Sunday, December 13, 2020

How to obtain PSIRT data programmatically via API, based on Platform and Version combination?

Hi, I am looking for a way to query the Cisco PSIRT database (or any vulnerability database) in a programmatic way and print a list of exploits affecting an OS version of interest.
Example:
- I run IOS-XE v 15.x: tell me the vulns affecting the version
- I run ASA v 9.12.x: tell me the vulns affecting the version

Seems reasonable.

I have been playing with the OpenVuln REST API via this nifty python script, and I partially succeded: https://github.com/CiscoPSIRT/openVulnAPI

Why partially? Let's see.

Searching by OS version is possible, at least for IOS, IOS-XE:

$ openVulnQuery --config credentials.json usage: openVulnQuery [-h] (--all | --advisory <advisory-id> | --cve <CVE-id> | --latest number | --severity [critical, high, medium, low] | --year year | --product product_name | --ios_xe iosxe_version | --ios ios_version | --nxos nxos_version | --aci aci_version) [--csv filepath | --json filepath] [--first_published YYYY-MM-DD:YYYY-MM-DD | --last_published YYYY-MM-DD:YYYY-MM-DD] [-c] [-f [...]] [--user-agent string] [--config filepath] openVulnQuery: error: one of the arguments --all --advisory --cve --latest --severity --year --product --ios_xe --ios --nxos --aci is required 

Let's pass the version:

openVulnQuery --config credentials.json --ios_xe 16.12.1s [ { "advisory_id": "cisco-sa-profinet-J9QMCHPB", "advisory_title": "Cisco IOS and IOS XE Software PROFINET Denial of Service Vulnerability", "bug_ids": [ "CSCvr83393", "CSCvs48147" ], "cves": [ "CVE-2020-3409" ], "cvrfUrl": "https://tools.cisco.com/security/center/contentxml/CiscoSecurityAdvisory/cisco-sa-profinet-J9QMCHPB/cvrf/cisco-sa-profinet-J9QMCHPB_cvrf.xml", "cvss_base_score": "7.4", "cwe": [ "CWE-20" ], "first_fixed": [ "16.12.3" ], "first_published": "2020-09-24T16:00:00", "ios_release": [ "16.12.1s" ], "last_updated": "2020-12-09T15:09:18", "product_names": [ "Cisco IOS ", "Cisco IOS XE Software ", "Cisco IOS 12.2(55)SE", "Cisco IOS 12.2(55)SE3", "Cisco IOS 12.2(52)SE", "Cisco IOS 12.2(58)SE", "Cisco IOS 12.2(52)SE1" <snip> 

ASA/Firepower have no dedicated version parameters, but searching by product work:

$ openVulnQuery --config credentials.json --product "Firepower Threat Defense" <snip> { "advisory_id": "cisco-sa-20181003-asa-acl-bypass", "advisory_title": "Cisco Adaptive Security Appliance Access Control List Bypass Vulnerability", "bug_ids": [ "CSCvj91858" ], "cves": [ "CVE-2018-15398" ], "cvrfUrl": "https://tools.cisco.com/security/center/contentxml/CiscoSecurityAdvisory/cisco-sa-20181003-asa-acl-bypass/cvrf/cisco-sa-20181003-asa-acl-bypass_cvrf.xml", "cvss_base_score": "5.8", "cwe": [ "CWE-284" ], "first_published": "2018-10-03T16:00:00", "ips_signatures": [ "NA" ], "last_updated": "2018-10-03T16:00:00", "product_names": [ "Cisco Adaptive Security Appliance (ASA) Software ", "Cisco Firepower Threat Defense Software " ], <snip> 

This makes searching by ASA/Firepower AND specific version impossible.

Same issue for version+severity for supported platforms:

openVulnQuery --config credentials.json --ios_xe 16.12.1s --severity critical usage: openVulnQuery [-h] (--all | --advisory <advisory-id> | --cve <CVE-id> | --latest number | --severity [critical, high, medium, low] | --year year | --product product_name | --ios_xe iosxe_version | --ios ios_version | --nxos nxos_version | --aci aci_version) [--csv filepath | --json filepath] [--first_published YYYY-MM-DD:YYYY-MM-DD | --last_published YYYY-MM-DD:YYYY-MM-DD] [-c] [-f [...]] [--user-agent string] [--config filepath] openVulnQuery: error: argument --severity: not allowed with argument --ios_xe 

Am I expecting more than the API supports?

As a side note I kindly ask: would this be the right approach for obtaining this kind of infos, and am I reinventing the wheel? If not, how do you keep track of what vulns affect your devices, apart from email security advisories?

Thank you!



No comments:

Post a Comment