Knowledge Base

Ask A Question

Questions

1

Nexpose: What is Vulnerability PCI Compliance Status?

Can anyone explain what determines the Pass/Fail status of the Vulnerability PCI Compliance Status? Specifically I'm talking about the "Vulnerability PCI Compliance Status" data field available within a CSV report template. The obvious answer is CVSS >= 4 = Fail but that is not a complete answer. DoS vulns and PCI deemed "automatic failure" vulnerabilities can affect the field. But I'm also finding that vulnerabilities with an approved exception will also cause a Fail to turn into a Pass. What other factors will alter this field? Is there any way to determine what caused the change in setting? For example, if I generate a CSV export report of devices in a particular asset group, how can I demonstrate to an auditor or a QSA WHY a particular vulnerability is set to "Pass"? Two examples of vulnerabilities that are unexplainably set to pass include VMSA-2012-0018: Update to ESX glibc package (CVE-2012-3405) (Vulnerability ID: 12966) and VMSA-2012-0013: VMSA-2012-0013 Update to ESX/ESXi userworld OpenSSL library (CVE-2011-4577) (Vulnerability ID: 13203). They have a Vulnerability Severity Level of 5 and 4 respectively. They have a Vulnerability CVSS score of 5 and 4.3 respectively. Neither have an exception. I would think they would be Fail. Yet they're both Vulnerability PCI Compliance Status = Pass. About the only thing I can find to justify the score is in the dim_vulnerability table there is pci_severity_score of 2 for both vulnerabilities. But I have no idea how pci_severity_score is calculated or why that is used instead of Vulnerability Severity Level or CVSS Score.

Posted by Thao Doan about a year ago

1

Scheduled SQL Report Distribution changes overnight

Is anyone else seeing their scheduled SQL reports change to "no email source" after being set to a global email source? New SQL reports on the current release do not seem to have the issue, until a new content update or new release (still undecided and untraceable). The working reports become broken and the only way to fix it is to build the report from scratch (copies break too!) which, as you can expect, not a viable option. I can duplicate this every day, yet there is no way to capture the change to the db setting that swithes between email sources. Steps to reproduce: find older SQL report (Pre-current release) change query to: SELECT DISTINCT ON (da.ip_address) da.ip_address, da.host_name, da.mac_address, dos.description AS operating_system, to_char(fas.scan_finished, 'MM/DD/YYYY HH24:MI:SS') as scan_finished FROM dim_asset da JOIN dim_operating_system dos USING (operating_system_id) JOIN dim_host_type dht USING (host_type_id) JOIN fact_asset_scan fas USING (asset_id) JOIN dim_tag_asset dta USING (asset_id) JOIN dim_tag dt USING (tag_id) WHERE scan_finished > NOW() - INTERVAL '30 days' set data model to 2.3.0 (yet another issue) set scope (currently 1 tag) set frequency to run daily @8:30 am set the report owner as you no other report viewers are necessary set the email source to global email source send report to owner attach report as file Save and/or run report Check back in the morning to find the report did run but didn't send and the distribution settings are reverted back to "no email source".

Posted by kbruce about a year ago

1

SQL Help: Remediated Query with vuln first found on asset

Can any SQL gurus here add "Vulnerability first found on asset" to the query below? We are using a modified version of the New/Remediated query that ignores new and shows remediated or present on both. Thanks! WITH assets_vulns AS ( SELECT fasv.asset_id, fasv.vulnerability_id, baselineComparison (fasv.scan_id, current_scan) AS baseline, s.baseline_scan, s.current_scan FROM fact_asset_scan_vulnerability_instance fasv JOIN ( SELECT asset_id, previousScan (asset_id) AS baseline_scan, lastScan (asset_id) AS current_scan FROM dim_asset ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id = s.baseline_scan OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.baseline_scan, s.current_scan HAVING baselineComparison (fasv.scan_id, current_scan) = 'Same' OR baselineComparison (fasv.scan_id, current_scan) = 'New' OR baselineComparison (fasv.scan_id, current_scan) = 'Old' ), baseline_scan_date AS ( SELECT av.asset_id, finished FROM assets_vulns av LEFT JOIN dim_scan ds ON ds.scan_id = av.baseline_scan GROUP BY av.asset_id, finished ), current_scan_date AS ( SELECT av.asset_id, finished FROM assets_vulns av LEFT JOIN dim_scan ds ON ds.scan_id = av.current_scan GROUP BY av.asset_id, finished ), new_vulns AS ( SELECT av.asset_id, av.vulnerability_id, COUNT (av.vulnerability_id) AS new_vulns FROM assets_vulns AS av WHERE av.baseline = 'New' GROUP BY av.asset_id, av.vulnerability_id ), vulns_in_both AS ( SELECT av.asset_id, av.vulnerability_id, COUNT (av.vulnerability_id) AS vulns_in_both FROM assets_vulns AS av WHERE av.baseline = 'Old' OR av.baseline = 'Same' GROUP BY av.asset_id, av.vulnerability_id ), remediated_vulns AS ( SELECT av.asset_id, av.vulnerability_id, COUNT (av.vulnerability_id) AS remediated_vulns FROM assets_vulns AS av WHERE av.baseline = 'Old' GROUP BY av.asset_id, av.vulnerability_id ), vuln_exploit_count AS ( SELECT CASE WHEN ec1.vulnerability_id IS NOT NULL THEN ec1.vulnerability_id ELSE ec2.vulnerability_id END as vulnerability_id, metasploit, exploitdb FROM ( SELECT av.vulnerability_id, COUNT(dve.source) AS metasploit FROM assets_vulns av JOIN dim_vulnerability_exploit dve ON av.vulnerability_id = dve.vulnerability_id WHERE dve.source = 'Metasploit' GROUP BY av.vulnerability_id ) ec1 FULL JOIN ( SELECT av.vulnerability_id, COUNT(dve.source) AS exploitdb FROM assets_vulns av JOIN dim_vulnerability_exploit dve ON av.vulnerability_id = dve.vulnerability_id WHERE dve.source = 'Exploit DB' GROUP BY av.vulnerability_id ) ec2 ON ec2.vulnerability_id = ec1.vulnerability_id ) SELECT 'Remediated' AS status, da1.ip_address AS ip_address, da1.host_name AS hostname, da1.sites AS sites, bsd.finished AS baseline_scan_datetime, csd.finished AS current_scan_datetime, dv1.vulnerability_id, dv1.title, CAST(dv1.cvss_score AS decimal(10,2))AS cvss_score, CAST(dv1.riskscore AS decimal(10,0)) AS riskscore, dv1.malware_kits, CASE WHEN vec.metasploit IS NULL THEN 0 ELSE vec.metasploit END as metasploit, CASE WHEN vec.exploitdb IS NULL THEN 0 ELSE vec.exploitdb END as exploitdb FROM remediated_vulns rv JOIN dim_asset da1 ON da1.asset_id = rv.asset_id LEFT JOIN baseline_scan_date bsd ON bsd.asset_id = da1.asset_id LEFT JOIN current_scan_date csd ON csd.asset_id = da1.asset_id JOIN dim_vulnerability dv1 ON dv1.vulnerability_id = rv.vulnerability_id LEFT JOIN vuln_exploit_count vec ON vec.vulnerability_id = rv.vulnerability_id UNION ALL SELECT 'New' as status, da2.ip_address AS ip_address, da2.host_name AS hostname, da2.sites AS sites, bsd.finished AS baseline_scan_datetime, csd.finished AS current_scan_datetime, dv2.vulnerability_id, dv2.title, CAST(dv2.cvss_score AS decimal(10,2)) AS cvss_score, CAST(dv2.riskscore AS decimal(10,0)) as riskscore, dv2.malware_kits, CASE WHEN vec.metasploit IS NULL THEN 0 ELSE vec.metasploit END as metasploit, CASE WHEN vec.exploitdb IS NULL THEN 0 ELSE vec.exploitdb END as exploitdb FROM new_vulns nv JOIN dim_asset AS da2 ON da2.asset_id = nv.asset_id JOIN dim_asset_operating_system AS daos ON da2.asset_id = daos.asset_id LEFT JOIN baseline_scan_date bsd ON bsd.asset_id = da2.asset_id LEFT JOIN current_scan_date csd ON csd.asset_id = da2.asset_id JOIN dim_vulnerability dv2 ON dv2.vulnerability_id = nv.vulnerability_id LEFT JOIN vuln_exploit_count vec ON vec.vulnerability_id = nv.vulnerability_id WHERE daos.certainty = 1 UNION ALL SELECT 'Present In Both' as status, da2.ip_address AS ip_address, da2.host_name AS hostname, da2.sites AS sites, bsd.finished AS baseline_scan_datetime, csd.finished AS current_scan_datetime, dv2.vulnerability_id, dv2.title, CAST(dv2.cvss_score AS decimal(10,2)) AS cvss_score, CAST(dv2.riskscore AS decimal(10,0)) as riskscore, dv2.malware_kits, CASE WHEN vec.metasploit IS NULL THEN 0 ELSE vec.metasploit END as metasploit, CASE WHEN vec.exploitdb IS NULL THEN 0 ELSE vec.exploitdb END as exploitdb FROM vulns_in_both nv JOIN dim_asset AS da2 ON da2.asset_id = nv.asset_id JOIN dim_asset_operating_system AS daos ON da2.asset_id = daos.asset_id LEFT JOIN baseline_scan_date bsd ON bsd.asset_id = da2.asset_id LEFT JOIN current_scan_date csd ON csd.asset_id = da2.asset_id JOIN dim_vulnerability dv2 ON dv2.vulnerability_id = nv.vulnerability_id LEFT JOIN vuln_exploit_count vec ON vec.vulnerability_id = nv.vulnerability_id WHERE daos.certainty = 1 ORDER BY status DESC, ip_address, hostname, title

Posted by Leslie Castex about a year ago