on 05-18-2023 10:19 AM
Kenna Security (now Cisco) released the new Kenna.VM (now Cisco Vulnerability Management) Premier tier offering on November 15th. One of the features in the Premier tier is a Cisco Talos zero day vulnerability intelligence integration. This is discussed in more detail in Monica White's blog on "Kenna.VM (now Cisco Vulnerability Management) Premier: Accelerate Vulnerability Management with Cisco Talos Intel and Remediation Analytics". And for even more details about the Talos Detail page in the Kenna (now Cisco) UI, check out Diane Robles's help article, "Zero Day Vulnerability Intelligence powered by Talos". However, neither blog details how to obtain the zero day Talos information via Kenna (now Cisco) APIs. This blog will rectify that.
I kind of know what zero day vulnerabilities are, but let's get some solid definition verbiage.
Wikipedia: A zero-day is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, like the vendor of the target software. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, additional computers or a network. An exploit taking advantage of a zero-day vulnerability is called a zero-day exploit.
Trend Micro is a little more succinct: A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched. An exploit that attacks a zero-day vulnerability is called a zero-day exploit.
These zero-day vulnerabilities pose a high risk because they are not patched; and therefore, cybercriminals can easily exploit them. Once a vulnerability is known and there is a patch, it moves off the zero-day vulnerability list. Currently, the Talos information is collected once a day.
Obtaining Talos Zero Day Information
Obtaining zero day vulnerability information is a three-step process:
- Invoke the "Search Vulnerability" API, filtering for zero_day.
- For each vulnerability returned from the search, invoke the "Show Vulnerability" API.
- Extract zero day vulnerability information from the "Show Vulnerability" API response.
The related code is in blog_zero_day_vuln_search.py.
Search Vulnerability
Let's look at the "Search Vulnerability" code:
# Performs a search for vulnerabilities with zero day information.
# Needs "import requests" and "import sys"; process_http_error() is a helper
# defined elsewhere in blog_zero_day_vuln_search.py.
def search_vulns_for_zero_day(base_url, headers):
    search_vulns_url = f"{base_url}/vulnerabilities/search"

    # zero_day[]=true keeps only vulnerabilities that carry Talos zero day data;
    # fields= trims the response down to the attributes we actually use.
    query_params = "?zero_day[]=true&fields=id,created_at,identifiers,last_seen_time,cve_id,description"
    search_vulns_url += query_params

    response = requests.get(search_vulns_url, headers=headers)
    if response.status_code != 200:
        process_http_error("Vulnerability Search API Error", response, search_vulns_url)
        sys.exit(1)

    return response.json()
The search filter, zero_day[]=true, is used to return only vulnerabilities with zero day information. Note that if you prefer using q=, you can also code q=zero_day:true. They work the same. I would use q= if I had more filters in the q string.
Notice that query_params also contains fields=id,created_at,identifiers,last_seen_time,cve_id,description. This reduces the amount of data returned. See API Document Updates, "Vulnerability Fields Query Parameter" for more details. Also, if you just wanted this information and nothing more, you would be done.
Show Vulnerability
Now that we have a list of zero-day vulnerabilities, we need to invoke "Show Vulnerability" for each item in the list to obtain the Talos information.
for vuln_count, vuln_data in enumerate(zero_day_vulns, start=1):

    # Fetch the full vulnerability record (including Talos data) by ID.
    vuln_data = get_vuln_data(base_url, headers, vuln_data['id'])

    print(f"---{vuln_count}----------------------------------------------")
    print_vuln_info(vuln_data)
    print_talos_data(vuln_data)
    print_cvss3_info(vuln_data)
Above is a for loop calling get_vuln_data with a vulnerability ID, which returns all the vulnerability data. Then the appropriate information is displayed.
The "Show Vulnerability" code is straightforward.
# Obtains the full vulnerability record, including the Talos zero day data.
# Needs "import requests" and "import sys"; process_http_error() is a helper
# defined elsewhere in blog_zero_day_vuln_search.py.
def get_vuln_data(base_url, headers, vuln_id):
    show_vuln_url = f"{base_url}/vulnerabilities/{vuln_id}"

    response = requests.get(show_vuln_url, headers=headers)
    if response.status_code != 200:
        process_http_error("Show Vulnerability API Error", response, show_vuln_url)
        sys.exit(1)

    # The Show Vulnerability response wraps the record in a "vulnerability" key.
    vuln_resp = response.json()
    return vuln_resp['vulnerability']
Extraction
Now let's look at the provided Talos data and where to obtain it.
92 def print_talos_data(vuln_data):
93     if "talos_zero_day" not in vuln_data:
94         print_warning(f"Talos zero day data is not present for {vuln_data['id']}")
95         return
96
97     zero_day_data = vuln_data['talos_zero_day']
98     print(f"Talos ID: {zero_day_data['talos_id']}, CVE ID: {zero_day_data['cve']}, {zero_day_data['cvss']}")
99     for cpe in zero_day_data['cpes']:
100         print(f"cpe: {cpe}")
101     for snort_rule in zero_day_data['snort_rules']:
102         print(f"snort_rule: {snort_rule}")
103     if (talos_url := talos_url_exists(zero_day_data['talos_id'])) is not None:
104         print(f"Talos Report URL: {talos_url}")
105
You can conclude from lines 93 and 97 that the Talos zero-day data is located in the talos_zero_day field or key. Just like the UI, you can extract the Talos ID, the CVE ID, CVSS information, CPE information, and snort rules. The code also provides a link to a Talos Report on the zero-day vulnerability if the report exists. (Unfortunately, since this is not a GUI, you will have to copy and paste the link into a browser.)
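The print_talos_data function above only prints the Talos fields. When you want to feed them into another tool (a ticket, a SIEM, a spreadsheet), it helps to pull them out into a plain record first. The example below is added here and is not from blog_zero_day_vuln_search.py: it takes a "Show Vulnerability" response shaped like the one the blog shows, tolerates a record with no talos_zero_day key, splits the CVSS v3 vector into its metrics, and builds the Talos report URL from the Talos ID using the URL pattern seen in the blog's sample output. The sample response is constructed from that sample output; the report-exists HTTP check that talos_url_exists performs in the blog's code is deliberately left out so the example runs offline.

```python
"""Extract Talos zero-day data from a Kenna/Cisco "Show Vulnerability" response (added example)."""
from typing import Optional

# URL pattern taken from the blog's sample output; the blog's code additionally
# checks that the report page exists, which this offline example does not do.
TALOS_REPORT_BASE = "https://www.talosintelligence.com/vulnerability_reports"

# Constructed sample, modelled on the response fields the blog's output shows.
SAMPLE_SHOW_VULN_RESPONSE = {
    "vulnerability": {
        "id": 12535,
        "cve_id": "CVE-2022-32573",
        "identifiers": ["TALOS-2022-1528"],
        "talos_zero_day": {
            "talos_id": "TALOS-2022-1528",
            "cve": "CVE-2022-32573",
            "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "cpes": ["cpe:2.3:a:lansweeper:lansweeper:10.1.1.0:*:*:*:*:*:*:*"],
            "snort_rules": [60054, 60055, 60056],
        },
    }
}


def parse_cvss_vector(vector: str) -> dict:
    """Split a CVSS v3.x vector string into {"version": "3.1", "AV": "N", ...}."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:"):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = {"version": parts[0].split(":", 1)[1]}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed CVSS metric {part!r} in {vector!r}")
        metrics[key] = value
    return metrics


def extract_talos_zero_day(vuln: dict) -> Optional[dict]:
    """Return a flat record of the Talos zero-day data, or None if the
    vulnerability carries no talos_zero_day key (the case print_talos_data warns about)."""
    zero_day = vuln.get("talos_zero_day")
    if not zero_day:
        return None
    talos_id = zero_day["talos_id"]
    cvss_vector = zero_day.get("cvss")
    return {
        "vuln_id": vuln.get("id"),
        "talos_id": talos_id,
        "cve": zero_day.get("cve"),
        "cvss_vector": cvss_vector,
        "cvss": parse_cvss_vector(cvss_vector) if cvss_vector else None,
        "cpes": list(zero_day.get("cpes", [])),
        # Snort SIDs arrive as numbers in the constructed sample; normalise to strings.
        "snort_rules": [str(rule) for rule in zero_day.get("snort_rules", [])],
        "talos_report_url": f"{TALOS_REPORT_BASE}/{talos_id}",
    }


def extract_from_show_response(show_response: dict) -> Optional[dict]:
    """Unwrap the "vulnerability" envelope that Show Vulnerability returns, then extract."""
    return extract_talos_zero_day(show_response["vulnerability"])


if __name__ == "__main__":
    record = extract_from_show_response(SAMPLE_SHOW_VULN_RESPONSE)
    for key, value in record.items():
        print(f"{key}: {value}")
```

Because the record is a plain dict, it serialises straight to JSON for whatever consumes it next; the parsed cvss sub-dict lets you filter on, say, AV:N without re-parsing the vector string downstream.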
Here is an output example for one zero-day vulnerability.
---6----------------------------------------------
Vuln ID: 12535, Created at: 2022-11-09T22:29:23Z, Last Seet at: 2022-11-09T22:29:23.000Z
CVE ID: Zero-Day: TALOS-2022-1528: CVE-2022-32573: lansweeper - lansweeper
Identifiers: TALOS-2022-1528
Description: Cisco Talos has discovered a vulnerability in this product, they are currently working with the vendor to get this issue resolved. We recommend enabling Snort rules 60054-60056 which provide coverage for this issue. We also recommend updating to the newest version of this software, when available.
Asset ID: 905
Talos ID: TALOS-2022-1528, CVE ID: CVE-2022-32573, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cpe: cpe:2.3:a:lansweeper:lansweeper:10.1.1.0:*:*:*:*:*:*:*
snort_rule: 60054
snort_rule: 60055
snort_rule: 60056
Talos Report URL: https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1528
Conclusion
Now you know how to obtain Talos zero-day intelligence via Kenna (now Cisco) APIs. The code presented above could use some enhancements like keeping historical information, or providing an alert when there is a new zero-day vulnerability.
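One way to add the two enhancements mentioned above (history and alerting on new zero-days) is to key a small JSON state file on the Talos ID and diff each daily run against it. The example below is added here and is not from the blog or from Cisco: it takes the list of vulnerability records that the "Show Vulnerability" loop produces (constructed samples here, since the real API is not reachable offline), records when each Talos ID was first and last seen, reports which IDs are new, and notes which IDs have dropped off the zero-day list, which the blog says happens once a patch exists. The file-name, the load_state/save_state helpers and the "TALOS-2022-0000" sample ID are assumptions of this example.

```python
"""Track Talos zero-day IDs across daily runs and report new and dropped ones (added example)."""
import json
from datetime import datetime, timezone
from pathlib import Path
from typing import Iterable

# Constructed sample records shaped like Show Vulnerability results; the first
# mirrors the blog's sample output, the second uses a made-up Talos ID.
SAMPLE_RUN_DAY1 = [
    {"id": 12535, "talos_zero_day": {"talos_id": "TALOS-2022-1528",
                                     "cve": "CVE-2022-32573",
                                     "snort_rules": [60054, 60055, 60056]}},
    {"id": 99999, "talos_zero_day": {"talos_id": "TALOS-2022-0000",
                                     "cve": None, "snort_rules": []}},
    {"id": 11111},  # no Talos data: skipped, as print_talos_data would warn
]
SAMPLE_RUN_DAY2 = SAMPLE_RUN_DAY1[:1]  # TALOS-2022-0000 has left the zero-day list


def talos_records(vulns: Iterable[dict]) -> dict:
    """Map talos_id -> summary for every vulnerability that carries Talos data."""
    records = {}
    for vuln in vulns:
        zero_day = vuln.get("talos_zero_day")
        if not zero_day:
            continue
        records[zero_day["talos_id"]] = {
            "vuln_id": vuln.get("id"),
            "cve": zero_day.get("cve"),
            "snort_rules": [str(r) for r in zero_day.get("snort_rules", [])],
        }
    return records


def diff_zero_days(history: dict, current: dict, now: str):
    """Merge today's records into the history.

    Returns (new_ids, dropped_ids, updated_history). An ID is "new" the first
    time it appears and "dropped" the first run on which it is absent after
    having been active; history is never deleted, only flagged inactive.
    """
    updated = {tid: dict(rec) for tid, rec in history.items()}
    new_ids = []
    for tid, rec in current.items():
        if tid not in updated:
            updated[tid] = {**rec, "first_seen": now, "last_seen": now, "active": True}
            new_ids.append(tid)
        else:
            updated[tid].update(rec)
            updated[tid]["last_seen"] = now
            updated[tid]["active"] = True
    dropped_ids = []
    for tid, rec in updated.items():
        if tid not in current and rec.get("active", True):
            rec["active"] = False
            rec["dropped_on"] = now
            dropped_ids.append(tid)
    return sorted(new_ids), sorted(dropped_ids), updated


def load_state(path: Path) -> dict:
    """Read the JSON history file; an absent file means no history yet."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_state(path: Path, history: dict) -> None:
    path.write_text(json.dumps(history, indent=2, sort_keys=True))


def check_for_new_zero_days(vulns: Iterable[dict], state_path: Path):
    """Run one daily check against the history file; returns (new_ids, dropped_ids)."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    new_ids, dropped_ids, history = diff_zero_days(load_state(state_path), talos_records(vulns), now)
    save_state(state_path, history)
    return new_ids, dropped_ids


if __name__ == "__main__":
    state = Path("talos_zero_day_state.json")  # assumed file name
    for label, run in (("day 1", SAMPLE_RUN_DAY1), ("day 2", SAMPLE_RUN_DAY2)):
        new, dropped = check_for_new_zero_days(run, state)
        print(f"{label}: new={new} dropped={dropped}")
```

Wiring this into the blog's script means replacing the sample lists with the records returned by get_vuln_data; anything in new_ids is the alert, and the JSON file is the history. Keying on the Talos ID rather than the Kenna vulnerability ID keeps the history stable if the same advisory is later re-imported under a different vulnerability record.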
Until next time,
API Evangelist
Reference
This blog was originally written for Kenna Security, which has been acquired by Cisco Systems.
Learn more about Cisco Vulnerability Management.