Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6272
Views
25
Helpful
18
Replies

Cisco PSIRT openVuln API and Cisco IOS Software Checker

Omar Santos
Cisco Employee
Cisco Employee

‎01-09-2017 10:57 PM

You can use the Cisco PSIRT openVuln API to perform queries similar to the Cisco IOS Checker. You can search for Cisco Security Advisories that apply to specific Cisco IOS and IOS XE Software releases and have a Security Impact Rating (SIR) of Critical or High. Note that the tool does not provide information about security advisories that have a SIR of Medium. In addition, the tool does not support Cisco IOS XR Software or interim builds of Cisco IOS Software.

Method  REST API URL
GEThttps://api.cisco.com/security/advisories/ios?version=<<IOS version>>
GEThttps://api.cisco.com/security/advisories/iosxe?version=<<IOS XE version>>

The results include the traditional fields in the openVuln API and also the first fixed release information. The following is an example of the results:

{


  "advisories": [


    {


      "advisoryId": "cisco-sa-20160928-dns",


      "sir": "High",


      "firstPublished": "2016-09-28T16:00:00-0500",


      "lastUpdated": "2016-09-28T16:00:00-0500",


      "iosRelease": "15.2(4)M11",


      "firstFixed": "15.2(4)M11",


      "cves": [


        "CVE-2016-6380"


      ],


      "bugIDs": [


        "CSCup90532"


      ],


      "cvssBaseScore": "8.3",


      "advisoryTitle": "Cisco IOS and IOS XE Software DNS Forwarder Denial of Service Vulnerability",


      "publicationUrl": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-dns",


      "cwe": [


        "CWE-20"


      ],


      "productNames": [


        "Cisco IOS Software Release 12.2(4)T1",


        "Cisco IOS Software Release 12.1(9)E2",


        "Cisco IOS Software Release 12.2(11)BC2",


        "Cisco IOS Software Release 12.2 SCB",


        "Cisco IOS Software Releases 12.0 T",


        "Cisco IOS Software Release 12.0(3)T",


        "Cisco IOS Software Release 12.0(4)T",


        "Cisco IOS Software Release 12.0(5)T",


        "Cisco IOS Software Release 12.0(5)XK",


        "Cisco IOS Software Release 12.0(7)T",


...  <output omitted for brevity>


        "Cisco IOS XE 3.14S",


        "Cisco IOS Software Release 15.5(2)T",


        "Cisco IOS XE 3.7E",


        "Cisco IOS XE 3.15S",


        "Cisco IOS 15.5S",


      ],


      "summary": "A vulnerability in the DNS forwarder functionality of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload, corrupt the information present in the device's local DNS cache, or read part of the process memory.<br />\n<br />\nThe vulnerability is due to a flaw in handling crafted DNS response messages. An attacker could exploit this vulnerability by intercepting and crafting a DNS response message to a client DNS query that was forwarded from the affected device to a DNS server. A successful exploit could cause the device to reload, resulting in a denial of service (DoS) condition or corruption of the local DNS cache information.<br />\n<br />\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. <br />\n<br />\nThis advisory is available at the following link:<br />\n<a href=\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-dns\">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-dns</a><br />\n<br />\nThis advisory is part of the September 28, 2016, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 10 Cisco Security Advisories that describe 11 vulnerabilities. All the vulnerabilities have a Security Impact Rating of &ldquo;High.&rdquo; For a complete list of the advisories and links to them, see <a href=\"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-56513\">Cisco Event Response: September 2016 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication</a>.",


      "cvrfUrl": "https://tools.cisco.com/security/center/contentxml/CiscoSecurityAdvisory/cisco-sa-20160928-dns/oval/cisco-sa-20160928-dns_oval.xml",


      "ovalUrl": "NA"


    },


    {


      "advisoryId": "cisco-sa-20160928-h323",


      "sir": "High",


      "firstPublished": "2016-09-28T16:00:00-0500",


      "lastUpdated": "2016-09-28T16:00:00-0500",


      "iosRelease": "12.4(24)T3e,12.4(24)T4a",


      "firstFixed": "15.2(4)M11",


      "cves": [


        "CVE-2016-6384"


      ],


      "bugIDs": [


        "CSCux04257"


      ],


      "cvssBaseScore": "7.8",


      "advisoryTitle": "Cisco IOS and IOS XE Software H.323 Message Validation Denial of Service Vulnerability",


      "publicationUrl": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-h323",


      "cwe": [


        "CWE-399"


      ],


      "productNames": [


        "Cisco IOS Software Releases 12.2 T",


        "Cisco IOS Software Releases 12.2 B",


        "Cisco IOS Software Release 12.2(11)T",


        "Cisco IOS Software Releases 12.2 MC",


        "Cisco IOS Software Release 12.2(8)YJ",


        "Cisco IOS Software Release 12.2(4)YH",


        "Cisco IOS Software Release 12.2(8)YL",


        "Cisco IOS Software Release 12.2(8)YM",


        "Cisco IOS Software Release 12.2(8)YN",


        "Cisco IOS Software Release 12.2(11)YT",


        "Cisco IOS Software Release 12.2 T",


        "Cisco IOS Software Release 12.2(13)T",


        "Cisco Catalyst Switch Manager",


        "Cisco IOS Software Release 12.2(11)YU",


        "Cisco IOS Software Releases 12.2 Special and Early Deployments",


        "Cisco IOS Software Release 12.2(11)YV",


...  <output omitted for brevity>


        "Cisco IOS XE 3.14S",


        "Cisco IOS Software Release 15.5(2)T",


        "Cisco IOS XE 3.15S",


        "Cisco IOS 15.5S",


        "Cisco IOS Software Release 15.5(2)S",


      ],


      "summary": "A vulnerability in the H.323 subsystem of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition on an affected device.<br />\n<br />\nThe vulnerability is due to a failure to properly validate certain fields in an H.323 protocol suite message. When processing the malicious message, the affected device may attempt to access an invalid memory region, resulting in a crash. An attacker who can submit an H.323 packet designed to trigger the vulnerability could cause the affected device to crash and restart.<br />\n<br />\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.<br />\n<br />\nThis advisory is available at the following link:<br />\n<a href=\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-h323\">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-h323</a><br />\n<br />\nThis advisory is part of the September 28, 2016, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 10 Cisco Security Advisories that describe 11 vulnerabilities. All the vulnerabilities have a Security Impact Rating of &ldquo;High.&rdquo; For a complete list of the advisories and links to them, see <a href=\"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-56513\">Cisco Event Response: September 2016 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication</a>.<br />",


      "cvrfUrl": "https://tools.cisco.com/security/center/contentxml/CiscoSecurityAdvisory/cisco-sa-20160928-h323/oval/cisco-sa-20160928-h323_oval.xml",


      "ovalUrl": "NA"


    },
18 Replies 18

Omar Santos
Cisco Employee
Cisco Employee
In response to ALBERT RAKOVSHIK

‎11-27-2017 09:09 AM

That is correct.   This will not work:

omar@omar:~$ openVulnQuery --ios_xe 3.08.04E

Traceback (most recent call last):

  File "/usr/local/bin/openVulnQuery", line 11, in <module>

    sys.exit(main())

  File "/usr/local/lib/python2.7/dist-packages/openVulnQuery/main.py", line 147, in main

    advisories = query_client_func(api_resource_value)

  File "/usr/local/lib/python2.7/dist-packages/openVulnQuery/query_client.py", line 110, in get_by_ios_xe

    raise requests.exceptions.HTTPError(e.response.status_code, e.response.text)

requests.exceptions.HTTPError: [Errno 406] {"errorCode":"INVALID_IOSXE_VERSION","errorMessage":"IOSXE version not found"}

omar@omar:~$ openVulnQuery --ios_xe 3.08.04.E

Traceback (most recent call last):

  File "/usr/local/bin/openVulnQuery", line 11, in <module>

    sys.exit(main())

  File "/usr/local/lib/python2.7/dist-packages/openVulnQuery/main.py", line 147, in main

    advisories = query_client_func(api_resource_value)

  File "/usr/local/lib/python2.7/dist-packages/openVulnQuery/query_client.py", line 110, in get_by_ios_xe

    raise requests.exceptions.HTTPError(e.response.status_code, e.response.text)

requests.exceptions.HTTPError: [Errno 406] {"errorCode":"INVALID_IOSXE_VERSION","errorMessage":"IOSXE version not found"}

However this will work.

omar@omar:~$ openVulnQuery --ios_xe 3.8.4E

[

    {

        "advisory_id": "cisco-sa-20171103-bgp",

        "advisory_title": "Cisco IOS XE Software Ethernet Virtual Private Network Border Gateway Protocol Denial of Service Vulnerability",

        "bug_ids": [

            "CSCui67191",

            "CSCvg52875"

        ],

        "cves": [

            "CVE-2017-12319"

        ],

        "cvrf_url": null,

        "cvss_base_score": "6.8",

        "cwe": [

            "CWE-20"

        ],

        "first_fixed": [

            "3.9.1E"

        ],

        "first_published": "2017-11-03T16:00:00-0500",

        "ios_release": [

            "3.8.4E"

        ],

        "last_updated": "2017-11-07T19:28:27-0600",

        "oval_url": "NA",

        "product_names": [

            "Cisco IOS XE Software 2.3 2.3.0",

            "Cisco IOS XE Software 2.3 2.3.0t",

            "Cisco IOS XE Software 2.3 2.3.1t",

            "Cisco IOS XE Software 2.3 2.3.2",

0 Helpful

ALBERT RAKOVSHIK
Level 1
Level 1
In response to Omar Santos

‎11-27-2017 11:06 AM

Interesting - there is some difference with your test:

curl -X GET -s -k -H "Accept: application/xml" -H "Authorization: Bearer <TOKEN>" 'https://api.cisco.com/security/advisories/iosxe?version=3.8.4s'

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><advisory><errorCode>INVALID_IOSXE_VERSION</errorCode><errorMessage>IOSXE version not found</errorMessage></advisory>

What is wrong ?

Probably we need to use an other API instead of

https://api.cisco.com/security/advisories/iosxe

0 Helpful

Gamaquifor
Level 1
Level 1

‎02-09-2018 06:36 AM

Hi Omar, do you know if there are plans to extend this to ASA devices? I found a script in the communities to pull all vulns for ASA but not by version.


Thank you,

0 Helpful

sebastian.weihele1
Level 1
Level 1
In response to Gamaquifor

‎07-26-2018 05:38 AM - edited ‎07-26-2018 06:24 AM

Hi,

 

Do you already have any new information about the ASA version polling?

This feature would be very interesting for me, too.

 

Thank you

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents