ishgunarora
Cisco Employee
Cisco Vulnerability Management can identify and filter vulnerabilities by classification, such as OS and Application. The full working process for doing this with the custom field option is described below:
 
Summary of steps:
  • Create Custom Field within your Cisco Vulnerability Management Platform's (formerly Kenna) Vulnerabilities table.
  • Run the NVD_OS_vs_APP script on GitHub
 
1. Create Custom Field within your Kenna (CVM) Vulnerabilities table
A default feature of Cisco Vulnerability Management (formerly Kenna.VM) is the ability to create and use custom fields. Custom fields allow you to track values that are specific to your vulnerability use case. For this example, we can create a custom field named “Vuln Type” with Data Type: String (Long) and the Faceted Search option enabled, so that the field's values are available as filter options.

 

Screenshot 2024-01-18 at 12.52.59 PM.png
 
Upon saving, you can see that the custom field was created with an ID:
 
Screenshot 2024-01-18 at 12.55.58 PM.png
 

 

2. Run the NVD_OS_vs_APP script on GitHub
The script queries the NVD database and uses the CPE information to classify CVEs as OS, Application, Hardware or Network. It also accesses the customer's environment to get the CVEs present there, which are the ones that need to be tagged/classified.
The script gets this information from the NVD database by following the steps below:
  • Access the CVE API of NVD to get the details - https://nvd.nist.gov/developers/vulnerabilities
  • For each CVE entry, check the 'criteria' field in the 'configurations' section. This field contains a URI that identifies the affected product and version. (explained below in CPE section)
  • The 'criteria' URI is composed of several components, each separated by a colon. The second component indicates the product type - an application ('a') or an operating system ('o').
  • By examining this component, categorize the CVE either as application-related or OS-related.
 
Types of 'product type':
  • a: (Application): This is used to denote that the component is an application. An example would be cpe:2.3:a:microsoft:internet_explorer:8.0.7600.16385:*:*:*:*:*:*:*.
  • o: (Operating System): This is used to denote that the component is an operating system. An example would be cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*.
  • h: (Hardware): This is used to denote that the component is a piece of hardware. An example would be cpe:2.3:h:dell:poweredge_2950:-:*:*:*:*:*:*:*.
  • n: (Network): This is used to denote that the component is network. An example would be cpe:2.3:n:tls:example_tls:-:*:*:*:*:*:*:*.
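The classification steps above, as an added example that is not the NVD_OS_vs_APP script itself: it reads the 'criteria' strings from an NVD CVE API 2.0 response and derives one field value per CVE. The label strings, the "Unclassified" fallback, the choice to skip cpeMatch entries marked vulnerable: false, and the sample response with its placeholder CVE ids are assumptions made for this example.

```python
import json

# Part letter -> label. a/o/h are the CPE 2.3 part values; 'n' is kept
# because this page lists it. Label strings are assumptions.
PART_LABELS = {"a": "Application", "o": "OS", "h": "Hardware", "n": "Network"}

def cpe_part(criteria):
    """Return the part letter that follows 'cpe:2.3:', or None if malformed."""
    fields = criteria.split(":", 3)  # the part precedes any escaped colons
    if len(fields) < 4 or fields[:2] != ["cpe", "2.3"]:
        return None
    return fields[2]

def classify_cve(cve):
    """Build the field value from every vulnerable cpeMatch of one CVE record."""
    labels = set()
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if not match.get("vulnerable", False):
                    continue  # platform the product runs on, not the flawed product
                label = PART_LABELS.get(cpe_part(match.get("criteria", "")))
                if label:
                    labels.add(label)
    return ", ".join(sorted(labels)) or "Unclassified"

def classify_response(nvd_json):
    """Map CVE id -> field value for an NVD CVE API 2.0 response body."""
    items = json.loads(nvd_json).get("vulnerabilities", [])
    return {item["cve"]["id"]: classify_cve(item["cve"]) for item in items}

def _node(*matches):
    return {"cpeMatch": [{"vulnerable": v, "criteria": c} for c, v in matches]}

# Constructed sample response; the CVE ids are placeholders, not real entries.
SAMPLE_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "configurations": [{"nodes": [
        _node(("cpe:2.3:a:microsoft:internet_explorer:8.0.7600.16385:*:*:*:*:*:*:*", True)),
        _node(("cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*", False))]}]}},
    {"cve": {"id": "CVE-0000-0002", "configurations": [{"nodes": [
        _node(("cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*", True),
              ("cpe:2.3:h:dell:poweredge_2950:-:*:*:*:*:*:*:*", True))]}]}},
    {"cve": {"id": "CVE-0000-0003"}},  # record with no CPE configurations yet
]})

if __name__ == "__main__":
    for cve_id, vuln_type in classify_response(SAMPLE_RESPONSE).items():
        print(cve_id, "->", vuln_type)
```

A CVE whose vulnerable products span more than one part gets a combined value, and a record that has no CPE configurations falls back to "Unclassified" so it still shows up under the facet.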
 
The script will tag all the CVEs with the ‘Type’ classification using the custom field created in step 1.
The custom field can then be used as a faceted search in the UI, and it can also be used in the API to export related data from the Cisco Vulnerability Management Platform:
 
UI:
Screenshot 2024-01-18 at 1.04.33 PM.png

 

API: https://apidocs.kennasecurity.com/reference/request-data-export

 

Screenshot 2024-01-18 at 1.08.19 PM.png

 

Useful links:
 
 
Disclaimer: "This script uses the NVD API but is not endorsed or certified by the NVD."