A friend was going through Nessus output and checking the CVEs mentioned in each entry against the CVE database, looking for false positives and other things he could add to his report. He was doing this by hand, individually pasting each CVE into the NIST NVD, and I thought, there has to be an easier way.
So here is a quick script which takes a list of CVEs in the format found in Nessus, does a lookup on each one and creates a CSV file containing the bits of information he was looking for. Adding other fields should be simple: just add more regex lines.
Output is written to a file called cves.csv in the current directory.
    #!/usr/bin/env ruby
    require 'net/http'
    require "csv"

    # A comma separated list of CVEs, typically found in Nessus output
    cves = "CVE-2007-0455, CVE-2007-1001, CVE-2007-1375"

    site = "web.nvd.nist.gov"
    url = "/view/vuln/detail?vulnId="
    params = {'User-Agent' => "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"}
    port = 80

    # Open the output file and write the header row
    csv_writer = CSV.open "cves.csv", "w"
    csv_writer << ["CVE", "Overview", "Impact Subscore", "Exploitability Subscore", "Access Vector"]

    http = Net::HTTP.new(site, port)

    # String#each was removed in Ruby 1.9, so split the list on commas
    cves.split(",").each { |cve|
      cve = cve.strip
      next if cve.empty?

      puts "Checking " + cve
      request = Net::HTTP::Get.new(url + cve, params)
      response = http.request(request)

      # Flags set when the value we want is on the line after its label
      next_overview = false
      next_impact_score = false
      next_exploitable_score = false

      overview = nil
      impact_score = nil
      exploitable_score = nil
      access_vector = nil

      # Walk the page a line at a time (each_line replaces the old String#each)
      response.body.each_line { |line|
        # A label was seen on the previous line: strip the HTML tags and keep the text
        if next_exploitable_score
          exploitable_score = line.gsub(/<\/?[^>]*>/, "").strip
          next_exploitable_score = false
        end
        if next_impact_score
          impact_score = line.gsub(/<\/?[^>]*>/, "").strip
          next_impact_score = false
        end
        if next_overview
          overview = line.gsub(/<\/?[^>]*>/, "").strip
          next_overview = false
        end

        # Look for the labels that precede each value
        if line =~ /<h4>Overview<\/h4>/
          next_overview = true
        end
        if line =~ /Exploitability Subscore:/
          next_exploitable_score = true
        end
        if line =~ /Impact Subscore:/
          next_impact_score = true
        end
        # The access vector is on the same line as its label
        if /Access Vector:<\/span>\s*(Network exploitable)/.match(line)
          access_vector = $1
        end
      }

      #puts overview
      #puts impact_score
      #puts exploitable_score
      #puts access_vector

      csv_writer << [cve, overview, impact_score, exploitable_score, access_vector]
    }

    csv_writer.close
Here is a sample output:

    CVE,Overview,Impact Subscore,Exploitability Subscore,Access Vector
    CVE-2007-0455,Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.,6.4,10.0,Network exploitable
    CVE-2007-1001,Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.,6.4,8.6,Network exploitable
    CVE-2007-1375,"Integer overflow in the substr_compare function in PHP 5.2.1 and earlier allows context-dependent attackers to read sensitive memory via a large value in the length argument, a different vulnerability than CVE-2006-1991.",2.9,10.0,Network exploitable
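The "just add more regex lines" idea, as an added example that is not part of the original script: the fields live in two tables, so a new column is one new entry, and CVE IDs are validated before they would be appended to the lookup URL. The names `parse_cve_list`, `build_row` and `SAMPLE_BODY` are hypothetical, and the sample body is constructed to fit the script's patterns, not a real NVD response.

```ruby
# Added example: table-driven version of the script's field extraction.
# Fields whose value sits on the line after the label:
NEXT_LINE_FIELDS = {
  "Overview"                => /<h4>Overview<\/h4>/,
  "Impact Subscore"         => /Impact Subscore:/,
  "Exploitability Subscore" => /Exploitability Subscore:/
}
# Fields whose value is captured from the labelled line itself:
SAME_LINE_FIELDS = {
  "Access Vector" => /Access Vector:<\/span>\s*(Network exploitable)/
}
HEADERS = ["CVE"] + NEXT_LINE_FIELDS.keys + SAME_LINE_FIELDS.keys

# Split a Nessus-style list, keep only well-formed IDs, drop duplicates,
# so nothing unexpected is appended to the lookup URL.
def parse_cve_list(text)
  text.split(",").map(&:strip).grep(/\ACVE-\d{4}-\d{4,}\z/).uniq
end

def strip_tags(line)
  line.gsub(/<\/?[^>]*>/, "").strip
end

# Walk the page body once and return one CSV row (an array) for the CVE.
# Fields that are not found stay nil, which CSV writes as an empty cell.
def build_row(cve, body)
  found = {}
  pending = nil
  body.each_line do |line|
    if pending
      found[pending] = strip_tags(line)
      pending = nil
    end
    NEXT_LINE_FIELDS.each { |name, re| pending = name if line =~ re }
    SAME_LINE_FIELDS.each do |name, re|
      m = re.match(line)
      found[name] = m[1] if m
    end
  end
  [cve] + HEADERS.drop(1).map { |h| found[h] }
end

# Constructed sample body (not a real NVD response), shaped to the patterns above.
SAMPLE_BODY = <<~HTML
  <h4>Overview</h4>
  <p>Constructed overview text, with a comma.</p>
  <div>Impact Subscore:</div>
  <span>6.4</span>
  <div>Exploitability Subscore:</div>
  <span>10.0</span>
  <span>Access Vector:</span> Network exploitable
HTML

p build_row(parse_cve_list("CVE-2007-0455, not-a-cve").first, SAMPLE_BODY)
```

Each returned array can be passed straight to `csv_writer <<`, with `HEADERS` as the first row.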
Submitted by Robin Wood