Caveats
It is worth pointing out that this is just checking software versions, so it will report vulnerabilities that may not have been exploitable on a given platform due to hardware or licensing constraints. Also, the suggested fixed versions may not be available for a given platform.
Some vulnerabilities are only live on a device if certain commands are present, which requires a separate configuration audit that is out of the scope of these scripts.
Currently the PSIRT API only supports IOS and IOS-XE software versions, so there is no support for ASA, WLC or NX-OS. ***See update below***
Execution
inventoryCollect must be run by the Python 3 interpreter. It will output a Python pickle file, data.dmp.
inventoryAnalyse must be run by the Python 2.7 interpreter, due to the requirements of the Cisco OpenVulnQuery package. It reads in the data.dmp file, processes it against the PSIRT database and outputs the results to the terminal.
An example of the output:

```
Platform: C3850
Running version: 03.06.06.E , 1 advisories, 1 devices
Devices effected: switch-xx01
cisco-sa-20170405-iosxe - Cisco IOS XE Software Startup Script Local Command Execution Vulnerability
BUGIDs:
CSCuz06639
CSCuz42122
First fixed
3.7.5E
Running version: 03.06.03.E , 14 advisories, 2 devices
Devices effected: switch-xx02, switch-xx03
cisco-sa-20170405-iosxe - Cisco IOS XE Software Startup Script Local Command Execution Vulnerability
BUGIDs:
CSCuz06639
CSCuz42122
First fixed
3.7.5E
cisco-sa-20170322-dhcpc - Cisco IOS and IOS XE Software DHCP Client Denial of Service Vulnerability
BUGIDs:
CSCuu43892
First fixed
3.6.5E
```
Update
I have changed the code to return CVRF results for NX-OS platforms, using the query:
https://api.cisco.com/security/advisories/cvrf/product?product=NX-OS
These results are further filtered on the ‘productNames’ attribute, so an N5K-5596T has a platform_id of 5000 in the PlatformObj class, and we search on that.
The CVRF does not contain any information on affected software versions so the results are fairly coarse and will include every result for a platform.
Also, CVRF results are inconsistent with the bug IDs. Take the CVRF result for advisory cisco-sa-20161005-otv, which lists:

```json
"productNames": [
"Cisco NX-OS Software",
"Cisco Nexus 5000 Series Switches",
"Cisco Nexus 6000 Series Switches",
"Cisco Nexus 93128TX Switch",
"Cisco Nexus 9000 Series Switches"
]
```

However, if you check the corresponding bug ID CSCuy95701, only the N7K platforms are listed.
Take the Nexus results with a pinch of scepticism.
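To show how the productNames filtering described above behaves, and how coarse it is, here is an added Python example (not the scripts' own code). The record shape (`advisoryId`/`productNames` keys), the model-to-series mapping in `platform_id`, and the bug-ID platform data are assumptions; the otv advisory's productNames are the ones quoted above.

```python
import re

# Constructed sample in the shape of the CVRF product query results
# (the 'advisoryId'/'productNames' keys are an assumption about the API;
# the otv entry copies the productNames quoted in the post).
SAMPLE_CVRF = [
    {"advisoryId": "cisco-sa-20161005-otv",
     "productNames": ["Cisco NX-OS Software",
                      "Cisco Nexus 5000 Series Switches",
                      "Cisco Nexus 6000 Series Switches",
                      "Cisco Nexus 93128TX Switch",
                      "Cisco Nexus 9000 Series Switches"]},
    {"advisoryId": "cisco-sa-PLACEHOLDER-n7k",   # constructed second record
     "productNames": ["Cisco Nexus 7000 Series Switches"]},
]

# Constructed: platforms listed against the bug IDs an advisory references.
# The post notes CSCuy95701 only lists N7K platforms; the mapping shape is assumed.
ADVISORY_BUGS = {"cisco-sa-20161005-otv": ["CSCuy95701"]}
BUG_PLATFORMS = {"CSCuy95701": ["Cisco Nexus 7000 Series Switches"]}


def platform_id(model):
    """Derive the series number from a Nexus model, e.g. N5K-5596T -> 5000.
    Assumes the 'N<digit>K-' prefix convention; Nexus 7700 (N77-) is not handled."""
    m = re.match(r"N(\d)K-", model.upper())
    if not m:
        raise ValueError("unrecognised Nexus model: %s" % model)
    return int(m.group(1)) * 1000


def advisories_for(model, cvrf_results):
    """Advisory IDs whose productNames name the model's series.
    CVRF carries no affected-version data, so every advisory naming the
    series is returned regardless of the version actually running."""
    series = "Cisco Nexus %d Series" % platform_id(model)
    return [adv["advisoryId"] for adv in cvrf_results
            if any(series in name for name in adv["productNames"])]


def unbacked_products(adv):
    """Product names the CVRF lists that none of the advisory's bug IDs confirm;
    a non-empty result is the 'pinch of scepticism' case from the post."""
    confirmed = set()
    for bug in ADVISORY_BUGS.get(adv["advisoryId"], []):
        confirmed.update(BUG_PLATFORMS.get(bug, []))
    return [name for name in adv["productNames"] if name not in confirmed]
```

Running `advisories_for("N5K-5596T", SAMPLE_CVRF)` returns the otv advisory for every 5K regardless of NX-OS version, and `unbacked_products` on that record flags all five product names because the only linked bug ID confirms N7K alone.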