cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

2907
Views
25
Helpful
18
Replies
Highlighted
Cisco Employee

Cisco PSIRT openVuln API and Cisco IOS Software Checker

You can use the Cisco PSIRT openVuln API to perform queries similar to the Cisco IOS Checker. You can search for Cisco Security Advisories that apply to specific Cisco IOS and IOS XE Software releases and have a Security Impact Rating (SIR) of Critical or High. Note that the tool does not provide information about security advisories that have a SIR of Medium. In addition, the tool does not support Cisco IOS XR Software or interim builds of Cisco IOS Software.

Method  REST API URL
GEThttps://api.cisco.com/security/advisories/ios?version=<<IOS version>>
GEThttps://api.cisco.com/security/advisories/iosxe?version=<<IOS XE version>>

The results include the traditional fields in the openVuln API and also the first fixed release information. The following is an example of the results:

{

  "advisories": [

    {

      "advisoryId": "cisco-sa-20160928-dns",

      "sir": "High",

      "firstPublished": "2016-09-28T16:00:00-0500",

      "lastUpdated": "2016-09-28T16:00:00-0500",

      "iosRelease": "15.2(4)M11",

      "firstFixed": "15.2(4)M11",

      "cves": [

        "CVE-2016-6380"

      ],

      "bugIDs": [

        "CSCup90532"

      ],

      "cvssBaseScore": "8.3",

      "advisoryTitle": "Cisco IOS and IOS XE Software DNS Forwarder Denial of Service Vulnerability",

      "publicationUrl": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-dns",

      "cwe": [

        "CWE-20"

      ],

      "productNames": [

        "Cisco IOS Software Release 12.2(4)T1",

        "Cisco IOS Software Release 12.1(9)E2",

        "Cisco IOS Software Release 12.2(11)BC2",

        "Cisco IOS Software Release 12.2 SCB",

        "Cisco IOS Software Releases 12.0 T",

        "Cisco IOS Software Release 12.0(3)T",

        "Cisco IOS Software Release 12.0(4)T",

        "Cisco IOS Software Release 12.0(5)T",

        "Cisco IOS Software Release 12.0(5)XK",

        "Cisco IOS Software Release 12.0(7)T",

...  <output omitted for brevity>

        "Cisco IOS XE 3.14S",

        "Cisco IOS Software Release 15.5(2)T",

        "Cisco IOS XE 3.7E",

        "Cisco IOS XE 3.15S",

        "Cisco IOS 15.5S",

      ],

      "summary": "A vulnerability in the DNS forwarder functionality of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload, corrupt the information present in the device's local DNS cache, or read part of the process memory.<br />\n<br />\nThe vulnerability is due to a flaw in handling crafted DNS response messages. An attacker could exploit this vulnerability by intercepting and crafting a DNS response message to a client DNS query that was forwarded from the affected device to a DNS server. A successful exploit could cause the device to reload, resulting in a denial of service (DoS) condition or corruption of the local DNS cache information.<br />\n<br />\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. <br />\n<br />\nThis advisory is available at the following link:<br />\n<a href=\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-dns\">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-dns</a><br />\n<br />\nThis advisory is part of the September 28, 2016, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 10 Cisco Security Advisories that describe 11 vulnerabilities. All the vulnerabilities have a Security Impact Rating of &ldquo;High.&rdquo; For a complete list of the advisories and links to them, see <a href=\"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-56513\">Cisco Event Response: September 2016 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication</a>.",

      "cvrfUrl": "https://tools.cisco.com/security/center/contentxml/CiscoSecurityAdvisory/cisco-sa-20160928-dns/oval/cisco-sa-20160928-dns_oval.xml",

      "ovalUrl": "NA"

    },

    {

      "advisoryId": "cisco-sa-20160928-h323",

      "sir": "High",

      "firstPublished": "2016-09-28T16:00:00-0500",

      "lastUpdated": "2016-09-28T16:00:00-0500",

      "iosRelease": "12.4(24)T3e,12.4(24)T4a",

      "firstFixed": "15.2(4)M11",

      "cves": [

        "CVE-2016-6384"

      ],

      "bugIDs": [

        "CSCux04257"

      ],

      "cvssBaseScore": "7.8",

      "advisoryTitle": "Cisco IOS and IOS XE Software H.323 Message Validation Denial of Service Vulnerability",

      "publicationUrl": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-h323",

      "cwe": [

        "CWE-399"

      ],

      "productNames": [

        "Cisco IOS Software Releases 12.2 T",

        "Cisco IOS Software Releases 12.2 B",

        "Cisco IOS Software Release 12.2(11)T",

        "Cisco IOS Software Releases 12.2 MC",

        "Cisco IOS Software Release 12.2(8)YJ",

        "Cisco IOS Software Release 12.2(4)YH",

        "Cisco IOS Software Release 12.2(8)YL",

        "Cisco IOS Software Release 12.2(8)YM",

        "Cisco IOS Software Release 12.2(8)YN",

        "Cisco IOS Software Release 12.2(11)YT",

        "Cisco IOS Software Release 12.2 T",

        "Cisco IOS Software Release 12.2(13)T",

        "Cisco Catalyst Switch Manager",

        "Cisco IOS Software Release 12.2(11)YU",

        "Cisco IOS Software Releases 12.2 Special and Early Deployments",

        "Cisco IOS Software Release 12.2(11)YV",

...  <output omitted for brevity>

        "Cisco IOS XE 3.14S",

        "Cisco IOS Software Release 15.5(2)T",

        "Cisco IOS XE 3.15S",

        "Cisco IOS 15.5S",

        "Cisco IOS Software Release 15.5(2)S",

      ],

      "summary": "A vulnerability in the H.323 subsystem of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition on an affected device.<br />\n<br />\nThe vulnerability is due to a failure to properly validate certain fields in an H.323 protocol suite message. When processing the malicious message, the affected device may attempt to access an invalid memory region, resulting in a crash. An attacker who can submit an H.323 packet designed to trigger the vulnerability could cause the affected device to crash and restart.<br />\n<br />\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.<br />\n<br />\nThis advisory is available at the following link:<br />\n<a href=\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-h323\">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-h323</a><br />\n<br />\nThis advisory is part of the September 28, 2016, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 10 Cisco Security Advisories that describe 11 vulnerabilities. All the vulnerabilities have a Security Impact Rating of &ldquo;High.&rdquo; For a complete list of the advisories and links to them, see <a href=\"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-56513\">Cisco Event Response: September 2016 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication</a>.<br />",

      "cvrfUrl": "https://tools.cisco.com/security/center/contentxml/CiscoSecurityAdvisory/cisco-sa-20160928-h323/oval/cisco-sa-20160928-h323_oval.xml",

      "ovalUrl": "NA"

    },

18 REPLIES 18
Cisco Employee

Re: Cisco PSIRT openVuln API and Cisco IOS Software Checker

Hi Omar,

Thank you very much. One quick question: looks like no info for IOS 15.5(3)S4 / IOS-XE 3.16.4S: "HTTP Error 406: Not Acceptable." At the same time, IOS 15.5(3)S3 / IOS-XE 3.16.3S is just fine. Could you please check?

Cisco Employee

Re: Cisco PSIRT openVuln API and Cisco IOS Software Checker

Hi Andrei!

The reason that you are seeing that is because there are no current advisories that affect that release. This is the error message you should see coming back...

  "errorCode": "NO_IOS_AFFECTING_ADVISORIES_FOUND",

  "errorMessage": "No Cisco Security Advisories affect the Cisco IOS Software release"

}

Hope this helps!

Regards,

Omar

Beginner

Re: Cisco PSIRT openVuln API and Cisco IOS Software Checker

H iOmar,

this inclines the next question:

The query:

"https://api.cisco.com/security/advisories/iosxe.json?version=3.6.5E"


results in:

{

  "errorCode": "NO_IOSXE_AFFECTING_ADVISORIES_FOUND",

  "errorMessage": "No Cisco Security Advisories affect the Cisco IOSXE Software release"

}

while the same sw in IOS checker appears different:

3.6.5e.png

hard to trust the API reponse.

Gyula

Cisco Employee

Re: Cisco PSIRT openVuln API and Cisco IOS Software Checker

Hi Gyula,

We had a synchronization problem yesterday between a few of our tools. This issue should be fixed now.

Please let us know if you still experience this problem.

Thanks!

Omar

Beginner

Re: Cisco PSIRT openVuln API and Cisco IOS Software Checker

Confirmed, it's much better now, same result on both platform.

Thanks

Gyula

Cisco Employee

Re: Cisco PSIRT openVuln API and Cisco IOS Software Checker

Is there a websocket that we can subscribe to to identify when a PSIRT is updated?

 

The only method Im seeing right now is cache the data and compare against it daily.

 

Beginner

Re: Cisco PSIRT openVuln API and Cisco IOS Software Checker

How do you put and Exception block if no Advisories are found

Traceback (most recent call last):

  File "/var/www/cgi-bin/venv/bin/openVulnQuery", line 9, in <module>

    load_entry_point('OpenVulnQuery==1.26', 'console_scripts', 'openVulnQuery')()

  File "/var/www/cgi-bin/venv/local/lib/python2.7/site-packages/openVulnQuery/main.py", line 147, in main

    advisories = query_client_func(api_resource_value)

  File "/var/www/cgi-bin/venv/local/lib/python2.7/site-packages/openVulnQuery/query_client.py", line 119, in get_by_ios

    raise requests.exceptions.HTTPError(e.response.status_code, e.response.text)

requests.exceptions.HTTPError: [Errno 406] {"errorCode":"NO_IOS_AFFECTING_ADVISORIES_FOUND","errorMessage":"No Cisco Security Advisories affect the Cisco IOS Software release"}

=============CODE==============

try:

        subprocess.call("(/var/www/cgi-bin/venv/bin/openVulnQuery --ios 15.4\(3\)M8 --fields advisory_title publication_url first_fixed ios_release)", shell=True)

    except Exception:

        print('test')

Re: Cisco PSIRT openVuln API and Cisco IOS Software Checker

Hello Omar

I am trying to run this curl command:

curl -v -1 -u a.user-id:password  'https://api.cisco.com/security/advisories/ios?version=15.1(2)SY9'

as a result I am getting

<h1>Not Authorized</h1>

I am using the user-id and password of the CISCO communities

What is wrong?

Please provide example to run this api command.

Cisco Employee

Re: Cisco PSIRT openVuln API and Cisco IOS Software Checker

Hi Albert,

The following are the instructions on how to use curl:

https://github.com/CiscoPSIRT/openVulnAPI/blob/master/example_code/curl_examples/

Step 1: Access the Cisco API console at: https://apiconsole.cisco.com

Step 2: Login with your CCO credentials (login is only available to registered Cisco customers and partners).

Step 3: Register your application and obtain your client credentials.

Step 4: Once you register your application and obtain your client ID and client secret, the next step is to obtain an authorization token. Authorization tokens in the Cisco PSIRT openVuln API are valid for one (1) hour. The following example demonstrates how to get the token using the curl utility.

curl -s -k -H "Content-Type: application/x-www-form-urlencoded" -X POST -d "client_id=<client_id>" -d "client_secret=<client_secret>" -d "grant_type=client_credentials" https://cloudsso.cisco.com/as/token.oauth2 

For example:

omar@omar:~$ curl -s -k -H "Content-Type: application/x-www-form-urlencoded" -X POST -d "client_id= XXXXXXXX" -d "client_secret=YYYYYYYY" -d "grant_type=client_credentials" https://cloudsso.cisco.com/as/token.oauth2 {"access_token":"ytuopLCGZxBFN5O0hnL1M2QX2QVp","token_type":"Bearer","expires_in":3599} 

Step 5: Make API calls to https://api.cisco.com/security/... The following example uses the curl command to retrieve CVRF files for all Cisco Security Advisories.

curl -X GET -s -k -H "Accept: application/json" -H "Authorization: Bearer uayEoKBrv0nfjrUavwix1ye8ZoNO" https://api.cisco.com/security/advisories/cvrf/all 

The following example demonstrates how to obtain the latest 10 advisories:

curl -X GET -s -k -H "Accept: application/json" -H "Authorization: Bearer uayEoKB rv0nfjrUavwix1ye8ZoNO" https://api.cisco.com/security/advisories/cvrf/latest/10 


Hope that helps.

Regards,

Omar

Beginner

Re: Cisco PSIRT openVuln API and Cisco IOS Software Checker

Hi Albert,

The -u parameter to curl uses basic access authentication. You need to first user your user credentials to get a client identifier on Cisco API Console - Welcome to the Cisco API Console that you will pass to curl.

General directions to get an OAUTH client identifier is at: https://developer.cisco.com/site/PSIRT/get-started/getting-started.gsp

Step by step instructions for curl are provided at: Accessing the Cisco PSIRT openVuln API Using curl

Let us know if this helps.

Thanks for using the API.

Re: Cisco PSIRT openVuln API and Cisco IOS Software Checker

Thank you Omar !

We followed your instruction to register Cisco PSIRT openVuln API for us.

After that we got a token and succeeded to run

curl -X GET -s -k -H "Accept: application/xml" -H "Authorization: Bearer <Token>" 'https://api.cisco.com/security/advisories/ios?version=15.1(2)SY11'

Besides the output formats json  and xml, is it available other format, like html ?

Re: Cisco PSIRT openVuln API and Cisco IOS Software Checker

Hi Omar

All queries of our registration work for

https://api.cisco.com/security/advisories/ios?version=<<IOS version>>

Unfortunately it does not work for iosxe:

curl -X GET -s -k -H "Accept: application/xml" -H "Authorization: Bearer <token>" 'https://api.cisco.com/security/advisories/iosxe?version=03.16.7S

The error code is "IOSXE version not found"

What is wrong?

Cisco Employee

Re: Cisco PSIRT openVuln API and Cisco IOS Software Checker

Hi Albert,

You are right. This appears to be an issue with a leading zero "0". For example, I also get the same error using the Python client (openVulnQuery).

omar@omar:~$ openVulnQuery --ios_xe 03\.16\.7S

Traceback (most recent call last):

  File "/usr/local/bin/openVulnQuery", line 11, in <module>

    sys.exit(main())

  File "/usr/local/lib/python2.7/dist-packages/openVulnQuery/main.py", line 147, in main

    advisories = query_client_func(api_resource_value)

  File "/usr/local/lib/python2.7/dist-packages/openVulnQuery/query_client.py", line 110, in get_by_ios_xe

    raise requests.exceptions.HTTPError(e.response.status_code, e.response.text)

requests.exceptions.HTTPError: [Errno 406] {"errorCode":"INVALID_IOSXE_VERSION","errorMessage":"IOSXE version not found"}

However, when I take out the leading zero, I get results (see below). I will file an enhancement request for the API to support any leading zero's in an IOS-XE version.

omar@omar:~$ openVulnQuery --ios_xe 3\.16\.7S

[

    {

        "advisory_id": "cisco-sa-20170726-aniacp",

        "advisory_title": "Cisco IOS and IOS XE Software Autonomic Control Plane Channel Information Disclosure Vulnerability",

        "bug_ids": [

            "CSCvd51214"

        ],

        "cves": [

            "CVE-2017-6665"

        ],

        "cvrf_url": null,

        "cvss_base_score": "7.4",

        "cwe": [

            "CWE-200"

        ],

        "first_fixed": [

            ""

        ],

        "first_published": "2017-07-26T16:00:00-0500",

        "ios_release": [

            "3.16.7S"

        ],

        "last_updated": "2017-07-26T16:00:00-0500",

        "oval_url": "NA",

        "product_names": [

            "Cisco IOS 15.3S 15.3(3)S",

            "Cisco IOS 15.3S 15.3(3)S1",

            "Cisco IOS 15.3S 15.3(3)S2",

            "Cisco IOS 15.3S 15.3(3)S3",

            "Cisco IOS 15.3S 15.3(3)S6",

            "Cisco IOS 15.3S 15.3(3)S4",

            "Cisco IOS 15.3S 15.3(3)S1a",

            "Cisco IOS 15.3S 15.3(3)S5",

            "Cisco IOS 15.3S 15.3(3)S7",

            "Cisco IOS 15.3S 15.3(3)S8",

            "Cisco IOS 15.3S 15.3(3)S9",

            "Cisco IOS 15.3S 15.3(3)S10",

            "Cisco IOS 15.3S 15.3(3)S8a",

            "Cisco IOS 15.2E 15.2(3)E",

            "Cisco IOS 15.2E 15.2(4)E",

            "Cisco IOS 15.2E 15.2(3)E1",

            "Cisco IOS 15.2E 15.2(3)E2",

            "Cisco IOS 15.2E 15.2(3a)E",

            "Cisco IOS 15.2E 15.2(3a)E1",

            "Cisco IOS 15.2E 15.2(3)E3",

            "Cisco IOS 15.2E 15.2(3m)E2",

            "Cisco IOS 15.2E 15.2(4)E1",

            "Cisco IOS 15.2E 15.2(3m)E3",

            "Cisco IOS 15.2E 15.2(4)E2",

            "Cisco IOS 15.2E 15.2(3m)E6",

            "Cisco IOS 15.2E 15.2(3)E4",

            "Cisco IOS 15.2E 15.2(5)E",

            "Cisco IOS 15.2E 15.2(4)E3",

            "Cisco IOS 15.2E 15.2(5a)E",

<output omitted for brevity>

Re: Cisco PSIRT openVuln API and Cisco IOS Software Checker

Hi Omar

Thank you for  sharing your experience.

Indeed, dropping of the leading "0" gave the result for this check version "3.16.7S".

Unfortunately in this way we got the same failure for version "3.08.04.E"

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here