
Hello, hi everyone. I guess we're just going to get started, and because I don't want Kevin introducing me, I'm going to introduce myself. I'm Paul Asadoorian. My day job is principal security evangelist for a company called Eclypsium, which is a great place to work, a lot of fun, and we do cool firmware and supply chain things. I do podcasts as well; currently I do Paul's Security Weekly, which is in its 19th year of doing a podcast, so that's a lot of fun and you should check that out. This talk stemmed from me doing a podcast or two every week and observing the news and things happening in our industry and going, "wow, that's kind of messed up," and then, "well, that's also kind of messed up," and then, "these things kind of relate." Over time I thought this could be a talk, and so that's how I came up with this talk: everything you didn't want to know about CVE, because of all the kind of messed up things I was observing in the wild doing my podcast and covering the stuff in the news.

So I just want to start off with: how many people here have kids that you know of? Right, it's my famous joke. And how many people have been on vacation with kids and could probably check all these boxes of bad things that have gone wrong on vacation? I just went on vacation with my family and thankfully we didn't lose a child (I mean, we have three, so you know, it's extras), and illness-wise we were good, but pretty much everything else was a problem that we had to deal with. Now, how each and every one of us in this room would rank these problems on a severity scale is probably different, correct? The person in your family who may have to do response to one of these things is probably different. I had a whole conversation with my good friend Jeff about puke over lunch, about who responds to puke, and telling stories about puke, and I will spare you any of those details. But the point is we would have a different severity of response, and how emergency-level that response is, for any of these things, and it'll be all different and unique to our own environments, which is the same thing with vulnerabilities and exploits. That's the point. So a lot of this talk is going to focus on the problems I've observed and my proposed solutions for dealing with how we collectively as an industry deal with vulnerabilities. So, are you the kind... are you the "screw one side in really tight, both sides, or not screw it in at all" kind? Right, yes, everyone's different, isn't it?

All right, so I'm just going to run through the problems and solutions. One of the problems I've observed is CVE lists the wrong version as being vulnerable. The data that's coming from what we know and love as CVE is sometimes not very accurate. What happens is, since anyone basically can create a CVE, these get reported into MITRE, MITRE publishes them, and it will state "all versions up to and including" are vulnerable. Often times, especially with WordPress plugins, this is simply not true, yet this data exists in the CVE database, and there's a lot of this data in the CVE database from CNAs, CVE Numbering Authorities. These are organizations that are authorized to issue their own CVEs. You would be surprised at the top companies that have issued the most CVEs. Of the CVEs issued by any particular CNA, anyone want to venture a guess at what the number one or even number two is? Yeah, I heard Microsoft, Google, WordPress itself. You're close; the top ones do have something to do with WordPress. One of them is actually called Patchstack, and in their database today, if you go through and look at the vulnerabilities that they've reported, they all have that (do I have a laser pointer on here? yeah) they all have that "less than or equal to", so that means all versions up to and including. You can see this is just a snapshot of their page, and every single one of these here is listed that way. Now I didn't go check to make sure that that was actually true, but based on what I've observed so far, I think it's probably not entirely accurate. And so then I started looking at, well, who is the number one? It turns out it's Patchstack. The second one on the list is VulDB. Now VulDB has been around for a certain amount of time, like a long time; basically they've got the whole company history there. I started going down the rabbit hole of investigating the whole company and I'm like, "all right Paul, reel the reins in on it, you've got other things to talk about." The interesting part here is that each of these top CVE reporters are not Microsoft, Google, or the ones you'd expect, right? It's Patchstack, it's VulDB, it's security advisories at GitHub, then we've got Microsoft, and we've also got Wordfence and WPScan in there as well. I think what we can glean from that is WordPress is really just a cesspool, especially the plugins, but also there's a lot of people that like to report those and use that as marketing on their websites, is the other thing I've observed as well, which also I think skews the data. So how many vulnerabilities are reported, what's the severity of all of the reported vulnerabilities: that data gets skewed. You almost have to remove WordPress plugins from that because of the people who are reporting them and all the things that are wrong in the WordPress ecosystem, which is an entirely different talk. Okay, so just because it was reported doesn't mean it's accurate or up to date.

Okay, the next problem is dates. To me, when I look at the CVE data, which I do on almost a daily basis (and I'll show you how), the dates are really confusing. I want to know when a CVE was assigned, when it was published, versus when it was updated, and that information isn't always apparent or obvious. I believe there's ways to dig in and get it, but the year is an interesting kind of moniker, because we'll be in 2024 and someone will issue a CVE from 2023 because they were a CNA and they had a pre-allocation of CVE numbers, and they're like, "oh, that's just the next one in the queue." So then you're like, "oh my God, what did I miss, how did I miss this vulnerability, it was from 2023?" No, they're just reusing it from older data. So I want to see us keep better track of when a CVE was assigned, when it was made public, and when it was updated, because the other thing that's very elusive to me (and we'll go through this in the context of open source projects) is I want to know when it was reported, when it was assigned a CVE moniker, and when that was made public, and I don't think we have great insight into that time window of when it was made public. I want to know the whole history behind the timeline for these. So I think I talked about all that stuff.

The next problem is anyone can score using CVSS. That's kind of in my little opening story about my vacation: we all have a different opinion as to the severity level of various vulnerabilities or events, and a different opinion on the context of those. What's interesting is there's actually a case where three different organizations scored a vulnerability. This happens to be the LogoFAIL vulnerability that was disclosed by Binarly, and what we have is Binarly says it's an 8.2 CVSS. CVSS is just a formula: you plug in various aspects or data points on the vulnerability and you come up with a score, so their score was 8.2. Now NIST runs NVD, NVD enriches the data from CVE, and one of the things they do is assign a CVSS score. Their CVSS score was a 7.8. Now the CNA, the CVE Numbering Authority, in this case is AMI (everyone's seen the splash screen on their BIOS that flashes up AMI; this is a vulnerability in AMI UEFI BIOS), and their score was 7.5. They're the ones that wrote the software, so you know, you don't want to call your baby ugly, therefore their scores are much lower. Now the folks that found it want to say this is really super critical, because "we spent all this time finding it," and I get that too, and then you've got something somewhere in between. So what do we do? Do we average these together? Do we calculate our own scores? It all becomes very confusing. But it's a double-edged sword, right? I do want the openness that anyone can score it, because I don't want the other end of the spectrum where only one organization is allowed to score it, because then it's only their biases that we would inherit in all of these scores. So I don't have a great solution right here other than you have to score it yourself, and I've got some information towards the end about that.

Okay, not all vulnerabilities get a CVE.
What's interesting is Josh Corman and I both talked about this probably 10-plus years ago. We just happened to be doing research into CVE, and we both came to the conclusion that, wow, a lot of stuff doesn't get a CVE. So I have some examples for you. The Squid proxy: there was, I believe, a person and/or group that looked at a bunch of vulnerabilities in Squid proxy. Does anyone want to admit they run Squid proxy? I mean, you may be running it in your environment and you may not know it, because it could be embedded inside of your appliance, which is even scarier. But there were a ton of vulnerabilities found in the Squid proxy that never got fixed. They never got a CVE and they never got fixed. Now they're working with the project. Is this the one that said it took years? This is the one where they were all discovered in this version, nearly every single component was vulnerable, and if you go read the article, it basically says 80% of these vulnerabilities, I believe, were not addressed, so they never got a CVE. FreeRDP is another one: for a time span of about two years these vulnerabilities were identified but not fixed, which is also kind of scary, because I'm going to show you some tips and tricks on how to go find vulnerabilities maybe before they get a CVE, or before that CVE becomes public. These are the methods that I used to discover that someone had discovered a vulnerability in the Linux software shim. I believe I was the first person to figure out that that had existed, or at least publicized it and made kind of a big deal about it, and it turned out to be kind of a big deal. It falls in this category of, yes, it was identified, there was a git commit somewhere and there was a CVE issued, but it hadn't been brought to light. This is a case where this stuff wasn't being fixed for two years, so no CVEs existed because the bugs weren't being fixed. There's a whole article about FreeRDP that's really good that you should check out.

This is an interesting one. This vulnerability was discovered by researchers at Eclypsium. I had a little bit of a hand in this as well, as I started poking around and getting curious about Zyxel firmware and passed it off to our awesome research team, and our research team says, well, there is this service called ZTP, it's a setup protocol for Zyxel firewalls, and it turns out there was a vulnerability in a particular version of their firmware with the ZTP protocol. Now what Zyxel said was, well, we're not really... they fixed it, but they fixed it by removing that feature, that software, from their firmware and issuing new firmware, and they said, well, we're not going to issue a CVE for this. I'm like, hold on, time out. Can we all agree that if there's a vulnerability in a piece of software it should get a CVE? That makes sense to everyone, right? Vulnerability in software gets a CVE. Apparently not to folks like Zyxel, because there's a vulnerability in their software, now they fixed it by removing the component, and never publicized that there was a CVE. There's still a vulnerability in that particular version of their firmware, but there's no CVE tied to it. So that puts customers, in my opinion, at a disadvantage, because you could see that there's an update available for your appliance and go, "well, it's just minor bug fixes," triage it, and go, "I'm not going to apply the update," when, lo and behold, inside of that could be an important security update for your appliance.

Okay, some other examples. I pull these from a lot of my time when I worked at Tenable, and we would have checks for things that didn't have a CVE, and it was kind of hard for me to determine what's the best coverage for my network when I run a vulnerability scan. It's hard to measure that because there are things that don't get CVEs: weak or default passwords; back doors (I mean, sometimes back doors, Mr. Potato Head back doors, are not secrets, anyone get that reference?); misconfigurations that are introduced by the user, right, sometimes a user-configurable option won't get a CVE because it's something that can be turned on or off; and unsupported hardware and software, again common in IoT appliances. I've seen a trend recently where vulnerabilities are discovered in a particular version of firmware for mostly consumer-based IoT devices, an exploit is developed and published, and the vendor's response is "we don't support that hardware or firmware anymore and we're not going to issue a fix," and the bad actors go, "well, that's great, I'm just going to keep using my exploit, let's go to town, build up Mirai and we're off to the races," until someone replaces that hardware.

Okay, so open-source patches are public. This is kind of interesting. There are ways, and I believe GitHub has a facility (they do have a facility) for open source projects to be able to hide, basically, commits that are used to patch very visible or critical things, but for the most part all patches to open-source software are public. They're somewhere in a pull request, they're somewhere in any kind of ticket, PR, issue, or commit. So Aqua Security did some research on this and produced tools, and I thought this was really super interesting. They defined these: a zero-day is the person who maintains the project doesn't know that the vulnerability exists. A one-day is known to the maintainer, it may have a CVE assigned which (bless you) may or may not be published, but there's typically a patch available, right, but it hasn't been published, so that's a one-day. And then they describe a half-day, which is known to the maintainer, the information is publicly available on GitHub, fixes may be in the works, and a CVE may not be assigned. So it's somewhere in between a zero-day and a one-day: a half-day, if that is making any sense. And then they've got different scenarios that basically blend: the vulnerability is known to the maintainer, maybe a patch is in the works, maybe it's not, maybe a CVE is assigned, or maybe it's not. So all of these vulnerabilities fall in these different buckets, and if you think about these buckets, you should go, "well, I can go look for that, because git commits are public." So they wrote a tool and they called it CVE Half-Day Watcher, and you can run this tool and it will go through based on CVE (so I believe a CVE has to be issued for this particular project to work), and it'll point out and go, "you know what, that commit right there, I believe, fixes a security vulnerability that hasn't been publicized yet." And so I've used that to find, granted, with not much success; I do run this tool as part of my every-week looking at vulnerabilities, and I'm like, "oh, that's kind of interesting." We can also look at (and I don't know if this particular project does it, but I've seen other folks either propose or start working on stuff that) looks at commits and looks at the language inside of the commit and goes, "that could be fixing a security vulnerability that maybe no one knew about before." Obviously there's a lot of commits on GitHub and that's a huge endeavor, but certainly possible to look at these commits.

Okay, tracking supply chain vulnerabilities is super hard, and we've had some examples recently of this. Now, I want to go back. Obviously everyone has heard about XZ, which was the recent one, but I want to go back for a bit: the libwebp vulnerability was a very interesting one in this context. What happened was Google and Microsoft both realized that their products contained a vulnerable libwebp library. They both fixed that issue, and since they're both CNAs, they were able to assign a separate CVE for each of those products. The problem is that CVE is not necessarily a vulnerability in Chrome; it's a vulnerability in libwebp and, in my opinion, should be tracked as such. Now, I'm not saying this is easy, right, but we should go: the vulnerability and the CVE issued is for libwebp, and all the software that's affected, in the CPE, or Common Platform Enumeration, I propose, be updated to say this is yet another platform that's vulnerable because it includes this library. That's not how it works today; however, I think we should have a system to track these supply chain vulnerabilities so that we know what's vulnerable based on the library, not based on the platform that that library is included in. Now, we did all agree previously, right (I have it on video), we all agreed the CVE should be issued when there's a vulnerability in a piece of software, except when it's a big enough back door, and then we issue a CVE for it. So if we did that for XZ, which got a CVE, which is not a vulnerability, it's a back door, we should do it for all the back doors, shouldn't we? Do we all agree? Maybe we can talk about it over beers. I like that,
that's fun, right? Okay, how do we track severity and impact changes? This one's really funny, because I get to make a joke: there was a vulnerability in the Owl camera, and I'm like, that was a hoot. Get it? And you thought Kevin's jokes were bad. So what happened with the Owl vulnerability was CISA came out and said, look, there is a known exploited vulnerability in Owl cameras. I'm like, well, that's kind of interesting, and then I started digging into it, and I'm like, oh, they're saying that Wi-Fi and Bluetooth vulnerabilities that were discovered by researchers, that are referenced in that article, were spotted in the wild as being exploited. And I'm legit excited at this point. I'm like, this is awesome, because all the time, mostly Larry and I have said if you've got Bluetooth or Wi-Fi, an attacker's going to take over it; they don't necessarily need physical proximity, they can use other devices to jump over to those devices. This is awesome, now we can say it's happening in the wild. "Larry, this is great!" And then the next couple of days go by, and I'm like, "Larry, remember what I said about the Owl thing? Forget what I said." CISA came back and said, no, they really weren't observed in the wild. So the severity and impact of this vulnerability changed, and how did we track that? Did the CVSS score change? I mean, the KEV was updated, so that certainly did serve its purpose and track this change, but for a while we thought Owl cameras were being exploited in the wild; turns out there wasn't enough evidence of that.

There was also an unauthenticated remote vulnerability in ASUS routers. This one was super interesting, because the researcher said, look, this is an unauthenticated remote code execution, command injection I believe, exploit, right, and it works, and it's a very high severity because it's an unauthenticated RCE. And when these particular researchers looked at it, they said, well, that's only true if you're running in emulation, because the researchers who discovered the original vulnerability discovered it by running the firmware in emulation. When you run firmware in emulation, one of the things you have to emulate is NVRAM; it's a piece of storage, typically on the SPI flash, that contains certain variables and configuration data. When you run it in emulation, it behaves differently than when you run it on actual hardware. It turns out it's not an unauthenticated remote code execution vulnerability, it's authenticated, so the severity changed, differently, right? Severity can change in either direction, and there are some examples of that, and so it's a constant process now for us to track these changes in severity. There's also a long history of really popular vulnerabilities that have changed in their severity. We could go back to EternalBlue: there was no public exploit, so we all assumed, well, no public exploit, I don't have to rush to patch that, until there was a public exploit, and then you really did have to rush to patch that. Probably the only one on here that you didn't have to rush to patch was Spectre and Meltdown; again, I put that on there for academic purposes. I haven't seen in-the-wild exploitation of specific Spectre and Meltdown vulnerabilities. If someone would like to correct me if I'm wrong, I am all ears; I'd love to have that conversation over beers.

Okay, the state of the NIST NVD program. Originally I was going to spend a lot of time on this, and then my good friends Josh Bressers and others had a field day describing what's happening at NIST, and so I don't want to knock NIST, I don't want to knock MITRE, that's not why I'm up here. I think we all need to work together to solve the problems that I've outlined already. So basically I'll summarize, but you can go read all of these articles if you want; they're all really good. The summary is basically we need this enriched data, right? We need MITRE or someone to be able to handle the issuing of CVEs; we need yet another body, perhaps, to do the enrichment of that data, to give it CVSS scores in an unbiased manner, to assign CPE, or Common Platform Enumeration, and also to score it on EPSS, the Exploit Prediction Scoring System, which uses a machine learning algorithm to determine how exploitable... what's the probability of an exploit being used against this vulnerability. Now I don't want to knock EPSS, because I think the algorithm is a great usage of machine learning, quite frankly. I don't think we should knock it because it's machine learning; I think the program just doesn't get enough updates, it doesn't have the resources it needs to be a valuable metric that we can use to help us address and assess the severity of vulnerabilities. And so what people are saying is we need more resources, we need to appoint unbiased organizations that have enough resources to do this. What we have right now is the NVD program doesn't have enough resources in order to continue. Now there's two reasons for that, so don't just think, "oh, my tax dollars are going to waste, they haven't hired enough people." We've also gotten way better at finding vulnerabilities and producing more software, which has more vulnerabilities, so the problem is compounded by more vulnerabilities and resource constraints.

Okay, now we'll go through the proposed solutions. How much time do I have? Okay, good. So my proposed solutions: don't trust the version numbers; ignore dates; generate your own scores (my favorite slide is coming up, I'm so excited, I'll tell you when we get there); assume there's zero-days; find non-CVE vulnerabilities through intelligence and testing (I'll actually show you some methods I use to do that); generate your own SBOMs; prove something is exploitable; and we all need to work together to improve those various programs.

Okay, so affected versions and publication dates are important. I use an open-source tool called CVE-Maker and I run the command within there called "critical", and this gives me... now this data is kind of skewed when I took the screenshot. I basically try and run this tool every other day. Qualcomm released a whole bunch of critical vulnerabilities on the day that I ran this, so therefore you see that. But what you get is the last 20 or so CVEs, listed by criticality, by updated date, not by when they were issued, not by the publish date, not by any of those other dates. So if someone goes back in and updates a CVE entry from 2013, it will show up in my list when I run this command. So I kind of like that; now, also, it may show me stuff that I don't care about, but it's a useful tool, and I have full instructions and documentation on how to find this tool and set it up in a slide that's coming up, I promise. cvemap is another tool that I use to look at CVE data. This was published by ProjectDiscovery, and it slices and dices a little differently: this is by when it was issued, and it allows me to add certain fields. So I can say show me all the latest critical CVEs (and critical, I believe, is 8.0 or greater), and then I can say show me the fields for KEV, if it has a KEV associated with it, and if you've observed a proof of concept, right, that's useful information as well. It gives you a lot more context rather than just a CVSS score; it also tells you some extra information, so I like this tool as well.

Okay, now we get to the fun part. It's my favorite slide, because I thought about, given all of these problems and all these data points and solutions, how would you evaluate the severity of a particular vulnerability in your environment? So what I came up with was Paul's Vulnerability Patching Matrix, which I based on a really funny video that now is highly inappropriate, so I've cleaned it up so that it's appropriate and applicable to evaluating vulnerability severity in your environment. So what we end up with on the left-hand side here is vulnerability severity. The severity goes from 4 to 10, because basically if it's less than a 4, in my mind it's not a vulnerability. Then on the bottom we've got organizational impact, on 0 to 10, and I put a little operational risk with a subtraction sign: if there's operational risk you should kind of back that off, lower your score a little bit, because if it's going to mess things up in production, then you probably want to prioritize it a little differently. So operational risk is a factor here. So then what we get is, if you're between a 0 and a 5 organizational impact, you're in the No Big Deal Zone. It doesn't matter if it's a CVSS 10.0: if you don't have that software in your environment, if you don't use that particular configuration to make it vulnerable, whatever the case may be, that's no big deal. Now if you're between a 5 and an 8 organizational impact, and you're in the sevenish, you know, 4 to 7 zone, that's your Patching Fun Zone: you can patch, you can not patch, you can kind of take your time and evaluate. Where the Patching Danger Zone comes in is if your organizational impact is 5 to 8 but the vulnerability severity is less than a 7: you could be wasting your time, right, you could be patching things that really just don't matter that much in terms of protecting against attackers. Now, where this changes (if you haven't figured out by now, this is based on the Hot Crazy Matrix; if you go back and watch that, you'll laugh at that and then hopefully also laugh at what I present here) is, I've made changes so that 8 to 10 is you basically want to patch now, regardless. If your organizational impact is 8 to 10, the vulnerability severity just doesn't matter. If it's impactful to your organization, if there's a medium 5, a medium 6, and a 7 that can be strung together, which happens a lot, you need to patch those. So Patch Now is based solely on organizational impact. So that was my take on how you should think about generating your own scores: don't get too fancy, just use Paul's Vulnerability Patching Matrix, which you can all have for free.

Finding non-CVE vulnerabilities through intelligence. We can use threat and vulnerability feeds; both open source and commercial options exist. We can use pen testing, or attack surface management, in many shapes, forms, and flavors, to constantly assess our attack surface independent of whether there's a CVE or not. And monitor your feeds on your
own to find things that are vulnerabilities that could impact your organization that don't have a cve well how do we do that uh I use a tool called feedle uh feedle is an RSS aggregator and I know a lot of people probably stopped using RSS aggregators when Google stopped theirs or maybe don't use them anymore I still use uh feely um as my RSS aggregator and I subscribed to a lot of different exploit and vulnerability feeds right I mean have basically spent 19 years curating this list I'm also giving uh all of my feeds uh away for free uh there's a link in the presentation you can download in an opml format all of my feeds that I
follow so if you're looking at this list going how do I recreate that you're just going to go to my website and download it and you can bring it into any RSS reader now I follow exploit feeds and vulnerability feeds not so much that I'm going to read every single one one of the powers of feedle even in the the business plan that isn't that expensive before you get to Enterprise um in this plan you can create uh AI searches uh inside of it and the AI searches will search your existing feeds so I basically load my feeds with a bunch of like really noisy things in hopes that my when I create a search for something
It'll pick out what I'm looking for from these feeds, basically. Okay, and so I've done this with appliances. I want to know about network-based appliances: any kind of vulnerability or research or exploit, any security-related thing to do with a network appliance that comes from a whole list of companies, which I list right here. I want to know about them, and oftentimes I can find the disclosure of these first. So I'm feeding my threat research team at my day job, I'm doing my podcast going, yep, there was another vulnerability in, what was it before I went on vacation, I think it was Palo Alto, which was the one before I went on vacation. And so I can see that here. I also subscribe to the ones that have their own RSS feeds as well, as typically that will be the early indicator. I also use Feedly to subscribe to mailing lists. It has this feature where you can subscribe to a mailing list through Feedly: it generates a random email address and creates an RSS feed from that email list, which is an awesome feature. So sometimes, like, Check Point says, if you want information about our advisory, subscribe to our mailing list. Well, I just convert that into a feed.

Okay, you can also look for half-day vulnerabilities, and this is how I use the CVE half-day scanner. You need to create a GitHub token, so you need an API token from GitHub, and I'm just using some command line kung fu to dump that file out. And I want to say I want to look at the last 10 days of commits and I only want projects that have at least 500 stars, so I'm doing some filtering to get the number down. And then it comes in and it goes, oh well, this one has a reference to a CVE that maybe hasn't been publicized yet: there's a git commit that exists for it, there's a CVE, but maybe no one's talking about it yet.

Okay, so this is my cheat sheet for how I keep tabs on this, and again, this presentation's already on my website. If you go to security podcaster 1M dot com, slash presentations, you can find the slides for this, because you're going to want this slide. So this is my current list of all of my RSS feeds that are there, including, now that I realized, there is a folder for cigars, so I mean you can use that or not. Then this is the cvemap project, and this is how I use the cvemap project: a little cheat sheet, notes on cvemap, how to install that, and basically the command I run for it, and then also the CVE Half-Day Watcher. So this is like a little cheat sheet of how to keep up with the latest vulnerabilities and exploits.

Okay, now you should also assume that there are zero days, right? We can't possibly stand here and go, we know about all the vulnerabilities that exist. So what you're going to do is you're going to get the latest next-generation AI-enhanced multi-layered cutting-edge ZJ threat protection solution, then you're going to throw it in the trash, and then you're going to build a solid infosec program, which is a completely different talk which I haven't developed yet, but if you want it, I mean, I can work on it,
it's fine. You also want to generate your own SBOMs. There's been some interesting work in critical infrastructure. There was, I forget which particular sub-sector in critical infrastructure, they said, look, we want to go to all of our vendors for all of our equipment in the OT part of our operation and we want to ask them for an SBOM. And what most vendors said was, well, no, and some said maybe, and some said yes. And so what they did was, for those that said no, they said, well, fine, we're going to go generate our own SBOM, and they did, and it works, and it's totally possible. So for the vendors out there that are going, well, you can't possibly ask us to generate an SBOM, like, that's not possible: well, I don't even need you to generate an SBOM, I can generate my own. Now, I would like it if the vendors generated their own SBOM and I generated the SBOM and then I compared them, because, you know, I don't trust a lot of people. This is a trust issue we have here in our industry today, right?

So one of the ways, you know, I work a lot with firmware working at Eclypsium, and one of the great projects is EMBA, and EMBA will take firmware and do all kinds of things with it, but one of the things it will do is generate an SBOM and tell you what software packages are inside of that firmware. So if you take a particular piece of firmware, I can't give any real examples, if you go find firmware on the internet, over beers I can tell you more, but if you go find firmware on the internet and you run it through EMBA, it's like lifting up the hood on an old car, lifting up the covers, and you go, ah, and you put it back down. That's basically my experience running firmware through things like EMBA. There's a free one from Anchore, a container SBOM tool; there's Java SBOMs, as well as an SBOM tool from Microsoft. So there's lots of resources out there for you to generate SBOMs.

You should use Google's OSV. Now, I was looking at Google's OSV and I really liked it. I looked at a lot of projects that could help with these problems that I outlined in the first half of the presentation (seven minutes, okay), and Google's OSV was one that came up, and as a valid source I thought, because what they're doing is they're cataloging open-source software and their vulnerabilities, and they're doing it really well. They're addressing many of the problems that I addressed in the
beginning and creating a database for open-source software and libraries that is affiliated with vulnerabilities, and they've made it available in an API, I believe mostly targeted at developers, that you can build into your build process: hey look, I absorbed this library, go out to Google's OSV, go see if that library has vulnerabilities, pull them back in and work it into your build plan. So I was kind of digging Google's OSV, I thought, and they released it a while ago. When did it come out? It came out a while ago. So definitely check that out.

You need to prove something is exploitable, right? I think we kind of get hung up on this exploit thing: is it known exploitable in the wild, does an exploit exist, have we observed a threat actor using the exploit, is the exploit a proof of concept or does the exploit actually work, how well does the exploit work, should I only patch things that have an exploit or ones we've already seen in the wild? I think we just get kind of hung up on that. I think we should go back to Paul's vulnerability matrix, and if it's an 8 to 10 impact, I think we should patch it, and that's way more simplified than patching based on exploits. However, looking for exploitable vulnerabilities using cvemap is really fun too, because you can do a search and it'll search the CVE catalog and it'll give you the last 20 or so results that contain that keyword, and then it will go through all the exploit databases and look for exploits against those particular CVEs. Now, this is not only useful for defenders, but if you're on the offensive side, pretty useful as well. But I really like this particular search keyword term, because I'll just kind of pop in, because a lot of times I feel like I missed something, like I was on vacation as an example, I feel like I missed something. So I'll go back in this tool and I'll go search BMC, right, baseboard management controllers. They run firmware, they're in our purview, you know, at Eclypsium. I'm like, I want to know if there's been any new CVEs or exploits against anything that has a BMC in it, because I might have missed it, and this will bring it up. So props to whoever wrote cvemap, I didn't get the person's name, but I've been using it and I think it's a great project.

Okay, so we all need to work together to help improve these programs. I think a lot of the agencies and sectors within the government are working really hard, thank you sir, to address these problems and challenges. You don't work for these, in a different area, but thank you. So
we all need to support these programs, we all need to figure out how we can help. You know, I've personally been reaching out to contacts that I know that work in these agencies and going, like, look, how can we help? So there is going to be, and I'll put this on my social media when it happens, there's going to be like a call for a committee to help these things that'll be posted. There are job openings now, that I learned about just this afternoon, where they're looking for people to help and fill positions to help these programs, right, CVE, CVSS, EPSS. We need to have independent, non-biased programs that run these, because we rely on this data too much to let it fall in the hands of commercial vendors. Now a lot of commercial vendors, and look, I don't want to knock the commercial vendors, I don't blame them, are coming up with their own scoring systems, they're coming up with their own CVE tracking, and some of them are doing a great job, quite frankly, but we don't want that bias, right? We want this, in my opinion, to be a community effort.

Okay, now some good news. So these are like three things I observed that I think represent good news for us in this context, given all the problems at hand. One, Microsoft is adopting the CWE program. If you noticed the last round of patches for April, Microsoft's description of these vulnerabilities looked very different. It kind of took me some time to get used to, but they also included Common Weakness Enumeration, or CWE, and so they've adopted some of that. This I think is a positive thing, right? Microsoft's not running the CWE program, but they're adopting that program for their vulnerabilities. There were also 34 vulnerabilities in Secure Boot which they fixed in the latest Patch Tuesday update, and I wrote a blog on that which you should read.

So there, but there is, what if there's no patch available for end-of-life products? So there is the Center for Cybersecurity Policy that has released a paper that is advising companies on what to do for end-of-life products, and one of the recommendations that they made, I love this because this really grinds my gears, is: separate critical security fixes for customers and do not bundle those patches with new product features or functionality changes. Hooray! Like, please, can we get here? I guess I want to install version 4.2, but I want to do that in my own time. If that contains security fixes, I just want those security fixes; I don't want to have to regression test and implement a whole bunch of new features if I don't have to. Like, you know, iPhone, yeah, Apple's notorious for that.

So there are improvements also coming from the Cyentia Institute, oops, in improving EPSS. I really hope this goes through. I really hope we get an organization to help keep this enrichment data up to date, because I think it definitely has legs; it just needs a little tender love and care. Okay, and that concludes the presentation. You can get the slides at security podcaster 1M dot com, presentations. And yeah, that's it, I guess. I thank you. I got like one minute for questions. Does anyone have any? Beer? No? Yes.
Yeah, I think that's an absolutely valid point, and it depends on the audience, right? As a consumer we may, you know, if it's possible to skip those security patches, we might, in favor of the features, right? I think as consumers we gravitate towards features. I think in an IT department we might look at that differently, right? We may say, I want the security fixes, I don't want to incur the operational risk of new features and security fixes in one, I want to be able to separate them, right? So I think your point is completely valid. I think I would separate it into different audiences, right? Questions?

Yes. Yeah, I think largely, I don't know, I'm kind of biased. So I own a Tesla and I get new software all the time, right? But I think I've spoken with people about the overall security of all the vehicles, you know, that we have here in the US, and Tesla has had a bug bounty program for a long time and done a really good job at pushing out updates and responding to security vulnerabilities and pushing them out. Now they're not the only ones, there are others as well, but it's a spectrum just like anything else: some are really good at dealing with updates and pushing them out and some are really bad. I think overall technology has evolved to do that, but we also see a lot of recalls in the automotive industry as well, which we don't see, like, I want a recall for my network appliance, right? In, like, I think two different cases, I won't name the vendors, they have said you need to replace your devices, right? I mean, effectively that was a recall. So I think the recall model is applicable. All right, I'll be around if anyone has questions, 2 minutes over, but thank you all for coming to my talk. [Applause]
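The OSV build-step lookup the talk describes (query a library, pull its vulnerabilities back, and act on them in the build), as an added example in Python that is not code from the talk, from Eclypsium or from the OSV project. It assumes OSV's public v1 query endpoint and response schema; the package name, advisory ID and CVE ID in the sample response are constructed placeholders, not real advisories.

```python
"""OSV dependency check for a build step: one live query helper plus an offline
summarizer. Added example; assumes OSV's v1 query endpoint and response schema."""
import json
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"


def build_query(ecosystem, name, version):
    """Request body for one package/version (ecosystem as OSV names it, e.g. PyPI)."""
    return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}


def query_osv(ecosystem, name, version, timeout=10):
    """Live lookup; needs network, so the offline path below uses a canned response."""
    body = json.dumps(build_query(ecosystem, name, version)).encode()
    req = urllib.request.Request(OSV_QUERY_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize(response, ecosystem, name):
    """Per vulnerability: OSV id, CVE aliases, and the fixed versions for this package."""
    findings = []
    for vuln in response.get("vulns", []):
        fixed = set()
        for affected in vuln.get("affected", []):
            pkg = affected.get("package", {})
            if pkg.get("name") != name or pkg.get("ecosystem") != ecosystem:
                continue  # an advisory can list several packages; keep only ours
            for rng in affected.get("ranges", []):
                fixed.update(ev["fixed"] for ev in rng.get("events", []) if "fixed" in ev)
        cves = sorted(a for a in vuln.get("aliases", []) if a.startswith("CVE-"))
        findings.append({"id": vuln["id"], "cves": cves, "fixed": sorted(fixed)})
    return findings


def build_should_fail(findings):
    """Gate for the build plan: any known vulnerability for the pinned version blocks it."""
    return len(findings) > 0


# Constructed sample in OSV's schema; the ids are placeholders, not real advisories.
SAMPLE_RESPONSE = {"vulns": [{
    "id": "GHSA-xxxx-xxxx-xxxx",
    "aliases": ["CVE-0000-00000"],
    "affected": [{"package": {"ecosystem": "PyPI", "name": "examplelib"},
                  "ranges": [{"type": "ECOSYSTEM",
                              "events": [{"introduced": "0"}, {"fixed": "1.4.2"}]}]}],
}]}
```

Swap `SAMPLE_RESPONSE` for `query_osv("PyPI", "examplelib", "1.3.0")` to run it live against OSV.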