
Cool API Trick - Out of Sync QIDs

Question asked by Busby on Jun 21, 2016

Developers out in the world using the Qualys API: I developed this little script/technique to deal with an issue I had in Qualys. To be clear, I created the issue. So sit back, take a read and see if this makes sense. Please let me know if you have any questions about this and I will try to answer as time permits.

 

CONTEXT: In the Qualys Knowledge Base (KB), you can alter a vulnerability. For instance, you can take QID 38603 (SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)). In the KB this is considered a RISK or severity of 3; in our scenario we change the risk to a 4 due to other factors such as the number of public exploits and other internal politics.

 

PROBLEM: If Qualys were to update QID 38603, Qualys would not update the signature in my account because I had altered the QID in some way. I needed a way to detect when a QID that I had altered had been re-published/updated by Qualys so that I could fix the issue.

 

I did a download of the Qualys KB as an XML file.

     Example Call: curl.exe --silent --tlsv1 --insecure --compressed --header "X-Requested-With: Powershell" --cookie ".\Gather-Certificate-Data.cookies" --data "action=list&details=All&last_modified_after=2011-09-01" "https://qualysapi.qualys.com/api/2.0/fo/knowledge_base/vuln/" > ".\kb.xml"

 

This gives you a large XML file, which I parsed with PowerShell. If you review the structure of the XML you will see the following.

 

Now this is NOT the entire XML for one QID, but here is the part you should look at.

<VULN>
  <QID>38603</QID>
  <VULN_TYPE>Vulnerability</VULN_TYPE>
  <SEVERITY_LEVEL>4</SEVERITY_LEVEL>
  <TITLE><![CDATA[SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)]]></TITLE>
  <CATEGORY>General remote services</CATEGORY>
  <LAST_CUSTOMIZATION>
    <DATETIME>2016-06-14T14:34:54Z</DATETIME>
    <USER_LOGIN>schum_db1</USER_LOGIN>
  </LAST_CUSTOMIZATION>
  <LAST_SERVICE_MODIFICATION_DATETIME>2016-01-06T21:57:28Z</LAST_SERVICE_MODIFICATION_DATETIME>
  <PUBLISHED_DATETIME>2014-10-16T21:05:59Z</PUBLISHED_DATETIME>
  <BUGTRAQ_LIST>
    <BUGTRAQ>
      <ID><![CDATA[70574]]></ID>
      <URL><![CDATA[http://www.securityfocus.com/bid/70574]]></URL>
    </BUGTRAQ>
  </BUGTRAQ_LIST>
  <PATCHABLE>0</PATCHABLE>
  <SOFTWARE_LIST>
    <SOFTWARE>
      <PRODUCT><![CDATA[solaris_cluster]]></PRODUCT>
      <VENDOR><![CDATA[oracle]]></VENDOR>
    </SOFTWARE>
  </SOFTWARE_LIST>
  <VENDOR_REFERENCE_LIST>
    <VENDOR_REFERENCE>
      <ID><![CDATA[POODLE]]></ID>
      <URL><![CDATA[https://www.openssl.org/~bodo/ssl-poodle.pdf]]></URL>
    </VENDOR_REFERENCE>
  </VENDOR_REFERENCE_LIST>
  <CVE_LIST>
    <CVE>
      <ID><![CDATA[CVE-2014-3566]]></ID>
      <URL><![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566]]></URL>
    </CVE>
  </CVE_LIST>
  <DIAGNOSIS>REMOVED FOR BREVITY</DIAGNOSIS>
  <DIAGNOSIS_COMMENT>REMOVED FOR BREVITY</DIAGNOSIS_COMMENT>
  <CONSEQUENCE>REMOVED FOR BREVITY</CONSEQUENCE>
  <SOLUTION>REMOVED FOR BREVITY</SOLUTION>
  <CORRELATION>REMOVED FOR BREVITY</CORRELATION>
  <CVSS>REMOVED FOR BREVITY</CVSS>
  <PCI_FLAG>1</PCI_FLAG>
  <DISCOVERY>
    <REMOTE>1</REMOTE>
  </DISCOVERY>
</VULN>

 

If you look at the entry, there are several dates that are of importance here:

  • LAST_CUSTOMIZATION
  • LAST_SERVICE_MODIFICATION_DATETIME
  • PUBLISHED_DATETIME

 

The LAST_CUSTOMIZATION element will only show on QID entries that have been modified outside of the normal Qualys updates. So this would help you if you just wanted to know which QIDs have been edited.

But I wanted to know whether I need to update the record, not just whether it has been altered. So look at the LAST_SERVICE_MODIFICATION_DATETIME; this is the last time the QID was modified by Qualys. If you have edited yours, this field will still be updated even though the rest of the QID is not.

Now you can basically do a date diff between the LAST_SERVICE_MODIFICATION_DATETIME and the LAST_CUSTOMIZATION date, if it exists. If this is a negative number then you have nothing to worry about; the LAST_CUSTOMIZATION date is after the LAST_SERVICE_MODIFICATION_DATETIME. However, if the LAST_SERVICE_MODIFICATION_DATETIME is AFTER the LAST_CUSTOMIZATION date for the QID, then that means Qualys has updated the signature.
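The date comparison described above, as an added example that is not the original poster's script: it parses a KB export and lists every customized QID whose LAST_SERVICE_MODIFICATION_DATETIME is later than its LAST_CUSTOMIZATION date. The sample XML is constructed from the VULN structure shown in the post (the KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST wrapper is assumed; the QIDs 90001 and 90002 are made up).

```python
# Added example, not the poster's code: flag customized QIDs that Qualys
# has re-published since the customization, from a KB XML export.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Constructed sample mirroring the VULN elements shown in the post.
# Only 38603 is from the post; 90001/90002 are made-up QIDs.
SAMPLE_KB_XML = """<KNOWLEDGE_BASE_VULN_LIST_OUTPUT><RESPONSE><VULN_LIST>
  <VULN><QID>38603</QID><SEVERITY_LEVEL>4</SEVERITY_LEVEL>
    <TITLE><![CDATA[SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)]]></TITLE>
    <LAST_CUSTOMIZATION><DATETIME>2016-06-14T14:34:54Z</DATETIME><USER_LOGIN>user1</USER_LOGIN></LAST_CUSTOMIZATION>
    <LAST_SERVICE_MODIFICATION_DATETIME>2016-01-06T21:57:28Z</LAST_SERVICE_MODIFICATION_DATETIME>
  </VULN>
  <VULN><QID>90001</QID><SEVERITY_LEVEL>5</SEVERITY_LEVEL>
    <TITLE><![CDATA[Constructed QID: customized, then re-published by Qualys]]></TITLE>
    <LAST_CUSTOMIZATION><DATETIME>2016-02-01T08:00:00Z</DATETIME><USER_LOGIN>user1</USER_LOGIN></LAST_CUSTOMIZATION>
    <LAST_SERVICE_MODIFICATION_DATETIME>2016-05-20T12:00:00Z</LAST_SERVICE_MODIFICATION_DATETIME>
  </VULN>
  <VULN><QID>90002</QID><SEVERITY_LEVEL>2</SEVERITY_LEVEL>
    <TITLE><![CDATA[Constructed QID: never customized]]></TITLE>
    <LAST_SERVICE_MODIFICATION_DATETIME>2016-05-20T12:00:00Z</LAST_SERVICE_MODIFICATION_DATETIME>
  </VULN>
</VULN_LIST></RESPONSE></KNOWLEDGE_BASE_VULN_LIST_OUTPUT>"""


def parse_qualys_datetime(text):
    """KB timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_out_of_sync_qids(xml_text):
    """Return [(qid, customized_at, service_modified_at)] for every QID that
    has a LAST_CUSTOMIZATION older than its LAST_SERVICE_MODIFICATION_DATETIME."""
    root = ET.fromstring(xml_text)
    out_of_sync = []
    for vuln in root.iter("VULN"):
        custom = vuln.find("LAST_CUSTOMIZATION/DATETIME")
        service = vuln.find("LAST_SERVICE_MODIFICATION_DATETIME")
        if custom is None or service is None:
            continue  # never customized (or no service date): nothing to reset
        customized_at = parse_qualys_datetime(custom.text)
        modified_at = parse_qualys_datetime(service.text)
        if modified_at > customized_at:  # Qualys re-published after our edit
            out_of_sync.append((vuln.findtext("QID"), customized_at, modified_at))
    return out_of_sync


if __name__ == "__main__":
    for qid, customized_at, modified_at in find_out_of_sync_qids(SAMPLE_KB_XML):
        print(f"QID {qid}: customized {customized_at:%Y-%m-%d}, Qualys updated "
              f"{modified_at:%Y-%m-%d}; reset to defaults and re-apply your edits")
```

To run it against a real export, replace SAMPLE_KB_XML with the contents of the kb.xml produced by the curl call above.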

 

Now correcting the issue is straightforward: you log in to Qualys and reset the QID to the defaults. This will update the QID to the latest version from Qualys. Then you can re-modify the QID, such as changing the risk or adding additional information to the QID in Qualys.

 

I hope this has been of some value to you. I may try to write a single PowerShell script that can download the entries from the KB in your account and perform this check for you; it is just a time issue.

 

Let me know what you think, @David

Thanks to jleggett for his support.
