Using the NIST Database and API to Keep Up with Vulnerabilities and Patches – Playing with Code (Part 2 of 3), (Fri, Jan 8th)

This post was originally published on this site

Building on yesterday's story – now that we have an inventory built in CPE format, let's take an example CVE from that and write some code, what's in the NVD database (and API) that you can access, then use in your organization?

First, let's play with CVE-2020-24436, which is an Acrobat Reader vulnerability.  In PowerShell, let's construct our query, then from the results pull out all the bits that we're interested in.

$request = "https://services.nvd.nist.gov/rest/json/cve/1.0/CVE-2020-24436"
$cvemetadata = ( (invoke-webrequest $request) | convertfrom-json)

Let's start with the Published Date.  Note again that there's also a "last modified" date – the idea being that if a CVE gets updated that the modified date will reflect that.  Even looking at that briefly though that "last modified" date seems to be programatic, so I think it's getting changed when folks don't intend it – my first check was a Peoplesoft vuln from 2017, it had a 2020 last modified date for no reason I could see.  Anyway, here's the published date:

$PublishedDate = $cvemetadata.result.cve_items.publishedDate
$PublishedDate

2020-11-05T20:15Z

Next, the text description.  This is where the "traditional" CVE delivery paths fall down – they generally give you get the CVE number, then this text description, maybe a severity score.  This is fine for news stories or your report to management, but it's not something you can "monitor" when hundreds of them fly by every day.  Sorry about the rant, but I guess that's why we're playing with this code, so that you can build your own delivery mechanism for your organization.  Anyway, back to the text description:

$CVEDesc = $cvemetadata.result.cve_items.cve.description.description_data.value

$CVEDesc
Acrobat Pro DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by an out-of-bounds write vulnerability that could result in writing past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. This vulnerability requires user interaction to exploit in that the victim must open a malicious document

The Reference URLs that may have more detail (usually there's a vendor URL in this list):

$CVEURLs=$cvemetadata.result.cve_items.cve.references.reference_data.url
$CVEURLs
https://helpx.adobe.com/security/products/acrobat/apsb20-67.html
https://www.zerodayinitiative.com/advisories/ZDI-20-1355/

The data on severity and scope (what we used to call the CVSS score):

$CVE_CVSSv3Data = $cvemetadata.result.CVE_items.impact.basemetricv3.cvssv3
$CVE_CVSSv3Data
version               : 3.1
vectorString          : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector          : LOCAL
attackComplexity      : LOW
privilegesRequired    : NONE
userInteraction       : REQUIRED
scope                 : UNCHANGED
confidentialityImpact : HIGH
integrityImpact       : HIGH
availabilityImpact    : HIGH
baseScore             : 7.8
baseSeverity          : HIGH

 

We know what's installed on our affected host, but what versions of the application are affected by this CVE?  Note that list gives you vulnerable versions ($_.vulnerable = "True") and versions that are not affected ($_.vulnerabile = "False")

$CVEAffectedApps=$cvemetadata.result.CVE_items.configurations.nodes.children.cpe_match

$CVEAffectedApps

vulnerable cpe23Uri                                                   versionEndIncluding
———- ——–                                                   ——————-
      True cpe:2.3:a:adobe:acrobat:*:*:*:*:classic:*:*:*              20.001.30005       
      True cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:classic:*:*:*           17.011.30175       
      True cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*        20.012.20048       
      True cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:classic:*:*:*       20.001.30005       
      True cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:classic:*:*:*    17.011.30175       
      True cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:* 20.012.20048       
     False cpe:2.3:o:apple:mac_os:-:*:*:*:*:*:*:*                                        
     False cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* 

Winnowing this down to just the vulnerable versions:

($cvemetadata.result.CVE_items.configurations.nodes.children.cpe_match) | where {$_.vulnerable -eq "true" }

vulnerable cpe23Uri                                                   versionEndIncluding
———- ——–                                                   ——————-
      True cpe:2.3:a:adobe:acrobat:*:*:*:*:classic:*:*:*              20.001.30005       
      True cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:classic:*:*:*           17.011.30175       
      True cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*        20.012.20048       
      True cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:classic:*:*:*       20.001.30005       
      True cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:classic:*:*:*    17.011.30175       
      True cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:* 20.012.20048       

 

Now with some code written, on Monday we'll string everything together into a useful, complete reporting tool that you can use.

===============
Rob VandenBrink
rob@coherentconsulting.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.