Incoming feed - NVD - Vulnerability Intelligence Feed
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.
Specifications |
Transport types | NVD - Vulnerability Intelligence Feed |
Content type | NVD JSON |
Endpoint(s) | https://services.nvd.nist.gov/rest/json/cves/1.0 |
Processed data | See Data mapping. |
Overview
The NVD (National Vulnerability Database) Vulnerability Intelligence Feed retrieves CVEs (Common Vulnerabilities and Exposures) from the NVD CVE API.
NVD timeout errors
The feed may sometimes fail with this error message:
"NVD CVE API service temporarily unavailable. Please try again in 20 minutes."
This means that the platform cannot contact the NVD CVE API service, and must wait for the service to become available again.
When this happens:
Wait for the service to become available again.
Manually run the feed.
The feed will start retrieving records published since the last time packages were successfully downloaded from the API service.
Configure the incoming feed
Create or edit an incoming feed.
Under Transport and content, fill out these fields:
Required fields are marked with an asterisk (*).
Field | Description |
Transport type* | Select NVD - Vulnerability Intelligence Feed from the drop-down menu. |
Content type* | Select NVD JSON from the drop-down menu. |
API URL* | Set to https://services.nvd.nist.gov/rest/json/cves/1.0 by default. |
SSL verification | Selected by default. Select this option to enable SSL for this feed. |
Path to SSL certificate file. | Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source. For more information, see SSL certificates. |
Store your changes by selecting Save.
SSL certificates
To use an SSL certificate with the platform, it must be:
Accessible on the EclecticIQ Platform host.
Placed in a location that can be accessed by the eclecticiq user.
Owned by eclecticiq:eclecticiq.
To make sure that the platform can access the SSL certificate:
Upload the SSL certificate to a location on the platform host.
On the platform host, open the terminal.
Change ownership of the SSL certificate by running as root in the terminal:
chown eclecticiq:eclecticiq /path/to/cert.pem
Where /path/to/cert.pem is the location of the SSL certificate the platform needs to access.
Data mapping
Overview
The NVD - Vulnerability Intelligence Feed ingests CVEs from the NVD CVE API as Exploit target entities.
Relationships:
Exploit target -> Observables
Map CVE to exploit target
Exploit target field name | Mapped from feed source | Example value | Description |
Title | .CVE_Items[].cve.CVE_data_meta.ID | CVE-2020-29592 | CVE ID of the vulnerability. |
Analysis | | An issue was discovered in Orchard before 1.10. A broken access control issue in Orchard components that use the TinyMCE HTML editor’s file upload allows an attacker to upload dangerous executables that bypass the file types allowed (regardless of the file types allowed list in Media settings). References: - https://burninatorsec.blogspot.com/2021/[…] - https://github.com/OrchardCMS/[…] CVSS Version 3.x: Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector: NETWORK Attack Complexty: LOW Privileges Required: NONE User Interaction: NONE Scope: UNCHANGED Confidentiality Impact: HIGH Integrity Impact: HIGH Availability Impact: HIGH Base Severity: CRITICAL Base Score: 9.8 CVSS Version 2.0 Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P Authentication: NONE Confidentiality Impact: PARTIAL Integrity Impact: PARTIAL Availability Impact: PARTIAL Base Score: 7.5 Metrics V2: Severity: HIGH Exploitability Score: 10.0 Impact Score: 6.4 | Where available for the CVE, the description field of the entity contains the following information ingested from the NVD: For more information on ingested CVSS scores, see CVSS Score. |
Characteristics | | | See Characteristics. |
Tags | | | Individual CVSS 3.x and 2.0 vectors are added to the entity as tags. For more information on ingested CVSS scores, see CVSS Score. |
Estimated time | | Various | See Map timestamps. |
Information source | | Various | See Information source. |
Characteristics
Weakness
The Weakness section maps to the WeaknessType object in the STIX 1.2 Exploit Target schema.
Weaknesses describe vulnerabilities in software as per the MITRE CWE (Common Weakness Enumeration Specification) and CAPEC (Common Attack Pattern Enumeration and Classification) frameworks.
Field name | Mapped from NVD JSON | Description |
CWE-ID | .CVE_Items[].cve.problemtype.problemtype_data[].description[].value | The CWE ID of the weakness. Example: CWE-434 |
Vulnerability
The Vulnerability entity characteristic maps to the STIX 1.2 VulnerabilityType.
Characteristics - Vulnerability
Field name | Mapped from NVD JSON | Description |
Title | .CVE_Items[].cve.CVE_data_meta.ID | CVE ID of the vulnerability. |
Is known | N/A | Selected by default. All published CVEs are treated as ‘known’. |
Is publicly acknowledged. | N/A | Not selected by default. |
Description | .CVE_Items[].cve.description.description_data[] | Description of the vulnerability. |
Published date/time | .CVE_Items[].publishedDate | Date CVE was published on the NVD. |
CVE-ID | .CVE_Items[].cve.CVE_data_meta.ID | CVE ID of the vulnerability. |
CVSS Score | Various | See CVSS Score table. |
Affected software | Various | See Affected software table. |
References | References to advisories, solutions, and tools provided in the original CVE report on NVD. |
CVSS Score
The CVSS Score section in entity characteristics maps to the CVSSVectorType object in STIX 1.2, and only supports CVSS 2.0.
The NVD publishes both CVSS 3.x and CVSS 2.0 scores for each vulnerability. However, the Vulnerability characteristic only supports CVSS 2.0 properties, as per the STIX 1.2 specification.
To accommodate CVSS 3.x data, this extension ingests CVSS 3.x information and places it in the Analysis and Tags sections of the entity. For more information, see Map CVE to exploit target.
CVSS Score
Field name | Mapped from NVD JSON | Description |
Overall score | .CVE_Items[].impact.baseMetricV2.cvssV2.baseScore | CVSS 2.0 base score for the CVE. |
Affected software
The Affected Software section maps to the AffectedSoftwareType object in the STIX 1.2 Exploit Target schema, and includes fields that are compatible with the CPE (Common Platform Enumeration) specification.
The following table describes the Affected software section of a Vulnerability characteristic in the entity builder.
Affected software
Field name | Mapped from NVD JSON | Description |
Product | .CVE_Items[].configurations.nodes[].cpe_match | orchard |
Vendor | .CVE_Items[].configurations.nodes[].cpe_match | orchardproject |
Map timestamps
The following table describes how NVD JSON timestamps are mapped to Indicator and Incident timestamps on the platform.
Indicator estimated time field | NVD JSON field |
Estimated threat start time | .CVE_Items[].publishedDate |
Estimated observed time | .CVE_Items[].publishedDate |
Ingested | Date and time ingested. |
Information source
The Producer (in Indicators) or Information Source (in Incidents or TTPs) section contains information about the entity author.
Field name | Mapped from NVD JSON | Example value | Description |
Identity | N/A | NVD | Name of organization or person that created the information. |
References | .CVE_Items[].cve.references.reference_data[] | Sources of information for the CVE as published by NVD. |
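The mapping tables on this page, applied to one record. This is an added example, not EclecticIQ's code: the record is constructed from the page's example values (the date and reference URL are placeholders), the function name `map_cve_item` is hypothetical, and the `cpe23Uri`, `value` and `url` keys are assumed from the NVD JSON schema rather than shown on the page.

```python
import json
import re

# Constructed sample record (page's example values; date and URL are placeholders).
SAMPLE = json.loads("""
{"CVE_Items": [{
  "cve": {
    "CVE_data_meta": {"ID": "CVE-2020-29592"},
    "problemtype": {"problemtype_data": [{"description": [{"value": "CWE-434"}]}]},
    "description": {"description_data": [
      {"lang": "en", "value": "An issue was discovered in Orchard before 1.10."}]},
    "references": {"reference_data": [{"url": "https://example.invalid/advisory"}]}
  },
  "configurations": {"nodes": [{"cpe_match": [
    {"cpe23Uri": "cpe:2.3:a:orchardproject:orchard:*:*:*:*:*:*:*:*"}]}]},
  "impact": {"baseMetricV2": {"cvssV2": {
    "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5}}},
  "publishedDate": "2021-01-01T00:00Z"
}]}
""")


def map_cve_item(item):
    """Flatten one CVE_Items[] element along the paths in the mapping tables."""
    cve = item["cve"]
    software = set()
    for node in item.get("configurations", {}).get("nodes", []):
        for match in node.get("cpe_match", []):
            # CPE 2.3: cpe:2.3:<part>:<vendor>:<product>:...; skip escaped "\:".
            parts = re.split(r"(?<!\\):", match.get("cpe23Uri", ""))
            if len(parts) > 4:
                software.add((parts[3], parts[4]))
    # A record without a CVSS 2.0 block yields None instead of raising.
    cvss2 = item.get("impact", {}).get("baseMetricV2", {}).get("cvssV2", {})
    return {
        "title": cve["CVE_data_meta"]["ID"],
        "cwe_ids": [d["value"] for p in cve["problemtype"]["problemtype_data"]
                    for d in p["description"]],
        "description": " ".join(d["value"] for d in
                                cve["description"]["description_data"]),
        "published": item["publishedDate"],
        "cvss2_score": cvss2.get("baseScore"),
        "affected": sorted(software),  # (vendor, product) pairs
        "references": [r["url"] for r in cve["references"]["reference_data"]],
    }


if __name__ == "__main__":
    print(json.dumps(map_cve_item(SAMPLE["CVE_Items"][0]), indent=2))
```

Comparing this output with the entity the platform creates for the same CVE is a quick way to confirm a feed run populated every mapped field.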