Friday, December 17, 2004

Open Vulnerability Assessment Language

Jay Beale's excellent new article "Big O" for Testing brought MITRE's Open Vulnerability Assessment Language project to my attention. I didn't understand how this project was different from MITRE's Common Vulnerabilities and Exposures project until I looked at OVAL's details.

Consider CAN-2003-1048. This is Microsoft Security Bulletin MS04-025, which described multiple problems with vulnerable versions of Internet Explorer. If you look at the CVE entry, you'll see the following information:

- Name: CAN-2003-1048 (under review)
- Description: Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.
- References:
-- FULLDISC:20030902 New Microsoft Internet Explorer mshtml.dll Denial of Service?
-- URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=106248836920737&w=2
-- FULLDISC:20040902 AW: [Full-Disclosure] New Microsoft Internet Explorer mshtml.dll
-- URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=106251714116250&w=2
...edited...
Phase: Assigned (20040720)
Votes:
Comments:

We see that the CVE entry is a way to link together all of the different references and names for this particular vulnerability.

If we check the OVAL-ID, we see information on how to check for the presence of that vulnerability:

Status: ACCEPTED
CVE-ID: CAN-2003-1048
Platform(s): Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP
Version: 1
Summary: Refer to CVE-ID
Description: Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.
Definition Synopsis:
-- Vulnerable software exists
* Internet Explorer 6 Service Pack 1 is installed
* the version of mshtml.dll is less than 6.00.2800.1458
* NOT the patch kb832894 is installed (Installed Components key)
-- Vulnerable configuration
Your machine is vulnerable if ...

vulnerable software section:
Internet Explorer 6 Service Pack 1 is installed
------------------------------------------------------
-- registry_test:
+ the hive 'HKEY_LOCAL_MACHINE' exists
+ the key 'SOFTWARE\Microsoft\Internet Explorer' exists
+ the name 'Version' exists
+ the value equals '6.00.2800.1106'

AND

the version of mshtml.dll is less than 6.00.2800.1458
------------------------------------------------------
-- file_test:
+ the file %WinDir%\system32\mshtml.dll exists
+ the version is less than '6.0.2800.1458'

AND NOT

the patch kb832894 is installed (Installed Components key)
------------------------------------------------------
-- registry_test:
+ the hive 'HKEY_LOCAL_MACHINE' exists
+ the key 'SOFTWARE\Microsoft\Active Setup\Installed Components\{2298d453-bcae-4519-bf33-1cbf3faf1524}' exists
+ the name 'IsInstalled' exists
+ the value equals 1

Besides the "pseudocode" above, SQL and XML renditions of the vulnerability are available.
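To make the structure of that synopsis concrete, here is an added example (not OVAL's own code or any MITRE tooling) that models the definition as a tree of registry and file tests and evaluates it against a constructed host snapshot; the Host class, snapshot() helper and the sample registry and file values are assumptions standing in for real system reads.

```python
from dataclasses import dataclass
from typing import Dict, Tuple
@dataclass
class Host:
    # Constructed snapshot standing in for real registry and file reads.
    registry: Dict[Tuple[str, str, str], object]  # (hive, key, name) -> value
    files: Dict[str, str]                          # path -> file version string

def parse_version(v: str) -> Tuple[int, ...]:
    # Compare field by field as integers, so '6.00.2800.1458' == '6.0.2800.1458'.
    return tuple(int(p) for p in v.split("."))

def registry_test(hive, key, name, equals):
    # "the hive/key/name exists" and "the value equals ..."; a missing name is False.
    return lambda h: h.registry.get((hive, key, name)) == equals

def file_version_less_than(path, version):
    # file_test: the file exists and its version is below the fixed build.
    def check(h: Host) -> bool:
        actual = h.files.get(path)
        return actual is not None and parse_version(actual) < parse_version(version)
    return check

def AND(*tests):
    return lambda h: all(t(h) for t in tests)

def NOT(test):
    return lambda h: not test(h)
HIVE = "HKEY_LOCAL_MACHINE"
IE_KEY = r"SOFTWARE\Microsoft\Internet Explorer"
KB_KEY = (r"SOFTWARE\Microsoft\Active Setup\Installed Components"
          r"\{2298d453-bcae-4519-bf33-1cbf3faf1524}")
MSHTML = r"%WinDir%\system32\mshtml.dll"

# Definition synopsis: vulnerable software AND old mshtml.dll AND NOT the patch.
CAN_2003_1048 = AND(
    registry_test(HIVE, IE_KEY, "Version", "6.00.2800.1106"),
    file_version_less_than(MSHTML, "6.0.2800.1458"),
    NOT(registry_test(HIVE, KB_KEY, "IsInstalled", 1)),
)
def snapshot(ie_version: str, mshtml_version: str, kb832894: bool) -> Host:
    # Build a constructed host; real tooling would query the live system.
    reg = {(HIVE, IE_KEY, "Version"): ie_version}
    if kb832894:
        reg[(HIVE, KB_KEY, "IsInstalled")] = 1
    return Host(reg, {MSHTML: mshtml_version})

def is_vulnerable(ie_version: str, mshtml_version: str, kb832894: bool) -> bool:
    return CAN_2003_1048(snapshot(ie_version, mshtml_version, kb832894))
```

Only the combination of IE 6 SP1, an mshtml.dll below the fixed build and no KB832894 marker evaluates to vulnerable; patching or updating the DLL alone flips the result.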

This language seems incredibly useful. Just seeing the pseudocode helps me understand what needs to happen to resolve the specified vulnerability. In July Javier Fernandez-Sanguino mentioned OVAL on the nessus-announce mailing list, but I wasn't able to track down any more recent references to integrating OVAL into Nessus.
