NX-OS PSIRT OpenVuln API missing versions and hardware

abunn-r7
Level 1

When I recently saw NX-OS API support had been added to the PSIRT I started using the openVulnQuery tool to aid in assessing NX-OS devices for security vulnerabilities. After some difficulty (see my PR here) I was able to get some responses from the API. However it appears the information in the responses is missing a significant amount of useful information.

 

I am having trouble identifying versions of NX-OS affected by the following advisories:

  • cisco-sa-20171129-nxos8
  • cisco-sa-20160504-openssl
  • cisco-sa-20160302-openssl
  • cisco-sa-20171129-nxos4
  • cisco-sa-20171129-nxos5
  • Cisco-SA-20120810-CVE-2012-1340
  • cisco-sa-20180620-nxos-rbaccess
  • cisco-sa-20180117-nxos
  • cisco-sa-20190306-info-poap
  • cisco-sa-20171129-nxos9
  • cisco-sa-20171129-nxos2
  • cisco-sa-20171129-nss
  • cisco-sa-20160603-ntpd
  • cisco-sa-20160927-openssl
  • cisco-sa-20080610-snmpv3
  • cisco-sa-20160203-apic
  • cisco-sa-20110907-nexus
  • cisco-sa-20171129-nxos3
  • cisco-sa-20090908-tcp24
  • cisco-sa-20091109-tls
  • cisco-sa-20150128-ghost
  • cisco-sa-20141015-poodle
  • cisco-sa-20171129-nxos1
  • cisco-sa-20171129-nxos
  • cisco-sa-20171129-fxnx
  • cisco-sa-20120215-nxos
  • cisco-sa-20180117-nxos1
  • cisco-sa-20171129-switch
  • cisco-sa-20171018-ppe
  • cisco-sa-20171129-nxos10
  • Cisco-SA-20131106-CVE-2013-5566
  • cisco-sa-20160218-glibc
  • cisco-sa-20171129-nxos6
  • cisco-sa-20161102-n9kapic
  • cisco-sa-20171129-nxos7
  • cisco-sa-20150320-openssl
  • cisco-sa-20160129-openssl
  • cisco-sa-20160428-ntpd

The JSON for these advisories only includes something similar to 

 

        "product_names": [
            "Cisco NX-OS Software "
        ],

I am expecting the JSON to define a list of versions, as seen with other advisories.

 

 

I see that some of these advisories suggest visiting the bug pages linked in the bug_ids, but I have not found a way to access these pages via the API. I have also tried looking at the CVRF documents for these advisories but they too are missing this information.

 

Can someone please point me in the right direction for finding the affected versions for these advisories using the API?

7 Replies

Sergiu.Daniluk
VIP Alumni

Hi @abunn-r7 

You should try the API directly rather than the wrapper.

import requests, json
import urllib3
# Suppresses the warning that goes with verify=False below; certificate
# verification is disabled for every request this script makes.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

token_url = "https://cloudsso.cisco.com/as/token.oauth2"
test_api_url = "https://api.cisco.com/security/advisories/{platform}?version={version}"

# Platform -> list of running versions to query
platforms = {
    'ios': [],
    'iosxe': [],
    'nxos': ['8.3(1)'],
    'aci': ['14.1(1j)']
}

client_id = "your_clientId"
client_secret = "your_clientSecret"

# step A, B - single call with client credentials as the basic auth header - will return access_token
data = {'grant_type': 'client_credentials'}

access_token_response = requests.post(token_url,
                                      data=data, verify=False,
                                      allow_redirects=False,
                                      auth=(client_id, client_secret))
tokens = json.loads(access_token_response.text)

# step B - with the returned access_token we can make as many calls as we want
api_call_headers = {'Authorization': 'Bearer ' + tokens['access_token']}

for platform, versions in platforms.items():
    for version in versions:
        api_call_response = requests.get(test_api_url.format(platform=platform,
                                                             version=version),
                                         headers=api_call_headers,
                                         verify=False)
        advisories = api_call_response.json()

        if 'advisories' in advisories:
            print("Advisory board for {} version {}".format(platform, version))
            for advisory in advisories['advisories']:
                # Each platform entry carries the first fixed release for this version
                print("{} - {} - {}".format(advisory['advisoryId'], advisory['platforms'], advisory['publicationUrl']))
        else:
            # No 'advisories' key: show the raw response (usually an error body)
            print(api_call_response.text)

 

Result:

(venv) python ciscoapi.py
Advisory board for nxos version 8.3(1)
cisco-sa-20200226-nxos-arp - [{'id': '265088', 'name': 'Cisco Nexus 7000 Series Switches', 'firstFixes': [{'id': '277193', 'name': '8.4(2)'}], 'vulnerabilityState': 'vulnerable'}] - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200226-nxos-arp
...
Advisory board for aci version 14.1(1j)
cisco-sa-20200226-fxos-nxos-cdp - [{'id': '265096', 'name': 'Cisco Nexus 9000 Series Switches', 'firstFixes': [{'id': '273945', 'name': '14.2(1j)'}], 'vulnerabilityState': 'vulnerable'}] - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200226-fxos-nxos-cdp

hope it helps,

Sergiu

Sergiu.Daniluk
VIP Alumni

@abunn-r7

PS: you can generate client_id and client_secret here: https://apiconsole.cisco.com/

 

regards,

Sergiu

Thanks for the example @Sergiu.Daniluk, but that only provides me with a first fix version for a given version. The rest of the advisories provide a list of affected versions which is what I am looking for. Instead of querying by advisory, should I build something to store every version available and query every possible version in order to collect which versions are vulnerable to each advisory where this information is missing? I would think that would greatly increase the number of calls I need to make.

 

Additionally, will the advisories I listed show up in the query you posted? Why is the information available through one API call but not another which should display the same data?

 

I have checked with https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1 and one of the affected versions from the bug page https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg21120

Using the script you provided I added the affected version from above:

'nxos': ['7.0(3)I6(1)']

But the output does not include the advisory cisco-sa-20180117-nxos1. This is a false negative, which means I will be vulnerable to CVE-2018-0092 but I will not know it because the API is missing information for this advisory.

 

Advisory board for nxos version 7.0(3)I6(1)
cisco-sa-20200205-fxnxos-iosxr-cdp-dos - [{u'vulnerabilityState': u'vulnerable', u'firstFixes': [{u'id': u'277096', u'name': u'7.0(3)I7(8)'}], u'id': u'265091', u'name': u'Cisco Nexus 3000 Series Switches'}, {u'vulnerabilityState': u'vulnerable', u'firstFixes': [{u'id': u'277096', u'name': u'7.0(3)I7(8)'}], u'id': u'265096', u'name': u'Cisco Nexus 9000 Series Switches'}] - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-fxnxos-iosxr-cdp-dos
cisco-sa-20190828-nxos-fsip-dos - [{u'vulnerabilityState': u'vulnerable', u'firstFixes': [{u'id': u'248792', u'name': u'7.0(3)I7(4)'}], u'id': u'265091', u'name': u'Cisco Nexus 3000 Series Switches'}, {u'vulnerabilityState': u'vulnerable', u'firstFixes': [{u'id': u'248792', u'name': u'7.0(3)I7(4)'}], u'id': u'265096', u'name': u'Cisco Nexus 9000 Series Switches'}] - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-fsip-dos
cisco-sa-20190828-fxnxos-snmp-dos - [{u'vulnerabilityState': u'vulnerable', u'firstFixes': [{u'id': u'265114', u'name': u'7.0(3)I7(6)'}], u'id': u'265091', u'name': u'Cisco Nexus 3000 Series Switches'}, {u'vulnerabilityState': u'vulnerable', u'firstFixes': [{u'id': u'265114', u'name': u'7.0(3)I7(6)'}], u'id': u'265096', u'name': u'Cisco Nexus 9000 Series Switches'}] - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-fxnxos-snmp-dos
cisco-sa-20190828-nxos-memleak-dos - [{u'vulnerabilityState': u'vulnerable', u'firstFixes': [{u'id': u'248792', u'name': u'7.0(3)I7(4)'}], u'id': u'265091', u'name': u'Cisco Nexus 3000 Series Switches'}, {u'vulnerabilityState': u'vulnerable', u'firstFixes': [{u'id': u'248792', u'name': u'7.0(3)I7(4)'}], u'id': u'265096', u'name': u'Cisco Nexus 9000 Series Switches'}] - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-memleak-dos
cisco-sa-20190828-nxos-ntp-dos - [{u'vulnerabilityState': u'vulnerable', u'firstFixes': [{u'id': u'265114', u'name': u'7.0(3)I7(6)'}], u'id': u'265091', u'name': u'Cisco Nexus 3000 Series Switches'}, {u'vulnerabilityState': u'vulnerable', u'firstFixes': [{u'id': u'265114', u'name': u'7.0(3)I7(6)'}], u'id': u'265096', u'name': u'Cisco Nexus 9000 Series Switches'}] - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-ntp-dos
cisco-sa-20190925-vman - [{u'vulnerabilityState': u'vulnerable', u'firstFixes': [{u'id': u'239476', u'name': u'7.0(3)I6(2)'}], u'id': u'265091', u'name': u'Cisco Nexus 3000 Series Switches'}, {u'vulnerabilityState': u'vulnerable', u'firstFixes': [{u'id': u'239476', u'name': u'7.0(3)I6(2)'}], u'id': u'265096', u'name': u'Cisco Nexus 9000 Series Switches'}] - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-vman
cisco-sa-20190925-nxos-vman-cmd-inj - [{u'vulnerabilityState': u'vulnerable', u'firstFixes': [{u'id': u'265114', u'name': u'7.0(3)I7(6)'}], u'id': u'265091', u'name': u'Cisco Nexus 3000 Series Switches'}, {u'vulnerabilityState': u'vulnerable', u'firstFixes': [{u'id': u'265114', u'name': u'7.0(3)I7(6)'}], u'id': u'265096', u'name': u'Cisco Nexus 9000 Series Switches'}] - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-nxos-vman-cmd-inj
cisco-sa-20190828-nxos-api-dos - [{u'vulnerabilityState': u'vulnerable', u'firstFixes': [{u'id': u'265114', u'name': u'7.0(3)I7(6)'}], u'id': u'265091', u'name': u'Cisco Nexus 3000 Series Switches'}, {u'vulnerabilityState': u'vulnerable', u'firstFixes': [{u'id': u'265114', u'name': u'7.0(3)I7(6)'}], u'id': u'265096', u'name': u'Cisco Nexus 9000 Series Switches'}] - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-api-dos

 

 

Hi @abunn-r7 

Correct, my bad. I queried by CVE cisco-sa-20180117-nxos1/advisory CVE-2018-0092 and there is no affected version listed.

                 'productNames': ['Cisco NX-OS Software '],

So it looks to me that the problem is not with the wrapper, but with the CVE backend db not having the information.

You mentioned: Instead of querying by advisory, should I build something to store every version available and query every possible version in order to collect which versions are vulnerable to each advisory where this information is missing?

Depends on how you want to build your script. In my scenario, I know what versions I am running in my DC, so I am querying only using those specific versions. If you have a list of CVEs which you want to run against your devices, then definitely you should send the requests by cve:

"https://api.cisco.com/security/advisories/cve/{cve}"

Anyway, the wrapper works just fine; it's the stored info about the bugs which is not working. Opening an issue on github about this is a step in the right direction.

 

Cheers,

Sergiu

 

abunn-r7
Level 1

According to the response I have received from the PSIRT team here: https://github.com/CiscoPSIRT/openVulnAPI/issues/76

 

The API will only be accurate for NX-OS advisories after 01 Jul 2019. 

 

It is my interpretation that any advisory before this date will not be accurate and therefore the API should not be used for any advisories before that date. 
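Added example (my own code, not from this thread or from the openVulnAPI project): an offline checker that puts the two findings of this thread together. It compares a running NX-OS version against the per-platform firstFixes data that the version query returns, reports "unknown" for records that carry only productNames (the gap abunn-r7 hit), and attaches a manual-verification caveat to anything published before 01 Jul 2019, the date the PSIRT reply gives. The field names advisoryId, platforms, firstFixes, vulnerabilityState and productNames are taken from the output shown above; the firstPublished field, the version-ordering rule and the third sample record are my assumptions, labelled as such in the code.

```python
import re
from datetime import date

# Date from the PSIRT reply cited in the thread: NX-OS advisory data in the API
# is only accurate for advisories published on or after this date.
NXOS_RELIABLE_SINCE = date(2019, 7, 1)

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version):
    """Map an NX-OS style version string to a comparable tuple.

    '7.0(3)I7(6)' -> ((0, 7), (0, 0), (0, 3), (1, 'I'), (0, 7), (0, 6))
    Numbers sort before letters; '.', '(' and ')' are ignored. This is an
    assumed simplification of Cisco release numbering, adequate for ordering
    releases within one train, not an official comparison rule.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t.upper())
                 for t in _TOKEN.findall(version))


def is_fixed(running, first_fixes):
    """True when the running version is at or beyond any listed first fix."""
    return any(version_key(running) >= version_key(f["name"]) for f in first_fixes)


def classify(advisory, running):
    """Return (status, reason) for one advisory record against a running version.

    status is 'vulnerable', 'fixed' or 'unknown'. 'unknown' means the record has
    no per-platform version data, i.e. the gap discussed in the thread. A
    publication date before the cutoff adds a caveat so the result is not
    trusted blindly. 'firstPublished' is assumed to be an ISO date or datetime.
    """
    published = date.fromisoformat(advisory["firstPublished"][:10])
    caveat = ""
    if published < NXOS_RELIABLE_SINCE:
        caveat = " (published %s, before %s: verify manually)" % (published, NXOS_RELIABLE_SINCE)

    with_fixes = [p for p in (advisory.get("platforms") or []) if p.get("firstFixes")]
    if not with_fixes:
        return "unknown", "no affected-version data in API record" + caveat

    for p in with_fixes:
        if p.get("vulnerabilityState") == "vulnerable" and not is_fixed(running, p["firstFixes"]):
            fixes = ", ".join(f["name"] for f in p["firstFixes"])
            return "vulnerable", "%s: first fix %s" % (p["name"], fixes) + caveat
    return "fixed", "running version at or beyond first fix" + caveat


def assess(advisories, running):
    """Classify every advisory; returns {advisoryId: (status, reason)}."""
    return {a["advisoryId"]: classify(a, running) for a in advisories}


# Constructed sample records. The first two reuse values shown in the thread;
# the third is invented to show a pre-cutoff record that does carry fix data.
SAMPLE_ADVISORIES = [
    {
        "advisoryId": "cisco-sa-20200226-nxos-arp",
        "firstPublished": "2020-02-26",
        "platforms": [{"id": "265088", "name": "Cisco Nexus 7000 Series Switches",
                       "firstFixes": [{"id": "277193", "name": "8.4(2)"}],
                       "vulnerabilityState": "vulnerable"}],
    },
    {
        "advisoryId": "cisco-sa-20180117-nxos1",
        "firstPublished": "2018-01-17",
        "productNames": ["Cisco NX-OS Software "],
        "platforms": [],
    },
    {
        "advisoryId": "cisco-sa-EXAMPLE-precutoff",   # constructed, not a real advisory
        "firstPublished": "2019-03-06",
        "platforms": [{"id": "0", "name": "Cisco Nexus 9000 Series Switches",
                       "firstFixes": [{"id": "0", "name": "7.0(3)I7(4)"}],
                       "vulnerabilityState": "vulnerable"}],
    },
]

if __name__ == "__main__":
    for running in ("8.3(1)", "7.0(3)I6(1)"):
        print("Running version %s" % running)
        for adv_id, (status, reason) in assess(SAMPLE_ADVISORIES, running).items():
            print("  %-30s %-10s %s" % (adv_id, status, reason))
```

The point of the "unknown" status is that a version query on its own would simply omit such an advisory, which is the false negative abunn-r7 observed; feeding the advisory records themselves through a classifier makes the missing data visible instead of silently passing the device.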
