SANS ISC: InfoSec Handlers Diary Blog
Using the NIST Database and API to Keep Up with Vulnerabilities and Patches - Playing with Code (Part 2 of 3)

Published: 2021-01-08
Last Updated: 2021-01-08 15:35:20 UTC
by Rob VandenBrink (Version: 1)

Building on yesterday's story: now that we have an inventory in CPE format, let's take an example CVE and write some code against it.  What is in the NVD database (and its API) that you can pull out and put to use in your organization?

First, let's play with CVE-2020-24436, an Acrobat / Acrobat Reader vulnerability (the text description names only Acrobat Pro DC, but the affected-product list further down also covers Reader).  In PowerShell, let's build the query, then pull the bits we're interested in out of the result.  One caveat before you copy this into production: the 1.0 endpoint used here was retired by NIST in 2023; the 2.0 API at https://services.nvd.nist.gov/rest/json/cves/2.0 returns a different JSON layout, so the property paths below need adjusting against it.

# NVD 1.0 single-CVE endpoint; the response is one JSON document
$request = "https://services.nvd.nist.gov/rest/json/cve/1.0/CVE-2020-24436"
# Invoke-WebRequest fetches it, ConvertFrom-Json turns the body into nested PowerShell objects
$cvemetadata = ( (invoke-webrequest $request) | convertfrom-json)

Let's start with the Published Date.  Note again that there's also a "last modified" date (lastModifiedDate, alongside publishedDate), the idea being that if a CVE gets updated, the modified date will reflect that.  Even looking at that briefly, though, that "last modified" date seems to be programmatic, so I think it's getting changed when folks don't intend it - my first check was a Peoplesoft vuln from 2017, and it had a 2020 last modified date for no reason I could see.  Anyway, here's the published date:

$PublishedDate = $cvemetadata.result.cve_items.publishedDate
$PublishedDate

2020-11-05T20:15Z

Next, the text description.  This is where the "traditional" CVE delivery paths fall down - they generally give you the CVE number, then this text description, and maybe a severity score.  That's fine for news stories or your report to management, but it's not something you can "monitor" when hundreds of them fly by every day.  Sorry about the rant, but I guess that's why we're playing with this code, so that you can build your own delivery mechanism for your organization.  Anyway, back to the text description (description_data is a list of language-tagged entries, and PowerShell's member enumeration pulls the value out of each):

$CVEDesc = $cvemetadata.result.cve_items.cve.description.description_data.value

$CVEDesc
Acrobat Pro DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by an out-of-bounds write vulnerability that could result in writing past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. This vulnerability requires user interaction to exploit in that the victim must open a malicious document

Next, the reference URLs, which may have more detail (there is usually a vendor advisory in this list):

$CVEURLs=$cvemetadata.result.cve_items.cve.references.reference_data.url
$CVEURLs
https://helpx.adobe.com/security/products/acrobat/apsb20-67.html
https://www.zerodayinitiative.com/advisories/ZDI-20-1355/

The data on severity and scope.  This is what we used to call "the CVSS score", but you can see the metadata now carries the whole vector, not just the number.  Note that this pulls the v3 block (baseMetricV3); older CVEs may carry only baseMetricV2, and a CVE still awaiting NVD analysis has neither, in which case this expression quietly returns nothing:

$CVE_CVSSv3Data = $cvemetadata.result.CVE_items.impact.basemetricv3.cvssv3
$CVE_CVSSv3Data
version               : 3.1
vectorString          : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector          : LOCAL
attackComplexity      : LOW
privilegesRequired    : NONE
userInteraction       : REQUIRED
scope                 : UNCHANGED
confidentialityImpact : HIGH
integrityImpact       : HIGH
availabilityImpact    : HIGH
baseScore             : 7.8
baseSeverity          : HIGH
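
Because the v3 block can be missing, a reporting tool needs a fallback order rather than a single property path.  Here is an added example (not the diary's code) that reads severity as v3, then v2, then "unscored", run against a constructed three-record document shaped like a 1.0 response.  The first record reuses the CVE-2020-24436 values shown above; the other two carry placeholder IDs and made-up v2 values and are not real NVD data.

```powershell
# Added example, not from the diary. Reads severity from a parsed NVD 1.0
# response with a fallback order: CVSS v3 -> CVSS v2 -> "unscored".
# The JSON is constructed to look like a 1.0 response; the second and third
# records (placeholder IDs CVE-0000-0001 / CVE-0000-0002) are not real data.
$sampleJson = @'
{
  "result": {
    "CVE_Items": [
      {
        "cve": {
          "CVE_data_meta": { "ID": "CVE-2020-24436" },
          "description": { "description_data": [
            { "lang": "en", "value": "Acrobat out-of-bounds write; see the text above." } ] }
        },
        "impact": {
          "baseMetricV3": { "cvssV3": { "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 7.8, "baseSeverity": "HIGH" } }
        },
        "publishedDate": "2020-11-05T20:15Z", "lastModifiedDate": "2020-11-05T20:15Z"
      },
      {
        "cve": {
          "CVE_data_meta": { "ID": "CVE-0000-0001" },
          "description": { "description_data": [
            { "lang": "en", "value": "Placeholder record that carries only a CVSS v2 score." } ] }
        },
        "impact": {
          "baseMetricV2": { "cvssV2": { "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5 },
            "severity": "HIGH" }
        },
        "publishedDate": "2010-01-01T00:00Z", "lastModifiedDate": "2010-01-01T00:00Z"
      },
      {
        "cve": {
          "CVE_data_meta": { "ID": "CVE-0000-0002" },
          "description": { "description_data": [
            { "lang": "en", "value": "Placeholder record still awaiting NVD analysis." } ] }
        },
        "impact": {},
        "publishedDate": "2021-01-07T12:00Z", "lastModifiedDate": "2021-01-07T12:00Z"
      }
    ]
  }
}
'@

function Get-CveSeverity {
    # Return one flat object per CVE_Items entry, from whichever CVSS block is present.
    param([Parameter(Mandatory)] $CveItem)
    $id = $CveItem.cve.CVE_data_meta.ID
    # description_data is a list; take the English entry rather than the first one blindly
    $desc = ($CveItem.cve.description.description_data | Where-Object lang -eq 'en' | Select-Object -First 1).value
    $v3 = $CveItem.impact.baseMetricV3.cvssV3
    $v2 = $CveItem.impact.baseMetricV2
    if ($v3) {
        $cvss = 'v' + $v3.version; $score = $v3.baseScore; $sev = $v3.baseSeverity; $vec = $v3.vectorString
    } elseif ($v2) {
        # v2 keeps the severity word beside cvssV2, not inside it
        $cvss = 'v' + $v2.cvssV2.version; $score = $v2.cvssV2.baseScore; $sev = $v2.severity; $vec = $v2.cvssV2.vectorString
    } else {
        # No impact data at all: the record is still awaiting analysis
        $cvss = $null; $score = $null; $sev = 'UNSCORED'; $vec = $null
    }
    [pscustomobject]@{
        Id = $id; Published = $CveItem.publishedDate; Modified = $CveItem.lastModifiedDate
        Cvss = $cvss; Score = $score; Severity = $sev; Vector = $vec; Description = $desc
    }
}

$doc = $sampleJson | ConvertFrom-Json
$doc.result.CVE_Items | ForEach-Object { Get-CveSeverity $_ } |
    Format-Table Id, Cvss, Score, Severity, Vector -AutoSize
```

The "UNSCORED" row is the one to watch in a daily report: it is a CVE that exists but that NVD has not rated yet, and filtering on baseScore alone would drop it on the floor.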


We know what's installed on our affected host, but which versions of the application does this CVE affect?  Note that the list carries both the vulnerable products and the platforms they run on (True or False in the "vulnerable" field): the False entries below are the operating systems in the configuration, not unaffected versions of Acrobat.  Two more things to keep in mind.  First, this property path only works when the configuration puts cpe_match under children, as this one does; many CVEs put cpe_match directly under nodes, and flattening the tree this way also drops the AND/OR operators that say how the entries combine.  Second, versionEndIncluding is only one of four range fields (the others are versionStartIncluding, versionStartExcluding and versionEndExcluding), so the single column showing up here doesn't mean the others never appear:

$CVEAffectedApps=$cvemetadata.result.CVE_items.configurations.nodes.children.cpe_match

$CVEAffectedApps

vulnerable cpe23Uri                                                   versionEndIncluding
---------- --------                                                   -------------------
      True cpe:2.3:a:adobe:acrobat:*:*:*:*:classic:*:*:*              20.001.30005       
      True cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:classic:*:*:*           17.011.30175       
      True cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*        20.012.20048       
      True cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:classic:*:*:*       20.001.30005       
      True cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:classic:*:*:*    17.011.30175       
      True cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:* 20.012.20048       
     False cpe:2.3:o:apple:mac_os:-:*:*:*:*:*:*:*                                        
     False cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* 

Winnowing this down to just the vulnerable versions:

# $_.vulnerable is a boolean, so compare it with $true (or just test it directly).
# Comparing a bool with a string converts the string, and any non-empty string - even "false" - converts to $true
($cvemetadata.result.CVE_items.configurations.nodes.children.cpe_match) | where { $_.vulnerable -eq $true }

vulnerable cpe23Uri                                                   versionEndIncluding
---------- --------                                                   -------------------
      True cpe:2.3:a:adobe:acrobat:*:*:*:*:classic:*:*:*              20.001.30005       
      True cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:classic:*:*:*           17.011.30175       
      True cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*        20.012.20048       
      True cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:classic:*:*:*       20.001.30005       
      True cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:classic:*:*:*    17.011.30175       
      True cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:* 20.012.20048       
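
Eyeballing this list against an inventory works for one CVE, but a reporting tool has to make the decision in code: walk the configuration tree, honour AND/OR, and compare the installed version against the range fields.  The following is an added example, not the diary's code.  The configuration is rebuilt from the table above (three of the six application entries kept, plus the two platform entries), the four host inventories are constructed, and it assumes the Part 1 inventory puts the installed version in the CPE version slot; the split-on-colon CPE parsing and the treatment of "-" as a wildcard are simplifications called out in the comments.

```powershell
# Added example, not from the diary: evaluate a CVE's configuration tree
# against a host's CPE inventory instead of eyeballing the flattened list.
# The tree is walked recursively, so both layouts NVD 1.0 uses (cpe_match
# directly under a node, or under children joined by AND/OR) are handled,
# and all four version-range fields are honoured.
# Assumption: the Part 1 inventory puts the installed version in the CPE
# version slot, e.g. cpe:2.3:a:adobe:acrobat_reader_dc:20.012.20048:*:*:*:continuous:*:*:*

function ConvertTo-Version {
    # [version] needs at least two dotted numeric parts; pad "5" to "5.0".
    # Returns $null for anything non-numeric, including the CPE wildcards "*" and "-".
    param([string]$Text)
    if ($Text -notmatch '^\d+(\.\d+)*$') { return $null }
    if ($Text -notmatch '\.') { $Text = "$Text.0" }
    return [version]$Text
}

function Test-CpeMatch {
    # Does one cpe_match entry cover one installed CPE?
    # Field order: cpe:2.3:part:vendor:product:version:update:edition:lang:sw_edition:target_sw:target_hw:other
    # Simplifications: a plain split on ':' (an escaped "\:" inside a field is not handled),
    # and "-" (not applicable) in the entry's version slot is treated like "*".
    param($Match, [string]$InstalledCpe)
    $m = $Match.cpe23Uri -split ':'
    $i = $InstalledCpe -split ':'
    if ($m.Count -ne 13 -or $i.Count -ne 13) { return $false }
    foreach ($idx in 2, 3, 4, 6, 7, 8, 9, 10, 11, 12) {      # every field except version (5)
        if ($m[$idx] -ne '*' -and $m[$idx] -ne $i[$idx]) { return $false }
    }
    $installed = ConvertTo-Version $i[5]
    if ($m[5] -ne '*' -and $m[5] -ne '-') {
        # Exact version in the URI: compare numerically when possible, literally otherwise
        $exact = ConvertTo-Version $m[5]
        if ($exact -and $installed) { return ($installed -eq $exact) }
        return ($m[5] -eq $i[5])
    }
    $hasRange = [bool]($Match.versionStartIncluding -or $Match.versionStartExcluding -or
                       $Match.versionEndIncluding -or $Match.versionEndExcluding)
    if (-not $hasRange) { return $true }
    if (-not $installed) { return $false }   # ranged entry but no usable version on the host: don't guess
    if ($Match.versionStartIncluding -and $installed -lt (ConvertTo-Version $Match.versionStartIncluding)) { return $false }
    if ($Match.versionStartExcluding -and $installed -le (ConvertTo-Version $Match.versionStartExcluding)) { return $false }
    if ($Match.versionEndIncluding -and $installed -gt (ConvertTo-Version $Match.versionEndIncluding)) { return $false }
    if ($Match.versionEndExcluding -and $installed -ge (ConvertTo-Version $Match.versionEndExcluding)) { return $false }
    return $true
}

function Test-ConfigurationNode {
    # True when the inventory satisfies this node: OR = any entry or child, AND = all of them.
    param($Node, [string[]]$Inventory)
    $results = @()
    foreach ($entry in @($Node.cpe_match)) {
        if ($null -eq $entry) { continue }
        $hit = $false
        foreach ($cpe in $Inventory) { if (Test-CpeMatch $entry $cpe) { $hit = $true; break } }
        $results += $hit
    }
    foreach ($child in @($Node.children)) {
        if ($null -eq $child) { continue }
        $results += [bool](Test-ConfigurationNode $child $Inventory)
    }
    if ($results.Count -eq 0) { return $false }
    if ($Node.operator -eq 'AND') { return ($results -notcontains $false) }
    return ($results -contains $true)                      # OR, the default
}

function Test-HostAffected {
    # Top-level nodes are OR-ed: any satisfied configuration means the host is affected.
    param($CveItem, [string[]]$Inventory)
    foreach ($node in @($CveItem.configurations.nodes)) {
        if ($null -ne $node -and (Test-ConfigurationNode $node $Inventory)) { return $true }
    }
    return $false
}

# Constructed configuration, rebuilt from the table above:
# (any affected Acrobat/Reader build) AND (Windows or macOS). Three of the six app entries kept.
$cve = [pscustomobject]@{ configurations = [pscustomobject]@{ nodes = @(
    [pscustomobject]@{ operator = 'AND'; children = @(
        [pscustomobject]@{ operator = 'OR'; cpe_match = @(
            [pscustomobject]@{ vulnerable = $true; cpe23Uri = 'cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*'; versionEndIncluding = '20.012.20048' },
            [pscustomobject]@{ vulnerable = $true; cpe23Uri = 'cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:classic:*:*:*'; versionEndIncluding = '17.011.30175' },
            [pscustomobject]@{ vulnerable = $true; cpe23Uri = 'cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:*'; versionEndIncluding = '20.012.20048' }
        ) },
        [pscustomobject]@{ operator = 'OR'; cpe_match = @(
            [pscustomobject]@{ vulnerable = $false; cpe23Uri = 'cpe:2.3:o:apple:mac_os:-:*:*:*:*:*:*:*' },
            [pscustomobject]@{ vulnerable = $false; cpe23Uri = 'cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*' }
        ) }
    ) }
) } }

# Constructed inventories for four hosts (versions and OS builds are made up); the real ones come from Part 1
$hostInventory = [ordered]@{
    'pc-01: Reader DC continuous 20.012.20048 on Windows' = @('cpe:2.3:o:microsoft:windows:10:*:*:*:*:*:*:*',
        'cpe:2.3:a:adobe:acrobat_reader_dc:20.012.20048:*:*:*:continuous:*:*:*')
    'pc-02: Reader DC continuous 20.013.20064 on Windows' = @('cpe:2.3:o:microsoft:windows:10:*:*:*:*:*:*:*',
        'cpe:2.3:a:adobe:acrobat_reader_dc:20.013.20064:*:*:*:continuous:*:*:*')
    'mac-03: Reader DC classic 17.011.30100 on macOS' = @('cpe:2.3:o:apple:mac_os:10.15:*:*:*:*:*:*:*',
        'cpe:2.3:a:adobe:acrobat_reader_dc:17.011.30100:*:*:*:classic:*:*:*')
    'box-04: Acrobat DC continuous 20.012.20048, no OS CPE' = @('cpe:2.3:a:adobe:acrobat_dc:20.012.20048:*:*:*:continuous:*:*:*')
}
foreach ($name in $hostInventory.Keys) {
    '{0,-56} affected: {1}' -f $name, (Test-HostAffected $cve $hostInventory[$name])
}
```

pc-01 and mac-03 come back True (builds at or below the versionEndIncluding value on a listed platform), pc-02 comes back False (a later build), and box-04 comes back False even though its Acrobat build is in range, because the AND node also needs a Windows or macOS entry and the inventory has none.  That last case is the argument for carrying the OS CPE in the Part 1 inventory: without it, a strict evaluation turns "affected" into "not affected" rather than "unknown", and a report built on it will under-count.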


Now with some code written, on Monday we'll string everything together into a useful, complete reporting tool that you can use.

===============
Rob VandenBrink
rob@coherentconsulting.com
