Jun 05, 2018

How to Describe Vulnerability Information?

Today, I would like to introduce an activity at the Vulnerability Coordination Group of JPCERT/CC.
It is a method to describe a vulnerability using Vulnerability Description Ontology (VDO).

JPCERT/CC receives software vulnerability information from domestic and overseas reporters, then coordinates them in between the vendor/developer and the reporter. While there is a vulnerability reporting template, vulnerability itself is described in a free format. Reporter can describe about a vulnerability in a way they like. From a vulnerability coordinator's perspective, the following are a few obstacles that we are facing:

1. It is necessary to "understand" the technical aspects

For example, the description in CVE for the vulnerability CVE-2014-8606 is as follows:

Directory traversal vulnerability in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! allows remote administrators to read arbitrary files via a .. (dot dot) in the file parameter in a json_return action in the xcloner_show page to wp-admin/admin-ajax.php.

When reading this information, the following technical details can be extracted:

  • (Affected) Products and Versions
    • Xcloner plugin 3.1.1 (for WordPress)
    • Xcloner plugin 3.5.1 (for Joomla!)
  • Vulnerability type: Directory traversal
    • Root cause: the parameter "file" is not validated
    • Attacker: Remote authenticated attacker
    • Impact: Arbitrary file read

There is no unique way to articulate the technical aspects of a vulnerability. A free format allows various reporters to describe a vulnerability using their own way. In some cases, there may be redundant information, or in other cases, not enough information.

2. When the vulnerability description is written in your non-native language, it can be extremely difficult to comprehend

A lot of vulnerability information is published in English, so organizations who do not have any English speaker may have a difficulty in comprehending a vulnerability due to the language barrier. In addition, various sources are now publishing vulnerability information, and lots of non-English vulnerability information are publicly available.
For example, CNNVD in China provides vulnerability information only in Chinese.

To overcome these issues, the National Institute of Standards and Technology (NIST) in US has proposed the creation of Vulnerability Description Ontology (VDO).

VDO provides basic building blocks to describe a vulnerability so that a vulnerability can be described without using a free format.
Below is an example of the vulnerability (CVE-2014-8606 from above) described using the VDO (taken from NIST IR 8138 - Appendix A)

Vulnerability: cve.mitre.org CVE-2014-8606
Provenance: http://www.vapid.dhs.org/advisories/wordpress/plugins/Xcloner-v3.1.1/
Scenario: 1
Type: cve.mitre.org CWE-22
Attack Theater: Remote
  Remote Type: Internet
Barriers: Privilege Required
  Privilege Level: Administrator
    Relating to Context: Application
Context: Application
Entity Roles: Primary Authorization
Entity Roles: Vulnerable
Impact Method: Trust Failure
  Trust Failure Type: Failure to Verify Content
Logical Impact: Read(Direct)
  Scope: Limited
    Criticality: Low
Context: HostOS
  Entity Roles: Secondary Authorization
Impact Method: Code Execution
Logical Impact: Read(Direct)
  Scope: Limited
    Criticality: High

While VDO is still in a draft phase. I believe that it has a huge potential to

  • Provide a common language for understanding and exchanging information on vulnerabilities
  • Provide a format to automatically manage vulnerability information

JPCERT/CC is currently attempting to see if describing vulnerabilities using VDO can make the vulnerability coordination operations more efficient.

The following shows how vulnerability information can be entered into the VDO format using an editor.
Currently, we have implemented a JSON Schema to enter the Noun Groups defined in NISTIR 8138 in a simple manner to test whether this can be used in a practical manner.


More details on this attempt to make vulnerability coordination more efficient through the VDO will be presented at the 30th Annual FIRST Conference.

If you are interested in VDO and its application, please contact us at vultures [at] jpcert.or.jp.

- Masanobu Katagi