Use Cases for the NVD-CVE Fetcher-APP (Splunk AddOn) [2024]

Discover how your team can make the best use of the NVD-CVE Fetcher-APP for Splunk.

System vulnerabilities change day by day, so it is critically important that your security operators can act not only reactively but also proactively against potential threats.

Numerous tools and integrations can help your organization stay on top of such threats.

As such, we're happy to announce the latest addition to the Splunk ecosystem: the NVD-CVE Fetcher App. It's currently LIVE on Splunkbase and FREE!

The NVD-CVE Fetcher App 1.0.0 is a Splunk AddOn that helps your organization keep your IT infrastructure secure and updated for known CVEs (Common Vulnerabilities and Exposures).

In the following post, we’ll detail this add-on and how your team can make the best use of it.

What is the Fetcher App?

The NVD-CVE Fetcher App v1.0.0 is a Splunk AddOn that helps you keep your IT infrastructure secure and updated against known CVEs (Common Vulnerabilities and Exposures). As the name suggests, it fetches CVEs from the NVD (National Vulnerability Database) portal.

Splunk users can then search the fetched CVE information and correlate it with the inventory of their existing IT infrastructure that is synchronized with their Splunk instance.

How the Fetcher App functions

To function, the app performs the following steps:

  1. The Splunk admin installs the NVD-CVE Fetcher App. This can be done from Splunkbase.
  2. Once the app is installed, users configure it to fetch the vulnerabilities on a specified cadence.
  3. The data is then fetched in the form of raw JSON text.
  4. The app tags these JSON events so that they are categorized as Vulnerabilities using the CIM (Common Information Model): it normalizes the CVE JSON data to the Vulnerability Datamodel.
  5. This in turn allows CIM-aware searches and apps to treat the fetched data as vulnerability detection data.

Who can use the NVD-CVE Fetcher App?

Several roles can benefit from this tool:

  • If you are a Security Admin who wants a ticket created whenever a vulnerability is detected in your IT/IoT/OT assets, the NVD-CVE Fetcher app can supply the vulnerability data that drives that workflow.
  • If you are a Security Auditor who wants to check the number of vulnerable devices in your network, the NVD-CVE Fetcher app can help detect vulnerabilities in your infrastructure too.

Note: As the AddOn keeps the Splunk instance updated with a list of vulnerabilities, you can always search for vulnerable items in your network by comparing on model number, OS, applications, versions, and other details.

The Architecture of the NVD CVE Fetcher App

Use Cases:

The NVD-CVE Fetcher is a Splunk add-on and is typically used in conjunction with other Splunk add-ons or apps. The following is one of the many use cases where the NVD-CVE Fetcher app can be very useful.

Sample Scenario:

You have a Splunk instance that manages most of the critical operations of your business. You would like an alert whenever a vulnerability affecting your Splunk instance is identified.

The following are some vulnerabilities detected in the past for Splunk:

  1. CVE-2023-40595: In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code.
  2. CVE-2023-40594: In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can use the `printf` SPL function to perform a denial of service (DoS) against the Splunk Enterprise instance.

As a Security Admin, you ideally want to raise a ticket to patch the vulnerabilities as soon as possible, but doing so is not always possible.

Sample Solution:

The Splunk admin installs the NVD-CVE Fetcher App in their Splunk instance and configures the app to fetch the latest vulnerabilities daily.

Your team then leverages the information fetched by the NVD-CVE Fetcher App to create an alert definition that triggers whenever a vulnerability matching your Splunk version is published.

The alert actions can be configured to your needs, such as sending an email to the admin or creating an ITSM ticket so that the vulnerable Splunk instance is remediated.
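As an added example (not code from the app, from Splunk, or from the NVD), the following Python script walks through the two pieces of logic the post describes: normalizing fetched NVD JSON into CIM Vulnerability-style fields (steps 3 to 5 in "How the Fetcher App functions") and then checking an asset inventory against the affected version ranges, which is the condition the alert in the sample solution keys on. The NVD API 2.0 key names and the CIM field names are written from memory and should be treated as assumptions; the two records and the asset inventory are constructed, the affected version ranges are taken from the CVE descriptions quoted above, and the CVSS scores are placeholders rather than the real NVD values.

```python
import json

# Constructed sample in the NVD API 2.0 response layout (key names are an
# assumption; this is not an actual NVD download). The version ranges come from
# the CVE text in the post ("lower than 8.2.12, 9.0.6, and 9.1.1"); the CVSS
# scores are placeholders, not the real NVD values.
def _splunk_branches():
    return [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*",
         "versionStartIncluding": start, "versionEndExcluding": end}
        for start, end in (("8.2.0", "8.2.12"), ("9.0.0", "9.0.6"), ("9.1.0", "9.1.1"))
    ]

def _record(cve_id, text, score, severity):
    return {"cve": {
        "id": cve_id,
        "descriptions": [{"lang": "en", "value": text}],
        "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": score, "baseSeverity": severity}}]},
        "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": _splunk_branches()}]}],
    }}

NVD_SAMPLE = json.dumps({"vulnerabilities": [
    _record("CVE-2023-40595", "Specially crafted query serializes untrusted data; arbitrary code execution.", 8.8, "HIGH"),
    _record("CVE-2023-40594", "printf SPL function can be used for denial of service.", 6.5, "MEDIUM"),
]})

def parse_version(text):
    """'9.0.5' -> (9, 0, 5). Malformed strings raise rather than silently matching nothing."""
    return tuple(int(piece) for piece in text.split("."))

def version_in_range(version, match):
    """Apply NVD's four optional range bounds (and an exact CPE version, if given) to one asset version."""
    v = parse_version(version)
    bounds = (("versionStartIncluding", lambda b: v >= b),
              ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding", lambda b: v <= b),
              ("versionEndExcluding", lambda b: v < b))
    for key, ok in bounds:
        if key in match and not ok(parse_version(match[key])):
            return False
    cpe_version = match["criteria"].split(":")[5]
    if cpe_version != "*" and not any(k in match for k, _ in bounds):
        return parse_version(cpe_version) == v   # exact-version CPE, no range given
    return True

def normalize(nvd_json):
    """Map NVD records to CIM Vulnerabilities field names (cve, cvss, severity, signature,
    category; assumed from memory) and keep the vulnerable cpeMatch entries for matching."""
    events = []
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        cvss = cve.get("metrics", {}).get("cvssMetricV31", [{}])[0].get("cvssData", {})
        desc = next((d["value"] for d in cve.get("descriptions", []) if d["lang"] == "en"), "")
        affected = []
        for cfg in cve.get("configurations", []):
            for node in cfg.get("nodes", []):
                if node.get("negate"):
                    continue  # negated nodes describe non-vulnerable sets; out of scope here
                affected.extend(m for m in node.get("cpeMatch", []) if m.get("vulnerable"))
        events.append({
            "cve": cve["id"],
            "cvss": cvss.get("baseScore"),
            "severity": cvss.get("baseSeverity", "unknown").lower(),
            "signature": desc,
            "category": "software",
            "affected": affected,
        })
    return events

def vendor_product(criteria):
    """'cpe:2.3:a:splunk:splunk:...' -> 'splunk:splunk' (vendor and product fields of a CPE 2.3 name)."""
    parts = criteria.split(":")
    return f"{parts[3]}:{parts[4]}"

def affected_cves(events, asset):
    """CVE ids whose affected set covers this asset: the condition the alert fires on."""
    hits = []
    for ev in events:
        for m in ev["affected"]:
            if vendor_product(m["criteria"]) == asset["vendor_product"] and version_in_range(asset["version"], m):
                hits.append(ev["cve"])
                break
    return hits

ASSETS = [  # constructed inventory, standing in for a lookup of your own Splunk instances
    {"dest": "splunk-prod-01", "vendor_product": "splunk:splunk", "version": "9.0.5"},
    {"dest": "splunk-prod-02", "vendor_product": "splunk:splunk", "version": "9.0.6"},
    {"dest": "splunk-dev-01", "vendor_product": "splunk:splunk", "version": "8.2.3"},
    {"dest": "splunk-dev-02", "vendor_product": "splunk:splunk", "version": "9.1.1"},
]

def alert_report(nvd_json=NVD_SAMPLE, assets=ASSETS):
    """One entry per asset: the list of CVEs that would trigger the alert for it."""
    events = normalize(nvd_json)
    return {a["dest"]: affected_cves(events, a) for a in assets}

if __name__ == "__main__":
    for dest, cves in alert_report().items():
        print(f"{dest}: {'ALERT ' + ', '.join(cves) if cves else 'not affected'}")
```

In a real deployment the matching step is an SPL search that joins the ingested CIM vulnerability events with an asset lookup and feeds the result to the alert action; the script only isolates that comparison so the boundary behaviour is visible (9.0.6 and 9.1.1 are the first fixed versions and do not match, 9.0.5 and 8.2.3 do).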

Conclusion

The NVD-CVE Fetcher App can protect your IT/IoT/OT infrastructure from becoming vulnerable by informing you and your team about the latest vulnerabilities.

Proactive action against these vulnerabilities spares your team from having to chase and resolve them after the fact, saving time and money in the process. In other words, the NVD-CVE Fetcher App gives your organization the knowledge it needs to close the vulnerabilities your systems may have.

The app is available for download over at SplunkBase.

Considering building an integration with Splunk or another product in the Splunk ecosystem? Metron is a Splunk Technical Alliance partner and has experience building scalable integrations with Splunk products.

If you are considering any custom cybersecurity solution that focuses on the resources and needs of your organization, please send a note to connect@metronlabs.com.