APIC-EM – inventoryAnalyse

Continuing my set of frozenPony scripts I’ve now finished inventoryAnalyse. This script takes the data structures created by the inventoryCollect script, and checks the software versions against the Cisco PSIRT API OpenVulnQuery to produce an report of vulnerabilities effecting your network device estate.


It is worth pointing out that is just checking software versions, so it will report back on vulnerabilities which may not have been exploitable on a given platform due to hardware/ licensing constraints. Also the suggested fixed versions may not be available for a given platform.
Some vulnerabilities are only live on a device if certain commands are present, therefore requiring a separate configuration audit to take place which is out of the scope of these scripts.
Currently the PSIRT API only supports IOS and IOS-XE software versions, as such there is no support for ASA, WLC or NX-OS. ***See update below***


inventoryCollect must be run by the Python3 interpreter. It will output a Python pickle file data.dmp.
inventoryAnalyse must be run by the Python2.7 interpreter due to the requirements of the Cisco OpenVulnQuery package. This will read in the data.dmp file and process it against the PSIRT database and output to the terminal.

An example of the output:

Platform: C3850
  Running version: 03.06.06.E , 1 advisories, 1 devices
  Devices effected: switch-xx01
    cisco-sa-20170405-iosxe - Cisco IOS XE Software Startup Script Local Command Execution Vulnerability
      First fixed
  Running version: 03.06.03.E , 14 advisories, 2 devices
  Devices effected: switch-xx02, switch-xx03
    cisco-sa-20170405-iosxe - Cisco IOS XE Software Startup Script Local Command Execution Vulnerability
      First fixed
    cisco-sa-20170322-dhcpc - Cisco IOS and IOS XE Software DHCP Client Denial of Service Vulnerability
      First fixed
The latest versions of required files can be found here:


I have changed the code to return CVRF results for NX-OS platforms, using the query:
These results are further filtered on the ‘productNames’ attribute, so a N5K-5596T has a platform_id of 5000 in the PlatformObj class, and we search on that.
The CVRF does not contain any information on affected software versions so the results are fairly coarse and will include every result for a platform.
Also CVRF results are inconsistent with bugid. Take CVRF result for advisory cisco-sa-20161005-otv, which lists:

"productNames": [
                "Cisco NX-OS Software",
                "Cisco Nexus 5000 Series Switches",
                "Cisco Nexus 6000 Series Switches",
                "Cisco Nexus 93128TX Switch",
                "Cisco Nexus 9000 Series Switches"

However if you check the corresponding bugID CSCuy95701 only the N7K platforms are listed.
Take the Nexus results with a pinch of scepticism.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: