of
unified database of their proprietary exploits, mapped to CVE-ID etc, but
I'm not sure if it's their responsibility to do so. IMO, the scanning
vendors, Qualys, Rapid7, nCircle etc are missing a trick if they aren't
buying themselves a copy of CANVAS and ensuring that when their scanner
finds a vulnerability supported by it [CANVAS], they are providing users a
CVSS score based on the fact that they have independently verified the
existence of robust exploit code for the respective vuln.
    
Most of our exploits are mapped to their respective CVE numbers; many
months ago we made an internal push to get everything much more uniform
within the documentation dicts of exploit modules. We include CVE
Number, CVE URL and, since we do a lot of Microsoft bugs, the MS security
number as appropriate. With some of our 3rd party vendors who deal in
0day, obviously CVE numbers are not available, and sometimes exploits will
be developed against bugs that are silently patched, so it's not a
perfect system.

We had a lot of customer requests for being able to import results from
some vulnerability scanning tools. Looking at the formats for those
files we realized that all the major scanning tools had an option to
report vulnerabilities as their CVE number. So the way this specific
part of the code works is that once hosts and CVEs are parsed out of the
report, those CVE numbers which have corresponding CANVAS modules are
kept and attributed to the host while those that do not have modules are
dumped.

One of the primary usage cases we see for CANVAS works like this:
1) Use vulnerability scanning product X over network segment
2) X returns a list of potential vulnerabilities against the hosts on
that segment
3) Start CANVAS, import list, run the appropriate modules against the
imported hosts

So while it's not our responsibility as such to maintain this reference
between exploit modules and CVEs I think it's in our best interests to
do so and we've got a pretty strong case from our customers to make it
happen. I'm sure the other products/projects in this space do similar
things.

Cheers,
-AlexM
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
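
The CVE-based import filter described in the message above, sketched as an added example; it is not part of the original post and is not CANVAS code. The CSV layout, the module index, the module names and the CVE ids are constructed placeholders, and the dropped findings are returned for reporting instead of being discarded.

```python
import csv
import io
import re
from collections import defaultdict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed module index: CVE id -> hypothetical module name.
MODULE_INDEX = {
    "CVE-0000-0001": "example_module_a",
    "CVE-0000-0002": "example_module_b",
}

# Constructed scanner export (host, free-text finding); not a real product's format.
SAMPLE_REPORT = """host,finding
10.0.0.5,Service X overflow (CVE-0000-0001)
10.0.0.5,Weak banner cve-0000-0009
10.0.0.7,"Multiple issues: CVE-0000-0002, CVE-0000-0001"
10.0.0.7,Duplicate row CVE-0000-0002
10.0.0.9,Informational finding with no CVE
"""

def import_report(text, module_index):
    """Return (kept, dropped): kept maps host -> {cve: module};
    dropped maps host -> set of CVEs that have no corresponding module."""
    kept = defaultdict(dict)
    dropped = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        host = (row.get("host") or "").strip()
        if not host:
            continue
        # A finding may mention several CVEs, in any letter case.
        for cve in CVE_RE.findall(row.get("finding") or ""):
            cve = cve.upper()
            module = module_index.get(cve)
            if module:
                kept[host][cve] = module  # dict assignment dedupes repeat rows
            else:
                dropped[host].add(cve)
    return dict(kept), dict(dropped)

def summarize(kept):
    """Hosts ordered by count of findings with known exploit code, most first."""
    rows = ((host, sorted(cves)) for host, cves in kept.items())
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))

if __name__ == "__main__":
    kept, dropped = import_report(SAMPLE_REPORT, MODULE_INDEX)
    for host, cves in summarize(kept):
        print(host, cves)
    print("dropped:", {h: sorted(c) for h, c in dropped.items()})
```

The per-host ordering from `summarize` gives a remediation queue: hosts whose findings all landed in `dropped` still need patching, but have no verified exploit code in this index.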

