OpenVas plugin creation date is before corresponding CVE publishing date

I am making a case for OpenVas 10, and one of the metrics I am interested is the average amount of days a given CVE takes to have a corresponding plugin on Openvas.

For the CVE publishing date, I used nvd feed (https://nvd.nist.gov/vuln/data-feeds#).

For Openvas10 plugin date, I used the get_nvts (https://docs.greenbone.net/API/OMP/omp.html#command_get_nvts) command to fetch the data about a given CVE plugin.

During my data processing, I found some interesting entries, like this:

CVE-2017-3106
openvas_creation: 2017-08-09T05:12:00Z publishing_time: 2017-08-11T19:29Z

Which basically told me that the plugin that deals with this CVE was made BEFORE (2-3 days) the publishing date for that CVE (https://nvd.nist.gov/vuln/detail/CVE-2017-3106):

<?xml version="1.0" encoding="UTF-8"?>

<get_nvts_response status=“200” status_text=“OK”>

Adobe Flash Player Security Updates( apsb17-23 )-Windows
<creation_time>2017-08-09T05:11:50Z</creation_time>
<modification_time>2019-07-17T11:14:11Z</modification_time>
3
General
<cvss_base>9.3</cvss_base>

97
registry

<cve_id>CVE-2017-3085, CVE-2017-3106</cve_id>
<bugtraq_id>NOBID</bugtraq_id>
<cert_refs>
<cert_ref type=“CERT-Bund” id=“CB-K17/1334” />
<cert_ref type=“DFN-CERT” id=“DFN-CERT-2017-1391” />
</cert_refs>
URL:https://helpx.adobe.com/security/products/flash-player/apsb17-23.html
cvss_base_vector=AV:N/AC:M/Au:N/C:C/I:C/A:C|summary=This host is installed with Adobe Flash Player
and is prone to multiple vulnerabilities.|vuldetect=Checks if a vulnerable version is present on the target host.|insight=The multiple flaws exists due to,

  • A security bypass vulnerability.

  • A type confusion.|impact=Successful exploitation of this
    vulnerability will allow remote attackers to execute remote code and can get
    sensitive information.|affected=Adobe Flash Player version before
    26.0.0.151 on Windows.|solution=Upgrade to Adobe Flash Player version
    26.0.0.151, or later.|solution_type=VendorFix|qod_type=registry
    <preference_count>-1</preference_count>

    <default_timeout />

    </get_nvts_response>

At first I thought it was a mistake from my part, but I doubled checked everything and it is actually the case (for this example, like other occurrences):

Given my findings are accurate, as per the sources cited, this either means that the creation date of these plugins are inaccurate or that OpenVas somehow knows about vulnerabilities beforehand. Which one would be it? Thanks in advance.

Maybe the NIST publishing date is not the most accurate parameter to look at since it doesn’t mean it is not known/made public beforehand. E.g. for your mentioned CVE if you look at https://helpx.adobe.com/security/products/flash-player/apsb17-23.html the publishing date is August 8, 2017 which means OpenVAS had a VTS the day after it got published but NIST made the entry a couple of days later.

4 Likes

Thanks for the quick response. So is there a trusted source to find out when a given CVE is made public? Thank you.

I don’t think there is such a trusted source because a CVE might made public on hundreds of different sources (blogposts, private homepages, twitter/other social media, vendor advisories, mailinglist, …)

Just take the following example of CVE-2018-19300 while not taking the availability of a plugin into account:

After the deadline expired the blogpost was published at:

  • 2019/03/17: Disclosure of the vulnerability in accordance

and at the same day MITRE was contacted to get the CVE published.

If you finally check the “NVD Published Date” of the https://nvd.nist.gov/vuln/detail/CVE-2018-19300 entry you can see that it took nearly a month (MITRE Publishing Date is normally just one day before the NVD Published Date) until the CVE was published there.

1 Like

I see. Thanks for the response.

So, I crunched the data and got some graphs. Just leaving some here, because it may be useful for someone else. Thanks for the awesome product.

1 Like