In this post I will show you how to analyse CPE combinations reported in CVEs to identify vulnerable products.
On the NVD website, each CVE contains Known Affected Software Configurations (inside the `configurations` section of the CVE API responses) that define the combinations of CPEs required to make a product vulnerable.
For example, Apple Quicktime v7.71.80.42 running on Apple MacOS v12.0.1 might be vulnerable, but Apple Quicktime v7.71.80.42 running on Apple MacOS v11.0.1 might not be. The Known Affected Software Configurations define exactly the versions affected by a CVE.
For example;

```
GET https://services.nvd.nist.gov/rest/json/cves/2.0/?cveId=CVE-2019-1010218
```

As shown in the last post, the response returns data nested under `vulnerabilities.cve.configurations.nodes` that defines the vulnerable products.
```json
"configurations": [
  {
    "nodes": [
      {
        "operator": "OR",
        "negate": false,
        "cpeMatch": [
          {
            "vulnerable": true,
            "criteria": "cpe:2.3:a:cherokee-project:cherokee_web_server:*:*:*:*:*:*:*:*",
            "versionEndIncluding": "1.2.103",
            "matchCriteriaId": "DCE1E311-F9E5-4752-9F51-D5DA78B7BBFA"
          }
        ]
      }
    ]
  }
],
```
Inside the `nodes` object, the single `cpeMatch` object contains information about how the software is vulnerable. In addition to the CPE URI (`criteria`) and the `matchCriteriaId`, there are four optional properties that can be used to describe the version range of the product;

- `versionStartIncluding`
- `versionStartExcluding`
- `versionEndIncluding`
- `versionEndExcluding`

Essentially these properties make it easy to see the affected version range (here, the last affected version) without having to query the CVE Match API. However, to get all affected versions (as CPE URIs), you will need to use the CVE Match API.
```
GET https://services.nvd.nist.gov/rest/json/cpematch/2.0/?matchCriteriaId=DCE1E311-F9E5-4752-9F51-D5DA78B7BBFA
```

Which returns one match;
```json
{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CPEMatchString",
  "version": "2.0",
  "timestamp": "2023-01-09T08:15:05.813",
  "matchStrings": [
    {
      "matchString": {
        "matchCriteriaId": "DCE1E311-F9E5-4752-9F51-D5DA78B7BBFA",
        "criteria": "cpe:2.3:a:cherokee-project:cherokee_web_server:*:*:*:*:*:*:*:*",
        "versionEndIncluding": "1.2.103",
        "lastModified": "2019-10-08T16:44:34.360",
        "cpeLastModified": "2019-10-08T16:44:34.377",
        "created": "2019-10-08T16:44:34.360",
        "status": "Active",
        "matches": [
          {
            "cpeName": "cpe:2.3:a:cherokee-project:cherokee_web_server:1.0.12:*:*:*:*:*:*:*",
            "cpeNameId": "946ED27F-93AB-4447-9F04-30FEE3EAA8E7"
          },
          {
            "cpeName": "cpe:2.3:a:cherokee-project:cherokee_web_server:1.0.13:*:*:*:*:*:*:*",
            "cpeNameId": "E706BE3F-8E91-48E4-8677-C94244016A67"
          },
          {
            "cpeName": "cpe:2.3:a:cherokee-project:cherokee_web_server:1.0.14:*:*:*:*:*:*:*",
            "cpeNameId": "FB6C0C33-D9B8-45C2-BE5E-E836AA912A29"
          },
          {
            "cpeName": "cpe:2.3:a:cherokee-project:cherokee_web_server:1.0.15:*:*:*:*:*:*:*",
            "cpeNameId": "8EFC2886-764E-427B-8A8E-ADE7B848A516"
          },
          {
            "cpeName": "cpe:2.3:a:cherokee-project:cherokee_web_server:1.0.16:*:*:*:*:*:*:*",
            "cpeNameId": "6E542416-8B7A-402E-AFF7-97FEC339BC39"
          },
          {
            "cpeName": "cpe:2.3:a:cherokee-project:cherokee_web_server:1.0.17:*:*:*:*:*:*:*",
            "cpeNameId": "5C22473B-9EBD-49B6-86D6-E15538291DE6"
          },
          {
            "cpeName": "cpe:2.3:a:cherokee-project:cherokee_web_server:1.0.18:*:*:*:*:*:*:*",
            "cpeNameId": "2AF60F33-AABE-4C14-BE86-668AADDEC011"
          },
          {
            "cpeName": "cpe:2.3:a:cherokee-project:cherokee_web_server:1.0.21:*:*:*:*:*:*:*",
            "cpeNameId": "A36E8601-4E38-47E0-B91D-65B42A0A7AE8"
          },
          {
            "cpeName": "cpe:2.3:a:cherokee-project:cherokee_web_server:1.2.0:*:*:*:*:*:*:*",
            "cpeNameId": "64DCAC28-ADF7-442A-8746-2C237C877D27"
          },
          {
            "cpeName": "cpe:2.3:a:cherokee-project:cherokee_web_server:1.2.2:*:*:*:*:*:*:*",
            "cpeNameId": "59CF5F3E-5158-4116-8733-F65859CB43C3"
          },
          {
            "cpeName": "cpe:2.3:a:cherokee-project:cherokee_web_server:1.2.98:*:*:*:*:*:*:*",
            "cpeNameId": "2274D1F6-911C-45D1-8ED5-89B63DA542AD"
          },
          {
            "cpeName": "cpe:2.3:a:cherokee-project:cherokee_web_server:1.2.99:*:*:*:*:*:*:*",
            "cpeNameId": "460FA01F-61D5-4B8E-9F0E-B98159A4F980"
          },
          {
            "cpeName": "cpe:2.3:a:cherokee-project:cherokee_web_server:1.2.101:*:*:*:*:*:*:*",
            "cpeNameId": "9163CD3B-EEED-4658-8CFD-944827E2B05E"
          },
          {
            "cpeName": "cpe:2.3:a:cherokee-project:cherokee_web_server:1.2.102:*:*:*:*:*:*:*",
            "cpeNameId": "45747884-B233-4095-AA7E-012698B4C6A5"
          },
          {
            "cpeName": "cpe:2.3:a:cherokee-project:cherokee_web_server:1.2.103:*:*:*:*:*:*:*",
            "cpeNameId": "6F607266-EFB1-4737-A579-AFF23B18E5B1"
          }
        ]
      }
    }
  ]
}
```
In this case, 15 versions of `cherokee_web_server` are vulnerable to CVE-2019-1010218.
However, this is one of the most simplistic examples of a CPE node configuration inside a CVE.
In many cases a product will only be vulnerable if it is being run in a certain way, or with other products. For example, Google Chrome 103.0.5060.114 might be vulnerable running on Apple MacOS 12.0.0 but not on Apple MacOS 11.0.0 or any Windows OS.
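As an added example (not code from the post), the following Python reproduces that result locally: it parses CPE 2.3 strings, applies the four optional `versionStart*`/`versionEnd*` properties to a concrete version, and filters a candidate list down to the CPE names a `cpeMatch` entry covers. The candidate list embeds the 15 `cherokee_web_server` versions returned above plus two constructed later versions and one unrelated product. The version ordering (numeric tokens as integers, anything else as text) and the treatment of `-` versions are assumptions of this example, not NVD's published matching rules.

```python
"""Apply the version-range properties of one NVD cpeMatch entry to concrete CPE names.
Added example, not code from the post; see the lead-in for what it assumes."""
import re

CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its eleven named components."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    parts = re.split(r"(?<!\\):", cpe[len(prefix):])  # a '\:' is part of a value
    if len(parts) != len(CPE_FIELDS):
        raise ValueError(f"expected 11 components, got {len(parts)}: {cpe}")
    return dict(zip(CPE_FIELDS, parts))


def version_key(version: str) -> tuple:
    """Comparable key: numeric tokens compare as integers, others as text,
    so 1.2.99 < 1.2.103 and 2022-03-26 < 2022-03-27 both hold."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok)
                 for tok in re.split(r"[.\-]", version))


def in_range(version: str, match: dict) -> bool:
    """Check a version against whichever of the four range properties are present."""
    v = version_key(version)
    if "versionStartIncluding" in match and v < version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= version_key(match["versionEndExcluding"]):
        return False
    return True


def cpe_matches(cpe_name: str, match: dict) -> bool:
    """Does a concrete CPE name satisfy a cpeMatch's criteria and version range?"""
    crit, name = parse_cpe(match["criteria"]), parse_cpe(cpe_name)
    for field in CPE_FIELDS:
        if field != "version" and crit[field] not in ("*", name[field]):
            return False  # '*' in the criteria matches any value of that field
    if crit["version"] != "*":
        return crit["version"] == name["version"]  # exact version, or '-' (no version)
    if name["version"] == "-":
        # Assumption: NVD lists version '-' names under wildcard criteria even when
        # a range is set (the model_3_firmware:- match later in the post), so accept.
        return True
    return in_range(name["version"], match)


def matching_names(cpe_names, match: dict) -> list:
    """Filter a list of CPE names down to those the cpeMatch entry covers."""
    return [n for n in cpe_names if cpe_matches(n, match)]


# The cpeMatch entry from the CVE-2019-1010218 response above.
CHEROKEE_MATCH = {
    "vulnerable": True,
    "criteria": "cpe:2.3:a:cherokee-project:cherokee_web_server:*:*:*:*:*:*:*:*",
    "versionEndIncluding": "1.2.103",
    "matchCriteriaId": "DCE1E311-F9E5-4752-9F51-D5DA78B7BBFA",
}

# Constructed candidate list: the 15 versions the Match API returned, two made-up
# later versions (1.2.104, 1.3.0) and one unrelated product that must not match.
CHEROKEE_VERSIONS = ["1.0.12", "1.0.13", "1.0.14", "1.0.15", "1.0.16", "1.0.17",
                     "1.0.18", "1.0.21", "1.2.0", "1.2.2", "1.2.98", "1.2.99",
                     "1.2.101", "1.2.102", "1.2.103"]
CANDIDATES = [f"cpe:2.3:a:cherokee-project:cherokee_web_server:{v}:*:*:*:*:*:*:*"
              for v in CHEROKEE_VERSIONS + ["1.2.104", "1.3.0"]]
CANDIDATES.append("cpe:2.3:a:dell:powerscale_onefs:9.0.0:*:*:*:*:*:*:*")

if __name__ == "__main__":
    hits = matching_names(CANDIDATES, CHEROKEE_MATCH)
    print(f"{len(hits)} of {len(CANDIDATES)} candidate CPEs fall inside the range")
```

This only tells you which CPE names you already hold fall inside a range; the CVE Match API remains the authoritative list, because NVD only returns names that exist in the CPE dictionary.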
Each `nodes` object in the CVE configuration has either an `OR` or an `AND` `operator` value (and in rare cases a `negate` boolean) to convey the logical relationship of the CPEs within its `cpeMatch`. For example, if the vulnerability exists only when both CPE products are present, the operator is `AND`. If the vulnerability exists when either CPE is present, the operator is `OR` (as in the CVE-2019-1010218 example). The use of multiple nodes and operators can create more complex relationships.
NVD describe three different types of configurations;
- Basic: A single node containing one or more sets of match criteria. This configuration type communicates that each CPE URI that matches the match criteria is considered vulnerable.
- Running On/With: A combination of nodes containing both vulnerable and non-vulnerable match criteria. This configuration type communicates that CPE URIs that match the match criteria from both nodes must be present before a vulnerability applies.
- Advanced: A complex combination of nodes with many enumerations based on the CPE 2.3 specification. Advanced configurations are displayed with the actual nodes and node values on the vulnerability detail page instead of in a simplified form such as the Basic and Running On/With configuration types.
Let me illustrate with some real examples.
1. Basic configurations
As the name would suggest, these are fairly simple.
CVE-2022-29098 offers a good example: https://nvd.nist.gov/vuln/detail/CVE-2022-29098
Querying via the API;

```
GET https://services.nvd.nist.gov/rest/json/cves/2.0/?cveId=CVE-2022-29098
```

Here is what the API returns (note the full response has been cut for brevity, shown using `...`);
```json
{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2023-01-09T19:40:03.140",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2022-29098",
        "sourceIdentifier": "[email protected]",
        "published": "2022-06-01T15:15:09.010",
        "lastModified": "2022-06-08T19:14:09.453",
        "vulnStatus": "Analyzed",
        ...
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:dell:powerscale_onefs:9.0.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "30687628-5C7F-4BB5-B990-93703294FDF0"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:dell:powerscale_onefs:9.1.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "68291D44-DBE1-4923-A848-04E64288DC23"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:dell:powerscale_onefs:9.1.1:*:*:*:*:*:*:*",
                    "matchCriteriaId": "DCC55FA4-AD91-4DA6-B60E-A4E34DDAE95A"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:dell:powerscale_onefs:9.2.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "B948CD53-3D17-4230-9B77-FCE8E0E548B9"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:dell:powerscale_onefs:9.2.1:*:*:*:*:*:*:*",
                    "matchCriteriaId": "5AB99A1A-8DD3-4DDE-B70C-0E91D1D3B682"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:dell:powerscale_onefs:9.3.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "61F14753-D64C-4E8B-AA94-07E014848B4D"
                  }
                ]
              }
            ]
          }
        ],
        ...
      }
    }
  ]
}
```
There is only one `nodes` object. The operator for the entire node is `OR`. Therefore each `cpeMatch` object in it is considered with the `OR` statement.
Basic configurations only consider individual products (and not combinations), so all CPEs are `"vulnerable": true` (meaning the product itself is always vulnerable).
In this case, the 6 configuration variations that lead to matches are (note, the third, fourth, and fifth nodes are omitted in the snippet above);
- Dell PowerScale OneFS version 9.0.0 (`"matchCriteriaId": "30687628-5C7F-4BB5-B990-93703294FDF0"`) OR
- Dell PowerScale OneFS version 9.1.0 (`"matchCriteriaId": "68291D44-DBE1-4923-A848-04E64288DC23"`) OR
- Dell PowerScale OneFS version 9.1.1 (`"matchCriteriaId": "DCC55FA4-AD91-4DA6-B60E-A4E34DDAE95A"`) OR
- Dell PowerScale OneFS version 9.2.0 (`"matchCriteriaId": "B948CD53-3D17-4230-9B77-FCE8E0E548B9"`) OR
- Dell PowerScale OneFS version 9.2.1 (`"matchCriteriaId": "5AB99A1A-8DD3-4DDE-B70C-0E91D1D3B682"`) OR
- Dell PowerScale OneFS version 9.3.0 (`"matchCriteriaId": "61F14753-D64C-4E8B-AA94-07E014848B4D"`)
In this example, each `matchCriteriaId` returns the same CPE URI as shown in the CVE, e.g.

```
GET https://services.nvd.nist.gov/rest/json/cpematch/2.0/?matchCriteriaId=30687628-5C7F-4BB5-B990-93703294FDF0
```

```json
"matches": [
  {
    "cpeName": "cpe:2.3:a:dell:powerscale_onefs:9.0.0:*:*:*:*:*:*:*",
    "cpeNameId": "2B8F2852-98F4-44E1-BBF2-6597C2481DB1"
  }
]
```

However, keep in mind as I move on that this is not always the case (more CPEs might be returned for a `matchCriteriaId`).
2. Running On/With
This type of configuration is defined using a combination of products that have a relationship (Running On/With) that makes at least one of these products vulnerable.
In this type, `nodes` can now contain both vulnerable and non-vulnerable products.
To explain this I will use CVE-2022-27948 as an example: https://nvd.nist.gov/vuln/detail/CVE-2022-27948
Querying via the API;

```
GET https://services.nvd.nist.gov/rest/json/cves/2.0/?cveId=CVE-2022-27948
```

Here is what the API returns (note 3 nodes have been cut for brevity, shown using `...`);
```json
{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2023-01-10T07:37:08.677",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2022-27948",
        "sourceIdentifier": "[email protected]",
        "published": "2022-03-27T13:15:13.573",
        "lastModified": "2022-04-06T03:39:12.913",
        "vulnStatus": "Analyzed",
        ...
        "configurations": [
          {
            "operator": "AND",
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:tesla:model_3_firmware:*:*:*:*:*:*:*:*",
                    "versionEndIncluding": "2022-03-26",
                    "matchCriteriaId": "86619D7A-ACB6-489C-9C29-37C6018E5B4B"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:tesla:model_s_firmware:*:*:*:*:*:*:*:*",
                    "versionEndIncluding": "2022-03-26",
                    "matchCriteriaId": "FD68704D-C711-491F-B278-B02C6866738C"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:tesla:model_x_firmware:*:*:*:*:*:*:*:*",
                    "versionEndIncluding": "2022-03-26",
                    "matchCriteriaId": "C3517683-8493-4D0D-9792-5C9034B1F0B3"
                  }
                ]
              },
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": false,
                    "criteria": "cpe:2.3:h:tesla:model_3:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "825A79FD-C872-4564-9782-83BEEADDF5D9"
                  },
                  {
                    "vulnerable": false,
                    "criteria": "cpe:2.3:h:tesla:model_s:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "8D28E699-B843-4641-9BA6-406D88231E7C"
                  },
                  {
                    "vulnerable": false,
                    "criteria": "cpe:2.3:h:tesla:model_x:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "C550FF8A-58ED-4265-B33F-10AFDEA95519"
                  }
                ]
              }
            ]
          }
        ],
        ...
      }
    }
  ]
}
```
Note that in this response, the object containing the top-level `nodes` has an `operator` property (in the previous response, this was only at the `cpeMatch` level).

```json
"operator": "AND",
"nodes": [
```

This allows for more complex Running On/With combinations, where each `cpeMatch` within a node can be considered using this additional operator.
The top-level operator in this example is `AND`. In total there are two `cpeMatch`es in this `nodes` array. Each `cpeMatch` itself has an `OR` operator, and each of these `cpeMatch`es has three CPE URIs within it. The first contains only Tesla operating system (`o`) CPEs. The second contains only Tesla hardware (`h`) CPEs.
Logically, it is saying any entry from the first `cpeMatch` `AND` any entry from the second `cpeMatch` nested in the `nodes` will create a match.
It's also important to point out here that each `matchCriteriaId` returns more versions of the product. For example,
```json
{
  "vulnerable": true,
  "criteria": "cpe:2.3:o:tesla:model_3_firmware:*:*:*:*:*:*:*:*",
  "versionEndIncluding": "2022-03-26",
  "matchCriteriaId": "86619D7A-ACB6-489C-9C29-37C6018E5B4B"
},
```

```
GET https://services.nvd.nist.gov/rest/json/cpematch/2.0/?matchCriteriaId=86619D7A-ACB6-489C-9C29-37C6018E5B4B
```

```json
"matches": [
  {
    "cpeName": "cpe:2.3:o:tesla:model_3_firmware:-:*:*:*:*:*:*:*",
    "cpeNameId": "979F9EB6-C9F6-49EE-9FED-2ED17E400E86"
  },
  {
    "cpeName": "cpe:2.3:o:tesla:model_3_firmware:11.0:*:*:*:*:*:*:*",
    "cpeNameId": "62DCA7AD-A796-486F-8FB6-DEACC078D402"
  },
  {
    "cpeName": "cpe:2.3:o:tesla:model_3_firmware:2022-03-26:*:*:*:*:*:*:*",
    "cpeNameId": "F010C8B7-83E9-45FB-A5D4-26EDF34EC312"
  }
]
```
Here I can see this CPE URI in the node actually covers 3 CPE URIs.
Looking at all six `matchCriteriaId`s;

- `86619D7A-ACB6-489C-9C29-37C6018E5B4B`: 3 CPE URIs (shown above)
- `FD68704D-C711-491F-B278-B02C6866738C`: 2 CPE URIs
- `C3517683-8493-4D0D-9792-5C9034B1F0B3`: 3 CPE URIs
- `825A79FD-C872-4564-9782-83BEEADDF5D9`: 1 CPE URI
- `8D28E699-B843-4641-9BA6-406D88231E7C`: 1 CPE URI
- `C550FF8A-58ED-4265-B33F-10AFDEA95519`: 1 CPE URI
In this example you also need to consider the value of the `vulnerable` property. You'll see that in the first node this is `true` for all entries. In the second, they're all `false`.
This is essentially describing the combinations of products, and which of them are actually affected by a vulnerability when running in this way.
It's easier to explain this by writing it all out, as there are a lot of combinations in this CVE.
- Tesla Model 3 Firmware (`86619D7A-ACB6-489C-9C29-37C6018E5B4B`, 3 CPEs) and Tesla Model 3 Hardware (`825A79FD-C872-4564-9782-83BEEADDF5D9`, 1 CPE) (ONLY FIRMWARE VULNERABLE) OR
- Tesla Model 3 Firmware (`86619D7A-ACB6-489C-9C29-37C6018E5B4B`, 3 CPEs) and Tesla Model S Hardware (`8D28E699-B843-4641-9BA6-406D88231E7C`, 1 CPE) (ONLY FIRMWARE VULNERABLE) OR
- Tesla Model 3 Firmware (`86619D7A-ACB6-489C-9C29-37C6018E5B4B`, 3 CPEs) and Tesla Model X Hardware (`C550FF8A-58ED-4265-B33F-10AFDEA95519`, 1 CPE) (ONLY FIRMWARE VULNERABLE) OR
- Tesla Model S Firmware (`FD68704D-C711-491F-B278-B02C6866738C`, 2 CPEs) and Tesla Model 3 Hardware (`825A79FD-C872-4564-9782-83BEEADDF5D9`, 1 CPE) (ONLY FIRMWARE VULNERABLE) OR
- Tesla Model S Firmware (`FD68704D-C711-491F-B278-B02C6866738C`, 2 CPEs) and Tesla Model S Hardware (`8D28E699-B843-4641-9BA6-406D88231E7C`, 1 CPE) (ONLY FIRMWARE VULNERABLE) OR
- Tesla Model S Firmware (`FD68704D-C711-491F-B278-B02C6866738C`, 2 CPEs) and Tesla Model X Hardware (`C550FF8A-58ED-4265-B33F-10AFDEA95519`, 1 CPE) (ONLY FIRMWARE VULNERABLE) OR
- Tesla Model X Firmware (`C3517683-8493-4D0D-9792-5C9034B1F0B3`, 3 CPEs) and Tesla Model 3 Hardware (`825A79FD-C872-4564-9782-83BEEADDF5D9`, 1 CPE) (ONLY FIRMWARE VULNERABLE) OR
- Tesla Model X Firmware (`C3517683-8493-4D0D-9792-5C9034B1F0B3`, 3 CPEs) and Tesla Model S Hardware (`8D28E699-B843-4641-9BA6-406D88231E7C`, 1 CPE) (ONLY FIRMWARE VULNERABLE) OR
- Tesla Model X Firmware (`C3517683-8493-4D0D-9792-5C9034B1F0B3`, 3 CPEs) and Tesla Model X Hardware (`C550FF8A-58ED-4265-B33F-10AFDEA95519`, 1 CPE) (ONLY FIRMWARE VULNERABLE)

In total there are 24 possible product combinations that are vulnerable in this CVE (`((3*1)+(3*1)+(3*1))+((2*1)+(2*1)+(2*1))+((3*1)+(3*1)+(3*1))`).
Note, this is not the most perfectly written `nodes` `cpeMatch`, though it is good to understand that not all CPE matches in a CVE will be as concise as they could be. In the real world, a Tesla Model 3 will always, as far as I'm aware, only be running Model 3 firmware. Therefore the matches pairing Model 3 hardware with Model X firmware, etc., are redundant.
3. Advanced
The operators and structure in the previous configuration types are no different in advanced configurations. It is the number of `nodes` returned in the response that allows them to become more advanced.
To illustrate this, I will use CVE-2019-18939: https://nvd.nist.gov/vuln/detail/CVE-2019-18939
Querying via the API;

```
GET https://services.nvd.nist.gov/rest/json/cves/2.0/?cveId=CVE-2019-18939
```

Here is what the API returns (note 3 nodes have been cut for brevity, shown using `...`);
```json
{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2023-01-10T08:23:24.183",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2019-18939",
        "sourceIdentifier": "[email protected]",
        "published": "2019-11-14T19:15:13.410",
        "lastModified": "2021-07-21T11:39:23.747",
        "vulnStatus": "Analyzed",
        ...
        "configurations": [
          {
            "nodes": [
              {
                "operator": "AND",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2a:*:*:*:*:*:*:*",
                    "matchCriteriaId": "286DA904-5631-4AAF-86DE-97C23982D2C5"
                  },
                  {
                    "vulnerable": false,
                    "criteria": "cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.20:*:*:*:*:*:*:*",
                    "matchCriteriaId": "38BE17DA-7C5E-427E-B824-151EB27CFF26"
                  }
                ]
              }
            ]
          },
          {
            "nodes": [
              {
                "operator": "AND",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2:*:*:*:*:*:*:*",
                    "matchCriteriaId": "F5D8290F-3541-4452-99CB-0766CDC59073"
                  },
                  {
                    "vulnerable": false,
                    "criteria": "cpe:2.3:h:eq-3:homematic_ccu3:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "33113AD0-F378-49B2-BCFC-C57B52FD3A04"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.47.18:*:*:*:*:*:*:*",
                    "matchCriteriaId": "285F4E29-E299-4F83-9F7E-BB19933AD654"
                  }
                ]
              }
            ]
          },
          {
            "nodes": [
              {
                "operator": "AND",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2a:*:*:*:*:*:*:*",
                    "matchCriteriaId": "286DA904-5631-4AAF-86DE-97C23982D2C5"
                  },
                  {
                    "vulnerable": false,
                    "criteria": "cpe:2.3:h:eq-3:homematic_ccu3:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "33113AD0-F378-49B2-BCFC-C57B52FD3A04"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.47.18:*:*:*:*:*:*:*",
                    "matchCriteriaId": "285F4E29-E299-4F83-9F7E-BB19933AD654"
                  }
                ]
              }
            ]
          },
          {
            "nodes": [
              {
                "operator": "AND",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2:*:*:*:*:*:*:*",
                    "matchCriteriaId": "F5D8290F-3541-4452-99CB-0766CDC59073"
                  },
                  {
                    "vulnerable": false,
                    "criteria": "cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.20:*:*:*:*:*:*:*",
                    "matchCriteriaId": "38BE17DA-7C5E-427E-B824-151EB27CFF26"
                  }
                ]
              }
            ]
          }
        ],
        ...
      }
    }
  ]
}
```
The key difference here is that there are now multiple `nodes` objects (four `nodes` in this example). In the two previous examples, there was one `nodes`, with multiple `cpeMatch`es nested.
As such, combinations of CPEs can be written in more ways (though they're not necessarily more "advanced").
The response above has four separate `nodes`. Each is considered in isolation.
Each element inside a `cpeMatch` node is considered with an `AND` statement, as defined in its `operator` field value.
Looking at the CPEs inside each `matchCriteriaId` returns a single CPE URI:
- Node 1
  - `286DA904-5631-4AAF-86DE-97C23982D2C5`: 1 CPE
  - `9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC`: 1 CPE
  - `38BE17DA-7C5E-427E-B824-151EB27CFF26`: 1 CPE
- Node 2
  - `F5D8290F-3541-4452-99CB-0766CDC59073`: 1 CPE
  - `33113AD0-F378-49B2-BCFC-C57B52FD3A04`: 1 CPE
  - `285F4E29-E299-4F83-9F7E-BB19933AD654`: 1 CPE
- Node 3
  - `286DA904-5631-4AAF-86DE-97C23982D2C5`: 1 CPE
  - `33113AD0-F378-49B2-BCFC-C57B52FD3A04`: 1 CPE
  - `285F4E29-E299-4F83-9F7E-BB19933AD654`: 1 CPE
- Node 4
  - `F5D8290F-3541-4452-99CB-0766CDC59073`: 1 CPE
  - `9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC`: 1 CPE
  - `38BE17DA-7C5E-427E-B824-151EB27CFF26`: 1 CPE
Note, the same CPEs appear in multiple nodes, hence there are only six unique `matchCriteriaId`s above.
With this information, I know there are exactly 4 CPE combinations that lead to a match (one for each `nodes`);
- eQ-3 Homematic CCU2 (hardware) (version unspecified, `-`) AND EQ-3 HomeMatic CCU2 version 2.47.20 (firmware) AND HM Print Project HM Print version 1.2a (application) (FIRMWARE AND APPLICATION VULNERABLE), OR
- eQ-3 Homematic CCU3 (hardware) (version unspecified, `-`) AND EQ-3 HomeMatic CCU3 version 3.47.18 (firmware) AND HM Print Project HM Print version 1.2 (application) (FIRMWARE AND APPLICATION VULNERABLE), OR
- eQ-3 Homematic CCU3 (hardware) (version unspecified, `-`) AND EQ-3 HomeMatic CCU3 version 3.47.18 (firmware) AND HM Print Project HM Print version 1.2a (application) (FIRMWARE AND APPLICATION VULNERABLE), OR
- eQ-3 Homematic CCU2 (hardware) (version unspecified, `-`) AND EQ-3 HomeMatic CCU2 version 2.47.20 (firmware) AND HM Print Project HM Print version 1.2 (application) (FIRMWARE AND APPLICATION VULNERABLE)
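To tie the Running On/With and Advanced sections together, here is an added Python example (not code from the post or from cve2stix) that evaluates a `configurations` array the way the text describes: `OR`/`AND` over the entries of a node, the optional configuration-level `operator` across nodes, the `negate` flag, and the `vulnerable` property. It is built around a constructed copy of the CVE-2022-27948 nodes shown above; the `matchCriteriaId` lookup table stands in for CPE Match API responses and uses the counts from the post (3, 2, 3, 1, 1, 1), with the Model S and Model X firmware CPE names being constructed stand-ins.

```python
"""Evaluate an NVD 2.0 'configurations' array against an inventory of CPE names.
Added example, not code from the post or from cve2stix."""
from math import prod

def make_entry(vulnerable, criteria, match_criteria_id):
    return {"vulnerable": vulnerable, "criteria": criteria, "matchCriteriaId": match_criteria_id}

def make_node(operator, entries, negate=False):
    return {"operator": operator, "negate": negate, "cpeMatch": entries}

# Constructed copy of the CVE-2022-27948 configuration shown above: a top-level
# AND over two OR nodes (vulnerable firmware, non-vulnerable hardware).
TESLA_CONFIGS = [{
    "operator": "AND",
    "nodes": [
        make_node("OR", [
            make_entry(True, "cpe:2.3:o:tesla:model_3_firmware:*:*:*:*:*:*:*:*",
                       "86619D7A-ACB6-489C-9C29-37C6018E5B4B"),
            make_entry(True, "cpe:2.3:o:tesla:model_s_firmware:*:*:*:*:*:*:*:*",
                       "FD68704D-C711-491F-B278-B02C6866738C"),
            make_entry(True, "cpe:2.3:o:tesla:model_x_firmware:*:*:*:*:*:*:*:*",
                       "C3517683-8493-4D0D-9792-5C9034B1F0B3"),
        ]),
        make_node("OR", [
            make_entry(False, "cpe:2.3:h:tesla:model_3:-:*:*:*:*:*:*:*",
                       "825A79FD-C872-4564-9782-83BEEADDF5D9"),
            make_entry(False, "cpe:2.3:h:tesla:model_s:-:*:*:*:*:*:*:*",
                       "8D28E699-B843-4641-9BA6-406D88231E7C"),
            make_entry(False, "cpe:2.3:h:tesla:model_x:-:*:*:*:*:*:*:*",
                       "C550FF8A-58ED-4265-B33F-10AFDEA95519"),
        ]),
    ],
}]

# matchCriteriaId -> CPE names, standing in for CPE Match API responses. The
# counts (3, 2, 3, 1, 1, 1) and the model_3_firmware names are from the post;
# the model_s / model_x firmware names are constructed stand-ins.
TESLA_MATCHES = {
    "86619D7A-ACB6-489C-9C29-37C6018E5B4B": [
        "cpe:2.3:o:tesla:model_3_firmware:-:*:*:*:*:*:*:*",
        "cpe:2.3:o:tesla:model_3_firmware:11.0:*:*:*:*:*:*:*",
        "cpe:2.3:o:tesla:model_3_firmware:2022-03-26:*:*:*:*:*:*:*"],
    "FD68704D-C711-491F-B278-B02C6866738C": [
        "cpe:2.3:o:tesla:model_s_firmware:-:*:*:*:*:*:*:*",
        "cpe:2.3:o:tesla:model_s_firmware:2022-03-26:*:*:*:*:*:*:*"],
    "C3517683-8493-4D0D-9792-5C9034B1F0B3": [
        "cpe:2.3:o:tesla:model_x_firmware:-:*:*:*:*:*:*:*",
        "cpe:2.3:o:tesla:model_x_firmware:11.0:*:*:*:*:*:*:*",
        "cpe:2.3:o:tesla:model_x_firmware:2022-03-26:*:*:*:*:*:*:*"],
    "825A79FD-C872-4564-9782-83BEEADDF5D9": ["cpe:2.3:h:tesla:model_3:-:*:*:*:*:*:*:*"],
    "8D28E699-B843-4641-9BA6-406D88231E7C": ["cpe:2.3:h:tesla:model_s:-:*:*:*:*:*:*:*"],
    "C550FF8A-58ED-4265-B33F-10AFDEA95519": ["cpe:2.3:h:tesla:model_x:-:*:*:*:*:*:*:*"],
}

def entry_present(entry, inventory, matches):
    """A cpeMatch entry is satisfied when any CPE listed for its matchCriteriaId is in the inventory."""
    return any(n in inventory for n in matches.get(entry["matchCriteriaId"], []))

def node_matches(node, inventory, matches):
    """OR/AND over the node's entries, then the optional negate flag."""
    hits = [entry_present(e, inventory, matches) for e in node["cpeMatch"]]
    result = all(hits) if node["operator"] == "AND" else any(hits)
    return (not result) if node.get("negate") else result

def config_matches(config, inventory, matches):
    """A configuration-level operator only appears when several nodes are combined
    (Running On/With); a lone node (Basic, Advanced) stands on its own."""
    hits = [node_matches(n, inventory, matches) for n in config["nodes"]]
    return all(hits) if config.get("operator") == "AND" else any(hits)

def is_affected(configurations, inventory, matches):
    """The CVE applies when any configuration in the array is satisfied."""
    return any(config_matches(c, inventory, matches) for c in configurations)

def vulnerable_products(configurations, inventory, matches):
    """Inventory CPEs inside a satisfied configuration whose entry is
    "vulnerable": true (the firmware, never the hardware, in the Tesla case)."""
    hit = set()
    for config in configurations:
        if not config_matches(config, inventory, matches):
            continue
        for node in config["nodes"]:
            for entry in node["cpeMatch"]:
                if entry["vulnerable"]:
                    hit.update(n for n in matches.get(entry["matchCriteriaId"], []) if n in inventory)
    return hit

def count_combinations(configurations, matches):
    """Concrete CPE combinations described: OR sums alternatives, AND multiplies
    them (within a node and across nodes), and separate configurations add."""
    total = 0
    for config in configurations:
        per_node = []
        for node in config["nodes"]:
            if node.get("negate"):
                raise ValueError("a negated node has no finite combination count")
            counts = [len(matches.get(e["matchCriteriaId"], [])) for e in node["cpeMatch"]]
            per_node.append(prod(counts) if node["operator"] == "AND" else sum(counts))
        total += prod(per_node) if config.get("operator") == "AND" else sum(per_node)
    return total

if __name__ == "__main__":
    print(count_combinations(TESLA_CONFIGS, TESLA_MATCHES), "vulnerable combinations")
```

`count_combinations` applies the rule the text worked through by hand: alternatives inside an `OR` node add, an `AND` (across entries or across nodes) multiplies, and separate configurations add, which gives 24 for CVE-2022-27948 and 4 for the four single-node `AND` configurations of CVE-2019-18939 (one CPE per `matchCriteriaId`). `vulnerable_products` is what separates the hardware, which is part of the match but never flagged, from the firmware that is actually affected.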
In summary
The examples covered above are most representative of the way match criteria are written in CVEs.
Of course, there is room for `nodes` structured in other ways, but the nested structure and operators remain the same: there can be one or more `nodes` with one or more `cpeMatch`es.
Next time: Turning CVEs and CPEs into STIX 2.1 Object
Now that I have demonstrated how to obtain CVE and CPE data, the logic of CPE configurations, and how to match user-selected products to CVEs, all this data needs to be stored.
cve2stix is based on the STIX 2.1 specification. In the next post I will show how to model CVE and CPE data shown in this post as rich STIX 2.1 Objects (including how to turn CPE matches shown in today’s post into STIX Patterns).