Dailydave mailing list archives
Re: Exploits matter.
From: alexm <alexm () immunityinc com>
Date: Thu, 08 Oct 2009 15:11:43 -0400
Tom Parker wrote:
It would indeed be a good thing if Immunity et al would publish some kind of unified database of their proprietary exploits, mapped to CVE-ID etc, but I'm not sure if it's their responsibility to do so. IMO, the scanning vendors, Qualys, Rapid7, nCircle etc are missing a trick if they aren't buying themselves a copy of CANVAS and ensuring that when their scanner finds a vulnerability supported by it [CANVAS], they are providing users a CVSS score based on the fact that they have independently verified the existence of robust exploit code for the respective vuln
Most of our exploits are mapped to their respective CVE numbers; many months ago we made an internal push to get everything much more uniform within the documentation dicts of exploit modules. We include CVE Number, CVE URL and, since we do a lot of Microsoft bugs, the MS security number as appropriate. With some of our 3rd party vendors who deal in 0day, obviously CVE numbers are not available, and sometimes exploits will be developed against bugs that are silently patched, so it's not a perfect system.

We had a lot of customer requests for being able to import results from some vulnerability scanning tools. Looking at the formats for those files we realized that all the major scanning tools had an option to report vulnerabilities as their CVE number. So the way this specific part of the code works is that once hosts and CVEs are parsed out of the report, those CVE numbers which have corresponding CANVAS modules are kept and attributed to the host while those that do not have modules are dumped.

One of the primary usage cases we see for CANVAS works like this:

1) Use vulnerability scanning product X over network segment
2) X returns a list of potential vulnerabilities against the hosts on that segment
3) Start CANVAS, import list, run the appropriate modules against the imported hosts

So while it's not our responsibility as such to maintain this reference between exploit modules and CVEs, I think it's in our best interests to do so and we've got a pretty strong case from our customers to make it happen. I'm sure the other products/projects in this space do similar things.

Cheers,
-AlexM
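The import filter described in the message above (keep only the scanner-reported CVEs that have a matching module and attribute them to the host), as an added example that is not CANVAS code and not part of the original post. The report layout, the index, the module names and the CVE ids are constructed placeholders; the same join lets a defender mark findings with known exploit code for remediation first.

```python
import csv
import io
import re
from collections import defaultdict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed index: CVE id -> name of a module covering it (placeholder names).
EXPLOIT_INDEX = {
    "CVE-0000-0001": "example_module_a",
    "CVE-0000-0002": "example_module_b",
}

# Constructed scanner export (host, title, CVE field); not any real tool's format.
SAMPLE_REPORT = """host,title,cve
192.0.2.10,Example service overflow,CVE-0000-0001
192.0.2.10,Example info leak,cve-0000-0003
192.0.2.11,Two bugs in one finding,"CVE-0000-0002, CVE-0000-0001"
192.0.2.11,Duplicate of the above,CVE-0000-0002
192.0.2.12,Weak configuration,
"""


def triage(report_text, index):
    """Return (kept, dropped).

    kept maps host -> {cve: module} for CVEs present in the index;
    dropped maps host -> {cve} for CVEs the index does not cover.
    Findings with no CVE at all contribute to neither.
    """
    kept = defaultdict(dict)
    dropped = defaultdict(set)
    for row in csv.DictReader(io.StringIO(report_text)):
        host = row["host"].strip()
        # A field may hold zero, one or several ids, in any letter case.
        for cve in {m.upper() for m in CVE_RE.findall(row["cve"] or "")}:
            if cve in index:
                kept[host][cve] = index[cve]
            else:
                dropped[host].add(cve)
    return dict(kept), dict(dropped)


if __name__ == "__main__":
    kept, dropped = triage(SAMPLE_REPORT, EXPLOIT_INDEX)
    for host in sorted(kept):
        print(host, sorted(kept[host].items()))
    print("no indexed module:", {h: sorted(c) for h, c in dropped.items()})
```

Findings without a CVE, such as the last sample row, fall out of both maps, which mirrors the limitation the message notes for 0day and silently patched bugs.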