I am looking for a list of known vulnerabilities and their signatures. Is there any publicly available list of security vulnerabilities and their signatures?

NVD (National Vulnerability Database) provides a database of known vulnerabilities, but does this list contain their signatures? Is there any list of vulnerabilities along with their signatures?

MOH
  • What specifically do you mean by a vulnerability signature? – Arminius Oct 23 '18 at 23:43
  • @Arminius A signature to detect the vulnerability through scanning, or an instruction to check whether the system has the vulnerability or not. – MOH Oct 23 '18 at 23:51
  • I am not particularly sure what you will use the signatures for because there is a lot of software available, mostly open source, which you can use to detect these vulnerabilities with less effort. e.g. Qualys Scan, Nmap etc. – Katlego M Oct 24 '18 at 08:58
  • @KatlegoM Nmap only detects the services running on the machine, doesn't it? For detecting vulnerabilities it should be combined with some vulnerability database. – MOH Oct 24 '18 at 16:51
  • @KatlegoM I want to implement a vulnerability scanner, is there any open-source reliable software? – MOH Oct 24 '18 at 16:52
  • @MOH: there are already a number of vulnerability scanners that use such vulnerability databases, for example [yum-security/yum-plugin-security](https://linux.die.net/man/8/yum-security), [debsecan](https://wiki.debian.org/DebianSecurity/debsecan), [safety](https://pypi.org/project/safety/), [clair](https://github.com/coreos/clair), [dependency-check-maven](https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html), etc. Most such scanners depend on a package manager, as that is an easy and reliable way to obtain installed software versions. – Lie Ryan Oct 25 '18 at 12:54

3 Answers

2

The NVD contains the list of known versions of the software that are vulnerable to the issue. Combined with a database of installed software versions, this can be used to identify vulnerable software.

Lie Ryan
  • Thanks much. Is the list of vulnerable software versions updated over time for a particular vulnerability, or is it the version of the vulnerable software at the time the vulnerability was detected? – MOH Oct 24 '18 at 00:18
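The matching step this answer describes, as an added example (not Lie Ryan's code): an NVD-style entry carries CPE product names plus inclusive/exclusive version bounds, and a scanner compares the package manager's installed versions against them. The entry below is constructed in the shape of the NVD JSON 1.1 feed's `cpe_match` list; the CVE id, vendor and product are placeholders.

```python
import re

# Constructed NVD-style entry; CVE id, vendor and product are placeholders, not a real advisory.
SAMPLE_CVE = {
    "id": "CVE-YYYY-NNNNN",  # placeholder id
    "cpe_match": [
        {"vulnerable": True,   # every version from 2.0.0 up to, but not including, 2.4.7
         "cpe23Uri": "cpe:2.3:a:examplevendor:exampleapp:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "2.0.0",
         "versionEndExcluding": "2.4.7"},
        {"vulnerable": True,   # a single pinned version with no range fields
         "cpe23Uri": "cpe:2.3:a:examplevendor:exampleapp:3.0.0:*:*:*:*:*:*:*"},
    ],
}

def version_key(version):
    """Turn '2.4.10' into (2, 4, 10) so 2.4.10 sorts after 2.4.7 (plain string order gets this wrong)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))

def cpe_fields(uri):
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    parts = uri.split(":")
    return parts[3], parts[4], parts[5]

def in_range(version, match):
    """Apply whichever of NVD's four optional version bounds the match carries."""
    vk = version_key(version)
    bounds = (("versionStartIncluding", lambda b: vk >= b),
              ("versionStartExcluding", lambda b: vk > b),
              ("versionEndIncluding", lambda b: vk <= b),
              ("versionEndExcluding", lambda b: vk < b))
    return all(ok(version_key(match[k])) for k, ok in bounds if k in match)

def affected(cve, installed):
    """installed: [(vendor, product, version)] as reported by a package manager.
    Returns the entries that fall inside one of the CVE's vulnerable CPE matches."""
    hits = []
    for vendor, product, version in installed:
        for m in cve["cpe_match"]:
            mv, mp, mver = cpe_fields(m["cpe23Uri"])
            if not m.get("vulnerable") or (mv, mp) != (vendor, product):
                continue
            pinned = mver not in ("*", "-")   # "*"/"-" mean "any version, see the range fields"
            if (pinned and version_key(mver) == version_key(version)) or (not pinned and in_range(version, m)):
                hits.append((vendor, product, version))
                break
    return hits
```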
2

To me, it sounds like this gets at an underlying area of confusion around what vulnerabilities actually are. A vulnerability is simply an area where someone can get through the security controls that are put in place. In many contexts, this might mean that the vulnerability in question follows a specific design, like XSS or CSRF. But that isn't always the case, because the concept of a vulnerability is much more abstract.

Security as a field and a concept is really broad, and applies to systems as much as individual pieces of software. As an example, in a corporate context, every human is a vulnerability, because every human is able to disclose information or compromise security in other ways. Doors are also vulnerabilities, because attackers can enter through them and assets can accidentally exit through them. Same with trash cans, because assets could get lost in them. Toilets are the same. Of course, humans and doors and trash cans and toilets are all risks that necessarily must be accepted, but they're still vulnerabilities.

So to answer your original question, vulnerabilities don't have signatures because they are abstract and represent something intangible. They can't have signatures, because they exist as a concept at a much higher level. Viruses can have signatures, but that's because viruses are discrete pieces of software that function in an incredibly narrow way. (Note the distinction there, by the way - viruses can have signatures, but malware doesn't have signatures.)

It sounds like you might be looking for something related to vuln scanning - awesome! Vuln scanning is a super cool space! OWASP has a great list of significant vuln scanners here, so definitely check that out. There are other scanners and scanning tools not included in that list, but it's pretty comprehensive and should give you a good starting place. Virus signature databases also exist of course - I can't recommend any in specific, but searching on "virus signature database" should hopefully get you some useful results if that's what you're after. And, of course, as you mentioned, NIST has a great repository of vulnerabilities, as does MITRE.

schroeder
securityOrange
  • Thanks for your comprehensive answer. Why do you say malware does not have signatures? – MOH Oct 26 '18 at 07:06
  • One more thing, so is there any database for vulnerabilities and their solutions (patches)? – MOH Oct 26 '18 at 07:08
  • @MOH vendors maintain those lists for their products. Vuln scanners can match the vulnerabilities found with the available patches, if any. – schroeder Oct 26 '18 at 09:39
  • @MOH Happy to help! What schroeder said is right - vendors tend to maintain their own lists. In terms of centralized repositories, NIST and MITRE are definitely the best you're going to get I think. – securityOrange Oct 27 '18 at 00:39
  • @MOH Regarding malware signatures, that answer is similar to vulnerabilities: malware is simply software of any kind designed to carry out malicious actions, so the genre is extremely broad. If you were to do something as simple as write a script to send a ping flood to a friend's computer, that script is absolutely malware. Or even a benevolent application that loses control and accidentally does something wrong when it runs is acting as malware in that instance. So signatures can't exist because malware is simply about a disconnect between desired outcome and actual outcome. – securityOrange Oct 27 '18 at 00:39
0

If your question is about integration, then I would recommend you review the STIX and TAXII standards; these are the protocols used to communicate signatures between security systems and IoC providers.

Below is an example of STIX sharing the SHA256 of a file:

```xml
<!-- STIX 1.x / CybOX 2 observable; the xmlns declarations are added so the fragment parses stand-alone -->
<indicator:Observable id="example:Observable-7b97c8a2-2d0b-4af7-bcf0-cad28f2fea5a"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <cybox:Object id="example:File-b04bfc7c-04ae-4dfe-ba8e-a297f0717552">
        <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:Hashes>
                <cyboxCommon:Hash>
                    <!-- hash algorithm name from the CybOX HashNameVocab vocabulary -->
                    <cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
                    <!-- condition="Equals": a file matches when its SHA256 equals this value -->
                    <cyboxCommon:Simple_Hash_Value condition="Equals">e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</cyboxCommon:Simple_Hash_Value>
                </cyboxCommon:Hash>
            </FileObj:Hashes>
        </cybox:Properties>
    </cybox:Object>
</indicator:Observable>
```
Feras
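What a consumer of that observable does with it, as an added example (not Feras's code nor a STIX library): pull every `Equals` hash out of the observable and compare files against it. The XML is a constructed copy of the answer's fragment with namespace declarations added so ElementTree can resolve the prefixes; the hash value is the answer's own, which happens to be the SHA-256 of an empty file.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed copy of the answer's STIX 1.x observable, with xmlns declarations
# added so the prefixes resolve. The hash is the answer's sample value (SHA-256 of b"").
STIX_OBSERVABLE = """<indicator:Observable
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Observable-7b97c8a2-2d0b-4af7-bcf0-cad28f2fea5a">
  <cybox:Object id="example:File-b04bfc7c-04ae-4dfe-ba8e-a297f0717552">
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value condition="Equals">e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </cybox:Object>
</indicator:Observable>"""

CYBOX_COMMON = "http://cybox.mitre.org/common-2"
NS = {"cyboxCommon": CYBOX_COMMON}
# CybOX hash-name vocabulary values mapped onto hashlib algorithm names.
HASH_ALGOS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def extract_hash_indicators(xml_text):
    """Return [(hashlib_algo, hexdigest)] for every Hash whose value condition is Equals."""
    root = ET.fromstring(xml_text)
    found = []
    for h in root.iter("{%s}Hash" % CYBOX_COMMON):
        t = h.find("cyboxCommon:Type", NS)
        v = h.find("cyboxCommon:Simple_Hash_Value", NS)
        if t is None or v is None or v.get("condition", "Equals") != "Equals":
            continue  # only exact-match indicators are usable as hash lookups
        algo = HASH_ALGOS.get(t.text.strip().upper())
        if algo:
            found.append((algo, v.text.strip().lower()))
    return found

def file_matches(data, indicators):
    """True if the file bytes hash, under the indicator's own algorithm, to an indicator value."""
    return any(hashlib.new(algo, data).hexdigest() == value for algo, value in indicators)
```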