Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
2375
Views
0
Helpful
0
Comments

Extracting Talos Zero Day Information via Kenna APIs

AdvocateRick
Cisco Employee
Cisco Employee

on ‎05-18-2023 10:19 AM

Kenna Security (now Cisco) released the new Kenna.VM (now Cisco Vulnerability Management) Premier tier offering on November 15th. One of the features in the Premier tier is a Cisco Talos zero day vulnerability intelligence integration. This is discussed in more detail in Monica White's blog on "Kenna.VM (now Cisco Vulnerability Management) Premier: Accelerate Vulnerability Management with Cisco Talos Intel and Remediation Analytics". And for even more details about the Talos Detail page in the Kenna (now Cisco) UI, check out Diane Robles's help article, "Zero Day Vulnerability Intelligence powered by Talos". However, both blogs do not detail how to obtain the zero day Talos information via Kenna (now Cisco) APIs. This blog will rectify that.

I kind of know what zero day vulnerabilities are, but let's get some solid definition verbiage.

Wikipedia: A zero-day is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, like the vendor of the target software. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, additional computers or a network. An exploit taking advantage of a zero-day vulnerability is called a zero-day exploit.

Trend Micro: is a little more succinct: A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched. An exploit that attacks a zero-day vulnerability is called a zero-day exploit.

These zero-day vulnerabilities pose a high risk because they are not patched; and therefore, cybercriminals can easily exploit them. Once a vulnerability is known and there is a patch, it moves off the zero-day vulnerability list.  Currently, the Talos information is collected once a day.

Obtaining Talos Zero Day Information

Obtaining zero day vulnerability information is a three-step process:

  1. Invoke the "Search Vulnerability" API, filtering for zero_day.
  2. For each vulnerability returned from the search, invoke the "Show Vulnerability" API.
  3. Extract zero day vulnerability information from the "Show Vulnerability" API response.

The related code is in blog_zero_day_vuln_search.py.

Search Vulnerability

Let's look at the "Search Vulnerability" code:

35 # Performs a search for vulnerabilities with zero day information. 
36 def search_vulns_for_zero_day(base_url, headers): 
37     search_vulns_url = f"{base_url}/vulnerabilities/search" 
38  
39     query_params = "?zero_day[]=true&fields=id,created_at,identifiers,last_seen_time,cve_id,description" 
40     search_vulns_url += query_params 
41  
42     response = requests.get(search_vulns_url, headers=headers) 
43     if response.status_code != 200: 
44         process_http_error(f"Vulnerability Search API Error", response, search_vulns_url) 
45         sys.exit(1) 
46  
47     return response.json()

The search filter, zero_day[]=true, is used to return vulnerabilities only with zero day information. Note that if you like using q=, you can also code q=zero_day:true. They work the same. I would use q= if I had more filters in the q string.

Notice that query_params also contains fields=id,created_at,identifiers,last_seen_time,cve_id,description. This reduces the amount of data returned. See API Document Updates, "Vulnerability Fields Query Parameter" for more details. Also if you just wanted this information and nothing more, you would done.

Show Vulnerability

Now that we have a list of zero-day vulnerabilities, we need to invoke "Show Vulnerability" for each item in the list to obtain the Talos information.

140     for vuln_count, vuln_data in enumerate(zero_day_vulns, start=1): 
141  
142         vuln_data = get_vuln_data(base_url, headers, vuln_data['id']) 
143  
144         print(f"---{vuln_count}----------------------------------------------") 
145         print_vuln_info(vuln_data) 
146         print_talos_data(vuln_data) 
147         print_cvss3_info(vuln_data)

Above is a for loop calling get_vuln_data with a vulnerability ID and return all the vulnerability data. Then the appropriate information is displayed.

The "Show Vulnerability" code is straight-forward.

49 # Obtains the Talos zero day data. 
50 def get_vuln_data(base_url, headers, vuln_id): 
51     show_vuln_url = f"{base_url}/vulnerabilities/{vuln_id}" 
52  
53     response = requests.get(show_vuln_url, headers=headers) 
54     if response.status_code != 200: 
55         process_http_error(f"Show Vulnerability API Error", response, show_vuln_url) 
56         sys.exit(1) 
57  
58     vuln_resp = response.json() 
59     return vuln_resp['vulnerability']

Extraction

Now let's look at the provided Talos data and where to obtain it.

 92 def print_talos_data(vuln_data): 
 93     if not "talos_zero_day" in vuln_data: 
 94         print_warning(f"Talos zero day data is not present for {vuln_data['id']}") 
 95         return 
 96  
 97     zero_day_data = vuln_data['talos_zero_day'] 
 98     print(f"Talos ID: {zero_day_data['talos_id']}, CVE ID: {zero_day_data['cve']}, {zero_day_data['cvss']}") 
 99     for cpe in zero_day_data['cpes']: 
100         print(f"cpe: {cpe}") 
101     for snort_rule in zero_day_data['snort_rules']: 
102         print(f"snort_rule: {snort_rule}") 
103     if not (talos_url := talos_url_exists(zero_day_data['talos_id'])) is None: 
104         print(f"Talos Report URL: {talos_url}") 
105

You can conclude from lines 93 and 97 that the Talos zero-day data is located in the talos_zero_day field or key. Just like the UI, you can extract the Talos ID, the CVE ID, CVSS information, CPE information, and snort rules. The code also provides a link to a Talos Report on the zero-day vulnerability if the report exists. (Unfortunately, since this is not a GUI, you will have to copy and paste the link into a browser.)

Here is an output example for one zero-day vulnerability.

---6---------------------------------------------- 
Vuln ID: 12535, Created at: 2022-11-09T22:29:23Z, Last Seet at: 2022-11-09T22:29:23.000Z 
CVE ID: Zero-Day: TALOS-2022-1528: CVE-2022-32573: lansweeper - lansweeper 
Identifiers: TALOS-2022-1528 
Description: Cisco Talos has discovered a vulnerability in this product, they are currently working with the vendor to get this issue resolved. We recommend enabling Snort rules 60054-60056 which provide coverage for this issue. We also recommend updating to the newest version of this software, when available. 
Asset ID: 905 
Talos ID: TALOS-2022-1528, CVE ID: CVE-2022-32573, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 
cpe: cpe:2.3:a:lansweeper:lansweeper:10.1.1.0:*:*:*:*:*:*:* 
snort_rule: 60054 
snort_rule: 60055 
snort_rule: 60056 
Talos Report URL: https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1528

Conclusion

Now you know how to obtain Talos zero-day intelligence via Kenna (now Cisco) APIs. The code presented above could use some enhancements like keeping historical information, or providing an alert when there is a new zero-day vulnerability.

Until next time,

Rick Ehrhart

API Evangelist

Reference

This blog was originally written for Kenna Security, which has been acquired by Cisco Systems.
Learn more about Cisco Vulnerability Management.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents