Will the latest CVE be found?
Question
I've heard about the latest vulnerability in the news, how do I know if it will be found by Hexiosec ASM?
Answer
This depends on whether the CVE has been fully analysed (which largely depends on how old it is) and on whether Hexiosec ASM finds and identifies the component or library that is vulnerable to the CVE.
Hexiosec ASM gets its CVE information from NIST's NVD (National Vulnerability Database), and this information is updated in Hexiosec ASM on a daily basis.
CVEs are associated with the versions of components that are vulnerable to the exploits described by the CVE. Vulnerable components are identified using CPEs (Common Platform Enumerations), i.e. CVEs are linked to components via CPEs. If Hexiosec ASM finds a version of a component or library, e.g. Lodash 3.9.3, and this version is known to be vulnerable to a CVE, Hexiosec ASM raises this as a risk in the scan results.
For example:
- The CVE, CVE-2018-16487, impacts various versions of Lodash (a library used for web development)
- CVE-2018-16487 is linked to impacted versions of Lodash via CPEs, e.g. version 3.9.3 is identified by cpe:2.3:a:lodash:lodash:3.9.3:*:*:*:*:node.js:*:*
- If Lodash v3.9.3 is found in a scan, a risk will be raised against CVE-2018-16487
For CPEs to be listed against a CVE, NVD must first complete an analysis phase for that CVE.
When a new CVE is published, it is analysed by NVD staff before it enters an analysed state; this can take 1-2 days. CVEs and CPEs can also be updated after the initial analysis as more information becomes available. Details of the process are described at https://nvd.nist.gov/vuln/vulnerability-status.
Only once the analysis is complete are the CPEs available, so a CVE that is still awaiting analysis cannot yet be matched to any component.
If a vulnerable component can be found and versioned by attack surface scanning (i.e. it is publicly exposed), then Hexiosec ASM will mark this as a risk in the scan results.
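The matching described above, as an added illustration rather than Hexiosec ASM's own code: a detected component version is compared against the CPE 2.3 strings attached to each CVE record, and a CVE that NVD has not yet analysed (no CPEs) cannot produce a match. The CVE records are constructed inline; CVE-XXXX-PLACEHOLDER is an assumed stand-in for a newly published, unanalysed CVE.

```python
# Added example (not Hexiosec ASM's code): matching a detected component version
# against CVE records via their CPE 2.3 strings. CVE data is constructed inline;
# a real pipeline would take it from the NVD feeds.
from dataclasses import dataclass, field

@dataclass
class Cve:
    cve_id: str
    status: str                                 # NVD vulnerability status
    cpes: list = field(default_factory=list)    # CPE 2.3 strings; empty until analysed

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its named fields (unescaped ':' only)."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    keys = ["part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(keys, parts[2:]))

def cpe_matches(cpe: str, vendor: str, product: str, version: str) -> bool:
    """True when the CPE names this application vendor/product/version ('*' = any)."""
    c = parse_cpe23(cpe)
    return (c["part"] == "a"
            and c["vendor"] == vendor.lower()
            and c["product"] == product.lower()
            and c["version"] in ("*", version))

def risks_for(vendor: str, product: str, version: str, cves: list) -> tuple:
    """Return (CVE ids to raise as risks, CVE ids that cannot be matched yet)."""
    matched, pending = [], []
    for cve in cves:
        if not cve.cpes:
            pending.append(cve.cve_id)   # published but not analysed: nothing to match on
        elif any(cpe_matches(cpe, vendor, product, version) for cpe in cve.cpes):
            matched.append(cve.cve_id)
    return matched, pending

# Constructed sample records: the CPE for CVE-2018-16487 is the one quoted above;
# CVE-XXXX-PLACEHOLDER is an assumed stand-in for a CVE NVD has not analysed yet.
SAMPLE_CVES = [
    Cve("CVE-2018-16487", "Analyzed",
        ["cpe:2.3:a:lodash:lodash:3.9.3:*:*:*:*:node.js:*:*"]),
    Cve("CVE-XXXX-PLACEHOLDER", "Awaiting Analysis", []),
]

if __name__ == "__main__":
    print(risks_for("Lodash", "lodash", "3.9.3", SAMPLE_CVES))
```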