
Scripted Lookup Of CVEs For A Version of macOS

The Mac comes with a number of tools for querying version numbers of things like apps and operating systems. First, let’s look at operating systems. The quickest way to get the version of the operating system is:

sw_vers -productVersion

It then becomes trivial to pipe this into another language, provided you can reach the command from within a script. For example, if you import os into a Python script, you can run the sw_vers command:

import os
os.system('sw_vers -productVersion')

Or to grab the version of the OS you could import a function just for that:

import platform
# mac_ver() returns a tuple; the first element is the release string
version = platform.mac_ver()

So in the following example, we’ll 

#!/usr/bin/env python3
# Print the CVE IDs the cve.circl.lu search API returns for a macOS version.
import sys, json, platform
import urllib.request  # Python 3 home of urlopen

if len(sys.argv) > 1:
    # Version passed on the command line
    version = sys.argv[1]
else:
    # No argument: use the version of the running OS
    version = platform.mac_ver()[0]

url = 'https://cve.circl.lu/api/search/apple/mac_os_x:{}'.format(version)
print([j['id'] for j in json.loads(urllib.request.urlopen(url).read().decode('utf-8'))])

This can be found at https://github.com/krypted/maccvecheck

So what might I want to do with it next? Well, you can also read the version of an app from its Spotlight metadata using mdls, with the -name option and the kMDItemVersion attribute, as follows for iTunes:

mdls -name kMDItemVersion /Applications/iTunes.app

And then you can look that up in the CVE database as well:

curl https://cve.circl.lu/api/search/apple/itunes:12.5

Or to merge the version check and the CVE check:

curl -s https://cve.circl.lu/api/search/apple/itunes:`mdls -name kMDItemVersion /Applications/iTunes.app | cut -d '"' -f2`

Ultimately, Apple has a number of products that are tracked in the CVE database, and a library of each could easily be built and parsed to produce all CVE hits encountered on a Mac. Obviously, you might not want to trust some random site from Luxembourg (those Luxembourgians are troublesome after all), and you can do this directly against the zip from NIST or create your own microservice that responds similarly to this site.
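As an added example (not code from the maccvecheck repository), here is one way to turn mdls output for several apps into lookup URLs and into matches against a local data set, skipping apps whose version comes back as (null) so that no malformed query is sent. The PRODUCTS mapping, the sample mdls output, the record schema and the placeholder CVE IDs are all constructed for illustration; the records are not in NIST's format.

```python
import re
from urllib.parse import quote

# Assumed mapping from bundle name to the vendor/product pair in the search URL.
PRODUCTS = {"iTunes.app": ("apple", "itunes"), "Safari.app": ("apple", "safari")}

# Constructed `mdls -name kMDItemVersion <app>` output, one entry per app.
SAMPLE_MDLS = {
    "iTunes.app": 'kMDItemVersion = "12.5.1"',
    "Safari.app": 'kMDItemVersion = "10.0"',
    "Unindexed.app": "kMDItemVersion = (null)",  # attribute missing from the index
}

# Constructed local records (placeholder IDs, simplified schema, not NIST's).
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "product": "apple/itunes", "fixed_in": "12.6"},
    {"id": "CVE-0000-0002", "product": "apple/itunes", "fixed_in": "12.5"},
    {"id": "CVE-0000-0003", "product": "apple/safari", "fixed_in": "10.0.1"},
]

def parse_mdls_version(output):
    """Return the quoted version string, or None for (null) or unexpected output."""
    m = re.fullmatch(r'kMDItemVersion\s*=\s*"([0-9][0-9A-Za-z.]*)"', output.strip())
    return m.group(1) if m else None

def search_url(vendor, product, version):
    """Build the lookup URL, percent-encoding each component."""
    parts = [quote(p, safe="") for p in (vendor, product, version)]
    return "https://cve.circl.lu/api/search/{}/{}:{}".format(*parts)

def version_key(version):
    """Turn '12.5.1' into (12, 5, 1) so that 12.10 sorts after 12.9."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def local_hits(mdls_outputs, records):
    """Map each known app with a readable version to the record IDs that affect it."""
    hits = {}
    for app, output in mdls_outputs.items():
        version = parse_mdls_version(output)
        if version is None or app not in PRODUCTS:
            continue  # skip instead of querying with a malformed version
        product = "/".join(PRODUCTS[app])
        hits[app] = [r["id"] for r in records
                     if r["product"] == product
                     and version_key(version) < version_key(r["fixed_in"])]
    return hits

if __name__ == "__main__":
    print(local_hits(SAMPLE_MDLS, SAMPLE_RECORDS))
    print(search_url("apple", "itunes", parse_mdls_version(SAMPLE_MDLS["iTunes.app"])))
```
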

Note: Special thanks to Yuresko for fixing my else statement.