Hello!
I’m trying to create a script that generates an Excel version of the top25 report, and the superseding of Microsoft’s KB patches confuses me greatly.
For example, let’s have a look at CVE-2017-0146. (I’m using the Python rapid7vmconsole API)
>>> vuln_api.get_vulnerability_solutions('msft-cve-2017-0146').resources
['msft-kb4012212-13c36c25-fee4-429f-933e-f93ebfbb91f5', 'msft-kb4012212-36e1591a-f6d3-44d2-aa25-540234b7eb36', 'msft-kb4012212-4ee6f09d-38d9-47ef-8ba9-dd802352b8ee', 'msft-kb4012212-652eea96-c2e8-4548-8f9a-40964e5e6a74', 'msft-kb4012212-c682d11d-fc2e-4852-9da7-c2198958bf6c', 'msft-kb4012212-fb31138f-b6a5-499c-9eb6-5b5f9fff6bfd', 'msft-kb4012213-317ca43c-7dfe-4e04-8a21-2c6c4ab4fbb9', 'msft-kb4012213-5d351df3-6efb-4b17-93e0-b0e3a5babbc3', 'msft-kb4012213-80bc2b42-a953-4096-8595-130e9a9c9fb9', 'msft-kb4012214-1949e6d5-95b0-4e90-acfb-73c9d295fbbf', 'msft-kb4012214-57dbd57f-89b2-4abb-8582-14fc17870bb8', 'msft-kb4012214-b4d71d8b-1f2d-4958-ad08-e379293d71e8', 'msft-kb4012598-22699699-94c3-4677-99e5-38cb4fb66401', 'msft-kb4012598-324162d3-2d68-4a64-93fc-948caad3b45c', 'msft-kb4012598-43db2dfd-c320-436a-94bf-5f094498fe68', 'msft-kb4012598-4d0386a5-2707-4e40-9d57-92e1f523c465', 'msft-kb4012598-5680ca8f-be92-4d13-8e4e-587aa462e838', 'msft-kb4012598-69eadaea-9a25-4cb4-8c6f-5f4603311eda', 'msft-kb4012598-6e52528b-7754-49ba-b39e-2a2a2b7c8c3a', 'msft-kb4012598-86ac3cc3-e972-41a8-ac78-45bc5a950faa', 'msft-kb4012598-9e189800-f354-4dc8-8170-7bd0ad7ca09a', 'msft-kb4012598-a679cafc-d8da-4c2a-9709-17a6e6a93f4f', 'msft-kb4012598-d4d15d30-e775-4f6f-b838-d3caca05a5e9', 'msft-kb4012598-ec4f955a-2fe7-45e6-bde1-1de91cbe874f', 'msft-kb4012598-fdb0df5f-8994-4e43-a37b-82544a1eff68', 'msft-kb4012606-384d5679-3c34-433f-8564-66fc5136a5e9', 'msft-kb4012606-6a38fe85-98ba-4ce2-b4eb-aed947d5c203', 'msft-kb4013198-477b54b9-913d-4c4e-8da8-01e0b4cf15ce', 'msft-kb4013198-6d9f75f7-d998-4188-a935-7603f4e51a4d', 'msft-kb4013429-724ee219-b949-4d44-9e02-e464c6062ae4', 'msft-kb4013429-74b1fe65-bd6b-4b76-a624-8674748898f2', 'msft-kb4013429-e29d1b22-493d-44dd-8857-7c6c7cb6d84c']
These solutions apply to different operating systems, so let’s filter out the ones for Windows Server 2016:
>>> for sol_id in vuln_api.get_vulnerability_solutions('msft-cve-2017-0146').resources:
...     sol = vuln_api.get_solution(sol_id)
...     if 'windows server 2016' in sol.applies_to.lower():
...         print(sol.id)
...
msft-kb4013429-74b1fe65-bd6b-4b76-a624-8674748898f2
Notably, KB4013429 is no longer available on https://www.catalog.update.microsoft.com/.
Now we can get the superseding solutions, of which there are more than one:
>>> for sol in vuln_api.get_superseding_solutions('msft-kb4013429-74b1fe65-bd6b-4b76-a624-8674748898f2').resources:
...     if 'windows server 2016' in sol.applies_to.lower():
...         print(sol.id)
...
msft-kb4038782-e895239d-88ad-4ac3-b68f-8abb6b489d19-cve-2017-8529
msft-kb4103723-99a0b90d-2519-4700-be0c-e6c7b5bd04ec-cve-2018-0886
msft-kb4284880-fa8b8608-4925-4c9b-871f-a3e5d0b082fa
msft-kb4601318-c9f46838-f8fd-4cf9-9d56-a7908273fb6b
msft-kb5004238-2ed6cabd-625f-4543-b546-b2423632e94a-manual
msft-kb5006669-ff623435-c638-4c25-a907-843fa16c22b3
msft-kb5006669-ff623435-c638-4c25-a907-843fa16c22b3-manual
We went from one solution to multiple superseding solutions.
And now we have a smorgasbord of no longer available and available KB articles:
- kb4038782 is no longer available
- kb4103723 is available but replaced with kb5006669
- kb4284880 is available and has not been replaced
- kb4601318 is no longer available
- kb5004238 is available but replaced with kb5006669
- kb5006669 is available
So, my goal is to go from this mess to one solution to msft-cve-2017-0146 - and right now it seems that going by highest KB number may work. Do you have any better ideas or thoughts? Please let me know.
Of course the “best” solution can be retrieved by simply calling the Remediation API, which makes me question the use of this get_superseding_solutions API functionality (at least in this particular case).
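
An offline sketch of the heuristic raised in the post, added here as an example (not code from the poster or from Rapid7): it parses the KB number out of the superseding solution IDs shown above, drops the KBs the post lists as unavailable or replaced, and takes the highest remaining number. The ID layout and the function names are assumptions; the status table is transcribed from the post's list and makes no API calls.

```python
import re

# Superseding solution IDs for Windows Server 2016, copied from the post.
SUPERSEDING_IDS = [
    "msft-kb4038782-e895239d-88ad-4ac3-b68f-8abb6b489d19-cve-2017-8529",
    "msft-kb4103723-99a0b90d-2519-4700-be0c-e6c7b5bd04ec-cve-2018-0886",
    "msft-kb4284880-fa8b8608-4925-4c9b-871f-a3e5d0b082fa",
    "msft-kb4601318-c9f46838-f8fd-4cf9-9d56-a7908273fb6b",
    "msft-kb5004238-2ed6cabd-625f-4543-b546-b2423632e94a-manual",
    "msft-kb5006669-ff623435-c638-4c25-a907-843fa16c22b3",
    "msft-kb5006669-ff623435-c638-4c25-a907-843fa16c22b3-manual",
]
# Status as listed in the post: KB number -> (available, replaced_by).
CATALOG_STATUS = {
    4038782: (False, None), 4103723: (True, 5006669),
    4284880: (True, None), 4601318: (False, None),
    5004238: (True, 5006669), 5006669: (True, None),
}
# Assumed layout, inferred from the IDs above: msft-kb<number>-<uuid>[-suffix]
ID_RE = re.compile(
    r"^msft-kb(\d+)-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
    r"(?:-.+)?$")

def kb_number(solution_id):
    """Extract the numeric KB from a solution ID, rejecting unknown layouts."""
    m = ID_RE.match(solution_id)
    if m is None:
        raise ValueError(f"unrecognised solution id: {solution_id!r}")
    return int(m.group(1))

def candidate_kbs(solution_ids, status):
    """KBs that are available and not replaced; -manual/-cve variants collapse."""
    kbs = {kb_number(s) for s in solution_ids}
    # A KB missing from the status table is treated as unavailable.
    return sorted(kb for kb in kbs if status.get(kb, (False, None)) == (True, None))

def pick_solution(solution_ids, status):
    """Highest-numbered remaining KB and the solution IDs that carry it."""
    candidates = candidate_kbs(solution_ids, status)
    if not candidates:
        return None, []
    best = max(candidates)
    return best, [s for s in solution_ids if kb_number(s) == best]

if __name__ == "__main__":
    print(candidate_kbs(SUPERSEDING_IDS, CATALOG_STATUS))
    print(pick_solution(SUPERSEDING_IDS, CATALOG_STATUS))
```

With the status from the post, filtering alone still leaves two KBs (kb4284880 and kb5006669), so the highest-number rule is what decides between them.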