github future-architect/vuls v0.19.0

2 years ago

What's new in v0.19.0

TL;DR

  • The Cybersecurity & Infrastructure Security Agency (CISA) has released the Known Exploited Vulnerabilities (KEV) Catalog, a list of CVE-IDs whose attack code is publicly available and is actually used in real-world attacks.
  • vulsio/go-kev now manages KEV Catalog information.
  • Vuls v0.19.0 works with vulsio/go-kev to display alerts for CVE-IDs in the KEV Catalog.

How it works

vuls report

$ vuls report
...
vuls-target (debian10.11)
=========================
Total: 225 (Critical:20 High:79 Medium:95 Low:16 ?:15)
0/222 Fixed, 67 poc, 0 exploits, cisa: 2, uscert: 4, jpcert: 6 alerts
218 installed

+---------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
|       CVE-ID        | CVSS | ATTACK | POC |   ALERT   |  FIXED  |                        NVD                        |
+---------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
...
| CVE-2021-42013      |  9.8 |  AV:N  | POC | CISA/CERT |         | https://nvd.nist.gov/vuln/detail/CVE-2021-42013   |
...
| CVE-2021-41524      |  7.5 |  AV:N  |     |      CERT |         | https://nvd.nist.gov/vuln/detail/CVE-2021-41524   |
| CVE-2021-41773      |  7.5 |  AV:N  | POC | CISA/CERT |         | https://nvd.nist.gov/vuln/detail/CVE-2021-41773   |
| CVE-2008-4609       |  7.1 |  AV:N  |     |      CERT | unfixed | https://nvd.nist.gov/vuln/detail/CVE-2008-4609    |
...

vuls tui

image

What is the Known Exploited Vulnerabilities Catalog?

On November 3, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) released Binding Operational Directive 22-1 (BOD 22-1) for government agencies.

BOD 22-1 published the Known Exploited Vulnerabilities (KEV) Catalog, which is "a list of CVE-IDs whose attack code is available and is actually used in real-world attacks".

BOD 22-1 requires that any vulnerability listed in the KEV Catalog that exists in a U.S. government system be fixed within a specified period of time and by a specified method.

Currently, CVEs are scored under the Common Vulnerability Scoring System (CVSS). CVSS does not take into consideration whether a vulnerability has ever been used to exploit a system in the wild. The CVEs listed in the KEV Catalog are a collection of real threats that have been used to compromise systems in the real world.
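To make the CVSS-versus-KEV point concrete, here is an added example (not code from Vuls or go-kev) that parses rows in the `vuls report` table format shown above and ranks CISA-flagged CVEs ahead of higher or equal CVSS scores without the flag. The names `Finding`, `ParseReport` and `Prioritize` are hypothetical, and the nine-field split assumes the seven-column table layout shown in the sample output.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Finding is one data row of the `vuls report` table.
type Finding struct {
	CVE  string
	CVSS float64
	KEV  bool // true when the ALERT column lists CISA
}

// sampleReport: the four data rows from the report output on this page.
const sampleReport = `| CVE-2021-42013      |  9.8 |  AV:N  | POC | CISA/CERT |         | https://nvd.nist.gov/vuln/detail/CVE-2021-42013   |
| CVE-2021-41524      |  7.5 |  AV:N  |     |      CERT |         | https://nvd.nist.gov/vuln/detail/CVE-2021-41524   |
| CVE-2021-41773      |  7.5 |  AV:N  | POC | CISA/CERT |         | https://nvd.nist.gov/vuln/detail/CVE-2021-41773   |
| CVE-2008-4609       |  7.1 |  AV:N  |     |      CERT | unfixed | https://nvd.nist.gov/vuln/detail/CVE-2008-4609    |`

// ParseReport keeps data rows only; borders, the header and "..." lines are skipped.
func ParseReport(out string) []Finding {
	var fs []Finding
	for _, line := range strings.Split(out, "\n") {
		cols := strings.Split(line, "|") // 7 columns plus two empty edges
		if len(cols) != 9 || strings.TrimSpace(cols[1]) == "CVE-ID" || !strings.Contains(cols[1], "CVE-") {
			continue
		}
		score, _ := strconv.ParseFloat(strings.TrimSpace(cols[2]), 64) // no score: row kept as 0
		fs = append(fs, Finding{strings.TrimSpace(cols[1]), score, strings.Contains(cols[5], "CISA")})
	}
	return fs
}

// Prioritize sorts KEV-listed CVEs first, then by descending CVSS.
func Prioritize(fs []Finding) []Finding {
	sort.SliceStable(fs, func(i, j int) bool {
		if fs[i].KEV != fs[j].KEV {
			return fs[i].KEV
		}
		return fs[i].CVSS > fs[j].CVSS
	})
	return fs
}

func main() {
	fmt.Println(Prioritize(ParseReport(sampleReport)))
}
```

With the sample rows, CVE-2021-41773 (7.5, CISA alert) moves ahead of CVE-2021-41524 (7.5, CERT alert only), a distinction that sorting on CVSS alone cannot make.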

Reference

Changelog

0c6a892 style: fix lint (#1335)
89d94ad feat(detector): add known exploited vulnerabilities (#1331)
ffdb789 update dictionaries (#1326)
321dae3 chore: update readme
a31797a Merge branch 'sakura'
32999cf chore: update readme
88218f5 chore: update sponsor (#1325)
1576193 chore: update sponsor
0b62842 chore: fix go-sqlite3 deps (#1324)
6bcedde chore: update goval-dictionary (#1323)
2dcbff8 chore: sponsor (#1321)
