loon-cybersecurity-odbac

NVD Version Limits: Version End Including

Sun, 06 Oct 2024 20:23:54 GMT

This is a subtitle for your new post

Yesterday we explored the Version End Excluding which is one of the most common version limit declarations. The other method of declaring an up limit to a version check. Example for this is Adobe’s Photoshop with vulnerability CVE-2023-44330 and the text of an configuration example is below.

CVE-2023-44330

{

"operator": "AND",

"nodes": [

{

"operator": "OR",

"negate": false,

"cpeMatch": [

{

"vulnerable": true,

"criteria": "cpe:2.3:a:adobe:photoshop:*:*:*:*:*:*:*:*",

"versionEndIncluding": "24.7.1",

"matchCriteriaId": "F6792846-8164-4C67-A210-1244E503BE88"

}

]

{

"operator": "OR",

"negate": false,

"cpeMatch": [

{

"vulnerable": false,

"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",

"matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"

{

"vulnerable": false,

"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",

"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"

}

]

}

]

}

In this example yo know you have version 24.7.1 as a vulnerable and anything later than that shouldn’t be considered vulnerable. The big challenge with this is you don’t know the next version to update to. This makes building guidance more difficult.

Two cases you may want to use a versionEndIncluding are you don’t know when the version will come out and what the exact version that fixes it will be or if you don’t intend to fix this family of the software.

Occasionally you see this type used with hot fixes as vendors won’t increment the version for the vulnerability patch. This will be discussed in a latter post around Apple’s Operating Systems and some SaaS SBOM components.

Thanks for reading!

NVD Version Limits: Version End Excluding

Fri, 27 Sep 2024 14:51:44 GMT

This is a subtitle for your new post

We have thus far covered a few cases of how to detect the application but we haven’t yet moved to how to determine what a resolution to the vulnerability is in this case we are still exclusively looking at NVD configurations. Working with vendors security portals is a much later topic where you can get into detecting conjugation of the application.

There are 4 primary version checks they are Version End Excluding, Version End Including, Version Start Including, and Version Start Excluding. Of all these the one you will find most frequently is a Version End Excluding. I attached an exert to the vulnerability CVE-2023-6336. Again not targeting any specific vendor or software, just using a recent at the time of writing example.

It should be noted there are 3 other fix versions that will be discussed much later. The version IS statement, the no fix will be provided statement, and the redirect to a different source common for Microsoft. Later blog posts.

CVE-2023-6336

{

"operator": "AND",

"nodes": [

{

"operator": "OR",

"negate": false,

"cpeMatch": [

{

"vulnerable": true,

"criteria": "cpe:2.3:a:hypr:workforce_access:*:*:*:*:*:*:*:*",

"versionEndExcluding": "8.7",

"matchCriteriaId": "83E3E9E9-12B1-41CE-B254-894EDCC79B3F"

}

]

{

"operator": "OR",

"negate": false,

"cpeMatch": [

{

"vulnerable": false,

"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",

"matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"

}

]

}

]

}

Version End Excluding covers the vast majority of reports as it informs you of the fix version. You can see this in many of the XDR agents that include remediation guidance. You can pull them directly from this record and reflect them to a customer without modification.

For this vulnerability you know that something in the family of 8.7 exists and that version specifically remediated this vulnerability. Thus the easiest method of detection

Thanks for reading

Applications that tell you what Platform, Part 2

Thu, 26 Sep 2024 14:24:22 GMT

This is a subtitle for your new post

The body content of your post goes here. To edit this text, click on it and delete this default text and start typing your own or paste your own from a different source.

Applications that tell you what Platform, Part 1

Wed, 25 Sep 2024 15:54:18 GMT

Applications that tell you what Platform Part 1

When a ven dor releases a Vulnerability they may specify a platform that the vulnerability exists on. There are many reasons they might do this, perhaps the vulnerability only exists with this software and that platform. It could be inherited from the operating system or platform but the vendor wants to declare they have a fix, workaround, or have otherwise remediated it. This was common for applications reporting Log4J and other industry similar ones. Sometimes they are good natured and want to assist you in specifying the platform it runs on. Very common with iPhone and Android apps.

In this case we are going to look at CVE-2024-31489 to examine one of the ways that vulnerabilities can be declared. I often refer to this method as the Easy Application, Operating System Included. Yesterday’s blog on Wireshare was an example of an Easy Application and I will give a brief description but save the complicated part for another blog. But here is the Configuration object from the CVE.

{

"vulnerable": true,

"criteria": "cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:macos:*:*",

"versionStartIncluding": "7.2.0",

"versionEndExcluding": "7.2.5",

"matchCriteriaId": "2244A437-D579-4065-8FB0-37476ED7AC3C"

}

If you split the criteria string on the colon you end up with 13 objects. If the slots 6-10 are *’s I refer this as an easy application. You don’t need any logic further to help identify the application. If the 11th index is filed then this is almost exclusively a platform or operating system. Thus calling it the Operating System Included. You can also not that this includes the versionStart/End/Including/Excluding keys. You have at least one of these of which 90+ will be versionEndExcluding. Which helps declare the fixed version.

If you are looking at this from the lens of the operating system of “I am checking for this vulnerability on a specific platform” this is becomes really helpful. Because it is declarative and not ambiguous. Thus easier to detect and easier to resolve.

There are other methods that they may include either Operating System or Hardware designations in to the mix. IE only Intel MacBooks or Only the M2 Mac Pro, both examples given in later blog posts.

Thanks for reading

100 Detections in 100 Days: Part 1 Wireshark

Fri, 30 Aug 2024 21:50:04 GMT

The Starting place

I started my professional career of in networking and there are a set of applications that have been near and dear to me in that. one of those is Wireshark. Wireshark is a network TCP/UDP and other protocols analyzer that helps you make sorts of what is going on.

You can use it many ways both as an administrator or a nefarious agent looking to escrow some data to attempt to crack it later.

In this case though I am going to talk about why Wireshark is a good starting point to talk about Application Vulnerability detection.

Wireshark has easy Application Detection

Wireshark is installed into the ~/Applications directory which makes it easy to detect either through terminal commands such as system profiler, OSQuery an industry leading software on helping discover system metrics, or MDM tools whether using the MDM specification or are agent based like Jamf. The application has a consistent and easy to detect BundleID, Name, and version strings.

Wireshark has Semantic Versioning

One of the best things about Wireshark is they have a solid semantic versioning system. You don't get any curve balls like other applications. They use the primary version strings which can be found via your system terminal, OSQuery, or your MDM of choice. Not many people are aware there are multiple version strings in MDM but Wireshark is an example of an easy one to work with.

Wiresharks Vulnerability Versions Match their System Versions

This will be covered in a future blog post * Cough Microsoft *. One issue that comes up often when attempting to find vulnerabilities in NVD

``` NVD CPE String

cpe:2.3:wireshark:wireshark:*:*:*:*:*:*:*:*

```

``` NVD CPE String

cpe:2.3:wireshark:wireshark:$YOURVERSION$:*:*:*:*:*:*:*

```

Wireshark Freely hosts older versions

This one is pretty rare in this space and you would often have to rely on a 3rd party packaging service to acquire older version such as Jamf's Patch Defintions or Alectrona. If you are developing a vulnerability detection system it is trivially easy to give yourself past versions to verify that your detections work.

This will also become a big issue when you deal with the major App Store distributed apps such as Apple or Google's official App Stores.

Wireshark has consistent NVD Reporting

Wireshark reports the app name consistently to the NIST Vulnerability Database. In this case it is an application. Whether you are using LoonSecIO's, NVD's, or VulnCheck's API it is really consistent to find the versions both new and older to understand any risks based on a vulnerability report. Below is some examples of how they are reported.

``` NVD CPE String

cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:*

```

``` NVD CPE String

cpe:2.3:a:wireshark:wireshark:$YOURVERSION$:*:*:*:*:*:*:*

```

One thing they could do better

Follow the likes of Maven and others and if you are hosting previous versions clearly layout the vulnerabilities you inherit with the downloads.

What did we learn

The very basics of what an application is, what a CVE is, and why Wireshark is an important app. This blog has a long way to go so we will dive into each of these individual concepts in depth later.

Link to the Detections