cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3214
Views
0
Helpful
0
Comments
Omar Santos
Cisco Employee
Cisco Employee

As described in this article, the Vulnerability Exploitability eXchange (VEX) allows a software supplier or other parties to assert the status of specific vulnerabilities in a particular product. VEX serves as a way to convey the condition of a software product or component in relation to a vulnerability. A typical application of VEX is to specify whether the software is impacted by a vulnerability or not. VEX is a profile in the Common Security Advisory Framework (CSAF) standard.

The Cisco Vulnerability Repository (CVR) and VEX

The Cisco Vulnerability Repository (CVR) is a vulnerability search engine for CVEs that may impact Cisco products. CVR can help customers understand if their Cisco product is affected by a particular third-party software vulnerability. 

CVR disposition information is available for download in the CSAF format, and the tool also displays any associated Cisco Security Advisories. Any customer with a Cisco.com account can request or view VEX information.

Cisco provides the status for the following types of third-party vulnerabilities:

The following is an example of a VEX document that specifies that the Catalyst 9800 Series Wireless Controllers are not affected by the vulnerability described in CVE-2023-1234.

{
	"document": {
		"category": "csaf_vex",
		"csaf_version": "2.0",
		"publisher": {
			"category": "vendor",
			"name": "Cisco Systems, Inc.",
			"namespace": "https://www.cisco.com"
		},
		"title": "CVR data for version 17.12.1 of software Cisco IOS XE Software on platform Cisco Catalyst 9800 Series Wireless Controllers for CVE CVE-2023-1234",
		"tracking": {
			"current_release_date": "2023-09-13T05:45:43Z",
			"id": "cisco-vex-4.76.17.12.1:CVE-2023-1234",
			"initial_release_date": "2023-09-13T05:45:43Z",
			"revision_history": [
				{
					"date": "2023-09-13T05:45:43Z",
					"number": "1",
					"summary": "Initial"
				}
			],
			"status": "draft",
			"version": "1",
			"generator": {
				"date": "2023-09-13T05:45:43Z",
				"engine": {
					"name": "Cisco Vulnerability Repository (CVR)",
					"version": "0.4.0"
				}
			}
		}
	},
	"product_tree": {
		"branches": [
			{
				"category": "vendor",
				"name": "Cisco Systems, Inc.",
				"branches": [
					{
						"category": "product_family",
						"name": "IOS XE Software",
						"branches": [
							{
								"category": "product_version",
								"name": "17.12.1",
								"product": {
									"name": "Cisco Systems, Inc. IOS XE Software 17.12.1",
									"product_id": "IOS_XE_Software:17.12.1"
								}
							}
						]
					},
					{
						"category": "product_name",
						"name": "Catalyst 9800 Series Wireless Controllers",
						"product": {
							"name": "Cisco Systems, Inc. Catalyst 9800 Series Wireless Controllers",
							"product_id": "Catalyst_9800_Series_Wireless_Controllers"
						}
					}
				]
			}
		],
		"relationships": [
			{
				"product_reference": "IOS_XE_Software:17.12.1",
				"category": "installed_on",
				"relates_to_product_reference": "Catalyst_9800_Series_Wireless_Controllers",
				"full_product_name": {
					"product_id": "IOS_XE_Software:17.12.1:Catalyst_9800_Series_Wireless_Controllers",
					"name": "Cisco Systems, Inc. IOS XE Software 17.12.1 installed on Catalyst 9800 Series Wireless Controllers"
				}
			}
		]
	},
	"vulnerabilities": [
		{
			"cve": "CVE-2023-1234",
			"product_status": {
				"known_not_affected": [
					"IOS_XE_Software:17.12.1:Catalyst_9800_Series_Wireless_Controllers"
				]
			},
			"notes": [
				{
					"category": "description",
					"text": "Inappropriate implementation in Intents in Google Chrome on Android prior to 111.0.5563.64 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)"
				}
			],
			"threats": [
				{
					"category": "impact",
					"details": "Component not present",
					"product_ids": [
						"IOS_XE_Software:17.12.1:Catalyst_9800_Series_Wireless_Controllers"
					]
				}
			],
			"flags": [
				{
					"label": "component_not_present",
					"product_ids": [
						"IOS_XE_Software:17.12.1:Catalyst_9800_Series_Wireless_Controllers"
					]
				}
			]
		}
	]
}

 

CVR allows you to download the VEX document and a digital signature to verify that the VEX document came from Cisco. As described in the CVR/VEX FAQ, you can use the Cisco PSIRT PGP key to do this verification.

To verify the VEX document, you must install a PGP client and use the following instructions. PGP clients for multiple Operating Systems can be found at https://www.openpgp.org/.

Instructions

  1. Download the Cisco Product Security Incident Response Team (PSIRT) current public PGP key from https://cscrdr.cloudapps.cisco.com/cscrdr/security/center/files/Cisco_PSIRT_PGP_Public_Key.asc.
  2. Import the Cisco PSIRT’s PGP public key into your local PGP keyring by using the gpg --import command. This action should be performed once and only repeated when the imported key expires and needs to be replaced with a new one.

    In the following output example, the line imported: 1 indicates that the key has been successfully imported into the local keyring.
    user@hostname % gpg --import Cisco_PSIRT_PGP_Public_Key.asc
    gpg: key 07EDFB2C606E96B3: public key "Cisco Product Security Incident Response Team (Cisco PSIRT key 2021-2024) <psirt@cisco.com>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    user@hostname %
  3. After unzipping the file downloaded from CVR, use the command gpg --verify <filename>.asc <filename>.json to verify that the Cisco PSIRT has signed the VEX document and that the document has not been modified or tampered with since it was signed.

Examples

Example: The VEX document has been signed with the Cisco PSIRT PGP key and has not been tampered with:

user@hostname % gpg --verify cisco-vex-4.134.17.9.3a_CVE-2023-2650.asc cisco-vex-4.134.17.9.3a_CVE-2023-2650.json
gpg: Signature made Tue Jun 13 10:20:50 2023 EDT
gpg:                using RSA key 5AFC84D8B5579F7ECB01293C07EDFB2C606E96B3
gpg: Good signature from "Cisco Product Security Incident Response Team (Cisco PSIRT key 2021-2024) <psirt@cisco.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5AFC 84D8 B557 9F7E CB01 293C 07ED FB2C 606E 96B3
user@hostname %

The message Good signature from "Cisco Product Security Incident Response Team (Cisco PSIRT key 2021-2024) <psirt@cisco.com>" indicates that the file was indeed signed with the Cisco PSIRT PGP key and has not been modified or tampered with since it was generated.

Example: The VEX document has been signed with the Cisco PSIRT PGP key, but it has been tampered with:

user@hostname % gpg --verify cisco-vex-4.134.17.9.3a_CVE-2023-2650.asc cisco-vex-4.134.17.9.3a_CVE-2023-2650.json
gpg: Signature made Tue Jun 13 10:20:50 2023 EDT
gpg:                using RSA key 5AFC84D8B5579F7ECB01293C07EDFB2C606E96B3
gpg: BAD signature from "Cisco Product Security Incident Response Team (Cisco PSIRT key 2021-2024) <psirt@cisco.com>" [unknown]
user@hostname %

The message BAD signature from "Cisco Product Security Incident Response Team (Cisco PSIRT key 2021-2024) <psirt@cisco.com>" indicates that while the file was signed with the valid Cisco PSIRT PGP key, it has been tampered with after it was signed.

For more information about VEX and how to use this tool, see the Frequently Asked Questions page.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: