Vulners weekly digest #5

+1 integration for Vulners
Review fresh vulnerabilities without Microsoft
News without COVID-19 and ZOOM

This week Vulners integrated with a new great project:

It is already available:

Vulnerabilities, exploits or PoCs

Is it possible to make a digest without vulnerabilities in Microsoft products? Let’s try to do it!

Multiple vulnerabilities in the IQrouter

Information security researchers often like to deal with noname network devices and find all sorts of vulnerabilities in them. This week’s target was the IQrouter and its firmware version 3.3.1:

The researcher also made an example of exploiting all these vulnerabilities:

RCE PoC for Sysaid v20.1.11

Sysaid is a free Help Desk software for IT support. CVE-2020-10569 allows unauthenticated access to upload any files, which can be used to execute commands on the system by chaining it with a GhostCat attack. Attackers could read app configuration files and steal passwords or API tokens, or they could write files to a server, such as backdoors or web shells:

Oracle Solaris

CVE-2020-2944 affects versions 10 and 11 of this UNIX OS. The vulnerability allows a low-privileged attacker with logon access to the infrastructure where Oracle Solaris executes to compromise it. Oracle has released a fix for all affected and supported versions of Solaris in the April Critical Patch Update.


Multiple vulnerabilities in the QRadar Community Edition

QRadar is one of the most famous SIEM systems. The Community Edition is limited to 50 events per second and 5,000 network flows a minute, supports apps, but is based on a smaller footprint for non-enterprise use. Too many vulnerabilities were found in one of the latest releases of this edition:

At the time of publication of this digest, the latest version of QRadar is V7.3.3


Lulzbuster is a very fast and smart web directory and file enumeration tool written in C.

Get chromium browsers: passwords, credit cards, history, cookies, bookmarks.

Pwned is a simple command-line Python script to check whether one of your passwords has been compromised in a data breach. The full scheme of the script:


MITRE releasing the results of evaluations
Apple zero-days in Mail app
The Incident Response Challenge 2020 – $$$

MITRE ATT&CK Evaluations

The main event of the week for many information security vendors – results of MITRE evaluation methodology based on APT29:

In late 2019, the ATT&CK Evaluations team evaluated 21 endpoint security vendors with their endpoint detection and response (EDR) products, using its now industry-standard open methodology, the ATT&CK framework.

For complete evaluation results, you can review the data published on the MITRE website.

VMware Carbon Black results:
Microsoft ATP results:



On April 22, ZecOps announced the in-the-wild use of two 0-day vulnerabilities in the Mail application, allowing full control of the attacked user’s correspondence on the entire line of iPad and iPhone devices.

ZecOps reported that it recorded the use of the exploits against:

  • employees of US companies from the Fortune 500 list;
  • the director of a carrier company from Japan;
  • a German VIP;
  • MSSPs (Managed Security Service Providers) from Saudi Arabia and Israel;
  • a European journalist;
  • as well as a suspected compromise of the head of one of the Swiss companies.

To this Apple responds as expected: “We have studied the ZecOps report and concluded that the identified errors do not pose a threat to users. We will close them in the next updates.”

ZecOps also promises to post more technical information about errors and the facts of their use after the patch is released.

The Incident Response Challenge 2020

On April 21st, cybersecurity firm Cynet announced the launch of a first-of-its-kind challenge to enable Incident Response professionals to test their skills with 25 forensic challenges built by top researchers and analysts.

The challenge is available on and is open to anyone willing to test his or her investigation skills, between April 21st and May 15th.

Are you a hands-on forensic researcher, SOC analyst, or malware analyzer? Go to, get your hands dirty, and beat your peers to get the first prize!

Monthly Vulners Review #1

The first monthly vulners review.
Main Vulners events.
Only critical and important vulnerabilities.
Some interesting tools.
The most entertaining and flashy news.

Vulners events

There have been several events for Vulners this month:

  1. The revival of the blog;
  2. Translation of research Hidden Threat – Vulnerability Analysis using the news graph from Lydia Khramova;
  3. Integration with the Exploit Pack collection, which we mentioned last week;
  4. Appearance and description of the OSS-Fuzz data functionality in Vulners.

Vulnerabilities and Exploits

Of course we start with a short review of ‘The second Tuesday from Microsoft’.

This month’s Microsoft Patch Tuesday addresses 113 vulnerabilities, 19 of them Critical.

0-day in font library

Microsoft patched two vulnerabilities (CVE-2020-0938, CVE-2020-1020) in the Adobe Font Manager Library that were announced in March. We wrote about them at the beginning of weekly digest #2.

To exploit these vulnerabilities, an attacker needs social engineering so that the user opens a malicious document or views it in the Windows Preview pane.


If you use it, you will need to monitor for security updates. Microsoft released patches for SharePoint covering four RCE vulnerabilities (CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, CVE-2020-0974). An attacker could exploit any of them by uploading a specially crafted SharePoint application package to an affected version of SharePoint. There is also one XSS, CVE-2020-0927, that can be exploited by an authenticated attacker by sending a specially crafted request to an affected SharePoint server.

Kernel zero-day

The other zero-day is an elevation-of-privilege vulnerability, CVE-2020-1027, in the Windows kernel, discovered by the Google Project Zero team.

Hyper-V Escape

A critical remote code execution vulnerability, CVE-2020-0910, is patched in Hyper-V; it allowed a guest virtual machine to compromise the hypervisor, escaping from the guest virtual machine to the host.


HP ThinPro is a Linux-based operating system. This month we’re looking at two PoCs for two vulnerabilities in versions 6.x/7.x of this OS:

  1. PoC for CVE-2019-18910, a Privileged Command Injection vulnerability. The VPN does not safely handle user input, so an attacker can inject arbitrary commands that execute with root privileges on the device.
  2. PoC for CVE-2019-16286, a Filter Bypass. Attackers can bypass the restrictions that administrators set on users’ applications, launch restricted applications and execute arbitrary commands on the device.

Centos Web panel
CWP is a free web hosting control panel designed for quick and easy management of (dedicated and VPS) servers. CVE-2020-10230 is an SQL injection in Centos Web Panel 7 and 6 via the /cwp_{SESSION_HASH}/admin/loader_ajax.php term parameter.


CVE-2020-1934 and CVE-2020-1927 in Apache HTTP Server are some of the most popular vulnerabilities of the month. Vulnerable versions: 2.4.x < 2.4.42. As history shows, if an exploit appears for one of them, you will soon read about it in the attack news.

  • CVE-2020-1934: mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server;
  • CVE-2020-1927: redirects via mod_rewrite might be fooled by encoded newlines and redirect instead to an unexpected (malicious) URL.

Exploit for Apache Solr <8.3.0 / CVE-2019-17558
Apache Solr is an open-source enterprise-search platform, written in Java, from the Apache Lucene project. Solr can run as a standalone full text search server.

The Metasploit module allows RCE via a custom Velocity template. After identifying a list of Solr core names, an attacker can send a specially crafted HTTP POST request to the Config API. Enabling the resource loader in the solrconfig.xml file lets an attacker use the Velocity template parameter in a specially crafted Solr request, leading to RCE. Currently, this module only supports Solr basic authentication.


Nexus Repository Manager
RCE in Nexus < 3.21.2 – CVE-2020-10199. Nexus is a very popular repository manager from Sonatype. It lets you host a small Maven Central of your own within your project.

The Metasploit module exploits a Java Expression Language (EL) injection in Nexus Repository Manager to execute code as the Nexus user. It is a post-authentication vulnerability, so credentials are required to exploit it. Any user, regardless of privilege level, may be used.

Liferay Portal < 7.2.1
Liferay Portal is an open-source solution designed for centralized access to several different corporate applications in one place. The exploit for CVE-2020-7961 allows remote arbitrary code execution via JSON web services (JSONWS).


PlaySMS is free and open-source SMS management software; in versions < 1.4.3 it does not sanitize inputs for malicious strings. The TPL template language is vulnerable to PHP code injection. The vulnerability is triggered when an attacker provides a username with a malicious payload. This payload is stored in the TPL template, which when re-rendered leads to code execution.

The exploit was tested on the machine from Hack The Box (Frolic):

Horde CVE-2020-8518
Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, iCalendar, vCard, etc., leading to remote code execution. The vulnerability allows authenticated users to inject arbitrary PHP code, thus achieving remote code execution on the server hosting the web application.


ThinkPHP – two in one combo
ThinkPHP is an open-source PHP framework. The Metasploit module covers CVE-2018-20062 and CVE-2018-9082 and uses one of them for code injection as the web user. The module will automatically attempt to detect the version of the software.


In this part, we will list the most popular tools of the month that have just appeared or received an update.



mssqlproxy is a toolkit for lateral movement through a compromised Microsoft SQL Server via socket reuse. The client requires impacket and sysadmin privileges on the SQL server.

Attacks on industrial MS SQL servers are not common. This attack technique is used by advanced attackers. It is not surprising that someone came up with and wrote a kind of reverse proxy.

A detailed report about MS SQL CLR (check the presentation in the video description):
Other nice research on this theme:

Puma Security Serverless Prey

Serverless Prey is a collection of serverless functions (FaaS), that, once launched to a cloud environment and invoked, establish a TCP reverse shell, enabling the user to introspect the underlying container. Usually attackers develop custom tools of this kind or significantly modify existing ones.

Jackdaw – Tool To Collect All Information In Your Domain And Show You Nice Graphs
See the description in Vulners weekly digest #3


Project iKy v2.4.0

The utility and functionality of this tool are in doubt. According to the authors, the tool collects information from an email address and shows the results in a visual interface.

See the description in Vulners weekly digest #4

uDork – Google Hacking Tool
See the description in Vulners weekly digest #1

Purple teaming

It’s a good idea to check the sensational exploit and write new correlation rules: CVE-2020-0796 Windows SMBv3 LPE Exploit


_______       _____________          
___    |___  _______  /__(_)___  __  
__  /| |  / / /  __  /__  /__  |/_/  
_  ___ / /_/ // /_/ / _  / __>  <    
/_/  |_\__,_/ \__,_/  /_/  /_/|_| 
Automation for Windows Event Audit Policies for monitoring & incident response.


Look at Vulners weekly digest #3


Monthly rockstars: COVID-19, Trickbot and ZOOM

COVID-19 and attacks

Attacks on hospitals were detected between 24 and 26 March and were initiated as part of coronavirus-related phishing campaigns that have become widespread in recent months.

The disclosure from Palo Alto Networks comes as the US Department of Health and Human Services (HHS), biotech firm 10x Genomics, Brno University Hospital in the Czech Republic and Hammersmith Medicines Research have been hit by cyber attacks in the past few weeks.

The theme of the pandemic and COVID-19 is an ideal lure for threat actors, and cybercrime will go to any extent, including targeting organizations that are on the front lines and responding to the pandemic on a daily basis.

Ransomware and Trickbot

The emails, sent from a spoofed WHO email address (noreply@who[.]int), contained a Rich Text Format (RTF) file that purported to spread information about the pandemic. When opened, the RTF file attempted to deliver a ransomware payload that exploits a known vulnerability (CVE-2012-0158) in Microsoft Office, which allows attackers to execute arbitrary code.

When opened, the malicious attachment drops a ransomware binary to the victim’s disk and then executes it.

The ransomware binary then encrypts files with various extensions, including “.DOC”, “.ZIP”, “.PPT” and more. Some hospitals have been targeted by the Ryuk ransomware, according to security researcher “PeterM” on Twitter:

Attackers will continue to use the COVID-19 theme for cyber attacks due to the global pandemic scare, including malware attacks, malicious URLs and identity fraud.


Two zero-day vulnerabilities were discovered in the Zoom video conferencing platform, which would allow threat actors to spy on people’s private video conferences and additionally use the target system.

One of the 0-day vulnerabilities relates to the ZOOM client for Windows and allows remote code execution on the attacked system, but can only be used in conjunction with other existing bugs. For data about this hole, hackers ask for 500 thousand dollars, but, according to experts, this price is inflated by half.

The second 0-day vulnerability is present in ZOOM for Mac, but does not lead to remote code execution. Accordingly, its value is much lower.

In our last two reviews, we have already written about the achievements of ZOOM 🙂

OSS-Fuzz data in Vulners

This month, Vulners collected Google’s open-source OSS-Fuzz data. OSS-Fuzz is a great tool for fuzz testing your projects to uncover different kinds of programming errors in software.

“OSS-Fuzz provides ‘fuzzing as a service’ for open source projects”


It’s amazing that this data is now available both for easy visual searching and via the Vulners scanner API. Examples for your requests:

<type:ossfuzz AND>


This critical RCE vulnerability in ImageMagick is a prime example. ImageMagick is an open-source image-processing library that lets users resize, scale, crop, watermark and tweak images.

By uploading a booby-trapped selfie to a web service that uses ImageMagick, an attacker can execute malicious code on the website’s server and steal critical information. In other words, only websites that use ImageMagick and allow their users to upload images are vulnerable.

The exploit for the vulnerability has been named: ImageTragick

The vulnerability was patched in versions 7.0.1-1 and 6.9.3-10 of ImageMagick.

You can write code perfectly and securely, but you often use open-source libraries that may contain serious vulnerabilities. Why should developers be interested in checking the security of the components of their own applications?

Supply chain attacks are a kind of threat that targets software developers. The main purpose is to gain access to source code, libraries or update mechanisms by infecting legitimate applications.

Software supply chain attacks explained

Attackers hunt for insecure network protocols, unprotected server infrastructure and unsafe coding practices. They break in, change source code, and hide malware in build and update processes. One type of supply chain attack is the compromise of software build tools or update infrastructure.

Vulners OSS-Fuzz data is one of the components for solving these problems. You can use it to improve your information security and build an automated checking process for your applications.

Example of use via the Vulners proprietary API:

import vulners

vulners_api = vulners.Vulners(api_key="YOUR_API_KEY_HERE")

results = vulners_api.softwareVulnerabilities("httpd", "1.3")

You can get your API key after registration:

Open the API keys tab and generate a new token
Keep it secret and don’t show it to anyone

You can use the most popular Python framework for test automation, pytest. Extract all packages used by the application under development and check them with a simple script.

import vulners
import pytest

vulners_api = vulners.Vulners(api_key="YOUR_API_KEY")

# Package name -> version to check against the Vulners database
checking_packets = {
    "imagemagick": "7.0.10-2",
    "arrow": "0.17.0",
    "wireshark": "3.1.1"
}

# One fixture instance per (name, version) pair; each becomes its own test case
@pytest.fixture(scope='module', params=[(k, v) for k, v in checking_packets.items()])
def vulners_checking(request):
    """Checking packets.

    :param request: Pytest Request object.

    :return: result after checking packet via Vulners api.
    """
    packet_name = request.param[0]
    packet_version = request.param[1]
    checking_result = vulners_api.softwareVulnerabilities(packet_name, packet_version)
    return packet_name, checking_result

def test_packets(vulners_checking):
    packet_name, checking_result = vulners_checking
    assert len(checking_result) == 0, f"{packet_name} packet is vulnerable, update it."

Comment: pytest provides many built-in features for creating reports with results: plugins for generating Allure reports, or pytest-html for further conversion to PDF format or rendering a beautiful mail.

Script results with the default startup parameters:

From the description key in the result you can get full detailed information and format it in your reports.

For example, this approach can be integrated into a check of all the library versions used when building your projects via CI/CD systems. According to our statistics, this functionality is already in demand: there are about 10 requests per second for checking library versions.
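As an added example (not from the original post), the script below shows one way to do what the previous paragraphs describe in a CI job: build the package/version map from a pinned requirements.txt and run the check through an injectable lookup, so the same logic can be unit-tested offline and then wired to vulners_api.softwareVulnerabilities. The requirements text, the FAKE_DB contents and the fake_lookup stand-in are all constructed for illustration; lower-casing package names is an assumption based on the post’s own examples such as "imagemagick".

```python
"""Pinned-requirements extraction plus an injectable Vulners-style check."""
import re

# Constructed sample requirements file (not from the original post).
SAMPLE_REQUIREMENTS = """\
# web stack
Django==3.0.5
requests==2.23.0  # pinned for the API client
Pillow[webp]==7.1.1 ; python_version >= "3.6"
pytest>=5.4        # unpinned: cannot be checked exactly
-e git+https://example.invalid/repo.git#egg=internal_tool
"""

# name, optional [extras], then an exact '==' pin; version stops at space/;/#
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)"
)


def parse_pinned_requirements(text):
    """Return ({name: version}, [skipped lines]) for exactly pinned requirements.

    Names are lower-cased (assumption: Vulners software names are lower-case,
    as in the post's examples). Ranges, editable installs and comments are
    reported in `skipped` so a CI job can warn that they were not checked.
    """
    pinned, skipped = {}, []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()   # drop trailing comments
        if not stripped:
            continue
        match = PIN_RE.match(stripped)
        if match:
            pinned[match.group(1).lower()] = match.group(2)
        else:
            skipped.append(stripped)
    return pinned, skipped


def check_packages(packages, lookup):
    """Run `lookup(name, version)` for each package and return {name: hit count}.

    In production `lookup` would be vulners_api.softwareVulnerabilities; here it
    is injected so the logic runs offline. A non-empty result should fail the build.
    """
    vulnerable = {}
    for name, version in packages.items():
        findings = lookup(name, version)
        if findings:
            vulnerable[name] = len(findings)
    return vulnerable


# Offline stand-in for the Vulners API: constructed data, not real advisories.
FAKE_DB = {
    ("django", "3.0.5"): ["FAKE-DJANGO-ADVISORY"],
    ("requests", "2.23.0"): [],
    ("pillow", "7.1.1"): ["FAKE-PIL-1", "FAKE-PIL-2"],
}


def fake_lookup(name, version):
    """Mimics the shape the check needs: a list of findings per package."""
    return FAKE_DB.get((name, version), [])


if __name__ == "__main__":
    pinned, skipped = parse_pinned_requirements(SAMPLE_REQUIREMENTS)
    print("checked:", pinned)
    print("not checked (unpinned):", skipped)
    print("vulnerable:", check_packages(pinned, fake_lookup))
```

To use it against the real service, pass `vulners_api.softwareVulnerabilities` as `lookup` and point `parse_pinned_requirements` at the file contents produced by your build; the `skipped` list is worth surfacing in CI output, because an unpinned dependency is exactly the one you cannot vouch for.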

Current pricelist:

We provide up to 1000 free requests per month to the Vulners API. This is enough to check a typical project with 20-30 libraries every three days. You can test it now!

The Vulners platform is constantly improving and adding more and more new integrations that you can use in your projects. Follow our news and new research!

Vulners weekly digest #4

Your Exchange server is still sweet, and other vulnerabilities.
Serious boost for pentest frameworks.
ZOOM continues to smoke and we continue to write about it in our digest.

EXPLOITS and vulnerabilities

“If You Can’t Patch Your Email Server, You Should Not Be Running It”

CVE-2020-0688 is becoming popular. While the flaw was fixed as part of Microsoft’s February Patch Tuesday updates, researchers warned in a March advisory that unpatched servers are being exploited by APT actors. In one of the latest pieces of research from Rapid7, it is reported that Exchange servers are still vulnerable to CVE-2020-0688. Researchers observed attackers leverage the flaw to run system commands to conduct recon, deploy webshell backdoors and execute fileless frameworks for post-exploitation.

The exploit attempts that Rapid7 researchers tested show up in the Windows Application event log with source MSExchange Control Panel, level Error, and event ID 4. This log entry will include the compromised user account and a long error message that includes the text Invalid viewstate.

You can also review your IIS logs for requests to a path under /ecp (usually /ecp/default.aspx) which contain the strings __VIEWSTATE and __VIEWSTATEGENERATOR. The long string in the middle of this request, as in the case of the Windows event log above, is a portion of the exploit payload. You will see the username of the compromised account at the end of the log entry.

The update for CVE-2020-0688 should be installed on any Exchange mail server.
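As an added example that is not part of the original digest, the following script implements the IIS log check described above: it parses W3C-format log lines using the #Fields header, flags requests to a path under /ecp whose query string carries both __VIEWSTATE and __VIEWSTATEGENERATOR, and reports the account and client address for each hit. The log lines are constructed; the column order is read from the #Fields header, so the check does not depend on where cs-username sits in your server’s logging configuration.

```python
"""Flag CVE-2020-0688-style ViewState requests to /ecp in IIS W3C logs."""
import re
from dataclasses import dataclass

# Constructed sample log (not real data): one benign OWA request, one ECP
# request carrying a ViewState payload in the query string, one benign ECP hit.
FAKE_VIEWSTATE = "A" * 48  # stands in for the long serialized payload
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 10.0\n"
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status\n"
    "2020-04-10 08:15:02 10.0.0.5 GET /owa/ - 443 CORP\\alice 10.0.0.77 "
    "Mozilla/5.0 200\n"
    "2020-04-10 08:16:44 10.0.0.5 GET /ecp/default.aspx "
    f"__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE={FAKE_VIEWSTATE} 443 "
    "CORP\\bob 203.0.113.9 python-requests/2.23 302\n"
    "2020-04-10 08:17:10 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\alice "
    "10.0.0.77 Mozilla/5.0 200\n"
)

VIEWSTATE_RE = re.compile(r"__VIEWSTATE=([^&]*)")


@dataclass
class Finding:
    timestamp: str
    username: str
    client_ip: str
    uri_stem: str
    viewstate_len: int


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]      # header can change mid-file; honour it
            continue
        if not raw or raw.startswith("#"):
            continue                      # other directives (#Software, #Date)
        if fields is None:
            raise ValueError("log record before any #Fields header")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue                      # malformed line: skip, don't misalign
        yield dict(zip(fields, values))


def find_ecp_viewstate_requests(text):
    """Return a Finding for every /ecp request carrying both ViewState parameters."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "")
        if not stem.lower().startswith("/ecp"):
            continue
        if "__VIEWSTATEGENERATOR=" not in query or "__VIEWSTATE=" not in query:
            continue
        match = VIEWSTATE_RE.search(query)
        findings.append(Finding(
            timestamp=f"{rec['date']} {rec['time']}",
            username=rec.get("cs-username", "-"),
            client_ip=rec.get("c-ip", "-"),
            uri_stem=stem,
            viewstate_len=len(match.group(1)) if match else 0,
        ))
    return findings


if __name__ == "__main__":
    for hit in find_ecp_viewstate_requests(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client_ip} -> {hit.uri_stem} "
              f"as {hit.username} (viewstate {hit.viewstate_len} chars)")
```

A hit is a reason to check the account’s recent activity and the server’s patch level, not proof of compromise on its own; normal ECP browsing sends ViewState in a POST body, not in the query string, which is why the query-string check is such a cheap filter.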


Vesta Control Panel Authenticated RCE

The vulnerability (CVE-2020-10808) was disclosed and fixed in late April. At the same time, a pull request was created in the Metasploit repo. Vesta Control Panel is one of the most popular, simple and convenient panels for managing websites. Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint.
The point of the vulnerability is that a low-privileged authenticated attacker can inject a payload into a file name that starts with a dot.

More detailed technical description with video POC:

LimeSurvey CVE-2020-11456

LimeSurvey is a simple open-source tool which you can install on your server to compile custom templates for surveys. You can use it to create custom survey templates using formatted text with image/video integration. LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php.




GitHound v1.1 helps to find sensitive information across all of GitHub, uploaded by any user. According to the author, this tool helped him earn money 🙂 A cool tool for bug bounty hunters.


What if we had a tool that could show us the terminal of an active SSH connection? And… maybe… control it? Record it? Investigate?

The author of SSHPry 2.0 implemented a technique to capture ALL read() strings of a connected SSH client in a script that mirrors the client’s terminal.

Main features:

  • Control of target’s TTY
  • Built-In Keylogger
  • Console-Level phishing
  • Record & Replay previous sessions

The video better shows the functionality of the tool:


Have you ever needed to use a tool like Process Explorer in your shell session? Ps-Tools provides such an opportunity. Why this, if the same thing can be done through PowerShell? PowerShell is currently under heavy security monitoring. The authors mention only Cobalt Strike in their research, but it can be used from any framework: for example, to detect security solutions (AV, EDR, etc.), collect more detailed information about a compromised system or find more opportunities for lateral movement.

This functionality helps to better understand the systems and IT infrastructure of your target, and periodically polling this information allows a Red Team to react to possible changes within the IT environment (an investigation trigger, for example). Purple Teams should test it to develop new detection rules. It is assumed that this new functionality will be used in the most advanced penetration tests.

Dangerous remote work

Due to the pandemic, many organizations began to work remotely. In this regard, APT groups increased their activity through phishing/spear phishing using the COVID-19 context, and attempts to exploit zero-day vulnerabilities in many tools for remote work: video conferencing, VPNs, remote access tools, etc.

An April analysis from Kaspersky uncovered a total of 120,000 suspicious malware and adware packages in the wild masquerading as versions of the video calling app. The research found that among a total of 1,300 suspicious files not using the Skype name, 42 percent were disguised as Zoom, followed by WebEx (22 percent), GoToMeeting (13 percent), Flock (11 percent) and Slack (11 percent).

Example: Cisco ‘Critical Update’ Phishing Attack Steals Webex Credentials

CVE-2016-9223 is a legitimate vulnerability in CloudCenter Orchestrator Docker Engine, which is Cisco’s management tool for applications in multiple data-center, private-cloud and public-cloud environments. This critical flaw allowed unauthenticated, remote attackers to install Docker containers with high privileges on affected systems. However, the vulnerability was fixed in the Cisco CloudCenter Orchestrator 4.6.2 patch release (also in 2016).

Zoom, are you OK?

ZOOM is still the focus of a lot of news. Researchers have uncovered a database shared on an underground forum containing more than 2,300 compromised Zoom credentials. Compromised Zoom credentials could give cybercriminals access to web conference calls.

Attackers can join a meeting and blast music or videos to interfere with it. This practice, called “Zoom bombing”, has been spiking upwards over the past few weeks, despite the FBI cracking down on the issue and warning that those who take part in Zoom bombing could face jail time.

Researchers warn users to stay on the lookout for bad actors spoofing web conferencing and virtual collaboration apps. In general, attackers are taking advantage of the panic around the coronavirus with phishing emails around financial relief, promises of a cure and symptom information details.

Vulners weekly digest #3

Weekly overview of new vulnerabilities, exploits, tools and other news from the world of information security.

Vulners has officially integrated with EXPLOITPACK this week. Now customers can get even more information centrally about the vulnerabilities they need.

All interest in the difference 🙂



Congratulations, this week there was an exploit for CVE-2020-0796. We wrote about this vulnerability in our previous digest:

Let’s start patching and testing exploits (in your own labs or for detection purposes 🙂 )


A new module for DotNetNuke (versions 5.0.0 to 9.3.0-RC) was recently added to Metasploit. Vulnerable versions store user profile information in the DNNPersonalization cookie in XML format. The expected structure includes the “type” attribute, which tells the server which type of object to create during deserialization. The issue is reachable if DNN is configured to handle 404 errors with its built-in error page (the default configuration). An attacker can use this vulnerability for remote code execution on the target system.

Redis Replication Code Execution

Vulners assigns its own AI score to many exploits and vulnerabilities. Thus, the exploit for Redis has gained a fairly high rating and has become more popular due to a new bug fix. The extension functionality added after Redis 4.0.0, which allows arbitrary code to be executed, turned out to be abusable. To deliver the extension, the exploit makes use of the Redis replication feature between master and slave.

More research about the Vulners AI score:



This tool helps you collect information about a domain, store it in a SQL database and show it as a graph, giving a better understanding of how Active Directory objects interact with each other. Main features:

  • Data acquisition;
  • Graph building;
  • Anomaly detection

Webkiller v2.0

A simple tool for gathering information. If you don’t want to learn large and intricate OSINT frameworks, you will like this tool.


Pulsar is an automated framework with a GUI for Red Teams, pentesters and bounty hunters. If you like full-scale and holistic tools, it will fascinate you for a long time and can become a permanent tool. This framework integrates several projects:

The full structure of the project:


A simple search tool to find files containing specific keywords. Main features:


If coronavirus is the number one topic in IT news, then ZOOM has definitely taken the second place in recent days.

The ZOOM client, when a URL is sent in its internal chat, converts it into a hyperlink. However, along with this, it also converts the UNC paths that Windows uses to access network resources into hyperlinks.

When you click on such a hyperlink, Windows uses the SMB protocol and transfers the username and the NTLM hash of the user’s password to the other side. The latter can easily be cracked given modern computing power.

Thus, an attacker, having sent a specially formed link to the application’s internal chat, can subsequently obtain a user’s login and password. In addition, a command to start a local application can be sent in UNC format. True, in this case Windows will ask for permission to run it.
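The conversion behaviour described above, shown as an added example (this is not Zoom’s code and not from the original digest): a naive linkifier that turns both URLs and UNC paths into clickable links, beside a hardened one that only links allow-listed URL schemes and leaves \\host\share text inert, plus a small detector a chat server could use to flag UNC-looking messages. The message text is constructed.

```python
"""Weak vs. hardened chat linkification for the UNC-path failure mode."""
import re

# Only these schemes may become clickable; everything else stays plain text,
# so the client never hands a \\host\share target to the OS on click.
ALLOWED_SCHEMES = ("http", "https")

# scheme://rest  (any scheme, so the hardened version can reject by allow-list)
URL_RE = re.compile(r"\b(?P<scheme>[a-z][a-z0-9+.-]*)://\S+", re.IGNORECASE)
# \\host\share... : two backslashes, a host, one backslash, then the share path
UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\s]+")


def is_unc_path(text):
    """Detector for messages carrying a UNC path (useful for server-side flagging)."""
    return UNC_RE.search(text) is not None


def _anchor(target):
    return f'<a href="{target}">{target}</a>'


def linkify_unsafe(message):
    """Weak behaviour: anything that looks like a URL OR a UNC path becomes a link."""
    message = URL_RE.sub(lambda m: _anchor(m.group(0)), message)
    return UNC_RE.sub(lambda m: _anchor(m.group(0)), message)


def linkify_safe(message):
    """Hardened: only allow-listed schemes become links; UNC text is left untouched."""
    def wrap(match):
        if match.group("scheme").lower() not in ALLOWED_SCHEMES:
            return match.group(0)          # file://, smb://, etc. stay plain text
        return _anchor(match.group(0))
    return URL_RE.sub(wrap, message)       # UNC_RE is deliberately never applied


if __name__ == "__main__":
    # Constructed chat message mixing a normal link with a UNC path.
    sample = r"docs at https://example.com/guide and share \\fileserver\public\report.docx"
    print("unc present:", is_unc_path(sample))
    print("unsafe:", linkify_unsafe(sample))
    print("safe:  ", linkify_safe(sample))
```

The difference is entirely in what the client agrees to treat as a link: the hardened version never produces a clickable target that Windows would resolve over SMB, which removes the credential-leak path regardless of what the remote side hosts.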

More detailed:

Based on the low AI score of the news about ZOOM vulnerabilities, we can conclude that most of them are hype and do not make much sense:

One of the most important events for all who try to detect APT attacks and analyse endpoint logs: MITRE Sub-Techniques (beta). The current official version is still the October 2019 one.

The version of ATT&CK with sub-techniques is only in beta right now to allow enough time for feedback and for organizations to determine how to transition. We are expecting to make it the official version sometime in July 2020.

One good example demonstrating the benefits of sub-techniques is T1003. The name was changed slightly to OS Credential Dumping and the technique itself was kept:

Technique T1003
Sub-techniques of this technique

The added granularity will allow you to represent different types of credential dumping at a more detailed level than just mapping to the broader OS Credential Dumping. MITRE is asking for feedback on technique and sub-technique pairings as well as any additional technique or sub-technique ideas that help organize the remaining techniques without sub-techniques.

More detailed info in the MITRE blog:

Attack matrix for Kubernetes

This week, Microsoft crafted an ATT&CK-like matrix comprising the major techniques that are relevant to container orchestration security, with a focus on Kubernetes:

Understanding the attack surface of containerized environments is the first step of building security solutions for these environments. This matrix can help organizations identify the current gaps in their defense coverage against the different threats that target Kubernetes.

Hidden Threat – Vulnerability Analysis using the news graph

When you come face to face with a new vulnerability, what is the first thought that comes to mind? Of course, respond as quickly as possible. However, speed is just one of the conditions for an effective fight against information security threats. When it comes to corporate security, it is equally important to determine without error what you should respond to first. An underestimated threat can cause serious damage or loss of reputation. But if the count of vulnerabilities is constantly growing, can you quickly assess their significance and not miss crucial details?

Vulnerability dynamics by CVSS group (source –

The CVSS (Common Vulnerability Scoring System) score scale is typically used to rank vulnerabilities by various criteria, ranging from operational complexity to harm and other parameters.

It would seem there is no need to invent something else, but the CVSS score has one weak point: it is based on expert evaluations not supported by real statistics. It would be much more effective to offer experts cases that were already selected according to certain quantitative criteria and make decisions based on verified data. But where to get this data and what to do next? It sounds like an unusual and interesting task for a data scientist, and this challenge inspired Lydia Khramova and the Vulners team to create a new concept for assessing and classifying vulnerabilities based on a graph of related information.

Why graphs? In the case of social networks and the media, graph methods have long been used successfully for various purposes: from analyzing the distribution of content in the news stream to notes on the impact of top authors on readers’ opinions and clustering social networks by interests. Any vulnerability can be presented as a graph containing data: news about changes in software or hardware and the effects caused by them.

About data

Lydia did not have to manually collect news about each update; all the necessary texts were found in the open vulnerability database. Visually, the data looks as follows:

Each vulnerability, in addition to its name, publication date and description, already has a family (NVD, scanner, exploit, etc.) and a type (cve, nessus, etc.) assigned to it, a CVSS rating (CVSS v2 is used hereinafter), and also links to related news.

If you present these links schematically as a graph, one vulnerability looks like this: an orange circle indicates the original or parent publication, black circles are news that can be reached by clicking while on the parent page, and gray circles are linked news that can only be reached by going through all the publications marked with black circles. Each circle color is a new level of the graph of related information, from zero (the initial vulnerability) to the first, second and so on.

Of course, when viewing a single news item we only know the zero and first levels, so to get all the data we used depth-first traversal of the graph, which unravels the tangle of news from the beginning down to the most distant connected nodes (hereinafter, graph nodes). At this stage optimization problems arose: building a graph over a long period took too much time, and some magic had to be applied to both the script and the data structure. By the way, it was decided to pack the final data into parquet for further work with it using spark sql, which made the initial analysis easier.

What does graph data look like? Visualization is the best way to understand its nature. The figure shows the graph of the well-known but supposedly not very dangerous Heartbleed vulnerability (only 5 out of 10 points on the CVSS scale).

Looking at this lush set of points from related news and exploits, where the red dot is the original vulnerability, we realize that Heartbleed was significantly underestimated.

Based on this example we can conclude that consistency, duration, and other vulnerability parameters are well evaluated using graph metrics. Below are a couple of examples of metrics from the study that served as the basis for an alternative classification:

  • the count of nodes in the graph: responsible for the "breadth" of the vulnerability and the fingerprints it leaves in various systems;
  • the count of subgraphs (large clusters of news): responsible for the granularity of the problem, i.e. the presence of large problem areas within the vulnerability;
  • the count of related exploits and patches: indicates how explosive the news was and how many times the problem had to be fixed;
  • the count of unique news types and families in the graph: about systemicity, i.e. the number of subsystems affected by the vulnerability;
  • the duration from the first publication to the first exploit, and the time from the first publication to the last related news: about the temporal nature of the vulnerability, whether it drags on with a long tail of consequences or quickly develops and fades.

Not all metrics are described here; under the hood the study currently has about 30 indicators that complement the basic set of CVSS criteria, including the average growth between levels of the vulnerability news graph, the percentage of exploits at the first level of the graph, and much more.
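As an added illustration (not the study's own code), here is the depth-first walk described above run over a small constructed set of news records, followed by the basic metrics from the list computed on the resulting graph. The record layout, the placeholder ids, and the reading of "subgraphs" as clusters that stay connected to each other once the root is removed are all assumptions made for the example.

```python
from datetime import date

# Constructed sample in the article's shape: id -> (family, publication date, links). Placeholder ids.
NEWS = {
    "CVE-2019-EXAMPLE": ("cve", date(2019, 1, 8), ["NESSUS-A", "ADVISORY-A"]),
    "NESSUS-A":   ("nessus",  date(2019, 1, 10), ["EXPLOIT-A"]),
    "ADVISORY-A": ("patch",   date(2019, 1, 12), ["PATCH-B"]),
    "EXPLOIT-A":  ("exploit", date(2019, 1, 20), ["NESSUS-A"]),   # back-link, i.e. a cycle
    "PATCH-B":    ("patch",   date(2019, 3, 1),  []),
}

def traverse(root, news=NEWS):
    """Depth-first walk from the parent publication -> {node: level}, the level
    being the depth at which the node was first reached (0 = root, 1 = linked ...)."""
    levels, stack = {}, [(root, 0)]
    while stack:
        node, depth = stack.pop()
        if node in levels or node not in news:    # already seen, or a dangling link
            continue
        levels[node] = depth
        for linked in reversed(news[node][2]):    # explore links in page order
            stack.append((linked, depth + 1))
    return levels

def component_count(nodes, news=NEWS):
    """Clusters of news that stay connected to each other once the root is removed."""
    parent = {n: n for n in nodes}                # union-find over undirected links
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for n in nodes:
        for m in news[n][2]:
            if m in parent:
                parent[find(m)] = find(n)
    return len({find(n) for n in nodes})

def graph_metrics(root, news=NEWS):
    """The article's basic metric set for one vulnerability graph."""
    levels = traverse(root, news)
    exploit_dates = sorted(news[n][1] for n in levels if news[n][0] == "exploit")
    return {
        "nodes": len(levels),
        "subgraphs": component_count([n for n in levels if n != root], news),
        "exploits": len(exploit_dates),
        "patches": sum(news[n][0] == "patch" for n in levels),
        "families": len({news[n][0] for n in levels}),
        "days_to_first_exploit": (exploit_dates[0] - news[root][1]).days if exploit_dates else None,
        "days_to_last_news": (max(news[n][1] for n in levels) - news[root][1]).days,
    }
```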

Opening up the gray zone

And now a bit of data science and statistics — hypotheses need to be confirmed on data, right?

For the experiment with the alternative scale and the new metrics, news published in January 2019 was selected: 2403 source bulletins and about 150 thousand rows in the related-news column. All source vulnerabilities were divided into three groups by CVSS Score:

  • High – from 8 points inclusive;
  • Medium – from 6 incl. to 8 points;
  • Low – less than 6 points.

Let's look at how the CVSS score correlates with the number of related news items in the graph, the number of news types and the number of exploits:

In the ideal case we should have seen a clear division of the metrics into three clusters, but that did not happen, which points to a possible gray area that the CVSS Score does not capture. This gray area is our goal.

The next step was clustering vulnerabilities into homogeneous groups and building a new scale.

For the first iteration, simple k-means clustering was chosen and a new matrix of scores was obtained: the initial CVSS groups (Medium, Low, High) are on the Y axis and the new graph classes along the X axis, where 2 is the highest in the new vulnerability metrics, 0 the lowest, and 1 in between.

The oval-marked zone (graph class 2 with an initial Low or Medium rating) contains potentially underestimated vulnerabilities. The division into the new classes also looks clearer, which is what we were after:

However, simply trusting the model is a bad idea, especially when it comes to unsupervised clustering, where the correct answer is not known in principle, and you can only rely on the separation metrics of the resulting classes.

And this is where expert knowledge is required: testing and interpreting the results needs knowledge of the subject area. Therefore it is advisable to spot-check the model, for example by pulling out a couple of vulnerabilities for detailed analysis.
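The clustering step and the gray-zone selection described above, as an added example that is not the study's code: the CVSS v2 buckets at 6 and 8, a small deterministic k-means over standardised graph metrics, and the filter that picks out Low/Medium CVSS items landing in the top graph class. The sample metric vectors, the three features used and the seeding rule are constructed assumptions for the example.

```python
# Constructed metric vectors, one per vulnerability: (id, CVSS v2 score, graph
# node count, count of news types, count of exploits). Placeholder ids, not the study's data.
SAMPLE = [
    ("VULN-A", 9.3, 120, 7, 6),
    ("VULN-B", 8.0,  95, 6, 4),
    ("VULN-C", 7.5,  30, 3, 1),
    ("VULN-D", 6.0,  25, 3, 0),
    ("VULN-E", 5.0, 110, 6, 5),   # low CVSS but a large graph: the gray zone
    ("VULN-F", 4.4,   8, 1, 0),
    ("VULN-G", 2.1,   5, 1, 0),
    ("VULN-H", 4.3,  12, 2, 0),
]

def cvss_bucket(score):
    """The article's CVSS grouping: High from 8, Medium from 6 to 8, Low below 6."""
    return "High" if score >= 8 else "Medium" if score >= 6 else "Low"

def zscore(rows):
    """Standardise each feature so that node counts do not dominate the distance."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [max((sum((v - m) ** 2 for v in c) / len(c)) ** 0.5, 1e-9) for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in rows]

def kmeans(points, k=3, iters=50):
    """Plain Lloyd's k-means. Seeds are spread along the coordinate-sum order of the points
    (an assumption made for reproducibility); classes are renumbered so 2 = largest metrics."""
    order = sorted(range(len(points)), key=lambda i: sum(points[i]))
    centers = [points[order[(len(order) - 1) * j // (k - 1)]] for j in range(k)]
    for _ in range(iters):
        labels = [min(range(k), key=lambda j: sum((a - b) ** 2 for a, b in zip(p, centers[j]))) for p in points]
        new = []
        for j in range(k):
            members = [p for p, l in zip(points, labels) if l == j]
            new.append([sum(d) / len(members) for d in zip(*members)] if members else centers[j])
        if new == centers:
            break
        centers = new
    rank = {j: r for r, j in enumerate(sorted(range(k), key=lambda j: sum(centers[j])))}
    return [rank[l] for l in labels]

def classify(sample=SAMPLE):
    """(id, CVSS bucket, graph class) per vulnerability: the article's new matrix."""
    labels = kmeans(zscore([list(r[2:]) for r in sample]))
    return [(r[0], cvss_bucket(r[1]), c) for r, c in zip(sample, labels)]

def gray_zone(sample=SAMPLE):
    """Low/Medium CVSS but the top graph class: potentially underestimated vulnerabilities."""
    return [row for row in classify(sample) if row[2] == 2 and row[1] != "High"]
```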

Below are a few cases from the gray zone that have a low CVSS score but a high graph score, which means they potentially need a different priority when working with them. Here is what they look like in graph representation:

CVE-2019-0555 (CVSS score 4.4, graph class 2 – high)

SMB_NT_MS19_JAN_DOTNET.NASL (CVSS score 5.0, graph class 2 – high)

CVE-2019-1653 (CVSS score 5.0, graph class 2 – high)

RHSA-2019:0130 (CVSS score 5.0, graph class 2 – high)

As you can see, the concept was confirmed both by statistics and by spot checks, so in the near future we want to finalize and automate the collection of graph metrics and, possibly, the classifier itself. Of course, there is still a lot of work to do, starting with collecting a large number of new graphs for the months not covered by the study, but this only adds enthusiasm, as does the essence of the task. According to Lydia, the data scientist, the work on this research was an incredibly inspiring experience, both in topic and in complexity: even the preparatory engineering work with loosely structured data was very interesting.

In conclusion

After the study it became clear that, first of all, a critical approach is needed not only to any metric or data but to the process as a whole, because the world is too dynamic and changes faster than methodologies and documentation. If something has always been evaluated in one way, why not try shifting the angle of view? As our example shows, even the most unusual hypotheses can be confirmed.

An important role is played by the availability of data to data scientists: it allows you to quickly test the boldest hypotheses and better understand the essence of your subject area in all its manifestations. So if you are not yet collecting, or are deleting, "unnecessary" data, think again: there may be many discoveries lurking in it. This case suggests that a data-driven approach and information security complement each other perfectly.


Author: Lydia Khramova (