Threat intelligence often contains references to the vulnerabilities that threat actors are targeting. When those vulnerabilities have been formally disclosed and identified (i.e., are not 0-day or unknown vulnerabilities) they are almost always identified via a Common Vulnerabilities and Exposures (CVE®) identifier. This idiom describes how to use the STIX Exploit Target element to represent a disclosed vulnerability via its CVE ID.
In this scenario, we’ll describe CVE-2013-3893 using the STIX exploit target element.
The relevant STIX component, Exploit Target, is used to represent potential targets of cyber threat activity. This idiom describes using the exploit target to represent a disclosed vulnerability via its CVE identifier. The advantage of doing this is easier correlation with the large set of existing tools and data sources that already work with CVE.
As you can see, this is a very simple idiom to represent. The Title field simply gives the exploit target a human-readable title. Similarly, Description and Short Description could be used to give it longer human-readable descriptions if desired.
The Vulnerability field is used to represent the vulnerability itself. This field is implemented via VulnerabilityType, which can be used to identify vulnerabilities via a CVE ID (as here), OSVDB ID, or even use Common Vulnerability Reporting Framework (CVRF) to characterize an undisclosed vulnerability.
Representing the CVE ID is as easy as filling out the CVE ID field with a properly formatted CVE identifier.

    <stixCommon:Exploit_Target xsi:type="et:ExploitTargetType" id="example:et-48a276f7-a8d7-bba2-3575-e8a63fcd488" timestamp="2014-02-20T09:00:00.000000Z">
        <et:Title>Javascript vulnerability in MSIE 6-11</et:Title>
        <et:Vulnerability>
            <et:CVE_ID>CVE-2013-3893</et:CVE_ID>
            <et:References>
                <stixCommon:Reference>https://technet.microsoft.com/library/security/2887505</stixCommon:Reference>
            </et:References>
        </et:Vulnerability>
    </stixCommon:Exploit_Target>

    from stix.core import STIXPackage
    from stix.exploit_target import ExploitTarget, Vulnerability

    # Describe the vulnerability by its CVE ID and a vendor reference
    vuln = Vulnerability()
    vuln.cve_id = "CVE-2013-3893"
    vuln.add_reference("https://technet.microsoft.com/library/security/2887505")

    # Wrap the vulnerability in an exploit target with a human-readable title
    et = ExploitTarget(title="Javascript vulnerability in MSIE 6-11")
    et.add_vulnerability(vuln)

    print(et.to_xml(encoding=None))

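    import sys
    from stix.core import STIXPackage

    # Parse the STIX package from the file given on the command line
    pkg = STIXPackage.from_xml(sys.argv[1])

    print("== VULNERABILITY ==")
    for target in pkg.exploit_targets:
        print("---")
        print("Title : " + target.title)
        for vuln in target.vulnerabilities:
            print("CVE: " + vuln.cve_id)
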
Full XML | Python Producer | Python Consumer
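The correlation benefit described above, as an added example that is not part of the original idiom or of python-stix: it pulls CVE IDs out of STIX 1.x Exploit Targets using only the standard library, separates IDs that are not properly formatted, and matches the rest against scanner findings. The sample package, its second exploit target, and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted feeds, prefer defusedxml

# STIX 1.x namespace URIs used by the Exploit Target component
NS = {
    "stixCommon": "http://stix.mitre.org/common-1",
    "et": "http://stix.mitre.org/ExploitTarget-1",
}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")  # CVE-<year>-<four or more digits>

# Constructed sample: the page's exploit target plus one with a malformed ID.
SAMPLE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:et="http://stix.mitre.org/ExploitTarget-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Exploit_Targets>
    <stixCommon:Exploit_Target xsi:type="et:ExploitTargetType">
      <et:Title>Javascript vulnerability in MSIE 6-11</et:Title>
      <et:Vulnerability><et:CVE_ID>CVE-2013-3893</et:CVE_ID></et:Vulnerability>
    </stixCommon:Exploit_Target>
    <stixCommon:Exploit_Target xsi:type="et:ExploitTargetType">
      <et:Title>Malformed entry</et:Title>
      <et:Vulnerability><et:CVE_ID>cve 2013-3893</et:CVE_ID></et:Vulnerability>
    </stixCommon:Exploit_Target>
  </stix:Exploit_Targets>
</stix:STIX_Package>"""

def extract_cves(xml_text):
    """Return (valid, malformed) lists of (title, cve_id) from Exploit Targets."""
    valid, malformed = [], []
    root = ET.fromstring(xml_text)
    for target in root.iter("{%s}Exploit_Target" % NS["stixCommon"]):
        title = target.findtext("et:Title", default="", namespaces=NS)
        for node in target.iterfind("et:Vulnerability/et:CVE_ID", NS):
            cve = (node.text or "").strip()
            (valid if CVE_RE.fullmatch(cve) else malformed).append((title, cve))
    return valid, malformed

def correlate(valid, scanner_findings):
    """Map each host to the intel titles whose CVE the scanner saw on it."""
    by_cve = {}
    for title, cve in valid:
        by_cve.setdefault(cve, []).append(title)
    return {host: sorted(t for c in cves for t in by_cve.get(c, []))
            for host, cves in scanner_findings.items()
            if any(c in by_cve for c in cves)}
```

Malformed IDs are returned separately rather than dropped, so a producer-side formatting error shows up as a data-quality finding instead of a silent correlation miss.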
See the full documentation for the relevant types for further information that may be provided: