CiscoPSIRT / openVulnAPI

Documentation and Tools for Cisco's PSIRT openVuln API
https://developer.cisco.com/psirt/
MIT License

Affected product data missing from API responses #76

Closed abunn-r7 closed 4 years ago

abunn-r7 commented 4 years ago

Describe the bug

There appears to be a significant number of advisories without version information. These advisories sometimes have linked bug pages with some affected versions on them, but this data is not available via the API.

Additionally when one of these affected versions is queried for vulnerabilities via the API the advisories in question do not appear in the API response. This is a false negative (Cisco indicates a version is not affected by a vulnerability via the API, but in fact the version is affected).

This issue extends past the API to the CVRF available for download on the advisory webpages.

To Reproduce

Steps to reproduce the behavior:

  1. Use the API to retrieve affected versions for one of the following advisories:

    Cisco-SA-20120810-CVE-2012-1340
    Cisco-SA-20131106-CVE-2013-5566
    cisco-sa-20080610-snmpv3
    cisco-sa-20090908-tcp24
    cisco-sa-20091109-tls
    cisco-sa-20110907-nexus
    cisco-sa-20120215-nxos
    cisco-sa-20141015-poodle
    cisco-sa-20150128-ghost
    cisco-sa-20150320-openssl
    cisco-sa-20160129-openssl
    cisco-sa-20160203-apic
    cisco-sa-20160218-glibc
    cisco-sa-20160302-openssl
    cisco-sa-20160428-ntpd
    cisco-sa-20160504-openssl
    cisco-sa-20160603-ntpd
    cisco-sa-20160927-openssl
    cisco-sa-20161102-n9kapic
    cisco-sa-20171018-ppe
    cisco-sa-20171129-fxnx
    cisco-sa-20171129-nss
    cisco-sa-20171129-nxos
    cisco-sa-20171129-nxos1
    cisco-sa-20171129-nxos10
    cisco-sa-20171129-nxos2
    cisco-sa-20171129-nxos3
    cisco-sa-20171129-nxos4
    cisco-sa-20171129-nxos5
    cisco-sa-20171129-nxos6
    cisco-sa-20171129-nxos7
    cisco-sa-20171129-nxos8
    cisco-sa-20171129-nxos9
    cisco-sa-20171129-switch
    cisco-sa-20180117-nxos
    cisco-sa-20180117-nxos1
    cisco-sa-20180620-nxos-rbaccess
    cisco-sa-20190306-info-poap
  2. Observe product_names attribute only includes "Cisco NX-OS Software " without version information. Example:

    $ openVulnQuery --config cisco-api.json --advisory cisco-sa-20180117-nxos1
    [
    {
        "advisory_id": "cisco-sa-20180117-nxos1",
        "advisory_title": "Cisco NX-OS System Software Unauthorized User Account Deletion Vulnerability",
        "bug_ids": [
            "CSCvg21120"
        ],
        "cves": [
            "CVE-2018-0092"
        ],
        "cvrfUrl": "https://tools.cisco.com/security/center/contentxml/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1/cvrf/cisco-sa-20180117-nxos1_cvrf.xml",
        "cvss_base_score": "6.1",
        "cwe": [
            "CWE-264"
        ],
        "first_published": "2018-01-17T16:00:00-0800",
        "ips_signatures": [
            "NA"
        ],
        "last_updated": "2018-01-17T16:00:00-0800",
        "product_names": [
            "Cisco NX-OS Software "
        ],
        "publication_url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1",
        "sir": "Medium",
        "summary": "A vulnerability in the <em>network-operator</em> user role implementation for Cisco NX-OS System Software could allow an authenticated, local attacker to improperly delete valid user accounts. The <em>network-operator</em> role should not be able to delete other configured users on the device.<br />\n<br />\nThe vulnerability is due to a lack of proper role-based access control (RBAC) checks for the actions that a user with the <em>network-operator</em> role is allowed to perform. An attacker could exploit this vulnerability by authenticating to the device with user credentials that give that user the <em>network-operator</em> role. Successful exploitation could allow the attacker to impact the integrity of the device by deleting configured user credentials. The attacker would need valid user credentials for the device.<br />\n<br />\nThere are no workarounds that address this vulnerability.<br />\n<br />\nThis advisory is available at the following link:<br />\n<a href=\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1\">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1</a>"
    }
  3. Manually retrieve an affected version from a bug page attached to one of these advisories (e.g. 7.0(3)I6(1) from CSCvg21120 via cisco-sa-20180117-nxos1). A browser must be used to access this data.

  4. Make a call to the API looking for advisories that affect that version

  5. Observe the advisory is not in the response from the API.

    $ openVulnQuery --config cisco-api.json --nxos="7.0(3)I6(1)" | grep 'advisory_id'
        "advisory_id": "cisco-sa-20200205-fxnxos-iosxr-cdp-dos",
        "advisory_id": "cisco-sa-20190828-nxos-fsip-dos",
        "advisory_id": "cisco-sa-20190828-fxnxos-snmp-dos",
        "advisory_id": "cisco-sa-20190828-nxos-memleak-dos",
        "advisory_id": "cisco-sa-20190828-nxos-ntp-dos",
        "advisory_id": "cisco-sa-20190925-vman",
        "advisory_id": "cisco-sa-20190925-nxos-vman-cmd-inj",
        "advisory_id": "cisco-sa-20190828-nxos-api-dos",
  6. Observe data is also missing from CVRF: cisco-sa-20180117-nxos1_cvrf.xml

    <ProductTree xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/prod">
    <Branch Name="Cisco" Type="Vendor">
      <Branch Name="Cisco NX-OS Software" Type="Product Name">
        <FullProductName ProductID="CVRFPID-80720">Cisco NX-OS Software </FullProductName>
      </Branch>
    </Branch>
    </ProductTree>

Expected behavior

  1. Affected products data should include vulnerable versions on all advisories.
  2. Querying for advisories which apply to a specific version should not omit advisories which affect that version.

Screenshots

Please see API responses above.

Client Info

$ pip show openVulnQuery
Name: OpenVulnQuery
Version: 1.30
Summary: A python-based module(s) to query the Cisco PSIRT openVuln API.
Home-page: https://github.com/CiscoPSIRT/openVulnAPI/tree/master/openVulnQuery
Author: Omar Santos
Author-email: os@cisco.com
License: The MIT License (MIT)
Location: /Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/OpenVulnQuery-1.30-py3.8.egg
Requires: argparse, requests
Required-by:

Additional context

I made a post on the Cisco Community about this issue and was directed to create an issue here. Please see this discussion for additional context.

abunn-r7 commented 4 years ago

@santosomar Is there a better way to get in contact with the team responsible for the backend data?

santosomar commented 4 years ago

Hi,

You can always contact psirt@cisco.com to reach our team.

The reason that you are experiencing those symptoms is because we started supporting NX-OS on the software checker and API this year.

The new search capabilities will allow examination of vulnerabilities that were disclosed on or after 01 Jul 2019.

Hope this helps.
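The two facts in this thread combine into a practical consumer-side check: an advisory whose `product_names` carries no version token (as in the cisco-sa-20180117-nxos1 response above), or which was published before the 01 Jul 2019 NX-OS coverage start the maintainer mentions, must not be treated as "not affecting" a version just because a version query omits it. The script below is an added example, not code from the openVulnAPI project or from either commenter. It works on a constructed copy of the JSON and CVRF fragments quoted in the issue (trimmed to the fields used, plus one hypothetical post-cutoff advisory with a placeholder id for contrast), and the version-token regex is an assumption about how Cisco release strings look rather than anything the API documents.

```python
"""Flag openVuln API advisories whose affected-product data cannot support a
"version X is unaffected" conclusion. Added example; not part of openVulnAPI."""
import json
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: the cisco-sa-20180117-nxos1 record from the issue, trimmed
# to the fields this check reads, plus a hypothetical post-cutoff advisory
# (placeholder id and product string, not a real Cisco advisory) for contrast.
SAMPLE_RESPONSE = json.dumps([
    {
        "advisory_id": "cisco-sa-20180117-nxos1",
        "first_published": "2018-01-17T16:00:00-0800",
        "product_names": ["Cisco NX-OS Software "],
        "bug_ids": ["CSCvg21120"],
    },
    {
        "advisory_id": "cisco-sa-PLACEHOLDER-example",
        "first_published": "2019-09-25T16:00:00-0700",
        "product_names": ["Cisco NX-OS Software 7.0(3)I6(1)"],
        "bug_ids": [],
    },
])

# Constructed sample: the ProductTree fragment quoted in the issue.
SAMPLE_CVRF = """<ProductTree xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/prod">
<Branch Name="Cisco" Type="Vendor">
  <Branch Name="Cisco NX-OS Software" Type="Product Name">
    <FullProductName ProductID="CVRFPID-80720">Cisco NX-OS Software </FullProductName>
  </Branch>
</Branch>
</ProductTree>"""

# Per the maintainer's comment: NX-OS version data in the software checker and
# API covers advisories disclosed on or after 01 Jul 2019.
NXOS_COVERAGE_START = datetime(2019, 7, 1, tzinfo=timezone.utc)

# Assumed shape of a Cisco release token, e.g. 7.0(3)I6(1) or 9.3(5).
VERSION_RE = re.compile(r"\d+\.\d+(?:\(\d+\))?")

CVRF_PROD_NS = "http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/prod"


def parse_published(ts):
    """Parse the API timestamp format 2018-01-17T16:00:00-0800 (offset without colon)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z")


def has_version_info(product_names):
    """True if any product string names a concrete release."""
    return any(VERSION_RE.search(name) for name in product_names)


def audit_advisories(response_json, coverage_start=NXOS_COVERAGE_START):
    """Return {advisory_id: [reasons]} for advisories whose product data is
    too thin to conclude that a queried version is unaffected."""
    findings = {}
    for adv in json.loads(response_json):
        reasons = []
        if not has_version_info(adv.get("product_names", [])):
            reasons.append("product_names carries no version tokens")
        if parse_published(adv["first_published"]) < coverage_start:
            reasons.append("published before NX-OS coverage start; "
                           "a version query may omit it")
        if reasons:
            findings[adv["advisory_id"]] = reasons
    return findings


def unversioned_products_in_cvrf(cvrf_xml):
    """List (ProductID, name) for CVRF FullProductName entries naming no release."""
    root = ET.fromstring(cvrf_xml)
    return [
        (fpn.get("ProductID"), (fpn.text or "").strip())
        for fpn in root.iter("{%s}FullProductName" % CVRF_PROD_NS)
        if not VERSION_RE.search(fpn.text or "")
    ]


if __name__ == "__main__":
    # Usage: feed `openVulnQuery --json ...` style output here instead of the sample.
    for adv_id, reasons in audit_advisories(SAMPLE_RESPONSE).items():
        print(adv_id, "->", "; ".join(reasons))
    print("Unversioned CVRF products:", unversioned_products_in_cvrf(SAMPLE_CVRF))
```

The point of separating the two reasons is that they call for different handling: a missing version token means the advisory must be matched by product name and then resolved manually against the linked bug pages, while a pre-coverage publication date means absence from a version query is simply not evidence either way.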