CVE Reporting Tool
In version 6.9.8
of the ipfabric
Python SDK a new ipf_cve_report
CLI tool was added which creates an Excel report
of CVEs and EoL for devices in IP Fabric. The
cve-report project will no longer be maintained as all
functionality has been migrated into the SDK.
Definitions
- NIST: The National Institute of Standards and Technology (NIST) is a non-regulatory agency that develops technology, metrics, and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry.
- CPE: Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. Based on the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.
- CVE: Common Vulnerabilities and Exposures (CVE) is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities. CVE Entries are used in numerous cybersecurity products and services from around the world, including the U.S. National Vulnerability Database (NVD).
Data Collection
It was determined in the previous cve-report
project that some CVE data was missing which has caused the migration to
the new process as defined below:
- Query NISTs API for CPEs that match the device’s vendor, family, and version.
- Iterate through the CPEs and query NISTs API for CVEs that match the CPE.
- Create the report which may contain duplicate CVEs if multiple CPEs are found. A new column in the report shows the matching CPE.
Since the number of calls to the NIST API has now doubled the time to generate the report has increased compared to the previous versions.
Important Caveats
Please note the following:
- The IP Fabric team cannot guarantee the accuracy of the data and this is provided as best effort. Please ensure you are subscribed to security alerts from your vendors and other sources.
- At this time we are unable to report on CVEs that are not associated with a exact CPE match. Examples include:
- A CVE defined with “affected versions” instead of being associated with a CPE
(
before|prior to X.X.X
orbetween X.X.X and Y.Y.Y
). - CVE of an underlying component that is not directly associated with the device (e.g. NTP, OpenSSL, etc). Vendors will send notifications about these but will not always associate their CPE to the CVE.
- A CVE defined with “affected versions” instead of being associated with a CPE
(
- Our team is unable to determine if a vulnerability is applicable to a device based on the CVE alone. This requires a manual review of the CVE, vendor’s documentation, and the device’s configuration.
- Not all vendors and families are supported. If our team was unable to determine how to query for the CPEs for a vendor or family then it will not be included in the report.
If any bugs are found or you have any feature requests please open an issue in GitLab or report it to your Solution Architect.
Requirements
Required environment variables exported (IPF_URL
and IPF_TOKEN
or IPF_USERNAME & IPF_PASSWORD
) or a
.env
file located in the current working directory or your home directory.
Requires:
pandas
andopenpyxl
pip install pandas openpyxl
orpip install ipfabric[cli]
NVD_API_KEY
from NIST- Can be exported as an environment variable
NVD_API_KEY
or passed as an argument.
- Can be exported as an environment variable
Documentation
# ipf_cve_report -h
usage: ipf_cve_report [-h] [-s SNAPSHOT] [-b BASE_URL] [-t TOKEN] [-u USERNAME] [-p PASSWORD] [-n NVD_API_KEY] [-f FILENAME] [-to TIMEOUT] [-l SITE_NAME] [-j]
Creates an Excel report of CVEs and EoL for devices in IP Fabric; requires:
Python Packages: 'pandas' and 'openpyxl' (`pip install ipfabric[cve]` or `pip install pandas openpyxl`)
NVD_API_KEY: See https://nvd.nist.gov/developers/request-an-api-key
optional arguments:
-h, --help show this help message and exit
-s SNAPSHOT, --snapshot SNAPSHOT
Snapshot to use which can be a UUID or one of ['last', 'prev', 'lastLocked']with or without `$` for *nix compatability.
-b BASE_URL, --base-url BASE_URL
Base URL for IPFabric API or IPF_URL env variable.
-t TOKEN, --token TOKEN
IP Fabric API Token or IPF_TOKEN env variable.
-u USERNAME, --username USERNAME
IP Fabric username (requires --password) or IPF_USERNAME env variable.
-p PASSWORD, --password PASSWORD
IP Fabric password or IPF_PASSWORD env variable.
-n NVD_API_KEY, --nvd-api-key NVD_API_KEY
NVD_API_KEY from https://nvd.nist.gov/developers/request-an-api-key
-f FILENAME, --filename FILENAME
Filename to save, defaults to CVE_report.(xlsx|json). Extension will always be corrected to either '.xlsx' or '.json'.
-to TIMEOUT, --timeout TIMEOUT
Timeout for NIST API (Int, Float, or None); default 60 seconds.
-l SITE_NAME, --site-name SITE_NAME
Filter on a specific site name (location); case-insensitive equals search.
-j, --json Save as JSON output instead of Excel; default is Excel output.
Usage
Excel
# ipf_cve_report -n NVD_API_KEY -s last -f CVE_report.xlsx
# ls
CVE_report.xlsx
End of Life Report
CVE Report
CVE Errors Report
JSON
# ipf_cve_report -n NVD_API_KEY -s last -f CVE_report.json -j -l hwlab
# ls
CVE_report.json
JSON Output
{
"CVE": [
{
"device": "HWLAB",
"site": "HWLAB",
"serial": "3RK4-20R2",
"ip": "10.64.128.1/32",
"vendor": "mikrotik",
"family": "routeros",
"version": "6.45.3",
"cpe_name": "cpe:2.3:o:mikrotik:routeros:6.45.3:*:*:*:*:*:*:*",
"cve_id": "CVE-2019-15055",
"cve_base_score": 6.5,
"cve_description": "MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly handles the disk name...",
"cve_url": "https://fortiguard.com/zeroday/FG-VD-19-108"
}
],
"No CVE": [],
"CVE Error": [
{
"device": "HWLAB-SGE300",
"site": "HWLAB",
"serial": "PSZ21111F8D",
"ip": "10.64.128.16/32",
"vendor": "cisco",
"family": "sg",
"version": "1.4.8.6",
"cpe_name": null,
"error": "Unsupported"
}
],
"EoL": [
{
"hostname": "HWLAB-SGE300",
"siteName": "HWLAB",
"deviceSn": "PSZ21111F8D",
"vendor": "cisco",
"pid": "SG300-10PP-K9",
"replacement": "SG350-10P-K9-AU",
"sn": "PSZ21111F8D",
"endSale": "2018-05-10T00:00:00.000",
"endMaintenance": null,
"endSupport": "2023-05-31T00:00:00.000",
"url": "https://www.cisco.com/c/en/us/products/collateral/switches/small-business-300-series-managed-switches/eos-eol-notice-c51-739973.html",
"dscr": "SG300-10PP 10-port Gigabit PoE+ Managed Switch"
}
]
}