I have a list of software installed on workstations which contains product name and version; for example, my list contains MySQL Workbench 6.3.8. Searching CVE Details I found out that this software has one vulnerability, CVE-2017-3469. Is there any automated tool to do this kind of search across the most popular vulnerability databases? What other vulnerability databases should I search?
Possible: https://security.stackexchange.com/questions/157641/public-vulnerability-feed-with-cvss-v3 – schroeder Dec 11 '17 at 18:14
4 Answers
Vulnerability management tools are designed to do this very function. They are usually able to scan devices and look up versions against known patch levels as well as CVEs.
There are a great many to choose from, with a wide range of features.
The most crucial sources to check besides the CVE database are:
- Exploit-DB
- Metasploit exploit repository
There are also a number of tools that can take a CSV file of product names and versions and look them up in these sources (or you can make your own).
I'd add seclists (oss-sec/full-disclosure) as a critical source. It's far more important than those two, as they are limited to pre-weaponized exploits. – forest Dec 22 '17 at 22:22
A tool to use would be a vulnerability scanner such as OpenVAS, Nessus or even Metasploit. Now, not all third-party software will be in there. Other than that, there are scripts on GitHub that offer some assistance.
A good site to search manually, or to script against: https://cve.mitre.org/find/
For Linux: https://github.com/clearlinux/cve-check-tool (needs a local copy of the CVE cache)
A tool for a local database of CVEs: https://github.com/cve-search/cve-search
Furthermore, Nmap has an NSE script for this called Vulscan. It can help you map the version information you obtain from a target machine against vulnerability databases such as:
- CVE from www.cve.mitre.org
- OSVDB www.osvdb.org
- scip VulDB www.scip.ch/?vuldb
- www.SecurityFocus.com
- www.securitytracker.com
I found the NIST site (mentioned in schroeder's comment) quite useful for searching all CVEs for a specific version without installing a vulnerability scanner.
Just choose "Search Type = Advanced" and you will have a CPE section where you can choose the vendor, product and version.
For example, this is how you would search for vulnerabilities in a particular version of Apache Log4j.
For automating the requests, I suggest reading their Developers' section; you can register to get an API key.
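The first answer mentions tools that take a CSV of product names and versions and look them up, and the answer above points at the NVD API with an API key. The following script, added here as an example and not code from any of the answers or from NIST, ties the two together: it reads a product,version inventory, maps each row to a CPE 2.3 name, queries the NVD CVE API 2.0 by exact `cpeName`, and reduces the JSON result to CVE ID, base score and severity. The inventory, the `CPE_PRODUCTS` vendor/product map and the `SAMPLE_RESPONSE` document are constructed for the example (the score in the sample is an illustrative placeholder, not the real NVD record for CVE-2017-3469); the endpoint, the `cpeName` parameter and the `apiKey` request header are the real NVD 2.0 API. Only the `__main__` section talks to the network; everything else runs offline against the sample.

```python
"""Batch lookup of a product/version inventory against the NVD 2.0 CVE API (added example)."""
import csv
import io
import json
import os
import urllib.parse
import urllib.request

NVD_CVE_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"

# Assumed mapping from inventory product names to CPE 2.3 vendor/product pairs.
# Maintain this table by hand (or derive it from the NVD CPE dictionary); an
# inventory name missing from it cannot be matched by exact CPE and is reported
# as unmapped instead of silently coming back "clean".
CPE_PRODUCTS = {
    "mysql workbench": ("oracle", "mysql_workbench"),
}

# Constructed inventory in the product,version CSV shape described in the question.
INVENTORY_CSV = """product,version
Mysql Workbench,6.3.8
Some Internal Tool,1.0
"""

# Constructed document with the shape of an NVD 2.0 CVE API response.
# The score, severity and description text are placeholders for the example.
SAMPLE_RESPONSE = {
    "resultsPerPage": 1, "startIndex": 0, "totalResults": 1,
    "format": "NVD_CVE", "version": "2.0",
    "vulnerabilities": [{"cve": {
        "id": "CVE-2017-3469",
        "descriptions": [{"lang": "en", "value": "Constructed description for the example."}],
        "metrics": {"cvssMetricV31": [{"cvssData": {
            "version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}]},
    }}],
}


def to_cpe(product, version):
    """Build an exact CPE 2.3 application name, or None if the product is unmapped."""
    key = product.strip().lower()
    if key not in CPE_PRODUCTS:
        return None
    vendor, prod = CPE_PRODUCTS[key]
    return f"cpe:2.3:a:{vendor}:{prod}:{version.strip()}:*:*:*:*:*:*:*"


def parse_inventory(csv_text):
    """Return (product, version, cpe_or_None) for every row of the CSV."""
    return [(r["product"], r["version"], to_cpe(r["product"], r["version"]))
            for r in csv.DictReader(io.StringIO(csv_text))]


def nvd_query_url(cpe):
    """URL selecting CVEs whose configurations match this exact CPE name."""
    return NVD_CVE_API + "?" + urllib.parse.urlencode({"cpeName": cpe})


def fetch_nvd(cpe, api_key=None, timeout=30):
    """Live lookup (needs network). Without a key the API is rate limited; the
    registered key goes in the apiKey header and raises the limit."""
    req = urllib.request.Request(nvd_query_url(cpe),
                                 headers={"User-Agent": "inventory-cve-check"})
    if api_key:
        req.add_header("apiKey", api_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize(nvd_response):
    """Reduce a response to (cve_id, base_score, severity), preferring CVSS v3.1,
    then v3.0, then v2 (where severity lives beside cvssData, not inside it)."""
    out = []
    for item in nvd_response.get("vulnerabilities", []):
        cve = item["cve"]
        score = severity = None
        metrics = cve.get("metrics", {})
        for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
            if metrics.get(key):
                m = metrics[key][0]
                score = m["cvssData"]["baseScore"]
                severity = m["cvssData"].get("baseSeverity", m.get("baseSeverity"))
                break
        out.append((cve["id"], score, severity))
    return out


def lookup_inventory(csv_text, fetch=fetch_nvd, api_key=None):
    """Map 'product version' -> list of findings, or None when the row is unmapped.
    `fetch` is injectable so the pipeline can run offline against a stored response."""
    report = {}
    for product, version, cpe in parse_inventory(csv_text):
        label = f"{product} {version}"
        report[label] = None if cpe is None else summarize(fetch(cpe, api_key=api_key))
    return report


if __name__ == "__main__":
    key = os.environ.get("NVD_API_KEY")  # optional; register on the NVD Developers page
    for label, findings in lookup_inventory(INVENTORY_CSV, api_key=key).items():
        if findings is None:
            print(f"{label}: UNMAPPED (add a CPE entry for this product)")
        else:
            print(f"{label}: {len(findings)} CVE(s)")
            for cve_id, score, severity in findings:
                print(f"  {cve_id}  {score}  {severity}")
```

Two caveats a practitioner will hit: an exact `cpeName` query only returns CVEs whose configuration data names that exact product and version, so a wrong vendor string or a vendor-specific version format (build numbers, patch suffixes) yields an empty result that looks like "no vulnerabilities"; treat unmapped and empty results as "not checked" rather than "clean". And the API paginates (`resultsPerPage`/`startIndex` in the response), so for products with many CVEs the live loop needs to follow `startIndex` until `totalResults` is reached.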
https://vulners.com/ lets you search for a product version number.
Vulners basically enumerates CVEs and vulnerability reports as well as security-focused blogs and posts from across the internet. You can then search for anything that may be contained in these documents.
I started using it due to their robust API, which makes things even easier. I believe they have a method of setting up a vulnerability scanner as well.