
Feature Spotlight - Using IP Fabric to Protect Against Network Vulnerabilities


Modern networks are constantly at risk, from the external threat of attackers to internal threats such as rogue devices that slip through the cracks and go undocumented. Teams must ensure there are no security gaps in their network, including in the devices themselves. Publicly disclosed vulnerabilities in network devices (CVEs) are one such internal threat, and they can cause long-lasting damage to network resilience and operational stability.

In November 2024, Palo Alto devices were found to be at risk from two separate CVEs. A similar case arose earlier this year, in April, with a command-injection vulnerability affecting the GlobalProtect feature of Palo Alto firewalls.

Teams need a way to document, monitor and proactively identify whether their devices are exposed to network vulnerabilities or CVEs. Something like IP Fabric.

CVE vulnerability self-defense 101

One key tool in the fight against CVEs is the MITRE Corporation's Common Vulnerabilities and Exposures (CVE) database. This database is a catalogue of records for publicly disclosed vulnerabilities in software and infrastructure. Once a CVE is identified, it is classified, assessed and added to the central database hosted by NIST.

Where does IP Fabric fit into this?

Keep your network protected from any network vulnerabilities with IP Fabric REST API calls

REST API calls to give peace of mind

Through network discovery, teams obtain a complete overview of their network inventory, including rogue devices that might previously have gone undetected. The inventory collected in this process includes End of Life (EoL), End of Sale (EoS) and End of Support information, as well as the currently applied OS and code versions. All of this is presented in tables, making it easy to read and understand.

End of life information provided by IP Fabric

Using IP Fabric's REST API, an engineer can easily find out whether a particular network environment is exposed to a CVE vulnerability:

  1. Create an API token
  2. Issue a POST request to the API endpoint 'tables/inventory/devices' on the IP Fabric server to obtain the inventory from the required snapshot:
    • (e.g.) curl "https://demoX.ipfabric.io/api/v1/tables/inventory/devices" -X POST -H "X-API-Token: XXXXXXXXXXXX" -d '{"columns":["hostname","vendor","family","version"],"snapshot":"$last"}'
  3. After this, loop over the list of devices returned from this POST request and assemble a request to search the CVE database for each one.
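The three steps above, as an added example that is not IP Fabric's own code: it builds the step 2 POST, groups the returned devices by platform so each software build is searched once, and reduces the CVE records to the fields discussed below. The "data" envelope of the inventory response, the NVD 2.0 keywordSearch API and its response shape are assumptions, and both sample payloads are constructed.

```python
# Added example (not IP Fabric's own code): turn the inventory POST from step 2
# into per-platform CVE lookups. Assumptions: the "data" envelope of the
# inventory response, and the NVD 2.0 keywordSearch API and response shape.
from urllib.parse import urlencode

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"

def inventory_request(base_url, token, snapshot="$last"):
    """Build the POST from step 2; returns (url, headers, JSON body)."""
    return (f"{base_url}/api/v1/tables/inventory/devices",
            {"X-API-Token": token, "Content-Type": "application/json"},
            {"columns": ["hostname", "vendor", "family", "version"], "snapshot": snapshot})

def platform_groups(inventory):
    """Step 3: group hostnames by (vendor, family, version) so each software
    build is looked up once, not once per device."""
    groups = {}
    for dev in inventory["data"]:
        groups.setdefault((dev["vendor"], dev["family"], dev["version"]), []).append(dev["hostname"])
    return groups

def cve_query_url(vendor, family, version):
    """Keyword-search URL for one platform (assumed NVD 2.0 parameter name)."""
    return f"{NVD_API}?{urlencode({'keywordSearch': f'{vendor} {family} {version}'})}"

def summarize(nvd_response):
    """Reduce a CVE response to the three fields the post lists:
    description, report source and severity (CVSS v3.1 when present)."""
    out = []
    for item in nvd_response.get("vulnerabilities", []):
        cve = item["cve"]
        desc = next((d["value"] for d in cve["descriptions"] if d["lang"] == "en"), "")
        v31 = cve.get("metrics", {}).get("cvssMetricV31", [])
        severity = v31[0]["cvssData"]["baseSeverity"] if v31 else "UNKNOWN"
        out.append({"id": cve["id"], "description": desc,
                    "source": cve["sourceIdentifier"], "severity": severity})
    return out

# Constructed sample inventory, shaped like the table endpoint's "data" array.
SAMPLE_INVENTORY = {"data": [
    {"hostname": "fw-edge-1", "vendor": "paloalto", "family": "pan-os", "version": "10.2.0"},
    {"hostname": "fw-edge-2", "vendor": "paloalto", "family": "pan-os", "version": "10.2.0"},
    {"hostname": "core-sw-1", "vendor": "cisco", "family": "ios-xe", "version": "17.9.4"},
]}
# Constructed NVD-style response; the CVE id and source are placeholders.
SAMPLE_NVD = {"vulnerabilities": [{"cve": {
    "id": "CVE-0000-00000", "sourceIdentifier": "placeholder@example.invalid",
    "descriptions": [{"lang": "en", "value": "Constructed example record."}],
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}}]}
```

Running `platform_groups(SAMPLE_INVENTORY)` on the constructed inventory yields two platforms to query instead of three devices, and `summarize(SAMPLE_NVD)` gives one CRITICAL record.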

After completing these steps, a JSON data structure containing the list of CVEs that apply to the queried devices is returned. Each CVE item contains:

  1. A description of the CVE
  2. The source of the CVE report
  3. A threat level classification relating to the impact and exploitability of the CVE

All of this information can be used to ascertain whether there are any devices in the network that are susceptible to a CVE vulnerability, allowing teams to take immediate steps to troubleshoot and/or replace the impacted component.

Network vulnerabilities supplemented with context

Having access to this information is a great asset in keeping a network secure. With IP Fabric, this can be taken further though. The ability to discover and map out a network environment into detailed network topologies gives engineers more of what they need to secure their network - context. A topological overview of the network provides the location of the affected device and displays its interconnectivity and interdependence to other devices.

This allows for further classification of the threat that a CVE-impacted device poses to the network, such as how many users are connected through the affected component. It also provides context around the potential impact of upgrading or replacing devices: engineers have an overview of the role the device plays within the topology and can judge whether a device from a different vendor would be a suitable replacement.

If you would like to try IP Fabric for yourself and see how it can protect you from network vulnerabilities, try our free, self-guided demo here. Make sure to follow us on LinkedIn for the latest developments from the world of Network Assurance, and on our blog, where we regularly post new content.
