Sentnl CVE search API

Charles Holtzkampf
Sentnl
4 min read · Jan 12, 2021

The security of our backend and frontend applications is under constant threat. It’s a constant cat-and-mouse game: applications that are deemed safe today are not necessarily safe tomorrow.

Just the other day a zero-day exploit for Grafana was published, which would have allowed an attacker to achieve a full-read, unauthenticated SSRF on Grafana instances ranging from version 3.0.1 to 7.0.1.

Now imagine your Grafana instance is 100% safe today, but the following day an attacker could possibly gain full access to your server. Most of us running Grafana would most likely be completely unaware of the risk until it was too late.

This is where our newly provided service may help you.

But before we continue, it’s important to understand what a CVE is.

The Common Vulnerabilities and Exposures system provides a reference-method for publicly known information-security vulnerabilities and exposures.

Each newly known vulnerability is given a CVE reference, and that CVE can be looked up to obtain information about the vulnerability. The Grafana exploit, for example, was assigned CVE-2020-13379. The CVE entry contains a multitude of information about the risk, including how easy it is to exploit and any write-ups with examples of how to perform the exploit.

CVE Search Portal & API

The CVE search portal uses an open-source platform called CVE-search from CIRCL to provide a list of all the latest CVEs available and an API to query the CVEs.

The database is updated every 4 hours to ensure all the latest CVEs are listed.

The portal is available at https://vuln.sentnl.io and the API documentation is accessible at https://vuln.sentnl.io/api_docs.

A simple example of using the API to look for all the CVEs related to Grafana:

https://vuln.sentnl.io/api/search/grafana/grafana

Free Query

More complicated and useful queries can be run by using the Free Query API.

Using the free query you can, for example, look for any vulnerabilities that affect your Grafana instance with a version of 7.0.0 or lower.

curl -X POST -H "Content-Type: application/json" \
-d '{
  "retrieve": "cves",
  "dict_filter": {
    "vulnerable_configuration": "cpe:2.3:a:grafana:grafana:7.0.0:-:*:*:*:*:*:*"
  }
}' \
https://vuln.sentnl.io/api/query

The dict_filter can contain many other values. Once you receive the JSON results from your POST request, you can see which other fields are available to use within your dict_filter.

Another example is to query all the CVEs available for Grafana as a whole, using the vulnerable_product_stems dict_filter.

curl -X POST -H "Content-Type: application/json" \
-d '{
  "retrieve": "cves",
  "dict_filter": {
    "vulnerable_product_stems": "cpe:2.3:a:grafana:grafana"
  }
}' \
https://vuln.sentnl.io/api/query

You can also include multiple queries to create a vulnerable_configuration stack for a particular application. Taking Hyperion as an example, we include the following software into our query:

  • cpe:2.3:a:pivotal_software:rabbitmq:3.8.9:-:*:*:*:*:*:*
  • cpe:2.3:a:elastic:elasticsearch:7.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:elastic:kibana:7.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:redislabs:redis:5.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:fastify:fastify:2.14.1:*:*:*:*:node.js:*:*
  • cpe:2.3:a:lodash:lodash:4.17.12:*:*:*:*:node.js:*:*
  • cpe:2.3:a:momentjs:moment:2.27.0:*:*:*:*:node.js:*:*
  • cpe:2.3:a:node-fetch_project:node-fetch:3.0.0:beta8:*:*:*:node.js:*:*
  • cpe:2.3:a:socket:engine.io-client:2.3.0:*:*:*:*:node.js:*:*
  • cpe:2.3:a:yargs:yargs-parser:15.4.1:*:*:*:*:node.js:*:*

curl -X POST -H "Content-Type: application/json" \
-d '[
{ "retrieve": "cves", "dict_filter": { "vulnerable_configuration": "cpe:2.3:a:elastic:elasticsearch:7.10.1:*:*:*:*:*:*:*" } },
{ "retrieve": "cves", "dict_filter": { "vulnerable_configuration": "cpe:2.3:a:pivotal_software:rabbitmq:3.8.0:-:*:*:*:*:*:*" } },
{ "retrieve": "cves", "dict_filter": { "vulnerable_configuration": "cpe:2.3:a:elastic:kibana:7.10.1:*:*:*:*:*:*:*" } },
{ "retrieve": "cves", "dict_filter": { "vulnerable_configuration": "cpe:2.3:a:redislabs:redis:5.0.9:*:*:*:*:*:*:*" } },
{ "retrieve": "cves", "dict_filter": { "vulnerable_configuration": "cpe:2.3:a:fastify:fastify:2.14.1:*:*:*:*:node.js:*:*" } },
{ "retrieve": "cves", "dict_filter": { "vulnerable_configuration": "cpe:2.3:a:lodash:lodash:4.17.12:*:*:*:*:node.js:*:*" } },
{ "retrieve": "cves", "dict_filter": { "vulnerable_configuration": "cpe:2.3:a:momentjs:moment:2.27.0:*:*:*:*:node.js:*:*" } },
{ "retrieve": "cves", "dict_filter": { "vulnerable_configuration": "cpe:2.3:a:node-fetch_project:node-fetch:3.0.0:beta8:*:*:*:node.js:*:*" } },
{ "retrieve": "cves", "dict_filter": { "vulnerable_configuration": "cpe:2.3:a:socket:engine.io-client:2.3.0:*:*:*:*:node.js:*:*" } },
{ "retrieve": "cves", "dict_filter": { "vulnerable_configuration": "cpe:2.3:a:yargs:yargs-parser:15.4.1:*:*:*:*:node.js:*:*" } }
]' \
https://vuln.sentnl.io/api/query

Any additional technology stacks that are added will be listed on our Wiki.

How to identify the vulnerable_configuration label for my product and version.

A question many might ask: how do I identify the version of my product as a vulnerable_configuration, and what does it all mean? The vulnerable configuration is written using the CPE structure.

CPE is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.

Breakdown of cpe:2.3:a:grafana:grafana:7.0.0:-:*:*:*:*:*:*

  • cpe:2.3 (the version of CPE in use; there is also CPE 2.2)
  • Vendor = Grafana
  • Product = Grafana
  • Version = 7.0.0
  • Update = - (update version, use - for any)

The easiest way to achieve this is to perform a regex search on the website for a particular product.

Then click on a CVE ID that is related to your product. Using the RabbitMQ example, we click on CVE-2020-5419 and proceed to expand the vulnerable_configuration list, where you will see a long list of RabbitMQ versions. Let’s say you are running RabbitMQ 3.8.9; you would use:

  • cpe:2.3:a:pivotal_software:rabbitmq:3.8.9:-:*:*:*:*:*:*

Or you can use the official CPE website and look for your particular product.
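
An added example, not code from the original post or from Sentnl: it validates CPE 2.3 strings of the form broken down above, derives the stem used with vulnerable_product_stems, and builds the batched /api/query body shown earlier for a stack. The function names (parse_cpe, product_stem, build_stack_query) are hypothetical; the eleven field names follow the CPE 2.3 formatted-string order.

```python
import json
import re

# Field names of a CPE 2.3 formatted string, in order, after the "cpe:2.3" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into named fields, or raise ValueError."""
    if not cpe.isascii():
        # Typographic dashes or quotes picked up by copy-paste never match a stored CPE.
        raise ValueError(f"non-ASCII character in {cpe!r}")
    parts = re.split(r"(?<!\\):", cpe)  # a backslash-escaped colon stays inside its field
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 2 + len(CPE_FIELDS):
        raise ValueError(f"not a 13-component CPE 2.3 string: {cpe!r}")
    fields = dict(zip(CPE_FIELDS, parts[2:]))
    # A concrete product name uses a (application), o (operating system) or h (hardware).
    if fields["part"] not in ("a", "o", "h"):
        raise ValueError(f"unknown part {fields['part']!r} in {cpe!r}")
    return fields

def product_stem(cpe):
    """Return the cpe:2.3:part:vendor:product prefix used with vulnerable_product_stems."""
    f = parse_cpe(cpe)
    return ":".join(("cpe", "2.3", f["part"], f["vendor"], f["product"]))

def build_stack_query(cpes):
    """Build the JSON array body for POST /api/query, one entry per validated component."""
    return [{"retrieve": "cves", "dict_filter": {"vulnerable_configuration": c}}
            for c in cpes if parse_cpe(c)]

# Three entries from the Hyperion stack listed above.
STACK = [
    "cpe:2.3:a:pivotal_software:rabbitmq:3.8.9:-:*:*:*:*:*:*",
    "cpe:2.3:a:elastic:elasticsearch:7.10.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:fastify:fastify:2.14.1:*:*:*:*:node.js:*:*",
]

if __name__ == "__main__":
    print(product_stem(STACK[0]))
    print(json.dumps(build_stack_query(STACK), indent=1))
```

The printed JSON can be saved to a file and sent with curl using -d @file in place of the inline body.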

Future Development
