Saturday, September 16, 2023

The SIEM Project: 02 - Verifying CVE Vulnerability in Affected Software Part 2

This is a continuation of my previous post. If you have not read it yet, you may check it here.

Item 4: Check for Updates/Patches

Visit the official website of the software vendor (e.g., Microsoft for Windows) and look for security updates or patches related to the CVE. Most vendors provide a list of security bulletins or advisories.

My Approach:

Since I am developing SIEM software, my main goal is to scan my Windows 10 OS for installed patches. Having already chosen a particular CVE, I will then check whether my OS is still vulnerable by looking up the affected Windows patch, or rather the patch that addresses the vulnerability described in the CVE. I do this by visiting the URL found in the CVE's Reference field, as described in the first part of my SIEM project post; if you have not read it yet, you may check it here.

The following program scans the patches I have installed on my OS:

import wmi

# Connect to the Windows Management Instrumentation (WMI) service
c = wmi.WMI()

# Query for installed Windows updates
installed_updates = c.Win32_QuickFixEngineering()

# Print information about each update
for update in installed_updates:
    print(f"Description: {update.Description}")
    print(f"HotFixID: {update.HotFixID}")
    print(f"InstalledOn: {update.InstalledOn}")
    print(f"InstalledBy: {update.InstalledBy}")
    print("\n")

# Close the WMI connection
c = None

Now that I know which patches are installed, what I need to do is get the patch that must be installed to address the vulnerability indicated in the CVE. This is the hard part: the information I need is found on a Microsoft URL, see the screenshot below:


To retrieve this information, I have prepared the following code snippet:

import requests

# Replace 'CVE-2015-2426' with the specific CVE you are interested in
cve_id = 'CVE-2015-2426'
# No trailing slash here, otherwise the join below produces a double '/'
base_url = 'https://services.nvd.nist.gov/rest/json/cve/1.0'
# NOTE: NVD has since retired the 1.0 API; the 2.0 endpoint is
# https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=<id> and returns a different JSON shape.

# Fetch CVE data and fail loudly on HTTP errors instead of parsing an error page
response = requests.get(f'{base_url}/{cve_id}', timeout=30)
response.raise_for_status()
cve_data = response.json()

# Check if the CVE data contains CVE items
if 'CVE_Items' in cve_data['result']:
    cve_items = cve_data['result']['CVE_Items']

    # Collect the reference URLs tagged as both a vendor advisory and a patch
    vendor_patch_urls = []

    # Iterate through the CVE items
    for cve_item in cve_items:
        references = cve_item['cve']['references']['reference_data']
        for reference in references:
            tags = reference.get('tags', [])
            if 'Vendor Advisory' in tags and 'Patch' in tags:
                vendor_patch_urls.append(reference['url'])
                print(reference['url'])

And if I navigate to the resulting URL, I get the KB number (see the picture below), which is also the patch number:

So I got the list of patches (KB numbers) installed on my OS, selected the CVE to be examined, and was able to identify the KB number. That is it for now; in my next post I will create the code snippet that retrieves the KB number from the resulting URL gathered from the chosen CVE, and more...
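Putting the two scans together, here is an added example of my own (not code from the post above) that parses a constructed response in the NVD 2.0 JSON shape for references tagged 'Vendor Advisory' and 'Patch', then compares a set of required KB numbers against constructed Win32_QuickFixEngineering rows; the URLs and KB values are placeholders, since the post does not give the KB for this CVE.

```python
import json

# Constructed sample in the NVD 2.0 API response shape (not a real download);
# the tags mirror the ones the post filters on ('Vendor Advisory' + 'Patch').
SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [{"cve": {
        "id": "CVE-2015-2426",
        "references": [
            {"url": "https://vendor.example/advisory", "tags": ["Vendor Advisory", "Patch"]},
            {"url": "https://blog.example/writeup", "tags": ["Third Party Advisory"]},
        ],
    }}]
})

# Constructed Win32_QuickFixEngineering rows, shaped like the WMI script's output.
# KB numbers are placeholders, not the real patch for this CVE.
SAMPLE_HOTFIXES = [
    {"HotFixID": "KB1111111", "Description": "Security Update", "InstalledOn": "7/15/2015"},
    {"HotFixID": "KB2222222", "Description": "Update", "InstalledOn": "6/10/2015"},
]

def vendor_patch_urls(nvd_json):
    """Return reference URLs tagged both 'Vendor Advisory' and 'Patch' (NVD 2.0 shape)."""
    data = json.loads(nvd_json)
    urls = []
    for vuln in data.get("vulnerabilities", []):
        for ref in vuln["cve"].get("references", []):
            if {"Vendor Advisory", "Patch"} <= set(ref.get("tags", [])):
                urls.append(ref["url"])
    return urls

def normalize_kb(kb):
    """Accept 'KB1111111', 'kb 1111111' or '1111111' and return 'KB1111111'."""
    return "KB" + "".join(ch for ch in str(kb) if ch.isdigit())

def missing_patches(installed_hotfixes, required_kbs):
    """KBs named by the advisory that are absent from the installed HotFixID list."""
    installed = {normalize_kb(row["HotFixID"]) for row in installed_hotfixes}
    return {normalize_kb(kb) for kb in required_kbs} - installed

def is_vulnerable(installed_hotfixes, required_kbs):
    """True when at least one required KB is missing from the installed set."""
    return bool(missing_patches(installed_hotfixes, required_kbs))
```

A missing exact KB is a strong signal but not proof: Windows cumulative updates supersede earlier KBs, and Win32_QuickFixEngineering omits updates not installed through Component-Based Servicing, so confirm the result against the superseding updates listed in the vendor advisory.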


