A big part of our work here at Sprocket Security is identifying new vulnerabilities and using them against our client base. The infosec community loves to overhype non-exploitable vulnerabilities. CVEs will often be released with a risk score of 9.9 and are then spammed throughout Twitter as the next big risk to your organization, even when exploitation is never going to be viable.

While we love doing research and development here at Sprocket and will often generate our own proof of concepts, we need to move fast and show value to our clients before they apply patches for a particular exploit.

This led Sprocket to ask, how can we sift through the mud and find the things that we can actually use to hack right now, in this moment. That’s where cvetrends comes in.

CVE Trends - Crowdsourced CVE Intel

Monitor trending CVEs in real-time; crowdsourced intel. Sourced from Twitter, NIST NVD, Reddit, and GitHub.

Overview

CVE Trends is an excellent site built by Simon J. Bell to track and identify high-risk vulnerabilities using crowdsourced data.

Simon J. Bell—@SimonByte

Cyber Security Researcher | Engineer | Building @CVEtrends | Runs honeypot @SecureHoney | PhD in CyberSecurity | Alum @RoyalHolloway(@ISGNews) & @SussexUni

CVE Trends as a site tracks several variables to identify risk:

  • Social media posts across Twitter and Reddit
  • GitHub repositories associated with a specific CVE value
  • NIST’s vulnerability database

All of this information together results in a simple but beautiful dashboard that allows hackers and defenders alike to identify genuinely high-risk vulnerabilities.

Scrolling through each column reveals high level information about a vulnerability. If you scroll far enough in each column, you may find a proof of concept for a CVE that could potentially be leveraged to attack our client base.

This is insanely useful and an excellent resource for the Sprocket team.

The Great API Hunt

I set out to see if the web application for CVE Trends revealed any sort of API. Nowhere on the site does the author mention the existence of one, but I thought, hey, why not, might as well look, right?

Looking more closely at my dev tools console revealed something interesting:

See that URL above? It looks like we do have an API endpoint. Requesting this URL with cURL gave me back everything I could have hoped for:

Even better, we also have an endpoint that allows us to query CVE Trends for the last seven days:

Doing it With Code

Okay, awesome, now we have an API endpoint. How do we turn this into something useful for us here at Sprocket? I fell in love with Python not that long ago, so let’s go ahead and automate the crap out of this. In comes cvetrends, the Python command line utility I built for querying the discovered API endpoints:

Sprocket-Security / cvetrends

cvet can be installed from PyPI. If this tool is not yet available via PyPI, you can install it directly from the repository. For development, clone the repository and install it locally using poetry.

To prevent essentially replicating Simon’s great work, our team asked themselves, “what metrics are most important to us here?”

We found that the number of GitHub repositories available was the datapoint most indicative of an exploitable vulnerability with a public proof of concept exploit.

Installation

To install the cvetrends command line tool for now, simply clone the repo and install it with pip:

git clone https://github.com/Sprocket-Security/cvetrends.git
cd cvetrends && pip3 install .

Once installed, you can call the tool using cvet:

If anyone is wondering, I'm using the library rich-click here to show that pretty help menu.

cvet ignores any vulnerability that does not have at least one GitHub repo available for it, so the repo-threshold value defaults to one. You can modify this value on the fly as needed. Either way, you can run the tool with the subcommand day or week to get results:

The example above shows that a potential PoC exists for CVE-2022-27925. Looking more closely, we will find this is the case:

vnhacker1337 / CVE-2022-27925-PoC/zimbra-exploit.py published August 13th, 2022 by vnhacker1337.

Keep in mind that these PoCs may not work and could easily be malicious, so do your due diligence before running the code.
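The filtering described above, as an added example that is not the cvetrends tool’s own code: a constructed JSON feed (its field names and the CVE-0000-* ids are assumptions; only CVE-2022-27925 comes from the post) is parsed, CVEs below the repo threshold are dropped, and the survivors are listed with their repo URLs so each PoC can be reviewed before anyone runs it. The real endpoint URL is not reproduced, so the feed is read from an inline string instead of fetched.

```python
"""Filter a CVE Trends style feed by GitHub PoC repo count.

Added example, not the cvetrends tool's own code. The feed below is a
constructed stand-in for an API response; the real endpoint URL and the
real field names are not reproduced here, so treat them as assumptions.
"""
import argparse
import json
from dataclasses import dataclass, field

# Constructed sample feed (not real API output; field names are assumed).
# CVE-2022-27925 is the id discussed in the post; the CVE-0000-* ids are fake.
SAMPLE_FEED = json.dumps({
    "data": [
        {"cve": "CVE-2022-27925", "cvss_v3": 7.2, "tweets": 40,
         "github_repos": [{"url": "https://github.com/example/poc-a"}]},
        {"cve": "CVE-0000-0001", "cvss_v3": 9.9, "tweets": 900,
         "github_repos": []},
        {"cve": "CVE-0000-0002", "cvss_v3": 6.5, "tweets": 5,
         "github_repos": [{"url": "https://github.com/example/poc-b"},
                          {"url": "https://github.com/example/poc-c"},
                          {"url": "https://github.com/example/poc-d"}]},
    ]
})


@dataclass
class CveRecord:
    cve: str
    cvss: float
    tweets: int
    repos: list = field(default_factory=list)

    @property
    def repo_count(self) -> int:
        return len(self.repos)


def parse_feed(raw: str) -> list:
    """Turn the JSON feed into records; tolerate missing optional fields."""
    doc = json.loads(raw)
    records = []
    for item in doc.get("data", []):
        cve = item.get("cve")
        if not isinstance(cve, str) or not cve.upper().startswith("CVE-"):
            continue  # skip malformed entries rather than crash the cron job
        records.append(CveRecord(
            cve=cve,
            cvss=float(item.get("cvss_v3") or 0.0),
            tweets=int(item.get("tweets") or 0),
            repos=[r.get("url", "") for r in item.get("github_repos", [])],
        ))
    return records


def filter_by_repo_threshold(records, threshold: int = 1) -> list:
    """Keep CVEs with at least `threshold` GitHub repos (cvet's default is 1).

    A 9.9 CVSS score with zero repos is dropped; a 6.5 with three PoC repos
    is kept and ranked first, which is the post's point about which signal
    best predicts a usable public PoC.
    """
    if threshold < 0:
        raise ValueError("threshold must be non-negative")
    kept = [r for r in records if r.repo_count >= threshold]
    return sorted(kept, key=lambda r: (r.repo_count, r.tweets), reverse=True)


def render_table(records) -> str:
    """Plain-text table: one row per CVE plus its repo URLs for manual review."""
    lines = [f"{'CVE':<16} {'CVSS':>5} {'Repos':>5} {'Tweets':>6}"]
    for r in records:
        lines.append(f"{r.cve:<16} {r.cvss:>5.1f} {r.repo_count:>5} {r.tweets:>6}")
        for url in r.repos:
            lines.append(f"    {url}")  # review before running anything from it
    return "\n".join(lines)


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="cvet-style repo threshold filter")
    parser.add_argument("window", choices=["day", "week"])
    parser.add_argument("--repo-threshold", type=int, default=1)
    args = parser.parse_args(argv)
    # A real run would fetch the day/week feed here; the sample is used offline.
    hits = filter_by_repo_threshold(parse_feed(SAMPLE_FEED), args.repo_threshold)
    print(f"[{args.window}] {len(hits)} CVE(s) with >= {args.repo_threshold} repo(s)")
    print(render_table(hits))
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Running `python filter.py week --repo-threshold 2` keeps only the constructed three-repo entry; the default threshold of 1 also keeps CVE-2022-27925, and the loud 9.9 entry with no repo never makes the table.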

Slack Notifications

Here at Sprocket we love our Slack notifications. It seems like I add them to nearly every tool I work on. If desired, you can specify a webhook on the command line that will send results to Slack for review.

We have cvetrends running on a cron to send us results every morning!

Running the tool with a webhook looks something like this:

cvet day -n <https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX>

Note that there is no table output displayed when a webhook is specified!

An example Slack notification that will come through to your workspace when used is shown below:
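The webhook behaviour described in this section, as an added example that is not the cvetrends tool’s own code: results are turned into a Slack message and posted to an incoming webhook, and when a webhook is given the table is suppressed, as the post notes. The result shape, the `sender` hook that lets the code run without network access, and the rule that only HTTPS `hooks.slack.com` URLs are accepted are assumptions made for this example; the webhook URL is the placeholder from the usage line above.

```python
"""Send cvet-style results to a Slack incoming webhook.

Added example, not the cvetrends tool's own code. The webhook URL is the
placeholder from the post; the record shape, the validation rule and the
injectable `sender` are assumptions made for this example.
"""
import json
import os
import urllib.request
from urllib.parse import urlparse

# Placeholder webhook from the post's own usage line; never commit a real one.
EXAMPLE_WEBHOOK = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"

# Constructed results (not real feed data); CVE-2022-27925 is the id from the post.
SAMPLE_RESULTS = [
    {"cve": "CVE-2022-27925", "cvss": 7.2,
     "repos": ["https://github.com/example/poc-a"]},
    {"cve": "CVE-0000-0002", "cvss": 6.5,
     "repos": ["https://github.com/example/poc-b", "https://github.com/example/poc-c"]},
]


def is_valid_webhook(url: str) -> bool:
    """Accept only HTTPS Slack incoming-webhook URLs.

    A mistyped or attacker-supplied -n value must not turn the cron job into
    a generic HTTP client that posts the morning's findings somewhere else.
    """
    p = urlparse(url)
    return (p.scheme == "https" and p.hostname == "hooks.slack.com"
            and p.path.startswith("/services/") and p.path.count("/") == 4)


def redact(url: str) -> str:
    """Mask the secret path of a webhook so it can appear in logs and errors."""
    p = urlparse(url)
    return f"{p.scheme}://{p.hostname}/[redacted]"


def build_payload(results, window: str = "day") -> dict:
    """Build a Slack message: plain-text fallback plus one section per CVE."""
    header = f"cvet {window}: {len(results)} CVE(s) with public GitHub repos"
    blocks = [{"type": "header", "text": {"type": "plain_text", "text": header}}]
    for r in results[:49]:  # Slack caps a message at 50 blocks; header uses one
        repo_lines = "\n".join(f"- {u}" for u in r["repos"])
        text = f"*{r['cve']}* (CVSS {r['cvss']}) - {len(r['repos'])} repo(s)\n{repo_lines}"
        blocks.append({"type": "section", "text": {"type": "mrkdwn", "text": text}})
    return {"text": header, "blocks": blocks}


def _http_sender(url: str, body: bytes) -> int:
    """Default transport: one JSON POST, short timeout so cron never hangs."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def notify(results, webhook_url: str, sender=_http_sender) -> int:
    """Validate the webhook, then POST the payload; returns the HTTP status."""
    if not is_valid_webhook(webhook_url):
        raise ValueError(f"refusing to post to non-Slack webhook: {redact(webhook_url)}")
    body = json.dumps(build_payload(results)).encode()
    status = sender(webhook_url, body)
    if status != 200:
        raise RuntimeError(f"Slack returned HTTP {status} for {redact(webhook_url)}")
    return status


def run(results, webhook_url=None, sender=_http_sender):
    """Mirror cvet's behaviour: a webhook replaces the table output entirely."""
    if webhook_url:
        notify(results, webhook_url, sender)
        return None  # nothing is printed when a webhook is specified
    return "\n".join(f"{r['cve']}  CVSS {r['cvss']}  repos={len(r['repos'])}"
                     for r in results)


if __name__ == "__main__":
    hook = os.environ.get("SLACK_WEBHOOK")  # keep the secret out of argv and shell history
    out = run(SAMPLE_RESULTS, hook)
    if out is not None:
        print(out)
```

Reading the webhook from an environment variable rather than the command line matters on a shared cron host: the URL is a bearer credential, and anything placed in argv shows up in process listings and shell history. The `redact` helper keeps that same credential out of tracebacks when a post fails.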

Wrapping up

Keeping an eye on what is exploitable is critical for continuous penetration testing, defenders and bug bounty hunters. Prior to CVE Trends, we had to sort through Twitter hype to find what we were looking for. Thankfully, this is no longer the case. On top of this, the cvetrends command line tool that we built makes things even easier.

We strive here at Sprocket to make sure our clients know about new vulnerabilities before attackers do. As an industry we need to beat Nessus and NIST newsletters to exploitation and patching. Real hackers sure as hell do.

If you are interested in continuous penetration testing and Sprocket Security, please feel free to reach out to me directly to chat about how we can help expose risk at your organization.