Incoming feed - NVD - Vulnerability Intelligence Feed

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

Specifications

Transport types: NVD - Vulnerability Intelligence Feed

Content type: NVD JSON

Endpoint(s): https://services.nvd.nist.gov/rest/json/cves/2.0

Processed data: See Data mapping.

Overview

The NVD (National Vulnerability Database) Vulnerability Intelligence Feed retrieves CVEs (Common Vulnerabilities and Exposures) from the NVD CVE API 2.0.

NVD API 1.0 removed

NVD retired API 1.0 on 15 December 2023. This extension now uses API 2.0.

NVD API key

Enter your API key when configuring this extension to raise the API rate limit. Without a key, NVD throttles requests much more aggressively (at the time of writing, 5 requests per rolling 30-second window without a key versus 50 with one), so a key is strongly recommended for any feed that runs on a schedule.

For more information on NVD’s rate limits, see https://nvd.nist.gov/developers/start-here

Request an API key from NVD here: https://nvd.nist.gov/developers/request-an-api-key

NVD timeout errors

The feed may sometimes fail with this error message:

"NVD CVE API service temporarily unavailable. Please try again in 20 minutes."

This means that the platform cannot contact the NVD CVE API service (for example, the request timed out or the service returned an error), and must wait for the service to become available again. A failed run does not advance the feed's last-success point.

When this happens:

  1. Wait for the service to become available again.

  2. Manually run the feed.

    The feed resumes from its last successful run: it retrieves the records published since the last time packages were successfully downloaded from the API service, so no CVEs are skipped.
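The resume-from-checkpoint behaviour described in the steps above, written out as an added example (this is not EclecticIQ Intelligence Center's or NVD's code). The endpoint, the apiKey header and the query parameters (lastModStartDate, lastModEndDate, startIndex, resultsPerPage) are the documented NVD 2.0 ones; the NvdClient and run_feed names, the retry policy, the rate-limit constants and the fake server are this example's own assumptions. The transport is injectable so the logic runs offline against constructed data.

```python
"""Incremental NVD CVE API 2.0 client: checkpoint, paging, throttling, retry.

Added example; not code from EclecticIQ Intelligence Center or from NVD.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

API_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"
# Published NVD limits at the time of writing (requests per rolling 30 s
# window): 5 without a key, 50 with one. Check the NVD start-here page.
RATE_LIMITS = {False: (5, 30.0), True: (50, 30.0)}
MAX_WINDOW = timedelta(days=120)   # NVD rejects wider lastModStartDate/EndDate ranges


class NvdUnavailable(Exception):
    """NVD kept failing; rerun the feed later. The checkpoint is not advanced."""


def _iso(dt: datetime) -> str:
    """NVD 2.0 date parameters: ISO-8601 with milliseconds, no UTC offset."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000")


def http_get(url: str, headers: Dict[str, str]) -> dict:
    """Real transport; raises urllib.error.HTTPError on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read())


class NvdClient:
    def __init__(self, api_key: Optional[str] = None,
                 fetch: Callable[[str, Dict[str, str]], dict] = http_get,
                 sleep: Callable[[float], None] = time.sleep,
                 page_size: int = 2000, max_retries: int = 3):
        self.api_key, self.fetch, self.sleep = api_key, fetch, sleep
        self.page_size, self.max_retries = page_size, max_retries  # 2000 = NVD maximum
        self.max_calls, self.window = RATE_LIMITS[api_key is not None]
        self._last = float("-inf")

    def _throttle(self) -> None:
        """Space requests evenly so a burst never exceeds the rolling window."""
        gap = self.window / self.max_calls
        elapsed = time.monotonic() - self._last
        if elapsed < gap:
            self.sleep(gap - elapsed)
        self._last = time.monotonic()

    def _get(self, params: dict) -> dict:
        url = API_URL + "?" + urllib.parse.urlencode(params)
        headers = {"apiKey": self.api_key} if self.api_key else {}
        for attempt in range(1, self.max_retries + 1):
            self._throttle()
            try:
                return self.fetch(url, headers)
            except urllib.error.HTTPError as exc:
                # 429/503 mean NVD is throttling or down: back off a full window.
                if exc.code not in (429, 503) or attempt == self.max_retries:
                    raise NvdUnavailable(f"NVD returned HTTP {exc.code}") from exc
                self.sleep(self.window)
        raise NvdUnavailable("retries exhausted")  # only reached if max_retries < 1

    def fetch_since(self, checkpoint: datetime, until: datetime) -> List[dict]:
        """All CVEs modified in [checkpoint, until], following startIndex paging."""
        if until - checkpoint > MAX_WINDOW:
            raise ValueError("NVD limits a date range to 120 days; split the window")
        params = {"lastModStartDate": _iso(checkpoint), "lastModEndDate": _iso(until),
                  "resultsPerPage": self.page_size, "startIndex": 0}
        cves: List[dict] = []
        while True:
            page = self._get(params)
            cves.extend(v["cve"] for v in page.get("vulnerabilities", []))
            got = page["resultsPerPage"]          # actual number of items in this page
            params["startIndex"] += got
            if got == 0 or params["startIndex"] >= page["totalResults"]:
                return cves


def run_feed(client: NvdClient, state: dict, now_iso: str) -> List[dict]:
    """One feed run. state["last_success"] is advanced only after the whole
    window downloaded, so a failed run is retried from the same point later."""
    cves = client.fetch_since(datetime.fromisoformat(state["last_success"]),
                              datetime.fromisoformat(now_iso))
    state["last_success"] = now_iso
    return cves


# ---- constructed fake NVD server so the example runs offline ----
SAMPLE_VULNS = [{"cve": {"id": f"CVE-0000-{n:04d}"}} for n in range(1, 6)]  # placeholder IDs


def make_fake_server(fail_first: int = 0) -> Callable[[str, Dict[str, str]], dict]:
    """A fetch() that answers 503 `fail_first` times, then pages SAMPLE_VULNS."""
    calls = {"n": 0}

    def fetch(url: str, headers: Dict[str, str]) -> dict:
        calls["n"] += 1
        if calls["n"] <= fail_first:
            raise urllib.error.HTTPError(url, 503, "Service Unavailable", {}, None)
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        start, size = int(q["startIndex"][0]), int(q["resultsPerPage"][0])
        chunk = SAMPLE_VULNS[start:start + size]
        return {"resultsPerPage": len(chunk), "startIndex": start,
                "totalResults": len(SAMPLE_VULNS), "vulnerabilities": chunk}
    return fetch


if __name__ == "__main__":
    state = {"last_success": "2024-01-01T00:00:00"}
    client = NvdClient(api_key="example-key", fetch=make_fake_server(fail_first=1),
                       sleep=lambda s: None, page_size=2)
    print(len(run_feed(client, state, "2024-01-10T00:00:00")), "CVEs; checkpoint", state)
```

The point of the design is the order of operations in run_feed: the checkpoint is written only after every page of the window has been fetched, which is what makes a manual rerun after an outage pick up exactly the records the failed run missed. To use it against the live API, drop the fetch= and sleep= arguments and pass your real key.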

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Transport type*
      Select NVD - Vulnerability Intelligence Feed from the drop-down menu.

    Content type*
      Select NVD JSON from the drop-down menu.

    API URL*
      Set to https://services.nvd.nist.gov/rest/json/cves/2.0 by default.

    API Key
      Enter your NVD API key. See NVD API key.

    SSL verification
      Selected by default. When selected, the platform verifies the TLS certificate presented by the feed source. Keep it selected: without verification, anyone who can intercept the connection can feed forged CVE data into the platform.

    Path to SSL certificate file
      Used when connecting to a feed source whose certificate is issued by a custom CA. Set this to the path of the CA certificate (PEM) the platform should trust when verifying the feed source. For the public NVD endpoint this is normally only needed when an outbound proxy re-signs TLS traffic. For more information, see SSL certificates.

  3. Store your changes by selecting Save.

SSL certificates

To use an SSL certificate, it must be:

  • Accessible on the EclecticIQ Intelligence Center host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that EclecticIQ Intelligence Center can access the SSL certificate:

  1. Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.

  2. On the EclecticIQ Intelligence Center host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem
    

    Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.

x_nvd custom field

This extension creates Exploit Target entities with a data.x_nvd custom field that lets you query these Exploit Targets on additional fields (CVSS 3.x metrics and per-CPE affected-software details) that the standard Vulnerability characteristic does not expose.

Example queries

  • Search for Exploit Targets that represent vulnerabilities whose affected software contains either:

    Note

    You must query version numbers and number values with regular expression queries. For more information, see "Numbers" cannot be used with comparison operators for search.

    • a CPE name with a version section matching 20.xy, or

    • a CPE with a version range whose start (versionStartIncluding or versionStartExcluding) and end (versionEndIncluding or versionEndExcluding) both match a version 20.xy.

    (
    data.x_nvd.cpeMatches.version_criteria_match: /20\.[0-9]{2}/ OR (
    (data.x_nvd.cpeMatches.versionStartIncluding: /20\.[0-9]{2}/ OR data.x_nvd.cpeMatches.versionStartExcluding: /20\.[0-9]{2}/) AND
    (data.x_nvd.cpeMatches.versionEndIncluding: /20\.[0-9]{2}/ OR data.x_nvd.cpeMatches.versionEndExcluding: /20\.[0-9]{2}/)
    )
    )

    The field names must match the x_nvd schema exactly: the version range fields are camelCase (versionStartExcluding, versionEndExcluding); only version_criteria_match uses underscores.

  • Search for Exploit Targets that represent vulnerabilities with:

    • a CVSS 3.1 base score of 7.0 or higher, or

    • a CVSS 3.0 base score of 7.0 or higher

    data.x_nvd.cvssMetricV31.cvssData.baseScore: /[7-9]\.[0-9]{2}/ OR data.x_nvd.cvssMetricV30.cvssData.baseScore: /[7-9]\.[0-9]{2}/

    Note that [7-9] does not match a base score of 10.0; add an alternative such as /10\.0+/ to each side if you need it.
    

x_nvd fields

data.x_nvd contains the following fields. These fields can be searched in EclecticIQ Intelligence Center. The schema is shown as Python dataclasses; CPEMatchItem is defined first because NVD_CUSTOM_FIELD refers to it.

import dataclasses
from typing import List, Optional

@dataclasses.dataclass
class CPEMatchItem:
    """A cpeMatch entry in the NVD CVE API response.

    vendor, product and version_criteria_match are derived from the CPE
    name; the four version* fields are copied from the cpeMatch object and
    are only present when NVD expresses the affected versions as a range.
    """
    vendor: str
    product: str
    version_criteria_match: str
    versionEndIncluding: Optional[str] = None
    versionEndExcluding: Optional[str] = None
    versionStartIncluding: Optional[str] = None
    versionStartExcluding: Optional[str] = None

@dataclasses.dataclass
class NVD_CUSTOM_FIELD:
    """x_nvd schema.

    cvssMetricV30 and cvssMetricV31 hold the NVD metric objects as
    published (so cvssData.baseScore and the other cvssData fields are
    searchable); cpeMatches holds one item per cpeMatch in the CVE's
    configurations.
    """
    cvssMetricV30: List[dict] = dataclasses.field(default_factory=list)
    cvssMetricV31: List[dict] = dataclasses.field(default_factory=list)
    cpeMatches: List[CPEMatchItem] = dataclasses.field(default_factory=list)

Known issues with querying x_nvd field

Only displays 1 affected software in Vulnerability characteristic

Exploit Target entities only display one Affected Software property per Vulnerability characteristic, while the API response contains multiple affected software objects.

This only affects the UI. All affected software objects are ingested and retained as part of the resulting Exploit Target entity, and remain searchable through data.x_nvd.cpeMatches.

Queries match more Exploit Target entities than expected

Search queries always match the entire Exploit Target entity, not an individual cpeMatches item. This means that a query like

data.x_nvd.cpeMatches.vendor: "canonical" AND data.x_nvd.cpeMatches.version_criteria_match: /20\.[0-9]{2}.*/

returns an Exploit Target entity as a match as long as one of its cpeMatches items has vendor canonical and some (possibly different) cpeMatches item has a version matching 20.xy.

To get a narrower set of results, make the regular expressions more specific, or exclude terms with the minus operator (-keyword).

For more information on search query syntax, see Search | Query Syntax.
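As an added example covering both the x_nvd fields section and the over-matching issue above (this is not the extension's own code): it builds the documented x_nvd structure from a CVE record in the NVD API 2.0 vulnerabilities[].cve layout, and then evaluates the canonical/20.xy query twice, once the way the platform does (each clause may be satisfied by a different cpeMatches item) and once per item. SAMPLE_CVE is a constructed record, not real NVD data; the helper names (split_cpe23, build_x_nvd, entity_matches, item_matches) are this example's own, and regex matching uses fullmatch to mirror the anchored regex matching of the platform's search engine.

```python
"""Build data.x_nvd from an NVD API 2.0 CVE record and show why an
entity-level query over-matches while a per-item check does not.

Added example; not the extension's own code. Field names follow the x_nvd
schema documented on this page.
"""
import dataclasses
import re
from typing import List, Optional


@dataclasses.dataclass
class CPEMatchItem:
    vendor: str
    product: str
    version_criteria_match: str
    versionEndIncluding: Optional[str] = None
    versionEndExcluding: Optional[str] = None
    versionStartIncluding: Optional[str] = None
    versionStartExcluding: Optional[str] = None


@dataclasses.dataclass
class NVD_CUSTOM_FIELD:
    cvssMetricV30: List[dict] = dataclasses.field(default_factory=list)
    cvssMetricV31: List[dict] = dataclasses.field(default_factory=list)
    cpeMatches: List[CPEMatchItem] = dataclasses.field(default_factory=list)


def split_cpe23(criteria: str) -> List[str]:
    """Split a CPE 2.3 formatted string on unescaped colons into its 13 parts:
    cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
    """
    parts = re.split(r"(?<!\\):", criteria)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {criteria!r}")
    return parts


def to_cpe_match(m: dict) -> CPEMatchItem:
    """One NVD cpeMatch object -> one x_nvd cpeMatches item."""
    parts = split_cpe23(m["criteria"])
    return CPEMatchItem(vendor=parts[3], product=parts[4], version_criteria_match=parts[5],
                        versionEndIncluding=m.get("versionEndIncluding"),
                        versionEndExcluding=m.get("versionEndExcluding"),
                        versionStartIncluding=m.get("versionStartIncluding"),
                        versionStartExcluding=m.get("versionStartExcluding"))


def build_x_nvd(cve: dict) -> NVD_CUSTOM_FIELD:
    """Copy the CVSS 3.x metric objects as published and flatten every cpeMatch.
    NVD's per-match `vulnerable` flag is not part of the documented x_nvd
    schema, so it is not carried over (assumption of this example)."""
    metrics = cve.get("metrics", {})
    x = NVD_CUSTOM_FIELD(cvssMetricV30=list(metrics.get("cvssMetricV30", [])),
                         cvssMetricV31=list(metrics.get("cvssMetricV31", [])))
    for conf in cve.get("configurations", []):
        for node in conf.get("nodes", []):
            x.cpeMatches.extend(to_cpe_match(m) for m in node.get("cpeMatch", []))
    return x


def entity_matches(x: NVD_CUSTOM_FIELD, vendor: str, version_re: str) -> bool:
    """Platform behaviour: each clause may be satisfied by a different item."""
    rx = re.compile(version_re)
    return (any(c.vendor == vendor for c in x.cpeMatches)
            and any(rx.fullmatch(c.version_criteria_match) for c in x.cpeMatches))


def item_matches(x: NVD_CUSTOM_FIELD, vendor: str, version_re: str) -> List[CPEMatchItem]:
    """The narrower question: which single items satisfy both clauses."""
    rx = re.compile(version_re)
    return [c for c in x.cpeMatches
            if c.vendor == vendor and rx.fullmatch(c.version_criteria_match)]


SAMPLE_CVE = {  # constructed record in NVD API 2.0 layout; not real NVD data
    "id": "CVE-0000-0001",
    "metrics": {"cvssMetricV31": [{"cvssData": {"version": "3.1", "baseScore": 9.8,
                                                 "attackVector": "NETWORK"}}]},
    "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"},
        {"vulnerable": True, "criteria": "cpe:2.3:a:example:agent:20.04:*:*:*:*:*:*:*"},
        {"vulnerable": True, "criteria": "cpe:2.3:a:example:agent:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "20.01", "versionEndExcluding": "20.12"},
    ]}]}],
}

if __name__ == "__main__":
    x = build_x_nvd(SAMPLE_CVE)
    q = r"20\.[0-9]{2}.*"
    print("entity-level match for canonical + 20.xy:", entity_matches(x, "canonical", q))
    print("items that really are canonical 20.xy:", item_matches(x, "canonical", q))
```

With the sample record, entity_matches returns True (canonical comes from the Ubuntu 18.04 item, 20.04 from an unrelated product) while item_matches returns nothing, which is exactly the over-match the known issue describes; if you need per-item precision, post-filter search results this way rather than relying on the query alone.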

Data mapping

Overview

The NVD - Vulnerability Intelligence Feed ingests CVEs from the NVD CVE API as Exploit Target entities.

The field paths in the tables below are written in the layout of the legacy NVD API 1.0 JSON (.CVE_Items[]...). API 2.0 returns the same data under .vulnerabilities[].cve; for example, .vulnerabilities[].cve.id instead of .CVE_Items[].cve.CVE_data_meta.ID, .vulnerabilities[].cve.metrics.cvssMetricV31[] instead of .CVE_Items[].impact.baseMetricV3, and .vulnerabilities[].cve.configurations[].nodes[].cpeMatch[] instead of .CVE_Items[].configurations.nodes[].cpe_match[].

Relationships:

  • Exploit target -> Observables

Map CVE to exploit target

Title
  Mapped from feed source: .CVE_Items[].cve.CVE_data_meta.ID
  Example value: CVE-2020-29592
  Description: CVE ID of the vulnerability.

Analysis
  Mapped from feed source:
    • .CVE_Items[].cve.description.description_data[]
    • .CVE_Items[].cve.references.reference_data[]
    • .CVE_Items[].impact.baseMetricV3
    • .CVE_Items[].impact.baseMetricV2
  Example value:

    An issue was discovered in Orchard before 1.10. A broken access control issue in Orchard components that use the TinyMCE HTML editor's file upload allows an attacker to upload dangerous executables that bypass the file types allowed (regardless of the file types allowed list in Media settings).

    References:

    - https://burninatorsec.blogspot.com/2021/[…]

    - https://github.com/OrchardCMS/[…]

    CVSS Version 3.x: Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector: NETWORK Attack Complexity: LOW Privileges Required: NONE User Interaction: NONE Scope: UNCHANGED Confidentiality Impact: HIGH Integrity Impact: HIGH Availability Impact: HIGH Base Severity: CRITICAL Base Score: 9.8

    CVSS Version 2.0 Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P Authentication: NONE Confidentiality Impact: PARTIAL Integrity Impact: PARTIAL Availability Impact: PARTIAL Base Score: 7.5

    Metrics V2:

    Severity: HIGH Exploitability Score: 10.0 Impact Score: 6.4

  Description: Where available for the CVE, the description field of the entity contains the following information ingested from the NVD:
    • The description of the vulnerability as published on the NVD
    • References to external resources published by NVD
    • CVSS 3.x scores
    • CVSS 2.0 scores
  For more information on ingested CVSS scores, see CVSS Score.

Characteristics
  See Characteristics.

Tags
  Mapped from feed source:
    • .CVE_Items[].impact.baseMetricV3
    • .CVE_Items[].impact.baseMetricV2
  Example value:
    • CVSS v3 - Attack Vector - NETWORK
    • CVSS v3 - Attack Complexity - LOW
    • CVSS v3 - Privileges Required - NONE
    • CVSS v3 - User Interaction - NONE
    • CVSS v3 - Scope - UNCHANGED
    • CVSS v3 - Confidentiality Impact - HIGH
    • CVSS v3 - Integrity Impact - HIGH
    • CVSS v3 - Availability Impact - HIGH
    • CVSS v3 - Base Severity - CRITICAL
    • […]
  Description: Individual CVSS 3.x and 2.0 vector components are added to the entity as tags, one tag per metric. For more information on ingested CVSS scores, see CVSS Score.

Estimated time
  Mapped from feed source: Various
  Example value: Various
  Description: See Map timestamps.

Information source
  Mapped from feed source: Various
  Example value: Various
  Description: See Information source.

Characteristics

Weakness

Tip

The Weakness section maps to the WeaknessType object in the STIX 1.2 Exploit Target schema.

Weaknesses describe the type of flaw behind a vulnerability, as classified by MITRE CWE (Common Weakness Enumeration); CAPEC (Common Attack Pattern Enumeration and Classification) catalogues the attack patterns that exploit such weaknesses.

CWE-ID
  Mapped from NVD JSON: .CVE_Items[].cve.problemtype.problemtype_data[].description[].value
  Description: The CWE ID of the weakness. Example: CWE-434

Vulnerability

Tip

The Vulnerability entity characteristic maps to the STIX 1.2 VulnerabilityType.

Characteristics - Vulnerability

Title
  Mapped from NVD JSON: .CVE_Items[].cve.CVE_data_meta.ID
  Description: CVE ID of the vulnerability.

Is known
  Mapped from NVD JSON: N/A
  Description: Selected by default. All published CVEs are treated as 'known'.

Is publicly acknowledged
  Mapped from NVD JSON: N/A
  Description: Not selected by default.

Description
  Mapped from NVD JSON: .CVE_Items[].cve.description.description_data[]
  Description: Description of the vulnerability.

Published date/time
  Mapped from NVD JSON: .CVE_Items[].publishedDate
  Description: Date the CVE was published on the NVD.

CVE-ID
  Mapped from NVD JSON: .CVE_Items[].cve.CVE_data_meta.ID
  Description: CVE ID of the vulnerability.

CVSS Score
  Mapped from NVD JSON: Various
  Description: See CVSS Score table.

Affected software
  Mapped from NVD JSON: Various
  Description: See Affected software table.

References
  Mapped from NVD JSON: .CVE_Items[].cve.references.reference_data[]
  Example value:
    • https://burninatorsec.blogspot.com/2021/[…]
    • https://github.com/OrchardCMS/[…]
  Description: References to advisories, solutions, and tools provided in the original CVE report on NVD.

CVSS Score

Tip

The CVSS Score section in entity characteristics maps to the CVSSVectorType object in STIX 1.2, which only supports CVSS 2.0.

The NVD publishes CVSS 3.x scores, and for older CVEs also CVSS 2.0 scores. However, the Vulnerability characteristic only supports CVSS 2.0 properties, as per the STIX 1.2 specification.

To accommodate CVSS 3.x data, this extension ingests CVSS 3.x information and places it in the Analysis and Tags sections of the entity. For more information, see Map CVE to exploit target.

CVSS Score

Overall score
  Mapped from NVD JSON: .CVE_Items[].impact.baseMetricV2.cvssV2.baseScore
  Description: CVSS 2.0 base score for the CVE. This is empty for CVEs that NVD has not scored with CVSS 2.0 (NVD stopped assigning CVSS 2.0 scores to new CVEs in July 2022); for those, filter on the data.x_nvd.cvssMetricV31 fields or on the CVSS v3 tags instead.
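Because CVSS 3.x survives only in the Analysis text and the Tags (see the Tags row above and the tip in this section), the tags are what severity-based searches on newer CVEs depend on. The following added example (not the extension's code) parses a CVSS 3.0/3.1 vector string into the "CVSS v3 - <metric> - <VALUE>" tags shown on this page and cross-checks them against the discrete metric fields NVD publishes alongside the vector. The V3_METRICS table, the function names and SAMPLE_V31 (constructed in the NVD API 2.0 cvssMetricV31 cvssData layout) are this example's own.

```python
"""CVSS 3.x vector string -> per-metric tags, with a consistency check
against the NVD metric JSON. Added example; not the extension's code."""
from typing import Dict, List

# CVSS 3.x base metrics: abbreviation -> (tag name, {code: NVD value string}).
V3_METRICS: Dict[str, tuple] = {
    "AV": ("Attack Vector", {"N": "NETWORK", "A": "ADJACENT_NETWORK", "L": "LOCAL", "P": "PHYSICAL"}),
    "AC": ("Attack Complexity", {"L": "LOW", "H": "HIGH"}),
    "PR": ("Privileges Required", {"N": "NONE", "L": "LOW", "H": "HIGH"}),
    "UI": ("User Interaction", {"N": "NONE", "R": "REQUIRED"}),
    "S":  ("Scope", {"U": "UNCHANGED", "C": "CHANGED"}),
    "C":  ("Confidentiality Impact", {"N": "NONE", "L": "LOW", "H": "HIGH"}),
    "I":  ("Integrity Impact", {"N": "NONE", "L": "LOW", "H": "HIGH"}),
    "A":  ("Availability Impact", {"N": "NONE", "L": "LOW", "H": "HIGH"}),
}
# cvssData field that carries each metric as a discrete value in NVD JSON.
V3_JSON_KEYS = {"AV": "attackVector", "AC": "attackComplexity", "PR": "privilegesRequired",
                "UI": "userInteraction", "S": "scope", "C": "confidentialityImpact",
                "I": "integrityImpact", "A": "availabilityImpact"}


def parse_v3_vector(vector: str) -> Dict[str, str]:
    """Parse 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'NETWORK', ...}.
    Rejects unknown prefixes, values and incomplete base vectors rather than
    guessing, so a malformed record cannot produce misleading tags."""
    head, *pairs = vector.split("/")
    if head not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError(f"unsupported CVSS prefix: {head!r}")
    out: Dict[str, str] = {}
    for pair in pairs:
        key, _, code = pair.partition(":")
        if key not in V3_METRICS:
            continue                       # temporal/environmental metrics are not tagged
        _, values = V3_METRICS[key]
        if code not in values:
            raise ValueError(f"bad value {code!r} for metric {key}")
        out[key] = values[code]
    missing = [k for k in V3_METRICS if k not in out]
    if missing:
        raise ValueError(f"vector lacks base metrics: {missing}")
    return out


def v3_tags(cvss_data: dict) -> List[str]:
    """Tags in the page's 'CVSS v3 - Attack Vector - NETWORK' form, plus severity."""
    parsed = parse_v3_vector(cvss_data["vectorString"])
    tags = [f"CVSS v3 - {V3_METRICS[k][0]} - {v}" for k, v in parsed.items()]
    tags.append(f"CVSS v3 - Base Severity - {cvss_data['baseSeverity']}")
    return tags


def vector_disagrees_with_json(cvss_data: dict) -> List[str]:
    """Metric names where the vector string and the discrete JSON fields differ.
    An inconsistency points at a malformed record worth quarantining
    before its tags are trusted for triage."""
    parsed = parse_v3_vector(cvss_data["vectorString"])
    return [V3_METRICS[k][0] for k, jkey in V3_JSON_KEYS.items()
            if cvss_data.get(jkey) != parsed[k]]


SAMPLE_V31 = {  # constructed; mirrors the example values shown on this page
    "version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE",
    "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH",
    "integrityImpact": "HIGH", "availabilityImpact": "HIGH",
}

if __name__ == "__main__":
    for tag in v3_tags(SAMPLE_V31):
        print(tag)
    print("disagreements:", vector_disagrees_with_json(SAMPLE_V31))
```

Feed the cvssData object from data.x_nvd.cvssMetricV31 (or cvssMetricV30) into v3_tags to reproduce the tags the platform attaches; vector_disagrees_with_json returns an empty list for a well-formed record.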

Affected software

Tip

The Affected Software section maps to the AffectedSoftwareType object in the STIX 1.2 Exploit Target schema, and includes fields that are compatible with the CPE (Common Platform Enumeration) specification.

The following table describes the Affected software section of a Vulnerability characteristic in the entity builder.

Affected software

Product
  Mapped from NVD JSON: .CVE_Items[].configurations.nodes[].cpe_match[] (product segment of the CPE name)
  Example value: orchard

Vendor
  Mapped from NVD JSON: .CVE_Items[].configurations.nodes[].cpe_match[] (vendor segment of the CPE name)
  Example value: orchardproject

Map timestamps

The following table describes how NVD JSON timestamps are mapped to the estimated time fields of the Exploit Target entity on the platform.

Estimated threat start time
  Mapped from NVD JSON: .CVE_Items[].publishedDate

Estimated observed time
  Mapped from NVD JSON: .CVE_Items[].publishedDate

Ingested
  Date and time the entity was ingested by the platform.

Information source

The Information Source section of the Exploit Target contains information about the entity author.

Identity
  Mapped from NVD JSON: N/A
  Example value: NVD
  Description: Name of the organization or person that created the information.

References
  Mapped from NVD JSON: .CVE_Items[].cve.references.reference_data[]
  Example value:
    • https://burninatorsec.blogspot.com/2021/[…]
    • https://github.com/OrchardCMS/[…]
  Description: Sources of information for the CVE as published by NVD.