
How to Correlate CVE Vulnerabilities to KB Patches via Automation

Here at NopSec our goal is to provide the most intelligent, automated way of managing cybersecurity risk in enterprise environments. One of the biggest challenges we face in automating vulnerability prioritization and remediation is finding and applying the right data at the right time. Our integration with Microsoft System Center Configuration Manager (SCCM) is a perfect example of how having the right data can enable the automation of everyday cybersecurity tasks.

MS SCCM background

Microsoft SCCM is a tool used by system administrators for software distribution and patch management in large enterprise IT environments. By integrating with SCCM, we automated the process of identifying and deploying the patches necessary to resolve existing vulnerabilities in an enterprise environment. In this blog post, I will explain how we used publicly available Microsoft patch data to automatically identify the patches necessary to resolve existing vulnerabilities detected by our various supported vulnerability scanners.

CVE to KB correlation

Security vulnerabilities are usually identified by their unique CVE (Common Vulnerabilities and Exposures) number, and this is what vulnerability scanners use when reporting detected vulnerabilities. Microsoft provides patch information in the form of Knowledge Base (KB) articles, each associated with one or more CVEs. Given the CVE number of a vulnerability, we need to be able to identify all the Knowledge Base article IDs associated with that CVE. We will later use those Knowledge Base article IDs to find and build a patch package in Microsoft SCCM. Luckily, the Microsoft Security Update Guide provides patch information in CVRF (Common Vulnerability Reporting Framework) format, which makes it easy to build a lookup table of Knowledge Base articles keyed by CVE number.

Proof of concept

Below is a simple Python script to retrieve patch data from the Microsoft Security Update API for EternalBlue (CVE-2017-0143) in CVRF format and extract all Knowledge Base article IDs associated with it. You will need your own API key, which you can get by signing up for the Developer API here.

Python Code
*You can find the code here.
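The following is an added example, not the script linked above or any NopSec code. It shows the CVE-to-KB step on its own: a CVRF document is parsed with the standard library and turned into a lookup table of CVE to KB article IDs. It runs offline against a constructed CVRF fragment embedded in the script (the KB and product IDs in it are illustrative); in practice the XML would be the monthly document fetched from the Security Update Guide API with your key. The CVRF 1.1 namespaces and the convention that a "Vendor Fix" remediation carries the KB number in its Description element are assumptions about the feed's layout.

```python
"""Build a CVE -> KB lookup table from a Microsoft CVRF document.

Added example (not NopSec's code). Assumes the CVRF 1.1 namespaces used by
the Microsoft Security Update Guide and that "Vendor Fix" remediations carry
the KB article number in their Description element.
"""
import re
import sys
import xml.etree.ElementTree as ET
from typing import Dict, Set

# CVRF 1.1 namespaces as used by the Microsoft Security Update Guide (assumed).
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}

# Constructed sample: a trimmed CVRF document in the shape Microsoft publishes.
# The KB numbers and product IDs below are illustrative, not real data.
SAMPLE_CVRF = """<?xml version="1.0" encoding="utf-8"?>
<cvrf:cvrfdoc xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1"
              xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Sample SMB vulnerability</vuln:Title>
    <vuln:CVE>CVE-2017-0143</vuln:CVE>
    <vuln:Remediations>
      <vuln:Remediation Type="Vendor Fix">
        <vuln:Description>4012212</vuln:Description>
        <vuln:ProductID>10047</vuln:ProductID>
      </vuln:Remediation>
      <vuln:Remediation Type="Vendor Fix">
        <vuln:Description>4012215</vuln:Description>
        <vuln:ProductID>10047</vuln:ProductID>
      </vuln:Remediation>
      <vuln:Remediation Type="Vendor Fix">
        <vuln:Description>4012212</vuln:Description>
        <vuln:ProductID>10048</vuln:ProductID>
      </vuln:Remediation>
      <vuln:Remediation Type="Workaround">
        <vuln:Description>Disable SMBv1</vuln:Description>
      </vuln:Remediation>
    </vuln:Remediations>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:Title>Sample browser vulnerability</vuln:Title>
    <vuln:CVE>CVE-2017-0001</vuln:CVE>
    <vuln:Remediations>
      <vuln:Remediation Type="Vendor Fix">
        <vuln:Description>Release Notes</vuln:Description>
      </vuln:Remediation>
    </vuln:Remediations>
  </vuln:Vulnerability>
</cvrf:cvrfdoc>
"""

# A KB article ID is a bare 6-8 digit number, optionally prefixed with "KB".
KB_RE = re.compile(r"^(?:KB)?(\d{6,8})$")


def build_cve_kb_table(cvrf_xml: str) -> Dict[str, Set[str]]:
    """Return {CVE: {KB article IDs}} for every vulnerability in the document.

    Only "Vendor Fix" remediations whose description is a KB number are kept;
    workarounds and non-numeric descriptions (e.g. "Release Notes") are
    dropped so the table only holds IDs a patch management tool can resolve.
    """
    # ElementTree's expat parser does not resolve external entities, so a
    # hostile document cannot trigger XXE here; still only feed it trusted data.
    root = ET.fromstring(cvrf_xml)
    table: Dict[str, Set[str]] = {}
    for vuln in root.findall("vuln:Vulnerability", NS):
        cve_el = vuln.find("vuln:CVE", NS)
        if cve_el is None or not cve_el.text:
            continue
        kbs = table.setdefault(cve_el.text.strip().upper(), set())
        for rem in vuln.findall("vuln:Remediations/vuln:Remediation", NS):
            if rem.get("Type") != "Vendor Fix":
                continue
            desc = rem.findtext("vuln:Description", default="", namespaces=NS)
            match = KB_RE.match(desc.strip())
            if match:
                kbs.add(match.group(1))  # same KB for several products dedups
    return table


def kbs_for_cve(cvrf_xml: str, cve: str) -> Set[str]:
    """Lookup for a single CVE, as the proof of concept does for CVE-2017-0143."""
    return build_cve_kb_table(cvrf_xml).get(cve.strip().upper(), set())


if __name__ == "__main__":
    # Offline run against the constructed sample; swap SAMPLE_CVRF for the text
    # of a real monthly CVRF document fetched from the Security Update Guide API.
    target = sys.argv[1] if len(sys.argv) > 1 else "CVE-2017-0143"
    for kb in sorted(kbs_for_cve(SAMPLE_CVRF, target)):
        print(f"{target} -> KB{kb}")
```

Note the two cases the filter handles: the same KB listed once per affected product collapses to one entry, and a "Vendor Fix" whose description is not a KB number (Microsoft uses text such as "Release Notes" for some products) yields an empty set rather than a bogus ID, which is what you want before handing the list to SCCM.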

Next Steps

After correlating vulnerabilities to patches (CVE to KB), the next step is downloading the patches into your patch management solution. This automation saves the time spent on manual correlation and downloading, which lets you reduce your mean time to remediation (MTTR). We would love to hear what other steps in the vulnerability lifecycle you are automating.
