Affected product data missing from API responses #76

Closed
abunn-r7 opened this issue Apr 29, 2020 · 2 comments
Labels
back-end-data Backend data issue

Comments

@abunn-r7
Copy link
Contributor

Describe the bug
There appears to be a significant number of advisories without version information. These advisories sometimes have linked bug pages with some affected versions on them, but this data is not available via the API.

Additionally, when one of these affected versions is queried for vulnerabilities via the API, the advisories in question do not appear in the API response. This is a false negative (Cisco indicates via the API that a version is not affected by a vulnerability, but in fact the version is affected).

This issue extends past the API to the CVRF available for download on the advisory webpages.

To Reproduce
Steps to reproduce the behavior:

  1. Use the API to retrieve affected versions for one of the following advisories:
     - Cisco-SA-20120810-CVE-2012-1340
     - Cisco-SA-20131106-CVE-2013-5566
     - cisco-sa-20080610-snmpv3
     - cisco-sa-20090908-tcp24
     - cisco-sa-20091109-tls
     - cisco-sa-20110907-nexus
     - cisco-sa-20120215-nxos
     - cisco-sa-20141015-poodle
     - cisco-sa-20150128-ghost
     - cisco-sa-20150320-openssl
     - cisco-sa-20160129-openssl
     - cisco-sa-20160203-apic
     - cisco-sa-20160218-glibc
     - cisco-sa-20160302-openssl
     - cisco-sa-20160428-ntpd
     - cisco-sa-20160504-openssl
     - cisco-sa-20160603-ntpd
     - cisco-sa-20160927-openssl
     - cisco-sa-20161102-n9kapic
     - cisco-sa-20171018-ppe
     - cisco-sa-20171129-fxnx
     - cisco-sa-20171129-nss
     - cisco-sa-20171129-nxos
     - cisco-sa-20171129-nxos1
     - cisco-sa-20171129-nxos10
     - cisco-sa-20171129-nxos2
     - cisco-sa-20171129-nxos3
     - cisco-sa-20171129-nxos4
     - cisco-sa-20171129-nxos5
     - cisco-sa-20171129-nxos6
     - cisco-sa-20171129-nxos7
     - cisco-sa-20171129-nxos8
     - cisco-sa-20171129-nxos9
     - cisco-sa-20171129-switch
     - cisco-sa-20180117-nxos
     - cisco-sa-20180117-nxos1
     - cisco-sa-20180620-nxos-rbaccess
     - cisco-sa-20190306-info-poap
  2. Observe that the product_names attribute only includes "Cisco NX-OS Software " without version information.
     Example:

```
$ openVulnQuery --config cisco-api.json --advisory cisco-sa-20180117-nxos1
[
    {
        "advisory_id": "cisco-sa-20180117-nxos1",
        "advisory_title": "Cisco NX-OS System Software Unauthorized User Account Deletion Vulnerability",
        "bug_ids": [
            "CSCvg21120"
        ],
        "cves": [
            "CVE-2018-0092"
        ],
        "cvrfUrl": "https://tools.cisco.com/security/center/contentxml/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1/cvrf/cisco-sa-20180117-nxos1_cvrf.xml",
        "cvss_base_score": "6.1",
        "cwe": [
            "CWE-264"
        ],
        "first_published": "2018-01-17T16:00:00-0800",
        "ips_signatures": [
            "NA"
        ],
        "last_updated": "2018-01-17T16:00:00-0800",
        "product_names": [
            "Cisco NX-OS Software "
        ],
        "publication_url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1",
        "sir": "Medium",
        "summary": "A vulnerability in the <em>network-operator</em> user role implementation for Cisco NX-OS System Software could allow an authenticated, local attacker to improperly delete valid user accounts. The <em>network-operator</em> role should not be able to delete other configured users on the device.<br />\n<br />\nThe vulnerability is due to a lack of proper role-based access control (RBAC) checks for the actions that a user with the <em>network-operator</em> role is allowed to perform. An attacker could exploit this vulnerability by authenticating to the device with user credentials that give that user the <em>network-operator</em> role. Successful exploitation could allow the attacker to impact the integrity of the device by deleting configured user credentials. The attacker would need valid user credentials for the device.<br />\n<br />\nThere are no workarounds that address this vulnerability.<br />\n<br />\nThis advisory is available at the following link:<br />\n<a href=\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1\">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1</a>"
    }
]
```

  3. Manually retrieve an affected version from a bug page attached to one of these advisories (e.g. 7.0(3)I6(1) from CSCvg21120 via cisco-sa-20180117-nxos1). A browser must be used to access this data.
  4. Make a call to the API looking for advisories that affect that version.
  5. Observe that the advisory is not in the response from the API.

```
$ openVulnQuery --config cisco-api.json --nxos="7.0(3)I6(1)" | grep 'advisory_id'
        "advisory_id": "cisco-sa-20200205-fxnxos-iosxr-cdp-dos",
        "advisory_id": "cisco-sa-20190828-nxos-fsip-dos",
        "advisory_id": "cisco-sa-20190828-fxnxos-snmp-dos",
        "advisory_id": "cisco-sa-20190828-nxos-memleak-dos",
        "advisory_id": "cisco-sa-20190828-nxos-ntp-dos",
        "advisory_id": "cisco-sa-20190925-vman",
        "advisory_id": "cisco-sa-20190925-nxos-vman-cmd-inj",
        "advisory_id": "cisco-sa-20190828-nxos-api-dos",
```

  6. Observe that the data is also missing from the CVRF: cisco-sa-20180117-nxos1_cvrf.xml

```xml
<ProductTree xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/prod">
  <Branch Name="Cisco" Type="Vendor">
    <Branch Name="Cisco NX-OS Software" Type="Product Name">
      <FullProductName ProductID="CVRFPID-80720">Cisco NX-OS Software </FullProductName>
    </Branch>
  </Branch>
</ProductTree>
```

Expected behavior

  1. Affected products data should include vulnerable versions on all advisories.
  2. Querying for advisories which apply to a specific version should not omit advisories which affect that version.

Screenshots
Please see API responses above.

Client Info

```
$ pip show openVulnQuery
Name: OpenVulnQuery
Version: 1.30
Summary: A python-based module(s) to query the Cisco PSIRT openVuln API.
Home-page: https://github.com/CiscoPSIRT/openVulnAPI/tree/master/openVulnQuery
Author: Omar Santos
Author-email: os@cisco.com
License: The MIT License (MIT)
Location: /Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/OpenVulnQuery-1.30-py3.8.egg
Requires: argparse, requests
Required-by:
```

Additional context
I made a post on the Cisco Community about this issue and was directed to create an issue here. Please see this discussion for additional context.
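A defender-side sanity check suggested by the report above, added here as an example and not code from the issue author or the openVulnQuery project: it flags advisory records whose product_names carry no version string (so a version-keyed query can silently omit them) and does the same for FullProductName entries in a CVRF ProductTree. It assumes product_names is a list of strings like "Cisco NX-OS Software 7.0(3)I6(1)"; the sample records and the version regex are constructed assumptions.

```python
"""Flag openVuln advisories and CVRF products that name no affected version."""
import re
import xml.etree.ElementTree as ET

# Assumed version shapes: 7.0(3)I6(1), 15.2(4)M, 16.3.1 (constructed heuristic).
VERSION_RE = re.compile(r"\d+\.\d+(?:\(\d+\)|\.\d+)[A-Za-z0-9().]*")

# Namespace from the CVRF fragment quoted in the issue.
CVRF_PROD_NS = "{http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/prod}"


def has_version(product_name: str) -> bool:
    """True if the product string embeds a software version."""
    return VERSION_RE.search(product_name) is not None


def advisories_missing_versions(advisories: list) -> list:
    """Return advisory_ids whose product_names give no version at all.
    A query keyed on a version cannot match these, so they need manual
    review against the linked bug pages rather than being treated as clean."""
    return [a["advisory_id"] for a in advisories
            if not any(has_version(p) for p in a.get("product_names", []))]


def cvrf_products_without_version(cvrf_xml: str) -> list:
    """Parse a CVRF ProductTree and list FullProductName entries lacking a version."""
    root = ET.fromstring(cvrf_xml)
    names = [el.text.strip() for el in root.iter(CVRF_PROD_NS + "FullProductName") if el.text]
    return [n for n in names if not has_version(n)]


# Constructed samples: the first mirrors the record quoted in the issue,
# the second is a hypothetical well-formed record that does carry versions.
SAMPLE_ADVISORIES = [
    {"advisory_id": "cisco-sa-20180117-nxos1", "product_names": ["Cisco NX-OS Software "]},
    {"advisory_id": "example-with-versions",
     "product_names": ["Cisco NX-OS Software 7.0(3)I6(1)", "Cisco NX-OS Software 7.0(3)I7(1)"]},
]

SAMPLE_CVRF = """<ProductTree xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/prod">
  <Branch Name="Cisco" Type="Vendor">
    <Branch Name="Cisco NX-OS Software" Type="Product Name">
      <FullProductName ProductID="CVRFPID-80720">Cisco NX-OS Software </FullProductName>
    </Branch>
  </Branch>
</ProductTree>"""

if __name__ == "__main__":
    print("advisories without versions:", advisories_missing_versions(SAMPLE_ADVISORIES))
    print("CVRF products without versions:", cvrf_products_without_version(SAMPLE_CVRF))
```

Run it over the full output of `openVulnQuery --config cisco-api.json --product "Cisco NX-OS Software"` (or a saved JSON file) to get the list of advisories that a `--nxos=<version>` query cannot be trusted to return.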

@abunn-r7
abunn-r7 commented May 1, 2020

@santosomar Is there a better way to get in contact with the team responsible for the backend data?

@santosomar santosomar self-assigned this May 18, 2020
@santosomar santosomar added the back-end-data Backend data issue label May 18, 2020
@santosomar

Hi,

You can always contact psirt@cisco.com to reach our team.

The reason that you are experiencing those symptoms is that we started supporting NX-OS on the software checker and API this year.

The new search capabilities will allow examination of vulnerabilities that were disclosed on or after 01 Jul 2019.

Hope this helps.
