CVE scanning woes

rubbishfoo · June 28, 2019, 4:02pm

Hey folks.

Kind of new to GB, but have a long history in various IT areas.

I am trying to get a CVE scan functioning on GCE.

Here is a quick layout of what I’ve done:

• Created VM on Hyper-V.
• Performed initial setup.
• Opened port TCP 873 for Community Feed.
• Waited a long time (note that it is mentioned a few times in here to be patient. Yeah, be patient. Come back tomorrow kind of patient. Data needs to be pulled, then built into databases - you don’t see this happening nor any kind of feedback)
• Created a target (lets call it Server1)
• Created a Task (Full and Very Deep)
• Performed the scan
• Reviewed the report

This is pretty darn helpful… but where I’m struggling is performing a CVE scan. My understanding is that I must have the data from a normal ‘full and fast’ or other ‘FULL and whatever’ scan to run a CVE scan.

I’ve created a separate task & set it for CVE scanning against Server1, but when I launch the task, it completes the moment it has started and there are no results.

I can view the CVEs under SecInfo & they are there…

Is there some troubleshooting I can perform to get this working properly?

Great tools. Thank you.

Lukas · June 28, 2019, 4:32pm

Did you add the results from your previous scan to the asset database ?

CVE scan happens only on the database and not on the target machine.

rubbishfoo · June 28, 2019, 4:42pm

Thanks for the reply Lukas,

I looked at the task just now. Is that the same as ‘Edit Task > Add results to Asset Management’?

If so, then yes - the task was created & run that way.

cfi · July 2, 2019, 7:40am

The CVE scanner is also only working if applications are detected with a version and a related CPE registered in the NVD database.

So basically if the scan against Server1 is detecting a CPE like the following with a “Full scan”:

cpe:/a:apache:http_server (without a version)

the CVE scanner won’t return any results / vulnerabilities. It would require a CPE like e.g.:

cpe:/a:apache:http_server:2.4.20

with a version where a CPE <-> CVE reference / matching is registered within the NVD database.

rubbishfoo · July 2, 2019, 2:29pm

That is helpful information, thank you!

I’ve run the ‘Full and Fast’ scans against a few of our internal and public facing IPs & came back with a report I am happy with (not a CVE report) - I was exploring the options I suppose & wanted to see all the angles.

Would like to express my thanks to Lukas, cfi, and of course any who may happen read this & work on these tools.

cfi · July 2, 2019, 2:42pm

One update to this as the NVD page was down this morning and i wasn’t able to provide an example.

Basically the CVE scanner is doing a search like e.g.:

https://nvd.nist.gov/vuln/search/results?form_type=Advanced&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ahttp_server%3A2.4.20

and shows all vulnerabilities listed there. If there is e.g. a current Apache HTTP Server 2.4.39 detected the CVE scanner currently won’t return any results as seen here:

https://nvd.nist.gov/vuln/search/results?form_type=Advanced&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ahttp_server%3A2.4.39

cfi · May 26, 2020, 11:13am

A post was split to a new topic: CVE scanner and results for CPEs without a version