Now, with a firm approach to building an inventory and using the NVD API (https://isc.sans.edu/forums/diary/Using+the+NIST+Database+and+API+to+Keep+Up+with+Vulnerabilities+and+Patches+Part+1+of+3/26958/ and https://isc.sans.edu/forums/diary/Using+the+NIST+Database+and+API+to+Keep+Up+with+Vulnerabilities+and+Patches+Playing+with+Code+Part+2+of+3/26964/), for any client I typically create four inventories:
As we've noted, you can use nmap as a short-cut for a first draft of any products that have listening ports. It's not perfect, but it gives you a decent starting point, or something to "diff" against from one scan to the next. To get just the CPE list for a subnet or range of IPs, this does the trick nicely:
(-F sets the field delimiter; the print command prints $NF. NF is the number of fields, so $NF is the last field, which happens to be the CPE.) For a recent client, a scan of just the server subnet gave me this:
... so a decent starting point. Printers, UPSs, iLO or iDRAC are almost never patched, for instance, and sadly very often hypervisors aren't either. Note that nmap didn't give me CPEs for any of the three different databases on that subnet. Let's focus on the first of these four target lists: perimeter services for an actual customer.
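As an added example (my code, not the nmap/awk one-liner from the diary), here is the same CPE harvesting done against nmap's XML output (-oX) instead of scraping the normal output: it keeps only open ports, picks up OS-fingerprint CPEs from -O as well, flags open services that came back with no CPE (the databases noted above, which you then add by hand), converts nmap's CPE 2.2 URIs to the 2.3 form the NVD API wants, and diffs two scans. The scan XML embedded below is constructed and trimmed to the elements used, not a real scan.

```python
"""Pull CPEs out of nmap XML output, build a hostname,cpe inventory, diff scans.
Added example; not the diary's nmap/awk one-liner."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed nmap -sV -O -oX output, trimmed to the elements used below (not a real scan).
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.0/24">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.0"><cpe>cpe:/a:openbsd:openssh:8.0</cpe></service></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.6"><cpe>cpe:/a:apache:http_server:2.4.6</cpe></service></port>
    </ports>
    <os><osmatch name="Linux 3.10" accuracy="96">
      <osclass type="general purpose" vendor="Linux"><cpe>cpe:/o:linux:linux_kernel:3.10</cpe></osclass></osmatch></os>
  </host>
  <host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="1433"><state state="open"/>
        <service name="ms-sql-s" product="Microsoft SQL Server" version="2017"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/>
        <service name="http"><cpe>cpe:/a:apache:http_server</cpe></service></port>
    </ports>
  </host>
</nmaprun>
"""


def extract_cpes(xml_text):
    """Return ({ipv4: sorted CPE list}, [(ipv4, port, product) for open services with no CPE]).
    Only open ports count: a CPE guessed for a filtered port is not something you expose.
    The 'missing' list is the gap nmap leaves (databases, for example) to fill in by hand."""
    root = ET.fromstring(xml_text)
    cpes, missing = defaultdict(set), []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if svc is None or state is None or state.get("state") != "open":
                continue
            found = [c.text for c in svc.findall("cpe") if c.text]
            if found:
                cpes[addr].update(found)
            else:
                missing.append((addr, port.get("portid"), svc.get("product") or svc.get("name")))
        for osclass in host.iter("osclass"):  # OS-fingerprint CPEs from -O
            cpes[addr].update(c.text for c in osclass.findall("cpe") if c.text)
    return {a: sorted(s) for a, s in cpes.items()}, missing


def cpe22_to_23(uri):
    """nmap emits CPE 2.2 URIs (cpe:/a:vendor:product:version); the NVD 2.0 API wants
    2.3 formatted strings: 11 fields after 'cpe:2.3', unspecified ones padded with '*'."""
    fields = (uri[len("cpe:/"):] if uri.startswith("cpe:/") else uri).split(":")
    fields += ["*"] * (11 - len(fields))
    return "cpe:2.3:" + ":".join(fields)


def inventory_lines(cpes):
    """The diary's input format: one 'hostname,cpe' line per product."""
    return [f"{addr},{cpe22_to_23(c)}" for addr in sorted(cpes) for c in cpes[addr]]


def diff_scans(previous, current):
    """(added, removed) sets of (ipv4, cpe) between two extract_cpes() results."""
    prev = {(a, c) for a, cs in previous.items() for c in cs}
    cur = {(a, c) for a, cs in current.items() for c in cs}
    return cur - prev, prev - cur


if __name__ == "__main__":
    found, gaps = extract_cpes(SAMPLE_NMAP_XML)
    print("\n".join(inventory_lines(found)))
    for addr, port, product in gaps:
        print(f"# no CPE for {addr}:{port} ({product}) - add it by hand")
```

Run it against a real scan with `extract_cpes(open("scan.xml").read())`; keep the previous run's result around and feed both to `diff_scans` to see what appeared or disappeared between scans.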
Since this is such a lengthy (and version-specific) list, let's try to consolidate. From Cisco's download site, the latest and recommended version (as of today) is 6.6.1. Knowing that this client will be "close to current" on this, a quick look for FTD 6.6:
gives us these hits:
So our final input data file has the following (hostname followed by the CPE "blanket" query):
Let's add in the Citrix NetScaler Gateway (now called ADC). The ADC is a pretty versatile appliance: it can be a load balancer, a firewall, a front-end for a Citrix farm, or (just like everyone else these days) an SD-WAN solution. In our case it's a front-end for a Citrix XenServer farm.
Finally, this client also has an application that uses Apache Struts, which they have been very particular about monitoring since the Equifax breach:
So our perimeter input file will look like this (again, the fields are hostname,cpe):
We'll call our code with (note the input filename):
This will give us the CVEs for the indicated platforms for the last 90 days, sorted from high severity to low. Our code will look like the listing below (maintained at https://github.com/robvandenbrink/CVEScan ):
Our output is dumped into Customername.Perimeter-dateandtime-days.html, so for this example and today's date: Customername.Perimeter2021-01-11_09-50_90-days.html (note that the output filename mirrors the input filename; change that if you need to). Note also that I had to un-escape all of the line breaks that were in the output (sometimes the quick and dirty methods win over perfect code). Looking at that file, our output (truncated) looks as below. The lead-in is the customer and date range info, followed by the CVEs found on each host. The final table contains all the CVE details, de-duplicated and in descending order of "Base Score" severity:
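As an added example (not the author's CVEScan script, which lives at the GitHub link above), here is the same pipeline in Python: read the hostname,cpe file, query NVD for the last 90 days per line, and write the per-host summary plus the de-duplicated, score-sorted table as HTML with the filename convention described above. It assumes the NVD 2.0 API (the 1.0 API in use when the diary was written was retired in 2023; its cpeMatchString "blanket" query maps to virtualMatchString in 2.0), and the hostnames, CPE prefixes and CVE entries in the embedded sample are placeholders so the demo runs offline.

```python
"""Query NVD per hostname,cpe inventory line and render the HTML report.
Added example, not the diary's CVEScan script (which is PowerShell).  Uses the
NVD 2.0 API: the 1.0 API was retired in 2023 and its cpeMatchString 'blanket'
query is now virtualMatchString, which accepts a partial CPE 2.3 string."""
import html
import json
import time
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
DEMO_NOW = datetime(2021, 1, 11, 9, 50, tzinfo=timezone.utc)  # the diary's run time, for the demo

# Constructed inventory in the diary's format; hostnames and CPE prefixes are placeholders.
PERIMETER_INPUT = """\
fw1.example.com,cpe:2.3:a:cisco:firepower_threat_defense:6.6
ns1.example.com,cpe:2.3:a:citrix:application_delivery_controller
app1.example.com,cpe:2.3:a:apache:struts:2.5
"""


def parse_inventory(text):
    """'hostname,cpe' per line; blank lines and '#' comments are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            host, cpe = (p.strip() for p in line.split(",", 1))
            rows.append((host, cpe))
    return rows


def build_query_url(cpe, days, now=None):
    """CVEs *published* in the last `days` days whose configurations match the CPE prefix.
    Swap in lastModStartDate/lastModEndDate to also catch older CVEs that were re-scored.
    NVD caps the window at 120 days per request."""
    now, fmt = now or datetime.now(timezone.utc), "%Y-%m-%dT%H:%M:%S.000"
    params = {"virtualMatchString": cpe,
              "pubStartDate": (now - timedelta(days=days)).strftime(fmt),
              "pubEndDate": now.strftime(fmt)}
    return NVD_API + "?" + urllib.parse.urlencode(params)


def fetch(url, api_key=None):
    """Live query.  Without an apiKey header NVD allows 5 requests per rolling 30 s,
    so the loop is paced; the offline demo below never calls this."""
    req = urllib.request.Request(url, headers={"apiKey": api_key} if api_key else {})
    with urllib.request.urlopen(req, timeout=60) as resp:
        data = json.load(resp)
    time.sleep(6)
    return data


def extract_cves(response):
    """Flatten a 2.0 response into (id, base_score, severity, summary), preferring CVSS
    v3.1 over v3.0 over v2.  Not-yet-scored CVEs get 0.0/NONE so they still show up."""
    out = []
    for item in response.get("vulnerabilities", []):
        cve, score, severity = item["cve"], 0.0, "NONE"
        metrics = cve.get("metrics", {})
        for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
            if metrics.get(key):
                m = metrics[key][0]
                score = float(m["cvssData"]["baseScore"])
                severity = m["cvssData"].get("baseSeverity") or m.get("baseSeverity", "N/A")
                break
        summary = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
        out.append((cve["id"], score, severity, summary))
    return out


def rank(per_host):
    """Per-host CVE ids high-to-low, plus one de-duplicated table sorted by base score desc."""
    host_ids, unique = {}, {}
    for host, cves in per_host.items():
        ordered = sorted(cves, key=lambda c: (-c[1], c[0]))
        host_ids[host] = [c[0] for c in ordered]
        for c in ordered:
            unique.setdefault(c[0], c)
    return host_ids, sorted(unique.values(), key=lambda c: (-c[1], c[0]))


def render_html(customer, days, host_ids, table):
    out = [f"<h1>{html.escape(customer)}: perimeter CVEs, last {days} days</h1>"]
    for host, ids in host_ids.items():
        out.append(f"<p>{html.escape(host)}: {', '.join(ids) or 'none'}</p>")
    out.append("<table><tr><th>CVE</th><th>Base Score</th><th>Severity</th><th>Summary</th></tr>")
    for cid, score, sev, summary in table:
        # escape first, then turn NVD's embedded newlines into <br> (the diary's un-escape step)
        text = html.escape(summary).replace("\n", "<br>")
        out.append(f"<tr><td>{html.escape(cid)}</td><td>{score:.1f}</td><td>{sev}</td><td>{text}</td></tr>")
    out.append("</table>")
    return "\n".join(out)


def report_filename(customer, listname, days, now=None):
    """Customername.Perimeter2021-01-11_09-50_90-days.html, as in the diary."""
    now = now or datetime.now(timezone.utc)
    return f"{customer}.{listname}{now.strftime('%Y-%m-%d_%H-%M')}_{days}-days.html"


def run(customer, days, inventory_text, responses=None):
    """responses: {hostname: parsed NVD JSON} for offline use; None means query live."""
    per_host = {}
    for host, cpe in parse_inventory(inventory_text):
        data = responses[host] if responses is not None else fetch(build_query_url(cpe, days))
        per_host[host] = extract_cves(data)
    host_ids, table = rank(per_host)
    return host_ids, table, render_html(customer, days, host_ids, table)


def _cve(cid, score=None, sev=None, text="placeholder"):
    """Constructed NVD-2.0-shaped entry; the ids used below are placeholders, not real CVEs."""
    metrics = {"cvssMetricV31": [{"cvssData": {"baseScore": score, "baseSeverity": sev}}]} if score else {}
    return {"cve": {"id": cid, "descriptions": [{"lang": "en", "value": text}], "metrics": metrics}}


SAMPLE_RESPONSES = {
    "fw1.example.com": {"vulnerabilities": [_cve("CVE-1900-0001", 5.3, "MEDIUM"),
                                            _cve("CVE-1900-0002", 9.8, "CRITICAL", "line one\nline two")]},
    "ns1.example.com": {"vulnerabilities": [_cve("CVE-1900-0002", 9.8, "CRITICAL", "line one\nline two"),
                                            _cve("CVE-1900-0003")]},  # shared id, plus an unscored CVE
    "app1.example.com": {"vulnerabilities": []},
}

if __name__ == "__main__":
    ids, table, page = run("Customername", 90, PERIMETER_INPUT, SAMPLE_RESPONSES)
    with open(report_filename("Customername", "Perimeter", 90), "w") as f:
        f.write(page)
```

For a live run call `run("Customername", 90, open("Customername.Perimeter.txt").read())` with no `responses`; the 6-second pause in `fetch` keeps you under NVD's unauthenticated rate limit, and passing an `api_key` raises that limit.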
If you were able to head off a "situation" in your environment, or if that nmap trick finds something unexpected in your environment, please do post to our comment form (subject to NDAs of course).
Rob VandenBrink, ISC Handler, Jan 11th 2021