
Windows/macOS/Linux script to analyse CISA KEV for Apple zero-day holes

From Marion <mariond@facts.com>
Newsgroups comp.sys.mac.apps, comp.sys.mac.advocacy, comp.sys.mac.system
Subject Windows/macOS/Linux script to analyse CISA KEV for Apple zero-day holes
Date 2025-11-06 08:07 -0700
Organization BWH Usenet Archive (https://usenet.blueworldhosting.com)
Message-ID <10eidjc$f3c$1@nnrp.usenet.blueworldhosting.com> (permalink)

Cross-posted to 3 groups.

Here's a Windows batch script I personally wrote to look at CISA KEV.

  @echo off
  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
  :: This is kev.bat v1.0 
  ::  Usage: C:\> kev.bat
  ::  Extensible Windows batch/powershell script to parse csv/json CISA KEV db
  ::  kev.ps1 must reside in same folder as kev.bat
  ::  kev.bat calls kev.ps1 using powershell with execution policy bypass
  ::  Output pauses so user can read results before window closes
  ::  The goal is to determine if Apple is telling the truth when Apple "says"
  ::  they locked iOS users into a walled prison garden "for their own safety".
  ::  As one step of that goal, the question to answer is simply thus: 
  ::  Q: What are cumulative exploits between iPhone/iPad & Android flagships?
  ::     <https://github.com/cisagov/kev-data>
  ::     <https://www.cisa.gov/known-exploited-vulnerabilities>
  ::     <https://www.cisa.gov/known-exploited-vulnerabilities-catalog>
  ::  Note this db is only about 6% of all known vulnerabilities!
  ::  <medium.com/@yotamperkal/cisa-kev-a-balanced-perspective-ff3856e69ba9>
  ::  That's because the KEV db only contains exploits meeting these criteria:
  ::   1. The exploit has a valid CVE ID.
  ::   2. There is reliable evidence of active exploitation.
  ::   3. A clear remediation action is already available to the general public.
  ::  The KEV database is in three files:
  ::   a. CSV (Comma-Separated Values)
  ::      <github.com/cisagov/kev-data/blob/develop/known_exploited_vulnerabilities.csv> 
  ::   b. JSON (JavaScript Object Notation)
  ::      <github.com/cisagov/kev-data/blob/develop/known_exploited_vulnerabilities.json>
  ::   c. JSON Schema (Defines the structure of the JSON data)
  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
  :: REVISION HISTORY:
  :: Version v1.0 20250929 (45L)
  ::  Invokes powershell to parse csv/json CISA database for iOS vs Android
  :: Version 1.1 2025???? (??L)
  ::  TBD
  :: Version 1.2 2025???? (??L)
  ::  TBD
  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
  :: 72 char 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 12
  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
  
  :: iOS vs Android known patched exploits (kev.ps1 must sit next to kev.bat).
  :: Keep comments on their own :: lines: text trailing a SET is not a comment,
  :: it only survived before because cmd discards what follows the closing quote.
  set "PS_SCRIPT=kev.ps1"
  powershell -NoProfile -ExecutionPolicy Bypass -File "%~dp0%PS_SCRIPT%"
  pause
  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
  :: End of kev.bat
  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


It works on macOS too!
  ###############################################################################
  # Define script version
  $scriptVersion = "kev.ps1 version 2.4 20250930"
  ##  An Extensible cross-platform batch/powershell script to parse CISA KEV db
  ##  Analyzes the CISA Known Exploited Vulnerabilities (KEV) database 
  ##  to compare iOS and Android-related security threats.
  ##   a. Downloads the latest KEV CSV or uses a local copy of the KEV CSV file
  ##   b. Filters out irrelevant entries (e.g., smart appliances, printers)
  ##   c. Uses keywords & vendor-product logic for platform-specific exploits
  ##   d. Identifies shared vulnerabilities affecting both ecosystems
  ##   e. Logs results to timestamped files in a clean ./logs directory
  ##   f. Outputs Apple iOS vs Android exploit summaries to console & log files
  ##  All logs are saved in the ./logs directory:
  ##   A. ios_matches_YYYYMMDD_HHMMSS.log
  ##   B. android_matches_YYYYMMDD_HHMMSS.log
  ##   C. shared_matches_YYYYMMDD_HHMMSS.log
  ##   D. kev_output_YYYYMMDD_HHMMSS.log (summary) 
  ##  Note the CISA KEV db lists only about 6% of all known vulnerabilities!
  ##   <medium.com/@yotamperkal/cisa-kev-a-balanced-perspective-ff3856e69ba9>
  ##  That's because the KEV db only contains exploits meeting these criteria:
  ##   1. The exploit has a valid CVE ID.
  ##   2. There is reliable evidence of active exploitation.
  ##   3. A clear remediation action is already available to the general public.
  ###############################################################################
  ## Windows Usage: C:\> kev.bat
  ## Where kev.bat is the following lines of code:
  ##  set "PS_SCRIPT=kev.ps1"
  ##  powershell -NoProfile -ExecutionPolicy Bypass -File "%~dp0%PS_SCRIPT%"
  ##  pause
  ## Linux/macOS Usage: $ pwsh ./kev.ps1
  ##  Requires PowerShell Core (pwsh) <https://github.com/PowerShell/PowerShell>
  ##  No execution-policy step is needed there: execution policy is a Windows-only
  ##  control and pwsh on Linux/macOS runs scripts without it (Set-ExecutionPolicy
  ##  is not supported on those platforms).
  ###############################################################################
  ## Version 1.0 20250829 (41L)
  ##  Extensible Windows batch/powershell script to parse csv/json CISA KEV db
  ##  Uses powershell to parse csv/json CISA database for iOS vs Android
  ##  Added comment discipline rules for ASCII-only and no oxford comma
  ##  CSV downloaded from GitHub mirror of CISA KEV database
  ##  Keyword logic uses lowercase match on vendor, product, and vuln name
  ##  Matching uses wildcard logic with simple substring detection
  ##  Results printed to console with Write-Host
  ##  Script can be extended to log output or refine keyword logic
  ## Version 1.1 20250929 (56L)
  ##  Adds time-stamped output file to current directory
  ##  Uses Get-Date with custom format for filename
  ##  Output file includes iOS and Android known exploit counts
  ##  Output file UTF8 encoding for platform/editor compatibility
  ## Version 1.2 20250929 (68L)
  ##  Expands keyword logic for iOS and Android ecosystems
  ##  Adds ipad, watchos, macos, pixel, samsung, qualcomm, mediatek
  ##  Improves platform distinction across shared components like WebKit
  ##  Android common vendors & chipsets: pixel, samsung, qualcomm, mediatek 
  ##  iOS platforms: ipad, ipados, watchos, macos
  ##  Used Join-Path to make filespecs usable on Windows/Linux/macOS
  ## Version 1.3 20250929 (87L)
  ##  Added an output log to a separate file of each match with its source line 
  ##  Modified filespecs to enable macOS/Linux PowerShell Core portability
  ## Version 1.4 20250929 (97L)
  ##  Included CVE ID in logs (Adds traceability & audit value)
  ##  Added platform detection (Join-Path & $PWD)
  ##  Add toggle for local file (avoid unnecessary d/l when testing)
  ## Version 1.5 20250929 (108L)
  ##  Add exclusion filtering logic (e.g., samsung TVs)
  ##  Exclusion filtering removes Apple smart home devices.
  ## Version 1.6 20250929 (130L)
  ##  Added shared-match detection to avoid double counting overlapping attack
  ##   surfaces in platform-specific summaries
  ## Version 1.7 20250929 (141L)
  ##  Added vendor-product dictionary-style mapping to exclude false positives
  ##   like "Samsung tv" or "refrigerator" or "Apple tv" or "homepod"
  ## Version 1.8 20250929 (148L)
  ##  Refined keyword logic for deeper iOS & Android exploit detection
  ##   around shared components like WebKit & cryptographic modules
  ##  Apple includes subsystems like secure enclave, coremedia & launchd
  ##  Android includes cryptographic modules & shared components like 
  ##   keymaster, webkit & play services.
  ## Version 1.9 20250929 (163L)
  ##  Moved all log files into ./logs directory to reduce clutter
  ##  Added usage instructions for macOS/Linux (pwsh)
  ## Version 2.0 20250929 (207L)
  ##  Added toggle to include/exclude macOS from iOS counts
  ##  Fixed platform detection (Join-Path & $PWD) console output
  ## Version 2.1 20250929 (212L)
  ##  Added output of the PowerShell version (in case of mismatches)
  ## Version 2.2 20250930 (219L)
  ##  Added date in the console output
  ## Version 2.3 20250930 (228L)
  ##  Removed false positives from desktop and server-side CVEs
  ##  Added 'chromium' & 'mojo' to iOS & Android keyword lists
  ##  Improved detection of shared browser & sandbox escape exploits
  ##  Added exclusion for Fortinet, Cisco, Oracle & Adobe using keywords of
  ##   fortinet, fortios, fortiproxy, cisco, oracle, adobe, jenkins, mozilla, 
  ##   nagios, redis, qnap, crushftp
  ## Version 2.4 20250930 (231L)
  ##  Added the script version to the console output for auditing purposes
  ###############################################################################
  # Platform detection (v2.3)
  $platform = $PSVersionTable.PSEdition
  $version = $PSVersionTable.PSVersion
  if ($platform -eq "Desktop") {
      Write-Host "Running on platform: Windows PowerShell"
  } elseif ($platform -eq "Core") {
      if ($IsWindows) {
          Write-Host "Running on platform: Windows (pwsh)"
      } elseif ($IsLinux) {
          Write-Host "Running on platform: Linux (pwsh)"
      } elseif ($IsMacOS) {
          Write-Host "Running on platform: macOS (pwsh)"
      } else {
          Write-Host "Running on platform: Unknown Core edition"
      }
  } else {
      Write-Host "Running on platform: Unknown"
  }
  Write-Host "PowerShell version: $version"
  # Configuration toggles
  $useLocalFile = $true   # $true: reuse ./kev.csv when it exists (avoids re-downloading
                          #        while testing); $false: always fetch a fresh copy
  $includeMacOS = $false  # $true: count macOS entries with iOS; $false: iOS/iPadOS/watchOS only
  # Download the KEV CSV from the cisagov/kev-data GitHub mirror, or reuse the local copy
  $csvUrl = "https://raw.githubusercontent.com/cisagov/kev-data/develop/known_exploited_vulnerabilities.csv"
  $csvPath = Join-Path -Path $PWD -ChildPath "kev.csv"
  if ($useLocalFile -and (Test-Path $csvPath)) {
      Write-Host "Using local file: $csvPath"
  } else {
      # Falls through to a download when no local copy exists yet (first run),
      # instead of failing later in Import-Csv
      Invoke-WebRequest -Uri $csvUrl -OutFile $csvPath
      Write-Host "Downloaded fresh file: $csvPath"
  }
  # Define keyword logic for iOS and Android
  # Matching is a case-insensitive substring test (-like "*keyword*") against
  # vendor + product + vulnerability name, so a keyword hits anywhere inside a
  # longer word.
  # iOS includes Apple platforms and WebKit-based browsers. Caveat: "sandbox",
  # "chromium" and "mojo" are not Apple-specific and will also pull in non-Apple
  # entries that survive the exclusion list.
  $iosKeywords = @(
      "apple", "ios", "ipados", "watchos", "webkit", "safari",
      "secure enclave", "coregraphics", "coremedia", "corefoundation",
      "springboard", "launchd", "sandbox", "chromium", "mojo"
  )
  if ($includeMacOS) {
      $iosKeywords += "macos"
  }
  # Android includes Google platforms and common Android vendors. Caveat: "google"
  # also matches desktop Chrome/Chromium V8 entries, and because "webkit",
  # "chromium" and "mojo" appear in both lists, every such entry is counted as shared.
  $androidKeywords = @(
      "android", "google", "pixel", "samsung", "qualcomm", "mediatek",
      "play services", "keymaster", "keystore", "secure element", "omapi",
      "webkit", "chromium", "mojo"
  )
  # Initialize counters for each platform
  $iosCount = 0
  $androidCount = 0
  $timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
  $logDir = Join-Path -Path "." -ChildPath "logs"
  if (-not (Test-Path $logDir)) {
      New-Item -ItemType Directory -Path $logDir | Out-Null
  }
  $iosLogPath = Join-Path -Path $logDir -ChildPath "ios_matches_$timestamp.log"
  $androidLogPath = Join-Path -Path $logDir -ChildPath "android_matches_$timestamp.log"
  $sharedLogPath = Join-Path -Path $logDir -ChildPath "shared_matches_$timestamp.log"
  $outputFile = Join-Path -Path $logDir -ChildPath "kev_output_$timestamp.log"
  # Exclusion list, applied before platform matching. Same substring test as
  # above, so short tokens such as "tv" and "iot" also match inside longer
  # words and can drop unrelated entries; check the logs if a count looks low.
  $excludeKeywords = @(
      "refrigerator", "tv", "washer", "dryer", "smart appliance", "iot", "industrial", "printer",
      "apple tv", "homepod", "airtag", "fortinet", "fortios", "fortiproxy", "cisco",
      "oracle", "adobe", "jenkins", "mozilla", "nagios", "redis", "qnap", "crushftp"
  )
  # Vendor-product sanity map: when the vendor is a key here, the product field
  # must contain one of the listed tokens or the entry is skipped. Note this also
  # skips Apple entries whose product field names no device or OS (a product such
  # as "Multiple Products" contains none of these tokens), which undercounts Apple.
  $vendorProductMap = @{
      "samsung"   = @("galaxy", "android", "mobile", "tablet")
      "qualcomm"  = @("snapdragon", "modem", "chipset")
      "apple"     = @("iphone", "ipad", "ios", "watchos", "macbook")
  }
  if ($includeMacOS) {
      $vendorProductMap["apple"] += "macos"
  }
  # Parse KEV CSV and count keyword matches
  # Columns used (KEV CSV header): cveID, vendorProject, product, vulnerabilityName
  $sharedCount = 0
  Import-Csv $csvPath | ForEach-Object {
      $text = ($_.vendorProject + " " + $_.product + " " + $_.vulnerabilityName).ToLower()
      $vendor = $_.vendorProject.ToLower()
      $product = $_.product.ToLower()
      # Skip irrelevant matches
      if ($excludeKeywords | Where-Object { $text -like "*$_*" }) {
          return
      }
      # Skip mismatched vendor-product combos
      if ($vendorProductMap.ContainsKey($vendor)) {
          $validProducts = $vendorProductMap[$vendor]
          if (-not ($validProducts | Where-Object { $product -like "*$_*" })) {
              return
          }
      }
      $logEntry = "$($_.cveID): $text"
      $iosMatch = $iosKeywords | Where-Object { $text -like "*$_*" }
      $androidMatch = $androidKeywords | Where-Object { $text -like "*$_*" }
      # An entry matching both lists is counted once per platform and once as
      # shared, via a counter. (Add-Content appends its own newline; the earlier
      # "`n" suffix double-spaced the logs, so counting the shared log's lines
      # reported twice the real total.)
      if ($iosMatch -and $androidMatch) {
          $iosCount++
          $androidCount++
          $sharedCount++
          Add-Content -Path $iosLogPath -Value $logEntry
          Add-Content -Path $androidLogPath -Value $logEntry
          Add-Content -Path $sharedLogPath -Value $logEntry
      } elseif ($iosMatch) {
          $iosCount++
          Add-Content -Path $iosLogPath -Value $logEntry
      } elseif ($androidMatch) {
          $androidCount++
          Add-Content -Path $androidLogPath -Value $logEntry
      }
  }
  # Output results to console
  Write-Host "KEV vulnerability summary ($scriptVersion) for: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
  Write-Host "Estimated Apple-iOS-related exploits: $iosCount"
  Write-Host "Estimated Android-related exploits: $androidCount"
  Write-Host "Estimated shared exploits: $sharedCount"
  # Write the summary to the time-stamped file in ./logs (Join-Path above keeps
  # the filespec portable across Windows/macOS/Linux)
  @(
      "KEV vulnerability summary $timestamp ($scriptVersion)",
      "Estimated Apple-iOS-related exploits: $iosCount",
      "Estimated Android-related exploits: $androidCount",
      "Estimated shared exploits: $sharedCount"
  ) | Out-File -FilePath $outputFile -Encoding UTF8
  # Append a summary line to each match log (v1.4); the shared log only exists
  # when at least one entry matched both keyword lists
  Add-Content -Path $iosLogPath -Value "`nTotal iOS matches: $iosCount"
  Add-Content -Path $androidLogPath -Value "`nTotal Android matches: $androidCount"
  if (Test-Path $sharedLogPath) {
      Add-Content -Path $sharedLogPath -Value "`nTotal shared matches: $sharedCount"
  }
  ###############################################################################
  ## end of kev.ps1
  ###############################################################################
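Added example (editor's code, not part of Marion's post or of the kev scripts): the same KEV columns classified with word-boundary regex matching instead of the posted `-like "*keyword*"` substring tests. The posted script's exclusion tokens (for example "tv") also fire inside longer words, its "apple" vendor-product map skips Apple rows whose product field names no device or OS, and its bare "google" keyword credits desktop Chromium V8 entries to Android. This sketch keeps such browser-engine rows in their own bucket and breaks the counts down by the year in dateAdded. Every sample row, CVE ID and vendor/product string below is constructed to exercise the classifier, and the function and parameter names are the editor's.

```powershell
# Added example (editor's code, not from the post). Field names follow the KEV
# CSV header that kev.ps1 reads: cveID, vendorProject, product,
# vulnerabilityName, dateAdded.

# Constructed sample rows: CVE IDs and vendor/product strings are made up to
# exercise the classifier; they are not real KEV entries.
$sampleRows = @(
    [pscustomobject]@{ cveID = 'CVE-0000-0001'; vendorProject = 'Apple';     product = 'iOS and iPadOS';    vulnerabilityName = 'Apple iOS and iPadOS Kernel Memory Corruption Vulnerability';     dateAdded = '2025-01-15' }
    [pscustomobject]@{ cveID = 'CVE-0000-0002'; vendorProject = 'Apple';     product = 'Multiple Products'; vulnerabilityName = 'Apple Multiple Products WebKit Use-After-Free Vulnerability';       dateAdded = '2024-09-07' }
    [pscustomobject]@{ cveID = 'CVE-0000-0003'; vendorProject = 'Google';    product = 'Chromium V8';       vulnerabilityName = 'Google Chromium V8 Type Confusion Vulnerability';                 dateAdded = '2025-02-01' }
    [pscustomobject]@{ cveID = 'CVE-0000-0004'; vendorProject = 'Google';    product = 'Android';           vulnerabilityName = 'Google Android Framework Privilege Escalation Vulnerability';     dateAdded = '2024-11-20' }
    [pscustomobject]@{ cveID = 'CVE-0000-0005'; vendorProject = 'Samsung';   product = 'Mobile Devices';    vulnerabilityName = 'Samsung Mobile Devices Out-of-Bounds Write Vulnerability';        dateAdded = '2024-05-02' }
    [pscustomobject]@{ cveID = 'CVE-0000-0006'; vendorProject = 'ExampleCo'; product = 'NetVault Gateway';  vulnerabilityName = 'ExampleCo NetVault Gateway Authentication Bypass Vulnerability'; dateAdded = '2023-03-30' }
)

function Get-KevPlatform {
    param(
        [Parameter(Mandatory)] [object] $Row,
        [switch] $IncludeMacOS      # mirrors the $includeMacOS toggle in kev.ps1
    )
    # Same haystack as kev.ps1; -match is case-insensitive by default.
    $text = "$($Row.vendorProject) $($Row.product) $($Row.vulnerabilityName)"
    $iosTokens = 'ios|ipados|iphone|ipad|watchos|webkit|safari'
    if ($IncludeMacOS) { $iosTokens += '|macos' }
    # \b anchors: 'ios' no longer hits 'radios' and 'tv' no longer hits 'NetVault'.
    # Searching the vulnerability name too keeps 'Multiple Products' rows in play.
    $isApple   = ($Row.vendorProject -eq 'Apple') -and ($text -match "\b($iosTokens)\b")
    $isAndroid = ($text -match '\b(android|pixel)\b') -or
                 (($Row.vendorProject -eq 'Samsung') -and ($Row.product -match '\b(mobile|galaxy)\b'))
    $isBrowserEngine = $text -match '\b(chromium|v8|blink)\b'
    if ($isApple -and $isAndroid) { return 'shared' }
    if ($isApple)                 { return 'ios' }
    if ($isAndroid)               { return 'android' }
    # Chromium/V8 with no mobile marker is reported on its own instead of being
    # credited to Android (kev.ps1 does credit it, via the bare 'google' keyword).
    if ($isBrowserEngine)         { return 'browser-engine' }
    return 'other'
}

function Get-KevPlatformSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [switch] $IncludeMacOS
    )
    $Rows |
        ForEach-Object {
            [pscustomobject]@{
                cveID    = $_.cveID
                Year     = ([datetime]$_.dateAdded).Year   # dateAdded is yyyy-MM-dd in KEV
                Platform = Get-KevPlatform -Row $_ -IncludeMacOS:$IncludeMacOS
            }
        } |
        Group-Object Platform, Year |
        Sort-Object Name |
        Select-Object @{ Name = 'Platform, Year'; Expression = { $_.Name } }, Count
}

# Run over the constructed rows.
Get-KevPlatformSummary -Rows $sampleRows | Format-Table -AutoSize

# Contrast with the post's substring exclusion: '*tv*' drops the NetVault row outright.
$droppedBySubstring = $sampleRows |
    Where-Object { "$($_.product)".ToLower() -like '*tv*' } |
    Select-Object -ExpandProperty cveID
Write-Host "Dropped by the substring test 'tv': $($droppedBySubstring -join ', ')"

# The same summary over the real catalog, using the JSON file the post links to
# (the array of entries sits under the top-level 'vulnerabilities' key):
#   $kev = Invoke-RestMethod 'https://raw.githubusercontent.com/cisagov/kev-data/develop/known_exploited_vulnerabilities.json'
#   Get-KevPlatformSummary -Rows $kev.vulnerabilities | Format-Table -AutoSize
```

Run it with `pwsh ./kev-wordboundary.ps1` (any file name works; the one here is the editor's). The classifier is deliberately stricter than the posted keyword lists: it requires the Apple vendor for the iOS bucket and a mobile marker for Android, so its counts will be lower than kev.ps1's for the same catalog, and the difference between the two is itself a useful measure of how much the substring approach over-counts.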
