diff --git a/packages/rapid7_insightvm/_dev/build/docs/README.md b/packages/rapid7_insightvm/_dev/build/docs/README.md index e6bc33a7dfb..35105b55045 100644 --- a/packages/rapid7_insightvm/_dev/build/docs/README.md +++ b/packages/rapid7_insightvm/_dev/build/docs/README.md 
@@ -10,13 +10,23 @@ Use the Rapid7 InsightVM integration to collect and parse data from the REST API The Rapid7 InsightVM integration collects two type of events: Asset and Vulnerability. -**Asset** is used to get details related to inventory, assessment, and summary details of assets that the user has access to. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationAssets). +**Asset (Deprecated)** is used to get details related to inventory, assessment, and summary details of assets that the user has access to. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationAssets). It is deprecated in version `2.0.0`. Instead, use the `Asset Vulnerability` data stream for enriched vulnerability documents and improved mappings. + +**Asset Vulnerability** is used to gather and aggregate data on assets and vulnerabilities to support Native CDR Workflows. **Vulnerability** is used to retrieve all vulnerabilities that can be assessed. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationVulnerabilities). ## Requirements -Elasticsearch is needed to store and search data, and Kibana is needed for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your hardware. +### Agent-based installation + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). + +### Agentless-enabled integration + +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. 
For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. This module uses **InsightVM Cloud Integrations API v4**. 
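Review bot: The retained context line "The Rapid7 InsightVM integration collects two type of events: Asset and Vulnerability." is out of date and ungrammatical once this hunk adds the `Asset Vulnerability` data stream and marks `Asset` deprecated; change it to "collects three types of events: Asset (deprecated), Asset Vulnerability, and Vulnerability" so the list matches the three paragraphs that follow. The new `Asset Vulnerability` paragraph is also the only one without an API documentation link, and "Native CDR Workflows" is not defined anywhere on the page; add the endpoint link the other two paragraphs have and expand the acronym on first use.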
@@ -26,6 +36,27 @@ This module uses **InsightVM Cloud Integrations API v4**. 1. Generate the platform API key to access all Rapid7 InsightVM APIs. For more details, see [Documentation](https://docs.rapid7.com/insight/managing-platform-api-keys). +## Troubleshooting + +### Breaking Changes + +#### Support for Elastic Vulnerability Findings page. + +Version `2.0.0` of the Rapid7 InsightVM integration adds support for [Elastic Cloud Security workflow](https://www.elastic.co/docs/solutions/security/cloud/ingest-third-party-cloud-security-data#_ingest_third_party_security_posture_and_vulnerability_data). The enhancement enables the users of Rapid7 InsightVM integration to ingest their enriched asset vulnerabilities from Rapid7 InsightVM platform into Elastic and get insights directly from Elastic [Vulnerability Findings page](https://www.elastic.co/docs/solutions/security/cloud/findings-page-3). +This update adds [Elastic Latest Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview) which copies the latest vulnerability findings from source indices matching the pattern `logs-rapid7_insightvm.asset_vulnerability-*` into new destination indices matching the pattern `security_solution-rapid7_insightvm.vulnerability_latest-*`. The Elastic Vulnerability Findings page will display vulnerabilities based on the destination indices. + +For existing users of Rapid7 InsightVM integration, before upgrading to `2.0.0` please ensure following requirements are met: + +1. Users need [Elastic Security solution](https://www.elastic.co/docs/solutions/security) which has requirements documented [here](https://www.elastic.co/docs/solutions/security/get-started/elastic-security-requirements). +2. 
To use transforms, users must have: + - at least one [transform node](https://www.elastic.co/docs/deploy-manage/distributed-architecture/clusters-nodes-shards/node-roles#transform-node-role), + - management features visible in the Kibana space, and + - security privileges that: + - grant use of transforms, and + - grant access to source and destination indices + For more details on Transform Setup, refer to the link [here](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) +3. Because the latest copy of vulnerabilities is now indexed in two places, i.e., in both source and destination indices, users must anticipate storage requirements accordingly. + ## Logs Reference ### asset @@ -38,6 +69,16 @@ This is the `asset` dataset. {{fields "asset"}} +### asset_vulnerability + +This is the `asset_vulnerability` dataset. + +#### Example + +{{event "asset_vulnerability"}} + +{{fields "asset_vulnerability"}} + ### vulnerability This is the `vulnerability` dataset. diff --git a/packages/rapid7_insightvm/_dev/deploy/docker/files/config.yml b/packages/rapid7_insightvm/_dev/deploy/docker/files/config.yml index 60fa6234768..c0afda0e742 100644 --- a/packages/rapid7_insightvm/_dev/deploy/docker/files/config.yml +++ b/packages/rapid7_insightvm/_dev/deploy/docker/files/config.yml 
@@ -1,4 +1,916 @@ rules: + - path: /vm/v4/integration/assets + methods: ['POST'] + query_params: + size: 2 + includeUniqueIdentifiers: true + includeSame: true + comparisonTime: null + cursor: null + request_headers: + X-Api-Key: + - api_key + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "credential_assessments": [], + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00:00:5E:00:53:01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os_architecture": "x86_64", + "os_description": "Ubuntu Linux 22.04", + "os_family": "Linux", + "os_name": "Linux", + "os_system_name": "Ubuntu Linux", + "os_type": "", + "os_vendor": "Ubuntu", + "os_version": "22.04", + "risk_score": 5656, + "severe_vulnerabilities": 6, + "tags": [ + { + "name": "rapid7 insight agents", + "type": "SITE" + } + ], + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "same": [ + { + "check_id": null, + "first_found": "2025-05-14T13:52:10Z", + "key": "/root/infaagent/jdk/lib/jrt-fs.jar", + "last_found": "2025-05-27T19:54:43.777Z", + "nic": null, + "port": null, + "proof": "

Vulnerable OS: Ubuntu Linux 22.04

Vulnerable software installed: Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)

", + "protocol": null, + "reintroduced": null, + "solution_fix": "

\n Download and upgrade to the latest version of Azul Zulu from here.

", + "solution_id": "azul-zulu-upgrade-latest", + "solution_summary": "Upgrade Azul Zulu to the latest version", + "solution_type": "workaround", + "status": "VULNERABLE_VERS", + "vulnerability_id": "azul-zulu-cve-2025-21502" + }, + { + "check_id": null, + "first_found": "2025-05-13T13:25:40Z", + "key": "", + "last_found": "2025-05-27T19:54:43.777Z", + "nic": null, + "port": null, + "proof": "

Grub config with no password found.

", + "protocol": null, + "reintroduced": null, + "solution_fix": "

Set a password in the GRUB configuration file. This\n is often located in one of several locations, but can really be\n anywhere:

\n          /etc/grub.conf\n          /boot/grub/grub.conf\n          /boot/grub/grub.cfg\n          /boot/grub/menu.lst\n        

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file\n and add the following line before the first uncommented line:

   password <password>

To set an encrypted password, run grub-md5-crypt and use its\n output when adding the following line before the first\n uncommented line:

   password --md5 <encryptedpassword>

For either approach, choose an appropriately strong password.

", + "solution_id": "linux-grub-missing-passwd", + "solution_summary": " Enable GRUB password ", + "solution_type": "workaround", + "status": "VULNERABLE_EXPL", + "vulnerability_id": "linux-grub-missing-passwd" + }, + { + "check_id": null, + "first_found": "2025-05-13T13:25:40Z", + "key": "", + "last_found": "2025-05-27T19:54:43.777Z", + "nic": null, + "port": null, + "proof": "

Grub config with no password found.

", + "protocol": null, + "reintroduced": null, + "solution_fix": "

Set a password in the GRUB configuration file. This\n is often located in one of several locations, but can really be\n anywhere:

\n          /etc/grub.conf\n          /boot/grub/grub.conf\n          /boot/grub/grub.cfg\n          /boot/grub/menu.lst\n        

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file\n and add the following line before the first uncommented line:

   password <password>

To set an encrypted password, run grub-md5-crypt and use its\n output when adding the following line before the first\n uncommented line:

   password --md5 <encryptedpassword>

For either approach, choose an appropriately strong password.

", + "solution_id": "linux-grub-missing-passwd", + "solution_summary": " Enable GRUB password ", + "solution_type": "workaround", + "status": "VULNERABLE_EXPL", + "vulnerability_id": "id-not-enriched" + } + ] + }, + { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "credential_assessments": [ + { + "port": 135, + "protocol": "TCP", + "status": "NO_CREDS_SUPPLIED" + }, + { + "port": 445, + "protocol": "TCP", + "status": "NO_CREDS_SUPPLIED" + } + ], + "critical_vulnerabilities": 119, + "exploits": 4, + "host_name": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": "10.50.13.52", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00:00:5E:00:53:00", + "malware_kits": 0, + "moderate_vulnerabilities": 8, + "os_architecture": "x86_64", + "os_description": "Microsoft Windows 11 22H2", + "os_family": "Windows", + "os_name": "Windows 11", + "os_system_name": "Microsoft Windows", + "os_type": "Workstation", + "os_vendor": "Microsoft", + "os_version": "22H2", + "risk_score": 181622, + "severe_vulnerabilities": 241, + "tags": [ + { + "name": "USA", + "type": "LOCATION" + }, + { + "name": "test", + "type": "SITE" + }, + { + "name": "rapid7 insight agents", + "type": "SITE" + } + ], + "total_vulnerabilities": 368, + "type": "guest", + "unique_identifiers": [ + { + "id": "F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050", + "source": "CSPRODUCT" + }, + { + "id": "c5cf46abcdef0123456789291c7d554a", + "source": "R7 Agent" + } + ], + "same": [ + { + "check_id": null, + "first_found": "2025-04-30T06:21:05Z", + "key": "", + "last_found": "2025-05-27T19:54:43.777Z", + "nic": null, + "port": 3389, + "proof": "

The subject common name found in the X.509 certificate does not seem to match the scan target:

", + "protocol": "TCP", + "reintroduced": "2025-05-27T13:34:19Z", + "solution_fix": "

\n The subject's common name (CN) field in the X.509 certificate should be fixed\nto reflect the name of the entity presenting the certificate (e.g., the\nhostname). This is done by generating a new certificate usually signed by a\nCertification Authority (CA) trusted by both the client and server.\n

", + "solution_id": "certificate-common-name-mismatch", + "solution_summary": "Fix the subject's Common Name (CN) field in the certificate", + "solution_type": "workaround", + "status": "VULNERABLE_EXPL", + "vulnerability_id": "certificate-common-name-mismatch" + }, + { + "check_id": "microsoft-windows-cve-2025-21204-windows_11-22h2-kb5055528", + "first_found": "2025-05-13T07:25:34Z", + "key": "", + "last_found": "2025-05-27T19:54:43.777Z", + "nic": null, + "port": null, + "proof": "

Vulnerable OS: Microsoft Windows 11 22H2

", + "protocol": null, + "reintroduced": null, + "solution_fix": "

Download and apply the patch from: https://support.microsoft.com/help/5058405

", + "solution_id": "microsoft-windows-windows_11-22h2-kb5058405", + "solution_summary": "2025-05 Cumulative Update for Microsoft Windows 11, version 22H2 (KB5058405)", + "solution_type": "patch", + "status": "VULNERABLE_EXPL", + "vulnerability_id": "microsoft-windows-cve-2025-21204" + }, + { + "check_id": "WINDOWS-HOTFIX-MS13-098-x64", + "first_found": "2025-05-13T07:25:34Z", + "key": "", + "last_found": "2025-05-27T19:54:43.777Z", + "nic": null, + "port": null, + "proof": "

Vulnerable OS: Microsoft Windows 11 22H2

", + "protocol": null, + "reintroduced": null, + "solution_fix": "

Download and apply the patch from: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

", + "solution_id": "windows-hotfix-ms13-098", + "solution_summary": "Enable Certificate Padding Check for Windows Systems", + "solution_type": "patch", + "status": "VULNERABLE_EXPL", + "vulnerability_id": "windows-hotfix-ms13-098" + } + ] + } + ], + "metadata": { + "number": 0, + "size": 2, + "totalResources": 3, + "totalPages": 2, + "cursor": "1542252837:::_S:::81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1" + }, + "links": [ + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=0&size=2&sort=id,asc", + "rel": "first" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=0&size=2&sort=id,asc", + "rel": "self" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=1&size=2&sort=id,asc&cursor=1542252837:::_S:::81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "rel": "next" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=8&size=2&sort=id,asc", + "rel": "last" + } + ] + } + `}} + - path: /vm/v4/integration/assets + methods: ['POST'] + query_params: + size: 2 + includeUniqueIdentifiers: true + includeSame: true + comparisonTime: null + cursor: 1542252837:::_S:::81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1 + request_headers: + X-Api-Key: + - api_key + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "credential_assessments": [ + { + "port": 22, + "protocol": "TCP", + "status": "NO_CREDS_SUPPLIED" + } + ], + "critical_vulnerabilities": 3, + "exploits": 0, + "host_name": "computer-test", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "ip": "10.50.5.112", + 
"last_assessed_for_vulnerabilities": "2025-05-27T18:21:36.279Z", + "last_scan_end": "2025-05-27T18:21:36.279Z", + "last_scan_start": "2025-05-27T18:20:41.505Z", + "mac": "00:00:5E:00:53:02", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os_architecture": "x86_64", + "os_description": "Red Hat Enterprise Linux 7.9", + "os_family": "Linux", + "os_name": "Enterprise Linux", + "os_system_name": "Red Hat Linux", + "os_type": "", + "os_vendor": "Red Hat", + "os_version": "7.9", + "risk_score": 18250, + "severe_vulnerabilities": 48, + "tags": [ + { + "name": "Ahmedabad", + "type": "LOCATION" + }, + { + "name": "test", + "type": "SITE" + }, + { + "name": "rapid7 insight agents", + "type": "SITE" + } + ], + "total_vulnerabilities": 52, + "type": "guest", + "unique_identifiers": [ + { + "id": "CEF12345-ABCD-1234-ABCD-95ABCDEF1234", + "source": "dmidecode" + }, + { + "id": "e80644e940123456789abcdef66a8b16", + "source": "R7 Agent" + } + ], + "same": [ + { + "check_id": null, + "first_found": "2025-05-12T16:25:35Z", + "key": "", + "last_found": "2025-05-27T18:21:36.279Z", + "nic": null, + "port": null, + "proof": "

Following entries in /etc/securetty \n may allow anonymous root logins:

", + "protocol": null, + "reintroduced": null, + "solution_fix": "

Remove all the entries in /etc/securetty except console,\n tty[0-9]* and vc\\[0-9]*

Note: ssh does not use /etc/securetty. To disable root login\n through ssh, use the "PermitRootLogin" setting in /etc/ssh/sshd_config\n and restart the ssh daemon.

", + "solution_id": "unix-anonymous-root-logins", + "solution_summary": "Edit '/etc/securetty' entries", + "solution_type": "workaround", + "status": "VULNERABLE_EXPL", + "vulnerability_id": "unix-anonymous-root-logins" + }, + { + "check_id": null, + "first_found": "2025-05-14T13:52:10Z", + "key": "", + "last_found": "2025-05-27T18:21:36.279Z", + "nic": null, + "port": null, + "proof": "

The following world writable files were found.

", + "protocol": null, + "reintroduced": null, + "solution_fix": "

For each world-writable file, determine whether there is a good reason for\n it to be world writable. If not, remove world write permissions for the file.\n The output here is limited to 50 files. In order to find all of these files without needing to\n run another Nexpose scan run the following command:

 find / -type f -perm -02

Please note; it may be necessary exclude particular paths or file share types, run 'man find' for information.

", + "solution_id": "unix-world-writable-files", + "solution_summary": "Remove world write permissions", + "solution_type": "workaround", + "status": "VULNERABLE_EXPL", + "vulnerability_id": "unix-world-writable-files" + } + ] + } + ], + "metadata": { + "number": 0, + "size": 2, + "totalResources": 3, + "totalPages": 2, + "cursor": "1542252837:::_S:::8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6" + }, + "links": [ + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=0&size=2&sort=id,asc", + "rel": "first" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=0&size=2&sort=id,asc&cursor=1542252837:::_S:::81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "rel": "self" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=1&size=2&sort=id,asc&cursor=1542252837:::_S:::8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "rel": "next" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=8&size=2&sort=id,asc", + "rel": "last" + } + ] + } + `}} + - path: /vm/v4/integration/assets + methods: ['POST'] + query_params: + size: 2 + includeUniqueIdentifiers: true + includeSame: true + comparisonTime: null + cursor: 1542252837:::_S:::8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6 + request_headers: + X-Api-Key: + - api_key + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [], + "metadata": { + "number": 0, + "size": 2, + "totalResources": 0, + "totalPages": 0, + "cursor": null + }, + "links": [ + { + "href": 
"https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=0&size=2&sort=id,asc&cursor=1542252837:::_S:::8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "rel": "self" + } + ] + } + `}} + - path: /vm/v4/integration/vulnerabilities + methods: ['POST'] + query_params: + size: 500 + cursor: null + request_headers: + X-Api-Key: + - api_key + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "added": "2025-02-05T00:00:00Z", + "categories": "Azul Systems,Azul Zulu,Java,Web", + "cves": "CVE-2025-21502", + "cvss_v2_access_complexity": "high", + "cvss_v2_access_vector": "network", + "cvss_v2_authentication": "none", + "cvss_v2_availability_impact": "none", + "cvss_v2_confidentiality_impact": "partial", + "cvss_v2_exploit_score": 4.927999973297119, + "cvss_v2_impact_score": 4.938243839970231, + "cvss_v2_integrity_impact": "partial", + "cvss_v2_score": 4, + "cvss_v2_vector": "(AV:N/AC:H/Au:N/C:P/I:P/A:N)", + "cvss_v3_attack_complexity": "high", + "cvss_v3_attack_vector": "network", + "cvss_v3_availability_impact": "none", + "cvss_v3_confidentiality_impact": "low", + "cvss_v3_exploit_score": 2.2211673, + "cvss_v3_impact_score": 2.5140719999999996, + "cvss_v3_integrity_impact": "low", + "cvss_v3_privileges_required": "none", + "cvss_v3_scope": "unchanged", + "cvss_v3_score": 4.8, + "cvss_v3_user_interaction": "none", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "denial_of_service": false, + "description": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. 
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).", + "exploits": [], + "id": "azul-zulu-cve-2025-21502", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2025-21502", + "id": "CVE-2025-21502", + "source": "cve" + }, + { + "href": "https://www.azul.com/downloads/", + "id": "https://www.azul.com/downloads/", + "source": "url" + } + ], + "malware_kits": [], + "modified": "2025-02-18T00:00:00Z", + "pci_cvss_score": 4, + "pci_fail": true, + "pci_severity_score": 3, + "pci_special_notes": "", + "pci_status": "fail", + "published": "2025-01-21T00:00:00Z", + "references": "cve:CVE-2025-21502,url:https://www.azul.com/downloads/", + "risk_score": 321, + "severity": "low", + "severity_score": 4, + "title": "Azul Zulu: CVE-2025-21502: Vulnerability in the Azul Zulu OpenJDK component" + }, + { + "added": "2004-11-30T00:00:00Z", + "categories": "CVSS Score Predicted with Rapid7 AI,UNIX", + "cves": "", + "cvss_v2_access_complexity": "low", + "cvss_v2_access_vector": "local", + "cvss_v2_authentication": "none", + "cvss_v2_availability_impact": "partial", + "cvss_v2_confidentiality_impact": "partial", + "cvss_v2_exploit_score": 3.948735978603363, + "cvss_v2_impact_score": 6.442976653521584, + "cvss_v2_integrity_impact": "partial", + "cvss_v2_score": 4.6, + "cvss_v2_vector": "(AV:L/AC:L/Au:N/C:P/I:P/A:P)", + "cvss_v3_attack_complexity": "low", + "cvss_v3_attack_vector": "local", + "cvss_v3_availability_impact": "none", + "cvss_v3_confidentiality_impact": "high", + "cvss_v3_exploit_score": 2.515145325, + "cvss_v3_impact_score": 5.177088, + "cvss_v3_integrity_impact": "high", + "cvss_v3_privileges_required": "none", + "cvss_v3_scope": "unchanged", + "cvss_v3_score": 7.7, + "cvss_v3_user_interaction": "none", + "cvss_v3_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "denial_of_service": false, + "description": "GRUB bootloader is not password protected. 
An attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command. It can also be exploited to boot into single user mode as root or boot into an insecure operating system.", + "exploits": [], + "id": "linux-grub-missing-passwd", + "links": [], + "malware_kits": [], + "modified": "2025-02-18T00:00:00Z", + "pci_cvss_score": 4.6, + "pci_fail": true, + "pci_severity_score": 3, + "pci_special_notes": "", + "pci_status": "fail", + "published": "1999-01-01T00:00:00Z", + "references": "", + "risk_score": 515, + "severity": "critical", + "severity_score": 5, + "title": "No password for Grub" + }, + { + "added": "2007-08-03T00:00:00Z", + "categories": "CVSS Score Predicted with Rapid7 AI,HTTP,Web", + "cves": "", + "cvss_v2_access_complexity": "high", + "cvss_v2_access_vector": "network", + "cvss_v2_authentication": "none", + "cvss_v2_availability_impact": "none", + "cvss_v2_confidentiality_impact": "complete", + "cvss_v2_exploit_score": 4.927999973297119, + "cvss_v2_impact_score": 7.843935219030975, + "cvss_v2_integrity_impact": "partial", + "cvss_v2_score": 6.1, + "cvss_v2_vector": "(AV:N/AC:H/Au:N/C:C/I:P/A:N)", + "cvss_v3_attack_complexity": "high", + "cvss_v3_attack_vector": "network", + "cvss_v3_availability_impact": "none", + "cvss_v3_confidentiality_impact": "high", + "cvss_v3_exploit_score": 2.2211673, + "cvss_v3_impact_score": 5.177088, + "cvss_v3_integrity_impact": "high", + "cvss_v3_privileges_required": "none", + "cvss_v3_scope": "unchanged", + "cvss_v3_score": 7.4, + "cvss_v3_user_interaction": "none", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "denial_of_service": false, + "description": "The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.\n\nBefore issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification 
Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by \"https://www.example.com/\", the CN should be \"www.example.com\". \n\nIn order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then launch a man-in-the-middle attack and gain full control of the data stream. Of particular importance is the validity of the subject's CN, that should match the name of the entity (hostname).\n\nA CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.", + "exploits": [], + "id": "certificate-common-name-mismatch", + "links": [], + "malware_kits": [], + "modified": "2025-02-18T00:00:00Z", + "pci_cvss_score": 6.1, + "pci_fail": true, + "pci_severity_score": 4, + "pci_special_notes": "", + "pci_status": "fail", + "published": "2007-08-03T00:00:00Z", + "references": "", + "risk_score": 495, + "severity": "none", + "severity_score": 6, + "title": "X.509 Certificate Subject CN Does Not Match the Entity Name" + }, + { + "added": "2025-04-08T00:00:00Z", + "categories": "Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation", + "cves": "CVE-2025-21204", + "cvss_v2_access_complexity": "low", + "cvss_v2_access_vector": "local", + "cvss_v2_authentication": "single", + "cvss_v2_availability_impact": "complete", + "cvss_v2_confidentiality_impact": "complete", + "cvss_v2_exploit_score": 3.141040013372898, + "cvss_v2_impact_score": 10.000845454680942, + "cvss_v2_integrity_impact": "complete", + "cvss_v2_score": 6.8, + "cvss_v2_vector": "(AV:L/AC:L/Au:S/C:C/I:C/A:C)", + "cvss_v3_attack_complexity": "low", + "cvss_v3_attack_vector": "local", + "cvss_v3_availability_impact": "high", + "cvss_v3_confidentiality_impact": "high", + "cvss_v3_exploit_score": 
1.8345765900000002, + "cvss_v3_impact_score": 5.873118720000001, + "cvss_v3_integrity_impact": "high", + "cvss_v3_privileges_required": "low", + "cvss_v3_scope": "unchanged", + "cvss_v3_score": 7.8, + "cvss_v3_user_interaction": "none", + "cvss_v3_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "denial_of_service": false, + "description": "Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability", + "exploits": [], + "id": "microsoft-windows-cve-2025-21204", + "links": [ + { + "href": "https://support.microsoft.com/help/5055557", + "id": "https://support.microsoft.com/help/5055557", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055547", + "id": "https://support.microsoft.com/help/5055547", + "source": "url" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2025-21204", + "id": "CVE-2025-21204", + "source": "cve" + }, + { + "href": "https://support.microsoft.com/help/5055526", + "id": "https://support.microsoft.com/help/5055526", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055527", + "id": "https://support.microsoft.com/help/5055527", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055521", + "id": "https://support.microsoft.com/help/5055521", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055523", + "id": "https://support.microsoft.com/help/5055523", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055528", + "id": "https://support.microsoft.com/help/5055528", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055518", + "id": "https://support.microsoft.com/help/5055518", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055519", + "id": "https://support.microsoft.com/help/5055519", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055581", + "id": "https://support.microsoft.com/help/5055581", + 
"source": "url" + } + ], + "malware_kits": [], + "modified": "2025-04-14T00:00:00Z", + "pci_cvss_score": 6.8, + "pci_fail": true, + "pci_severity_score": 4, + "pci_special_notes": "", + "pci_status": "fail", + "published": "2025-04-08T00:00:00Z", + "references": "cve:CVE-2025-21204,url:https://support.microsoft.com/help/5055518,url:https://support.microsoft.com/help/5055519,url:https://support.microsoft.com/help/5055521,url:https://support.microsoft.com/help/5055523,url:https://support.microsoft.com/help/5055526,url:https://support.microsoft.com/help/5055527,url:https://support.microsoft.com/help/5055528,url:https://support.microsoft.com/help/5055547,url:https://support.microsoft.com/help/5055557,url:https://support.microsoft.com/help/5055581", + "risk_score": 522, + "severity": "informational", + "severity_score": 7, + "title": "Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability" + }, + { + "added": "2013-12-10T00:00:00Z", + "categories": "CISA KEV,Exploited in the Wild,Microsoft,Microsoft Patch,Microsoft Windows,Remote Execution", + "cves": "CVE-2013-3900", + "cvss_v2_access_complexity": "medium", + "cvss_v2_access_vector": "local", + "cvss_v2_authentication": "none", + "cvss_v2_availability_impact": "none", + "cvss_v2_confidentiality_impact": "none", + "cvss_v2_exploit_score": 3.392575981616974, + "cvss_v2_impact_score": 6.870600273013115, + "cvss_v2_integrity_impact": "complete", + "cvss_v2_score": 4.7, + "cvss_v2_vector": "(AV:L/AC:M/Au:N/C:N/I:C/A:N)", + "cvss_v3_attack_complexity": "low", + "cvss_v3_attack_vector": "local", + "cvss_v3_availability_impact": "none", + "cvss_v3_confidentiality_impact": "none", + "cvss_v3_exploit_score": 1.8345765900000002, + "cvss_v3_impact_score": 3.5952, + "cvss_v3_integrity_impact": "high", + "cvss_v3_privileges_required": "none", + "cvss_v3_scope": "unchanged", + "cvss_v3_score": 5.5, + "cvss_v3_user_interaction": "required", + "cvss_v3_vector": 
"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", + "denial_of_service": false, + "description": "This vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. Note that this vulnerability was originally published by Microsoft as MS13-098, but has now been republished as CVE-2013-3900. Microsoft provides current information on the CVE-2013-3900 advisory.", + "exploits": [], + "id": "windows-hotfix-ms13-098", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2013-3900", + "id": "CVE-2013-3900", + "source": "cve" + }, + { + "href": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900", + "id": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900", + "source": "url" + } + ], + "malware_kits": [], + "modified": "2025-04-22T00:00:00Z", + "pci_cvss_score": 4.7, + "pci_fail": true, + "pci_severity_score": 3, + "pci_special_notes": "", + "pci_status": "fail", + "published": "2013-12-10T00:00:00Z", + "references": "cve:CVE-2013-3900,url:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900", + "risk_score": 450, + "severity": "severe", + "severity_score": 5, + "title": "CVE-2013-3900: MS13-098: Vulnerability in Windows Could Allow Remote Code Execution" + }, + { + "added": "2004-11-30T00:00:00Z", + "categories": "CVSS Score Predicted with Rapid7 AI,UNIX", + "cves": "", + "cvss_v2_access_complexity": "low", + "cvss_v2_access_vector": "network", + "cvss_v2_authentication": "single", + "cvss_v2_availability_impact": "partial", + "cvss_v2_confidentiality_impact": "partial", + "cvss_v2_exploit_score": 7.9520000338554375, + "cvss_v2_impact_score": 6.442976653521584, + "cvss_v2_integrity_impact": "partial", + "cvss_v2_score": 6.5, + "cvss_v2_vector": "(AV:N/AC:L/Au:S/C:P/I:P/A:P)", + "cvss_v3_attack_complexity": "low", + "cvss_v3_attack_vector": "local", + "cvss_v3_availability_impact": "high", + 
"cvss_v3_confidentiality_impact": "high", + "cvss_v3_exploit_score": 2.515145325, + "cvss_v3_impact_score": 5.873118720000001, + "cvss_v3_integrity_impact": "high", + "cvss_v3_privileges_required": "none", + "cvss_v3_scope": "unchanged", + "cvss_v3_score": 8.4, + "cvss_v3_user_interaction": "none", + "cvss_v3_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "denial_of_service": false, + "description": "Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. On other tty or vc's root user will not be allowed and user has to \"su\" to become root.", + "exploits": [], + "id": "unix-anonymous-root-logins", + "links": [], + "malware_kits": [], + "modified": "2025-02-18T00:00:00Z", + "pci_cvss_score": 6.5, + "pci_fail": true, + "pci_severity_score": 4, + "pci_special_notes": "", + "pci_status": "fail", + "published": "2004-11-30T00:00:00Z", + "references": "", + "risk_score": 562, + "severity": "severe", + "severity_score": 7, + "title": "Anonymous root login is allowed" + }, + { + "added": "2005-01-15T00:00:00Z", + "categories": "CVSS Score Predicted with Rapid7 AI,UNIX", + "cves": "", + "cvss_v2_access_complexity": "low", + "cvss_v2_access_vector": "local", + "cvss_v2_authentication": "none", + "cvss_v2_availability_impact": "none", + "cvss_v2_confidentiality_impact": "partial", + "cvss_v2_exploit_score": 3.948735978603363, + "cvss_v2_impact_score": 4.938243839970231, + "cvss_v2_integrity_impact": "partial", + "cvss_v2_score": 3.6, + "cvss_v2_vector": "(AV:L/AC:L/Au:N/C:P/I:P/A:N)", + "cvss_v3_attack_complexity": "low", + "cvss_v3_attack_vector": "local", + "cvss_v3_availability_impact": "none", + "cvss_v3_confidentiality_impact": "low", + "cvss_v3_exploit_score": 2.515145325, + "cvss_v3_impact_score": 1.4123999999999999, + "cvss_v3_integrity_impact": "none", + 
"cvss_v3_privileges_required": "none", + "cvss_v3_scope": "unchanged", + "cvss_v3_score": 4, + "cvss_v3_user_interaction": "none", + "cvss_v3_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "denial_of_service": false, + "description": "World writable files were found on the system. A file that can be written by any user on the system could be a serious security flaw.", + "exploits": [], + "id": "unix-world-writable-files", + "links": [], + "malware_kits": [], + "modified": "2025-02-18T00:00:00Z", + "pci_cvss_score": 3.6, + "pci_fail": false, + "pci_severity_score": 2, + "pci_special_notes": "", + "pci_status": "pass", + "published": "2005-01-15T00:00:00Z", + "references": "", + "risk_score": 268, + "severity": "severe", + "severity_score": 4, + "title": "World writable files exist" + } + ], + "metadata": { + "number": 0, + "size": 500, + "totalResources": 7, + "totalPages": 1, + "cursor": "-2034101655:::_L:::1748390400000:::_S:::unix-world-writable-files" + }, + "links": [ + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=0&size=500&sort=modified,asc", + "rel": "first" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=0&size=500&sort=modified,asc", + "rel": "self" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=1&size=500&sort=modified,asc&cursor=-2034101655:::_L:::1748390400000:::_S:::unix-world-writable-files", + "rel": "next" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=2&size=500&sort=modified,asc", + "rel": "last" + } + ] + } + `}} + - path: /vm/v4/integration/vulnerabilities + methods: ['POST'] + query_params: + size: 500 + cursor: -2034101655:::_L:::1748390400000:::_S:::unix-world-writable-files + request_headers: + X-Api-Key: + - api_key + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + 
"data": [], + "metadata": { + "number": 0, + "size": 500, + "totalResources": 0, + "totalPages": 0, + "cursor": null + }, + "links": [ + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=1&size=500&sort=modified,asc&cursor=-2034101655:::_L:::1748390400000:::_S:::unix-world-writable-files", + "rel": "self" + } + ] + } + `}} - path: /vm/v4/integration/assets methods: ["POST"] responses: diff --git a/packages/rapid7_insightvm/changelog.yml b/packages/rapid7_insightvm/changelog.yml index 3b184554348..06b9c2fae70 100644 --- a/packages/rapid7_insightvm/changelog.yml +++ b/packages/rapid7_insightvm/changelog.yml @@ -1,4 +1,15 @@ # newer versions go on top +- version: "2.0.0" + changes: + - description: | + Add `asset_vulnerability` datastream support for the Cloud Detection and Response (CDR) vulnerability workflow. + This will require a transform node, the necessary permissions to use the transform, and specified source and destination indices. + It also stores the latest copy of vulnerabilities in the destination indices, which will require additional storage. + type: breaking-change + link: https://github.com/elastic/integrations/pull/14079 + - description: Add temporary processor to remove the fields added by the Agentless policy. + type: bugfix + link: https://github.com/elastic/integrations/pull/14079 - version: "1.16.0" changes: - description: Update Kibana constraint to support 9.0.0. diff --git a/packages/rapid7_insightvm/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json b/packages/rapid7_insightvm/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json index 72495111434..d94cd892b88 100644 --- a/packages/rapid7_insightvm/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json +++ b/packages/rapid7_insightvm/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json @@ -177,4 +177,4 @@ }, null ] -} \ No newline at end of file +} 
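Review bot: the paginated mock for `/vm/v4/integration/vulnerabilities` is internally inconsistent, which weakens what the system test proves about pagination. The first response reports `"totalPages": 1` yet its `links` carry a `next` entry for `page=1&...&cursor=...` and a `last` entry for `page=2`, and the cursor-keyed follow-up answers with `"number": 0` and `"totalPages": 0` while its own `self` link says `page=1`. If the input stops on `metadata.cursor == null` this passes regardless, but if it ever keys off `links` with `"rel": "next"` or off `totalPages`, the fixture will drive the wrong stop condition. Suggest aligning the counts and links with what the real API returns for a two-page result (for example `"totalPages": 2` on the first page and no `next`/`last` on the final one) so the termination path is actually exercised.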
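Review bot: the 2.0.0 breaking-change entry documents the transform requirement but not the other user-visible change in this PR: the `asset` data stream is deprecated and its stream is now shipped with `enabled: false`, so new integration policies will not collect asset documents unless the user turns the stream back on. Add that to the description and name `asset_vulnerability` as the replacement, as the README already does. The second entry, "Add temporary processor to remove the fields added by the Agentless policy", should list the fields (`organization`, `division`, `team`) so the changelog is usable without reading the pipeline.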
diff --git a/packages/rapid7_insightvm/data_stream/asset/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7_insightvm/data_stream/asset/elasticsearch/ingest_pipeline/default.yml index 3facf5cda33..3f71fd9db75 100644 --- a/packages/rapid7_insightvm/data_stream/asset/elasticsearch/ingest_pipeline/default.yml +++ b/packages/rapid7_insightvm/data_stream/asset/elasticsearch/ingest_pipeline/default.yml @@ -13,11 +13,30 @@ processors: - set: field: event.type value: [info] + - remove: + field: + - organization + - division + - team + ignore_missing: true + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + tag: remove_agentless_tags + description: >- + Removes the fields added by Agentless as metadata, + as they can collide with ECS fields. - rename: field: message + tag: rename_message_to_event_original target_field: event.original ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null - json: field: event.original tag: 'json_decoding' diff --git a/packages/rapid7_insightvm/data_stream/asset/manifest.yml b/packages/rapid7_insightvm/data_stream/asset/manifest.yml index 1c2f1245029..446718503bc 100644 --- a/packages/rapid7_insightvm/data_stream/asset/manifest.yml +++ b/packages/rapid7_insightvm/data_stream/asset/manifest.yml 
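Review bot: the guard on the new `remove_agentless_tags` processor uses `&&`, so `organization`, `division` and `team` are only dropped when all three are present as strings; if the Agentless policy sets only one or two of them, nothing is removed and the ECS collision the description warns about still happens. Either switch the condition to `||` (the processor already has `ignore_missing: true`, so absent fields are harmless) or split it into three `remove` processors each guarded on its own field, e.g. `if: ctx.organization instanceof String`. Placing the processor before the `json` decode is the right call, since at that point the API payload is still an undecoded string in `message` and the only source of these top-level fields is agent metadata, but that reasoning belongs in the `description` so the "temporary" processor is not dropped by accident later.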
@@ -1,10 +1,11 @@ -title: Collect Asset logs from Rapid7 InsightVM +title: Collect Asset logs from Rapid7 InsightVM (Deprecated) type: logs streams: - input: httpjson - title: Asset logs + title: Asset logs (Deprecated) description: Collect Asset logs via API. template_path: httpjson.yml.hbs + enabled: false vars: - name: interval type: text diff --git a/packages/rapid7_insightvm/data_stream/asset/sample_event.json b/packages/rapid7_insightvm/data_stream/asset/sample_event.json index ae8e306a6f3..7ef0024c98a 100644 --- a/packages/rapid7_insightvm/data_stream/asset/sample_event.json +++ b/packages/rapid7_insightvm/data_stream/asset/sample_event.json 
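Review bot: the stream description still reads "Collect Asset logs via API." while both titles now carry "(Deprecated)"; the description is what users see in the policy editor, so it should state that the stream is deprecated as of 2.0.0 and name `asset_vulnerability` as the replacement. Combined with `enabled: false`, a deprecated stream that stays in the package is silently skipped by new policies, so without that wording users have no hint why no `rapid7_insightvm.asset` data arrives.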
@@ -1,33 +1,33 @@ { - "@timestamp": "2023-05-23T16:17:06.996Z", + "@timestamp": "2025-05-30T11:10:37.869Z", "agent": { - "ephemeral_id": "163d2260-4499-492b-bbd5-4d90487865b9", - "id": "c157ef08-38bb-40dd-bae1-c6bc8c8f02fa", - "name": "docker-fleet-agent", + "ephemeral_id": "6545769f-e426-4e1c-9549-44bd7f788ee4", + "id": "afb159d9-5bc3-429a-b8a7-3cda969112a5", + "name": "elastic-agent-88629", "type": "filebeat", - "version": "8.9.0" + "version": "8.18.0" }, "data_stream": { "dataset": "rapid7_insightvm.asset", - "namespace": "ep", + "namespace": "81787", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "c157ef08-38bb-40dd-bae1-c6bc8c8f02fa", - "snapshot": true, - "version": "8.9.0" + "id": "afb159d9-5bc3-429a-b8a7-3cda969112a5", + "snapshot": false, + "version": "8.18.0" }, "event": { "agent_id_status": "verified", "category": [ "host" ], - "created": "2023-05-23T16:17:06.996Z", + "created": "2025-05-30T11:10:37.869Z", "dataset": "rapid7_insightvm.asset", - "ingested": "2023-05-23T16:17:08Z", + "ingested": "2025-05-30T11:10:40Z", "kind": "state", "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"critical_vulnerabilities\":0,\"exploits\":0,\"id\":\"452534235-25a7-40a3-9321-28ce0b5cc90e-default-asset-199\",\"ip\":\"10.1.0.128\",\"last_assessed_for_vulnerabilities\":\"2020-03-20T19:19:42.611Z\",\"last_scan_end\":\"2020-03-20T19:19:42.611Z\",\"last_scan_start\":\"2020-03-20T19:18:13.611Z\",\"malware_kits\":0,\"moderate_vulnerabilities\":2,\"new\":[],\"os_architecture\":\"x86_64\",\"os_description\":\"CentOS Linux 2.6.18\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"CentOS Linux\",\"os_type\":\"General\",\"os_vendor\":\"CentOS\",\"os_version\":\"2.6.18\",\"remediated\":[],\"risk_score\":0,\"severe_vulnerabilities\":0,\"tags\":[{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":2}", "type": [ 
@@ -100,4 +100,4 @@ "forwarded", "rapid7_insightvm-asset" ] -} \ No newline at end of file +} diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log new file mode 100644 index 00000000000..0e734808ce4 --- /dev/null +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log @@ -0,0 +1,25 @@ +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2025-05-14T13:52:10Z","key":"/root/infaagent/jdk/lib/jrt-fs.jar","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":null,"proof":"

Vulnerable OS: Ubuntu Linux 22.04

Vulnerable software installed: Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)

","protocol":null,"reintroduced":null,"solution_fix":"

\n Download and upgrade to the latest version of Azul Zulu from here.

","solution_id":"azul-zulu-upgrade-latest","solution_summary":"Upgrade Azul Zulu to the latest version","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"azul-zulu-cve-2025-21502","added":"2025-02-05T00:00:00Z","categories":"Azul Systems,Azul Zulu,Java,Web","cves":"CVE-2025-21502","cvss_v2_access_complexity":"high","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":4.927999973297119,"cvss_v2_impact_score":4.938243839970231,"cvss_v2_integrity_impact":"partial","cvss_v2_score":4,"cvss_v2_vector":"(AV:N/AC:H/Au:N/C:P/I:P/A:N)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"low","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":2.5140719999999996,"cvss_v3_integrity_impact":"low","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":4.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","denial_of_service":false,"description":"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).","exploits":[],"id":"azul-zulu-cve-2025-21502","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2025-21502","id":"CVE-2025-21502","source":"cve"},{"href":"https://www.azul.com/downloads/","id":"https://www.azul.com/downloads/","source":"url"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":4,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"2025-01-21T00:00:00Z","references":"cve:CVE-2025-21502,url:https://www.azul.com/downloads/","risk_score":321,"severity":"low","severity_score":4,"title":"Azul Zulu: CVE-2025-21502: Vulnerability in the Azul Zulu OpenJDK component"}} 
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2025-05-13T13:25:40Z","key":"","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":null,"proof":"

Grub config with no password found.

","protocol":null,"reintroduced":null,"solution_fix":"

Set a password in the GRUB configuration file. This\n is often located in one of several locations, but can really be\n anywhere:

\n          /etc/grub.conf\n          /boot/grub/grub.conf\n          /boot/grub/grub.cfg\n          /boot/grub/menu.lst\n        

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file\n and add the following line before the first uncommented line:

   password <password>

To set an encrypted password, run grub-md5-crypt and use its\n output when adding the following line before the first\n uncommented line:

   password --md5 <encryptedpassword>

For either approach, choose an appropriately strong password.

","solution_id":"linux-grub-missing-passwd","solution_summary":" Enable GRUB password ","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"linux-grub-missing-passwd","added":"2004-11-30T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,UNIX","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"local","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":3.948735978603363,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":4.6,"cvss_v2_vector":"(AV:L/AC:L/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":5.177088,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.7,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","denial_of_service":false,"description":"GRUB bootloader is not password protected. An attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command. 
It can also be exploited to boot into single user mode as root or boot into an insecure operating system.","exploits":[],"id":"linux-grub-missing-passwd","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":4.6,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"1999-01-01T00:00:00Z","references":"","risk_score":515,"severity":"critical","severity_score":5,"title":"No password for Grub"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vulnerability":{"check_id":null,"first_found":"2025-04-30T06:21:05Z","key":"","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":3389,"proof":"

The subject common name found in the X.509 certificate does not seem to match the scan target:

","protocol":"TCP","reintroduced":"2025-05-27T13:34:19Z","solution_fix":"

\n The subject's common name (CN) field in the X.509 certificate should be fixed\nto reflect the name of the entity presenting the certificate (e.g., the\nhostname). This is done by generating a new certificate usually signed by a\nCertification Authority (CA) trusted by both the client and server.\n

","solution_id":"certificate-common-name-mismatch","solution_summary":"Fix the subject's Common Name (CN) field in the certificate","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"certificate-common-name-mismatch","added":"2007-08-03T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,HTTP,Web","cves":"","cvss_v2_access_complexity":"high","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":4.927999973297119,"cvss_v2_impact_score":7.843935219030975,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.1,"cvss_v2_vector":"(AV:N/AC:H/Au:N/C:C/I:P/A:N)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":5.177088,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","denial_of_service":false,"description":"The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.\n\nBefore issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by \"https://www.example.com/\", the CN should be \"www.example.com\". \n\nIn order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then launch a man-in-the-middle attack and gain full control of the data stream. 
Of particular importance is the validity of the subject's CN, that should match the name of the entity (hostname).\n\nA CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.","exploits":[],"id":"certificate-common-name-mismatch","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.1,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2007-08-03T00:00:00Z","references":"","risk_score":495,"severity":"none","severity_score":6,"title":"X.509 Certificate Subject CN Does Not Match the Entity Name"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 
Agent"}],"vulnerability":{"check_id":"microsoft-windows-cve-2025-21204-windows_11-22h2-kb5055528","first_found":"2025-05-13T07:25:34Z","key":"","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows 11 22H2

","protocol":null,"reintroduced":null,"solution_fix":"

Download and apply the patch from: https://support.microsoft.com/help/5058405

","solution_id":"microsoft-windows-windows_11-22h2-kb5058405","solution_summary":"2025-05 Cumulative Update for Microsoft Windows 11, version 22H2 (KB5058405)","solution_type":"patch","status":"VULNERABLE_EXPL","vulnerability_id":"microsoft-windows-cve-2025-21204","added":"2025-04-08T00:00:00Z","categories":"Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation","cves":"CVE-2025-21204","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"local","cvss_v2_authentication":"single","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":3.141040013372898,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:L/AC:L/Au:S/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":1.8345765900000002,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"low","cvss_v3_scope":"unchanged","cvss_v3_score":7.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege 
Vulnerability","exploits":[],"id":"microsoft-windows-cve-2025-21204","links":[{"href":"https://support.microsoft.com/help/5055557","id":"https://support.microsoft.com/help/5055557","source":"url"},{"href":"https://support.microsoft.com/help/5055547","id":"https://support.microsoft.com/help/5055547","source":"url"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2025-21204","id":"CVE-2025-21204","source":"cve"},{"href":"https://support.microsoft.com/help/5055526","id":"https://support.microsoft.com/help/5055526","source":"url"},{"href":"https://support.microsoft.com/help/5055527","id":"https://support.microsoft.com/help/5055527","source":"url"},{"href":"https://support.microsoft.com/help/5055521","id":"https://support.microsoft.com/help/5055521","source":"url"},{"href":"https://support.microsoft.com/help/5055523","id":"https://support.microsoft.com/help/5055523","source":"url"},{"href":"https://support.microsoft.com/help/5055528","id":"https://support.microsoft.com/help/5055528","source":"url"},{"href":"https://support.microsoft.com/help/5055518","id":"https://support.microsoft.com/help/5055518","source":"url"},{"href":"https://support.microsoft.com/help/5055519","id":"https://support.microsoft.com/help/5055519","source":"url"},{"href":"https://support.microsoft.com/help/5055581","id":"https://support.microsoft.com/help/5055581","source":"url"}],"malware_kits":[],"modified":"2025-04-14T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2025-04-08T00:00:00Z","references":"cve:CVE-2025-21204,url:https://support.microsoft.com/help/5055518,url:https://support.microsoft.com/help/5055519,url:https://support.microsoft.com/help/5055521,url:https://support.microsoft.com/help/5055523,url:https://support.microsoft.com/help/5055526,url:https://support.microsoft.com/help/5055527,url:https://support.microsoft.com/help/5055528,url:https://support.microsoft.com/help/5055547,url:https://support.microsoft.com/hel
p/5055557,url:https://support.microsoft.com/help/5055581","risk_score":522,"severity":"informational","severity_score":7,"title":"Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vulnerability":{"check_id":"WINDOWS-HOTFIX-MS13-098-x64","first_found":"2025-05-13T07:25:34Z","key":"","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows 11 22H2

","protocol":null,"reintroduced":null,"solution_fix":"

Download and apply the patch from: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

","solution_id":"windows-hotfix-ms13-098","solution_summary":"Enable Certificate Padding Check for Windows Systems","solution_type":"patch","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms13-098","added":"2013-12-10T00:00:00Z","categories":"CISA KEV,Exploited in the Wild,Microsoft,Microsoft Patch,Microsoft Windows,Remote Execution","cves":"CVE-2013-3900","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"local","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":3.392575981616974,"cvss_v2_impact_score":6.870600273013115,"cvss_v2_integrity_impact":"complete","cvss_v2_score":4.7,"cvss_v2_vector":"(AV:L/AC:M/Au:N/C:N/I:C/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":1.8345765900000002,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":5.5,"cvss_v3_user_interaction":"required","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","denial_of_service":false,"description":"This vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. Note that this vulnerability was originally published by Microsoft as MS13-098, but has now been republished as CVE-2013-3900. 
Microsoft provides current information on the CVE-2013-3900 advisory.","exploits":[],"id":"windows-hotfix-ms13-098","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2013-3900","id":"CVE-2013-3900","source":"cve"},{"href":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900","id":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900","source":"url"}],"malware_kits":[],"modified":"2025-04-22T00:00:00Z","pci_cvss_score":4.7,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"2013-12-10T00:00:00Z","references":"cve:CVE-2013-3900,url:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900","risk_score":450,"severity":"severe","severity_score":5,"title":"CVE-2013-3900: MS13-098: Vulnerability in Windows Could Allow Remote Code Execution"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":3,"exploits":0,"host_name":"computer-test","id":"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6","ip":"10.50.5.112","last_assessed_for_vulnerabilities":"2025-05-27T18:21:36.279Z","last_scan_end":"2025-05-27T18:21:36.279Z","last_scan_start":"2025-05-27T18:20:41.505Z","mac":"00:00:5E:00:53:02","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Red Hat Enterprise Linux 7.9","os_family":"Linux","os_name":"Enterprise Linux","os_system_name":"Red Hat Linux","os_type":"","os_vendor":"Red Hat","os_version":"7.9","risk_score":18250,"severe_vulnerabilities":48,"tags":[{"name":"Ahmedabad","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":52,"type":"guest","unique_identifiers":[{"id":"CEF12345-ABCD-1234-ABCD-95ABCDEF1234","source":"dmidecode"},{"id":"e80644e940123456789abcdef66a8b16","source":"R7 
Agent"}],"vulnerability":{"check_id":null,"first_found":"2025-05-12T16:25:35Z","key":"","last_found":"2025-05-27T18:21:36.279Z","nic":null,"port":null,"proof":"

Following entries in /etc/securetty \n may allow anonymous root logins:

","protocol":null,"reintroduced":null,"solution_fix":"

Remove all the entries in /etc/securetty except console,\n tty[0-9]* and vc\\[0-9]*

Note: ssh does not use /etc/securetty. To disable root login\n through ssh, use the "PermitRootLogin" setting in /etc/ssh/sshd_config\n and restart the ssh daemon.

","solution_id":"unix-anonymous-root-logins","solution_summary":"Edit '/etc/securetty' entries","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"unix-anonymous-root-logins","added":"2004-11-30T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,UNIX","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"single","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":7.9520000338554375,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.5,"cvss_v2_vector":"(AV:N/AC:L/Au:S/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \"su\" to become root.","exploits":[],"id":"unix-anonymous-root-logins","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.5,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2004-11-30T00:00:00Z","references":"","risk_score":562,"severity":"severe","severity_score":7,"title":"Anonymous root login is allowed"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":3,"exploits":0,"host_name":"computer-test","id":"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6","ip":"10.50.5.112","last_assessed_for_vulnerabilities":"2025-05-27T18:21:36.279Z","last_scan_end":"2025-05-27T18:21:36.279Z","last_scan_start":"2025-05-27T18:20:41.505Z","mac":"00:00:5E:00:53:02","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Red Hat Enterprise Linux 7.9","os_family":"Linux","os_name":"Enterprise Linux","os_system_name":"Red Hat Linux","os_type":"","os_vendor":"Red Hat","os_version":"7.9","risk_score":18250,"severe_vulnerabilities":48,"tags":[{"name":"Ahmedabad","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":52,"type":"guest","unique_identifiers":[{"id":"CEF12345-ABCD-1234-ABCD-95ABCDEF1234","source":"dmidecode"},{"id":"e80644e940123456789abcdef66a8b16","source":"R7 Agent"}],"vulnerability":{"check_id":null,"first_found":"2025-05-14T13:52:10Z","key":"","last_found":"2025-05-27T18:21:36.279Z","nic":null,"port":null,"proof":"

The following world writable files were found.

","protocol":null,"reintroduced":null,"solution_fix":"

For each world-writable file, determine whether there is a good reason for\n it to be world writable. If not, remove world write permissions for the file.\n The output here is limited to 50 files. In order to find all of these files without needing to\n run another Nexpose scan run the following command:

 find / -type f -perm -02

Please note; it may be necessary exclude particular paths or file share types, run 'man find' for information.

","solution_id":"unix-world-writable-files","solution_summary":"Remove world write permissions","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"unix-world-writable-files","added":"2005-01-15T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,UNIX","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"local","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":3.948735978603363,"cvss_v2_impact_score":4.938243839970231,"cvss_v2_integrity_impact":"partial","cvss_v2_score":3.6,"cvss_v2_vector":"(AV:L/AC:L/Au:N/C:P/I:P/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"low","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":1.4123999999999999,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","denial_of_service":false,"description":"World writable files were found on the system. 
A file that can be written by any user on the system could be a serious security flaw.","exploits":[],"id":"unix-world-writable-files","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":3.6,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"","pci_status":"pass","published":"2005-01-15T00:00:00Z","references":"","risk_score":268,"severity":"severe","severity_score":4,"title":"World writable files exist"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2020-07-23T20:11:10Z","key":"Debian Linux 8.0","last_found":"2020-07-23T20:11:10.304Z","nic":null,"port":null,"proof":"

Vulnerable OS: Debian Linux 8.0

","protocol":null,"reintroduced":null,"solution_fix":"

\n See the Debian 9 release notes for instructions on upgrading to Debian GNU/Linux 9, alias "stretch".\n

","solution_id":"debian-upgrade-to-stretch","solution_summary":"Upgrade to Debian GNU/Linux 9 or later","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"debian-obsolete","added":"2013-01-29T00:00:00Z","categories":"Debian Linux,Obsolete OS,Obsolete Software","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":6.0477304915445185,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"changed","cvss_v3_score":10,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","denial_of_service":false,"description":"Debian terminated support for Debian GNU/Linux 9 \"stretch\" on Jun 30, 2022. All Debian versions prior to 10.0 \"buster\" may have unpatched security vulnerabilities.","exploits":[],"id":"debian-obsolete","links":[{"href":"https://wiki.debian.org/LTS","id":"https://wiki.debian.org/LTS","source":"url"}],"malware_kits":[],"modified":"2025-03-28T00:00:00Z","pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"This operating system version is no longer supported by the vendor, and results in an automatic failure. 
","pci_status":"fail","published":"2006-06-30T00:00:00Z","references":"url:https://wiki.debian.org/LTS","risk_score":911.42,"severity":"critical","severity_score":10,"title":"Obsolete Debian GNU/Linux Version"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2018-11-25T09:20:27Z","key":"","last_found":"2023-05-23T18:16:30.836Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows Server 2003 SP1

Server responded with vulnerable error code: 2 and class: 1

","protocol":null,"reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms06-035","solution_summary":"The solution is unknown for vuln windows-hotfix-ms06-035","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms06-035","added":"2006-07-12T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","cves":"CVE-2006-1314,CVE-2006-1315","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":7.5,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.83525473,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"low","cvss_v3_scope":"unchanged","cvss_v3_score":6.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","denial_of_service":false,"description":"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.","exploits":[{"description":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","id":"2057","name":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a kernel pool corruption bug in SRV.SYS. 
Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).","id":"auxiliary/dos/windows/smb/ms06_035_mailslot","name":"Microsoft SRV.SYS Mailslot Write Corruption","rank":"normal","skill_level":"intermediate","source":"metasploit"}],"id":"windows-hotfix-ms06-035","links":[{"href":"http://www.kb.cert.org/vuls/id/189140","id":"189140","source":"cert-vn"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818","id":"win-mailslot-bo(26818)","source":"xf"},{"href":"http://www.securityfocus.com/bid/18863","id":"18863","source":"bid"},{"href":"https://support.microsoft.com/en-us/kb/917159","id":"KB917159","source":"mskb"},{"href":"http://www.us-cert.gov/cas/techalerts/TA06-192A.html","id":"TA06-192A","source":"cert"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1314","id":"CVE-2006-1314","source":"cve"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1315","id":"CVE-2006-1315","source":"cve"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3","id":"3","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600","id":"600","source":"oval"},{"href":"http://www.osvdb.org/27155","id":"27155","source":"osvdb"},{"href":"http://www.osvdb.org/27154","id":"27154","source":"osvdb"},{"href":"http://technet.microsoft.com/security/bulletin/MS06-035","id":"MS06-035","source":"ms"},{"href":"http://www.securityfocus.com/bid/18891","id":"18891","source":"bid"},{"href":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","id":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","source":"url"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilit
ies/26820","id":"win-smb-information-disclosure(26820)","source":"xf"},{"href":"http://www.kb.cert.org/vuls/id/333636","id":"333636","source":"cert-vn"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":7.5,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2006-07-11T00:00:00Z","references":"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)","risk_score":756.57,"severity":"critical","severity_score":8,"title":"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2018-11-25T09:20:27Z","key":"","last_found":"2023-05-23T18:16:30.836Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows Server 2003 SP1

Based on the result of the "dcerpc-ms-netapi-netpathcanonicalize-dos" test, this node is applicable to this issue.

","protocol":null,"reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms06-035","solution_summary":"The solution is unknown for vuln windows-hotfix-ms06-035","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms06-035","added":"2006-07-12T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","cves":"CVE-2006-1314,CVE-2006-1315","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":7.5,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.83525473,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"low","cvss_v3_scope":"unchanged","cvss_v3_score":6.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","denial_of_service":false,"description":"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.","exploits":[{"description":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","id":"2057","name":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a kernel pool corruption bug in SRV.SYS. 
Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).","id":"auxiliary/dos/windows/smb/ms06_035_mailslot","name":"Microsoft SRV.SYS Mailslot Write Corruption","rank":"normal","skill_level":"intermediate","source":"metasploit"}],"id":"windows-hotfix-ms06-035","links":[{"href":"http://www.kb.cert.org/vuls/id/189140","id":"189140","source":"cert-vn"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818","id":"win-mailslot-bo(26818)","source":"xf"},{"href":"http://www.securityfocus.com/bid/18863","id":"18863","source":"bid"},{"href":"https://support.microsoft.com/en-us/kb/917159","id":"KB917159","source":"mskb"},{"href":"http://www.us-cert.gov/cas/techalerts/TA06-192A.html","id":"TA06-192A","source":"cert"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1314","id":"CVE-2006-1314","source":"cve"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1315","id":"CVE-2006-1315","source":"cve"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3","id":"3","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600","id":"600","source":"oval"},{"href":"http://www.osvdb.org/27155","id":"27155","source":"osvdb"},{"href":"http://www.osvdb.org/27154","id":"27154","source":"osvdb"},{"href":"http://technet.microsoft.com/security/bulletin/MS06-035","id":"MS06-035","source":"ms"},{"href":"http://www.securityfocus.com/bid/18891","id":"18891","source":"bid"},{"href":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","id":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","source":"url"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilit
ies/26820","id":"win-smb-information-disclosure(26820)","source":"xf"},{"href":"http://www.kb.cert.org/vuls/id/333636","id":"333636","source":"cert-vn"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":7.5,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2006-07-11T00:00:00Z","references":"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)","risk_score":756.57,"severity":"critical","severity_score":8,"title":"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 
Agent"}],"vulnerability":{"check_id":"msft-cve-2022-37967-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc","first_found":"2022-12-23T18:40:29Z","key":"","last_found":"2023-06-23T17:29:23.453Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1

Based on the following 2 results:

","protocol":null,"reintroduced":null,"solution_fix":"

Download and apply the patch from: https://support.microsoft.com/kb/5021288

","solution_id":"msft-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc","solution_summary":"2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288)","solution_type":"patch","status":"VULNERABLE_EXPL","vulnerability_id":"msft-cve-2022-37967","added":"2022-11-08T00:00:00Z","categories":"Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation","cves":"CVE-2022-37967","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"multiple","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":6.389999830722808,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":8.3,"cvss_v2_vector":"(AV:N/AC:L/Au:M/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":1.2347077050000002,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"high","cvss_v3_scope":"unchanged","cvss_v3_score":7.2,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Windows Kerberos Elevation of Privilege 
Vulnerability.","exploits":[],"id":"msft-cve-2022-37967","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2022-37967","id":"CVE-2022-37967","source":"cve"},{"href":"https://support.microsoft.com/help/5031364","id":"https://support.microsoft.com/help/5031364","source":"url"},{"href":"https://support.microsoft.com/help/5031362","id":"https://support.microsoft.com/help/5031362","source":"url"},{"href":"https://support.microsoft.com/help/5031361","id":"https://support.microsoft.com/help/5031361","source":"url"},{"href":"https://support.microsoft.com/help/5031407","id":"https://support.microsoft.com/help/5031407","source":"url"},{"href":"https://support.microsoft.com/help/5031419","id":"https://support.microsoft.com/help/5031419","source":"url"},{"href":"https://support.microsoft.com/help/5031427","id":"https://support.microsoft.com/help/5031427","source":"url"}],"malware_kits":[],"modified":"2024-09-06T00:00:00Z","pci_cvss_score":8.3,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2022-11-08T00:00:00Z","references":"cve:CVE-2022-37967,url:https://support.microsoft.com/help/5031361,url:https://support.microsoft.com/help/5031362,url:https://support.microsoft.com/help/5031364,url:https://support.microsoft.com/help/5031407,url:https://support.microsoft.com/help/5031419,url:https://support.microsoft.com/help/5031427","risk_score":434.28,"severity":"critical","severity_score":8,"title":"Microsoft Windows: CVE-2022-37967: Windows Kerberos Elevation of Privilege Vulnerability"}} 
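Review bot: the `proof` and `solution_fix` strings in these sample events (the `microsoft-windows-cve-2025-21204`, `windows-hotfix-ms13-098` and `unix-anonymous-root-logins` records, among others) appear to contain raw line breaks mixed with literal `\n` escapes (`Following entries in /etc/securetty \n may allow ...`). If those line breaks are really in the file rather than an artifact of how the diff is rendered, the records are not valid single-line NDJSON and a line-oriented loader will reject or split them; please either escape them as `\n` consistently or confirm that the sample loader accepts multi-line JSON. Separately, several events for the `ub22-50-6-126` asset (`os_description` "Ubuntu Linux 22.04") carry proofs for "Debian Linux 8.0" and "Microsoft Windows Server 2003 SP1"; that is fine for exercising the pipeline, but a short comment in the PR stating that the OS fields are intentionally mismatched would save the next reader from treating it as a mapping bug.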
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vulnerability":{"check_id":null,"first_found":"2022-12-23T18:40:29Z","key":"","last_found":"2023-06-23T17:29:23.453Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1

Based on the following 4 results:

  1. Based on the following 2 results:

      • HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender - key does not exist

      • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender
        • DisableAntiSpyware - contains 0

","protocol":null,"reintroduced":null,"solution_fix":"

Verify that the latest version of the Microsoft Malware Protection Engine\nand definition updates are being actively downloaded and installed for their Microsoft antimalware products.\nFor more information on how to verify the version number for the Microsoft Malware Protection Engine that your\nsoftware is currently using, see the section Verifying Update Installation\nin Microsoft Knowledge Base Article 2510781 https://support.microsoft.com/kb/2510781

","solution_id":"windows-defender-upgrade-latest","solution_summary":"Upgrade Microsoft Defender to the latest version.","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-defender-cve-2022-24548","added":"2022-04-14T00:00:00Z","categories":"Denial of Service,Microsoft Windows Defender","cves":"CVE-2022-24548","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":2.862749751806259,"cvss_v2_integrity_impact":"none","cvss_v2_score":4.3,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:N/I:N/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":1.8345765900000002,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":5.5,"cvss_v3_user_interaction":"required","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","denial_of_service":true,"description":"Microsoft Defender Denial of Service Vulnerability","exploits":[],"id":"windows-defender-cve-2022-24548","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2022-24548","id":"CVE-2022-24548","source":"cve"},{"href":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548","id":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548","source":"url"}],"malware_kits":[],"modified":"2023-12-13T00:00:00Z","pci_cvss_score":4.3,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. 
","pci_status":"pass","published":"2022-04-14T00:00:00Z","references":"cve:CVE-2022-24548,url:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548","risk_score":124.28,"severity":"severe","severity_score":4,"title":"Microsoft Defender Denial of Service Vulnerability (CVE-2022-24548)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vulnerability":{"check_id":null,"first_found":"2018-11-25T09:10:10Z","key":"","last_found":"2019-02-14T21:39:25.312Z","nic":null,"port":445,"proof":"

Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition SP2

System replied with a malformed SMB packet

","protocol":"TCP","reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms09-050","solution_summary":"The solution is unknown for vuln windows-hotfix-ms09-050","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms09-050","added":"2009-10-13T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","cves":"CVE-2009-2526,CVE-2009-2532,CVE-2009-3103","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":9.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.","exploits":[{"description":"Microsoft Windows 7/2008 R2 - Remote Kernel Crash","id":"10005","name":"Microsoft Windows 7/2008 R2 - Remote Kernel Crash","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.","id":"auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff","name":"Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference","rank":"normal","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)","id":"40280","name":"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service","id":"12524","name":"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\n without SP1 does not seem affected by this flaw.","id":"exploit/windows/smb/ms09_050_smb2_negotiate_func_index","name":"MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference","rank":"good","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)","id":"14674","name":"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.","id":"auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh","name":"Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference","rank":"normal","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)","id":"9594","name":"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death 
(MS07-063)","rank":"average","skill_level":"expert","source":"exploitdb"}],"id":"windows-hotfix-ms09-050","links":[{"href":"http://www.us-cert.gov/cas/techalerts/TA09-286A.html","id":"TA09-286A","source":"cert"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489","id":"6489","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336","id":"6336","source":"oval"},{"href":"http://www.securityfocus.com/bid/36299","id":"36299","source":"bid"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595","id":"5595","source":"oval"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-2526","id":"CVE-2009-2526","source":"cve"},{"href":"http://technet.microsoft.com/security/bulletin/MS09-050","id":"MS09-050","source":"ms"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-3103","id":"CVE-2009-3103","source":"cve"},{"href":"http://www.kb.cert.org/vuls/id/135940","id":"135940","source":"cert-vn"},{"href":"https://support.microsoft.com/en-us/kb/975517","id":"KB975517","source":"mskb"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-2532","id":"CVE-2009-2532","source":"cve"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/53090","id":"53090","source":"xf"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2009-10-13T00:00:00Z","references":"cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A","risk_score":914.2,"severity":"critical","severity_score":10,"title":"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)"}} 
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2021-02-23T18:39:30Z","key":"","last_found":"2022-04-23T18:04:36.094Z","nic":null,"port":null,"proof":"

Vulnerable OS: CentOS Linux 7.6.1810

","protocol":null,"reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-centos_linux-cve-2020-2574","solution_summary":"The solution is unknown for vuln centos_linux-cve-2020-2574","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"centos_linux-cve-2020-2574","added":"2020-09-15T00:00:00Z","categories":"CentOS","cves":"CVE-2020-2574","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":2.862749751806259,"cvss_v2_integrity_impact":"none","cvss_v2_score":4.3,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:N/I:N/A:P)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":5.9,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","denial_of_service":true,"description":"Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).","exploits":[],"id":"centos_linux-cve-2020-2574","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2020-2574","id":"CVE-2020-2574","source":"nvd"}],"malware_kits":[],"modified":"2023-05-25T00:00:00Z","pci_cvss_score":4.3,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. ","pci_status":"pass","published":"2020-01-15T00:00:00Z","references":"nvd:CVE-2020-2574","risk_score":150.88,"severity":"severe","severity_score":4,"title":"CentOS Linux: CVE-2020-2574: Important: mysql:8.0 security update (Multiple Advisories)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vulnerability":{"check_id":null,"first_found":"2021-03-23T21:18:51Z","key":"","last_found":"2023-06-23T19:16:12.895Z","nic":null,"port":445,"proof":"

Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition

\\BROWSER: WriteAndX succeeded with offset 77

","protocol":"TCP","reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms09-001","solution_summary":"The solution is unknown for vuln windows-hotfix-ms09-001","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms09-001","added":"2009-10-13T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","cves":"CVE-2009-2526,CVE-2009-2532,CVE-2009-3103","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":9.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.","exploits":[{"description":"Microsoft Windows 7/2008 R2 - Remote Kernel Crash","id":"10005","name":"Microsoft Windows 7/2008 R2 - Remote Kernel Crash","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.","id":"auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff","name":"Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference","rank":"normal","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)","id":"40280","name":"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service","id":"12524","name":"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\n without SP1 does not seem affected by this flaw.","id":"exploit/windows/smb/ms09_050_smb2_negotiate_func_index","name":"MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference","rank":"good","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)","id":"14674","name":"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.","id":"auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh","name":"Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference","rank":"normal","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)","id":"9594","name":"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death 
(MS07-063)","rank":"average","skill_level":"expert","source":"exploitdb"}],"id":"windows-hotfix-ms09-050","links":[{"href":"http://www.us-cert.gov/cas/techalerts/TA09-286A.html","id":"TA09-286A","source":"cert"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489","id":"6489","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336","id":"6336","source":"oval"},{"href":"http://www.securityfocus.com/bid/36299","id":"36299","source":"bid"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595","id":"5595","source":"oval"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-2526","id":"CVE-2009-2526","source":"cve"},{"href":"http://technet.microsoft.com/security/bulletin/MS09-050","id":"MS09-050","source":"ms"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-3103","id":"CVE-2009-3103","source":"cve"},{"href":"http://www.kb.cert.org/vuls/id/135940","id":"135940","source":"cert-vn"},{"href":"https://support.microsoft.com/en-us/kb/975517","id":"KB975517","source":"mskb"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-2532","id":"CVE-2009-2532","source":"cve"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/53090","id":"53090","source":"xf"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2009-10-13T00:00:00Z","references":"cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A","risk_score":914.2,"severity":"critical","severity_score":10,"title":"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)"}} 
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2018-11-25T09:16:57Z","key":"","last_found":"2022-02-23T20:10:02.535Z","nic":null,"port":53,"proof":"

Vulnerable OS: Debian Linux 6.0

","protocol":"TCP","reintroduced":null,"solution_fix":"

\n More information about upgrading your version of ISC BIND is available on the ISC website.\n

","solution_id":"upgrade-isc-bind-latest","solution_summary":"Upgrade ISC BIND to latest version","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"dns-bind-cve-2015-4620","added":"2015-10-27T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,DNS,Denial of Service,ISC,ISC BIND","cves":"CVE-2015-4620","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.870600273013115,"cvss_v2_integrity_impact":"none","cvss_v2_score":7.8,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:N/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","denial_of_service":true,"description":"name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.","exploits":[],"id":"dns-bind-cve-2015-4620","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2015-4620","id":"CVE-2015-4620","source":"cve"},{"href":"https://kb.isc.org/article/AA-01267/0","id":"https://kb.isc.org/article/AA-01267/0","source":"url"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":7.8,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. 
","pci_status":"pass","published":"2015-07-08T00:00:00Z","references":"cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0","risk_score":334.11,"severity":"critical","severity_score":8,"title":"ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2023-03-23T19:23:01Z","key":"","last_found":"2023-06-23T19:36:17.715Z","nic":null,"port":445,"proof":"

","protocol":"TCP","reintroduced":null,"solution_fix":"

\n Configure the system to enable or require SMB signing as appropriate.\n The method and effect of doing this is system specific so please see\n this Microsoft article for\n details. Note: ensure that SMB signing configuration is done for \n incoming connections (Server).\n

","solution_id":"cifs-smb-signing-windows","solution_summary":"Configure SMB signing for Windows","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"cifs-smb2-signing-not-required","added":"2015-10-27T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,DNS,Denial of Service,ISC,ISC BIND","cves":"CVE-2015-4620","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.870600273013115,"cvss_v2_integrity_impact":"none","cvss_v2_score":7.8,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:N/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","denial_of_service":true,"description":"name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.","exploits":[],"id":"dns-bind-cve-2015-4620","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2015-4620","id":"CVE-2015-4620","source":"cve"},{"href":"https://kb.isc.org/article/AA-01267/0","id":"https://kb.isc.org/article/AA-01267/0","source":"url"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":7.8,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. 
","pci_status":"pass","published":"2015-07-08T00:00:00Z","references":"cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0","risk_score":334.11,"severity":"critical","severity_score":8,"title":"ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2022-12-23T19:25:13Z","key":"VMware ESX Server 4.0.0 GA","last_found":"2023-06-23T18:08:29.154Z","nic":null,"port":null,"proof":"

Vulnerable OS: VMware ESX Server 4.0.0 GA

","protocol":null,"reintroduced":null,"solution_fix":"

Download and apply the upgrade from: https://knowledge.broadcom.com/external/article?articleNumber=142814

","solution_id":"vmware-esx-upgrade-latest","solution_summary":"Upgrade VMware ESX to the latest version","solution_type":"rollup","status":"VULNERABLE_VERS","vulnerability_id":"vmsa-2012-0013-cve-2012-0815","added":"2012-09-17T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Denial of Service,IAVM,Remote Execution,VMware,VMware ESX/ESXi","cves":"CVE-2012-0815","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range 
comparison.","exploits":[],"id":"vmsa-2012-0013-cve-2012-0815","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2012-0815","id":"CVE-2012-0815","source":"cve"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"V0033884","source":"disa_vmskey"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"2012-A-0153","source":"iavm"},{"href":"http://www.vmware.com/security/advisories/VMSA-2012-0013.html","id":"http://www.vmware.com/security/advisories/VMSA-2012-0013.html","source":"url"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"Category I","source":"disa_severity"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"2012-A-0148","source":"iavm"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"V0033794","source":"disa_vmskey"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2012-06-04T00:00:00Z","references":"iavm:2012-A-0148,iavm:2012-A-0153,cve:CVE-2012-0815,disa_severity:Category I,disa_vmskey:V0033794,disa_vmskey:V0033884,url:http://www.vmware.com/security/advisories/VMSA-2012-0013.html","risk_score":716.99,"severity":"severe","severity_score":7,"title":"VMSA-2012-0013: Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS (CVE-2012-0815)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu 
Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2022-12-23T18:54:08Z","key":"","last_found":"2023-06-23T17:40:02.211Z","nic":null,"port":null,"proof":"

Vulnerable software installed: Wordpress 3.0

","protocol":null,"reintroduced":null,"solution_fix":"

\n Upgrade to the latest version of Wordpress from https://wordpress.org/download/release-archive/

","solution_id":"wordpress-upgrade-latest","solution_summary":"Upgrade to the latest version of Wordpress","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"wordpress-cve-2015-5731","added":"2017-05-16T00:00:00Z","categories":"CSRF,CVSS Score Predicted with Rapid7 AI,Denial of Service,WordPress","cves":"CVE-2015-5731","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":2.8352547300000004,"cvss_v3_impact_score":5.177088,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.1,"cvss_v3_user_interaction":"required","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H","denial_of_service":false,"description":"Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action.","exploits":[],"id":"wordpress-cve-2015-5731","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2015-5731","id":"CVE-2015-5731","source":"cve"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2015-11-09T00:00:00Z","references":"cve:CVE-2015-5731","risk_score":676.67,"severity":"severe","severity_score":7,"title":"Wordpress: CVE-2015-5731: Cross-Site Request Forgery (CSRF)"}} 
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2022-12-23T18:55:39Z","key":"","last_found":"2023-06-23T17:41:50.071Z","nic":null,"port":80,"proof":"

","protocol":"TCP","reintroduced":null,"solution_fix":"

Download and apply the upgrade from: http://www.php.net/downloads.php

","solution_id":"php-upgrade-latest","solution_summary":"Upgrade to the latest version of PHP","solution_type":"rollup","status":"VULNERABLE_VERS","vulnerability_id":"php-cve-2016-3171","added":"2019-09-30T00:00:00Z","categories":"HTTP,PHP,Remote Execution","cves":"CVE-2016-3171","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.1,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.","exploits":[],"id":"php-cve-2016-3171","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2016-3171","id":"CVE-2016-3171","source":"cve"}],"malware_kits":[],"modified":"2024-11-27T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2016-04-12T00:00:00Z","references":"cve:CVE-2016-3171","risk_score":669.57,"severity":"severe","severity_score":7,"title":"PHP Vulnerability: CVE-2016-3171"}} 
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":161,"protocol":"UDP","status":"NO_CREDS_SUPPLIED"},{"port":161,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":9,"exploits":5,"host_name":"BIG-IP-16-1-0.dev.test.rapid7.com","id":"12123455-abcd-5678-1234-01234567890e-default-asset-4123","ip":"175.16.199.1","last_assessed_for_vulnerabilities":"2024-06-23T17:54:28.107Z","last_scan_end":"2024-06-23T17:54:28.107Z","last_scan_start":"2024-06-23T17:44:15.351Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":10,"new":[],"os_architecture":"","os_description":"F5 BIG-IP 16.1.0.0","os_family":"BIG-IP","os_name":"BIG-IP","os_system_name":"F5 BIG-IP","os_type":"Network management device","os_vendor":"F5","os_version":"16.1.0.0","remediated":[],"risk_score":35804.71185,"vulnerability":{"check_id":null,"first_found":"2022-05-23T19:03:38Z","key":"F5 BIG-IP 16.1.0.0","last_found":"2024-06-23T17:54:28.107Z","nic":null,"port":null,"proof":"

Vulnerable OS: F5 BIG-IP 16.1.0.0

","protocol":null,"reintroduced":null,"solution_fix":"

\n Upgrade to the latest available version of F5 BIG-IP. Refer to BIG-IP Hotfix Matrix for the latest hotfix information.\n

","solution_id":"f5-big-ip-upgrade-latest","solution_summary":"Upgrade to the latest available version of F5 BIG-IP","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"f5-big-ip-cve-2017-7656","added":"2022-04-20T00:00:00Z","categories":"F5,F5 BIG-IP,Web","cves":"CVE-2017-7656","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":2.8627500620484354,"cvss_v2_integrity_impact":"partial","cvss_v2_score":5,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:P/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","denial_of_service":false,"description":"In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. 
This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.","exploits":[],"id":"f5-big-ip-cve-2017-7656","links":[{"href":"https://my.f5.com/manage/s/article/K21054458","id":"https://my.f5.com/manage/s/article/K21054458","source":"url"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2017-7656","id":"CVE-2017-7656","source":"cve"}],"malware_kits":[],"modified":"2024-12-06T00:00:00Z","pci_cvss_score":5,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"2018-06-26T00:00:00Z","references":"cve:CVE-2017-7656,url:https://my.f5.com/manage/s/article/K21054458","risk_score":229.89,"severity":"severe","severity_score":5,"title":"F5 Networks: CVE-2017-7656: K21054458: Eclipse Jetty vulnerability CVE-2017-7656"},"severe_vulnerabilities":94,"tags":[{"name":"snow_test","type":"CUSTOM"},{"name":"all_assets2","type":"CUSTOM"},{"name":"all_assets","type":"CUSTOM"},{"name":"my tag test","type":"CUSTOM"},{"name":"lab","type":"SITE"}],"total_vulnerabilities":113,"type":"guest","unique_identifiers":[]} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":1,"exploits":0,"id":"11111111-34a7-40a3-1111-28db0b5cc90e-default-asset-1049","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2022-08-23T18:31:27.909Z","last_scan_end":"2022-08-23T18:31:27.909Z","last_scan_start":"2022-08-23T18:30:49.674Z","malware_kits":0,"moderate_vulnerabilities":3,"risk_score":871.9886474609375,"severe_vulnerabilities":5,"tags":[{"name":"No_Hostname","type":"CUSTOM"},{"name":"all_assets2","type":"CUSTOM"},{"name":"all_assets","type":"CUSTOM"},{"name":"lab","type":"SITE"}],"total_vulnerabilities":9,"unique_identifiers":[],"vulnerability":{"added":"2013-05-06T00:00:00Z","categories":"Canonical,Obsolete OS,Obsolete Software,Ubuntu 
Linux,Web","check_id":null,"cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":6.0477304915445185,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"changed","cvss_v3_score":10,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","denial_of_service":false,"description":"This release has passed its End of Life. There may be unpatched security vulnerabilities. Please check with https://wiki.ubuntu.com/Releases (https://wiki.ubuntu.com/Releases) for supported versions.","exploits":[],"first_found":"2018-11-25T09:27:44Z","id":"ubuntu-obsolete-version","key":"Ubuntu Linux 12.04","last_found":"2022-08-23T18:31:27.909Z","links":[],"malware_kits":[],"modified":"2025-03-28T00:00:00Z","nic":null,"pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"This operating system version is no longer supported by the vendor, and results in an automatic failure. 
","pci_status":"fail","port":null,"proof":"\\u003cp\\u003e\\u003cp\\u003eVulnerable OS: Ubuntu Linux 12.04\\u003cp\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\\u003c/p\\u003e","protocol":null,"published":"2013-05-06T00:00:00Z","references":"","reintroduced":null,"risk_score":891.5,"severity":"critical","severity_score":10,"solution_fix":"\\u003cp\\u003eUpgrade to a supported version of Ubuntu Linux\\u003c/p\\u003e","solution_id":"ubuntu-obsolete-version","solution_summary":"Upgrade Ubuntu","solution_type":"workaround","status":"VULNERABLE_VERS","title":"Obsolete Version of Ubuntu","vulnerability_id":"ubuntu-obsolete-version"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":32,"exploits":17,"id":"12123455-1234-5678-0912-28dabcdefabe-default-asset-3709","ip":"175.16.199.2","last_assessed_for_vulnerabilities":"2022-04-23T18:04:36.094Z","last_scan_end":"2022-04-23T18:04:36.094Z","last_scan_start":"2022-04-23T17:56:27.286Z","malware_kits":0,"moderate_vulnerabilities":58,"os_architecture":"","os_description":"Linux LINUX 2.6.9 - 2.6.27 2.6.9","os_family":"Linux","os_name":"LINUX 2.6.9 - 
2.6.27","os_system_name":"Linux","os_type":"General","os_vendor":"Linux","os_version":"2.6.9","risk_score":128750.1171875,"severe_vulnerabilities":307,"tags":[{"name":"No_Hostname","type":"CUSTOM"},{"name":"all_assets2","type":"CUSTOM"},{"name":"snow_test","type":"CUSTOM"},{"name":"all_assets","type":"CUSTOM"},{"name":"lab","type":"SITE"}],"total_vulnerabilities":397,"unique_identifiers":[],"vulnerability":{"added":"2019-10-16T00:00:00Z","categories":"CentOS","check_id":null,"cves":"CVE-2019-9506","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"adjacent","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":6.457932765007019,"cvss_v2_impact_score":4.938243839970231,"cvss_v2_integrity_impact":"partial","cvss_v2_score":4.8,"cvss_v2_vector":"(AV:A/AC:L/Au:N/C:P/I:P/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"adjacent","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.83525473,"cvss_v3_impact_score":5.177088,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.1,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","denial_of_service":false,"description":"The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. 
This allows practical brute-force attacks (aka \"KNOB\") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.","exploits":[],"first_found":"2021-02-23T18:39:30Z","id":"centos_linux-cve-2019-9506","key":"","last_found":"2022-04-23T18:04:36.094Z","links":[{"href":"http://rhn.redhat.com/errata/RHSA-2019-3076.html","id":"RHSA-2019:3076","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3055.html","id":"RHSA-2019:3055","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3165.html","id":"RHSA-2019:3165","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3187.html","id":"RHSA-2019:3187","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3220.html","id":"RHSA-2019:3220","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3231.html","id":"RHSA-2019:3231","source":"redhat"},{"href":"http://www.kb.cert.org/vuls/id/918987","id":"918987","source":"cert-vn"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2019-9506","id":"CVE-2019-9506","source":"nvd"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3517.html","id":"RHSA-2019:3517","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3309.html","id":"RHSA-2019:3309","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2020-0204.html","id":"RHSA-2020:0204","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3218.html","id":"RHSA-2019:3218","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3217.html","id":"RHSA-2019:3217","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-2975.html","id":"RHSA-2019:2975","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3089.html","id":"RHSA-2019:3089","source":"redhat"}],"malware_kits":[],"modified":"2023-05-25T00:00:00Z","nic":null,"pci_cvss_score":4.8,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","port":null,"proof":"

Vulnerable OS: CentOS Linux 7.6.1810

Vulnerable software installed: Linux kernel 3.10.0-957.el7

","protocol":null,"published":"2019-08-14T00:00:00Z","references":"cert-vn:918987,nvd:CVE-2019-9506,redhat:RHSA-2019:2975,redhat:RHSA-2019:3055,redhat:RHSA-2019:3076,redhat:RHSA-2019:3089,redhat:RHSA-2019:3165,redhat:RHSA-2019:3187,redhat:RHSA-2019:3217,redhat:RHSA-2019:3218,redhat:RHSA-2019:3220,redhat:RHSA-2019:3231,redhat:RHSA-2019:3309,redhat:RHSA-2019:3517,redhat:RHSA-2020:0204","reintroduced":null,"risk_score":573.71,"severity":"severe","severity_score":5,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-centos_linux-cve-2019-9506","solution_summary":"The solution is unknown for vuln centos_linux-cve-2019-9506","solution_type":"workaround","status":"VULNERABLE_VERS","title":"CentOS Linux: CVE-2019-9506: Important: kernel security and bug fix update (Multiple Advisories)","vulnerability_id":"centos_linux-cve-2019-9506"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":139,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":8,"exploits":32,"host_name":"SBS2008-PREM-U","id":"12324565-1234-abcd-1234-21234567890e-default-asset-1239","ip":"175.16.199.1","last_assessed_for_vulnerabilities":"2023-06-23T19:51:46.262Z","last_scan_end":"2023-06-23T19:51:46.262Z","last_scan_start":"2023-06-23T19:39:28.295Z","mac":"00:00:5E:00:53:00","malware_kits":1,"moderate_vulnerabilities":7,"os_architecture":"","os_description":"Microsoft Windows Small Business Server 2008","os_family":"Windows","os_name":"Windows Small Business Server 2008","os_system_name":"Microsoft Windows","os_type":"General","os_vendor":"Microsoft","risk_score":15638.8798828125,"severe_vulnerabilities":12,"tags":[{"name":"Windows","type":"CUSTOM"},{"name":"snow_test","type":"CUSTOM"},{"name":"SI","type":"CUSTOM"},{"name":"my tag 
test","type":"CUSTOM"},{"name":"all_assets","type":"CUSTOM"},{"name":"all_assets2","type":"CUSTOM"},{"name":"lab","type":"SITE"}],"total_vulnerabilities":27,"unique_identifiers":[],"vulnerability":{"added":"2011-04-13T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,IAVM,Microsoft,Microsoft Patch,Microsoft Windows,Remote Execution","check_id":null,"cves":"CVE-2011-0661","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":9.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. 
Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.","exploits":[],"first_found":"2019-02-15T05:37:32Z","id":"windows-hotfix-ms11-020","key":"","last_found":"2023-06-23T19:51:46.262Z","links":[{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:12076","id":"12076","source":"oval"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"2011-A-0050","source":"iavm"},{"href":"http://technet.microsoft.com/security/bulletin/MS11-020","id":"MS11-020","source":"ms"},{"href":"http://www.securityfocus.com/bid/47198","id":"47198","source":"bid"},{"href":"http://www.us-cert.gov/cas/techalerts/TA11-102A.html","id":"TA11-102A","source":"cert"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"Category I","source":"disa_severity"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"V0026521","source":"disa_vmskey"},{"href":"https://support.microsoft.com/en-us/kb/2508429","id":"KB2508429","source":"mskb"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2011-0661","id":"CVE-2011-0661","source":"cve"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","nic":null,"pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","port":445,"proof":"

Vulnerable OS: Microsoft Windows Small Business Server 2008

Based on the result of the "windows-hotfix-ms09-050" test, this node is applicable to this issue.

","protocol":"TCP","published":"2011-04-13T00:00:00Z","references":"oval:12076,iavm:2011-A-0050,bid:47198,cve:CVE-2011-0661,disa_severity:Category I,mskb:KB2508429,ms:MS11-020,cert:TA11-102A,disa_vmskey:V0026521","reintroduced":null,"risk_score":900.45,"severity":"critical","severity_score":10,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms11-020","solution_summary":"The solution is unknown for vuln windows-hotfix-ms11-020","solution_type":"workaround","status":"VULNERABLE_VERS","title":"MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)","vulnerability_id":"windows-hotfix-ms11-020"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":139,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":11,"exploits":37,"host_name":"SHOCKWAVE-P","id":"12123455-1234-5678-9012-abcdefabcd0e-default-asset-152","ip":"175.16.199.3","last_assessed_for_vulnerabilities":"2023-06-23T19:39:41.339Z","last_scan_end":"2023-06-23T19:39:41.339Z","last_scan_start":"2023-06-23T19:36:27.824Z","mac":"00:00:5E:00:53:00","malware_kits":1,"moderate_vulnerabilities":4,"os_architecture":"","os_description":"Microsoft Windows XP","os_family":"Windows","os_name":"Windows XP","os_system_name":"Microsoft Windows","os_type":"General","os_vendor":"Microsoft","risk_score":14912.1123046875,"severe_vulnerabilities":8,"tags":[{"name":"my tag 
test","type":"CUSTOM"},{"name":"Windows","type":"CUSTOM"},{"name":"SI","type":"CUSTOM"},{"name":"snow_test","type":"CUSTOM"},{"name":"all_assets","type":"CUSTOM"},{"name":"all_assets2","type":"CUSTOM"},{"name":"lab","type":"SITE"}],"total_vulnerabilities":23,"unique_identifiers":[],"vulnerability":{"added":"2006-07-12T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","check_id":null,"cves":"CVE-2006-1314,CVE-2006-1315","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":7.5,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.83525473,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"low","cvss_v3_scope":"unchanged","cvss_v3_score":6.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","denial_of_service":false,"description":"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.","exploits":[{"description":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","id":"2057","name":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a kernel pool corruption bug in SRV.SYS. 
Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).","id":"auxiliary/dos/windows/smb/ms06_035_mailslot","name":"Microsoft SRV.SYS Mailslot Write Corruption","rank":"normal","skill_level":"intermediate","source":"metasploit"}],"first_found":"2018-11-25T08:24:37Z","id":"windows-hotfix-ms06-035","key":"","last_found":"2023-06-23T19:39:41.339Z","links":[{"href":"http://www.kb.cert.org/vuls/id/189140","id":"189140","source":"cert-vn"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818","id":"win-mailslot-bo(26818)","source":"xf"},{"href":"http://www.securityfocus.com/bid/18863","id":"18863","source":"bid"},{"href":"https://support.microsoft.com/en-us/kb/917159","id":"KB917159","source":"mskb"},{"href":"http://www.us-cert.gov/cas/techalerts/TA06-192A.html","id":"TA06-192A","source":"cert"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1314","id":"CVE-2006-1314","source":"cve"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1315","id":"CVE-2006-1315","source":"cve"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3","id":"3","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600","id":"600","source":"oval"},{"href":"http://www.osvdb.org/27155","id":"27155","source":"osvdb"},{"href":"http://www.osvdb.org/27154","id":"27154","source":"osvdb"},{"href":"http://technet.microsoft.com/security/bulletin/MS06-035","id":"MS06-035","source":"ms"},{"href":"http://www.securityfocus.com/bid/18891","id":"18891","source":"bid"},{"href":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","id":"http://technet.microsoft.com/en-us/security/bulleti
n/MS06-035","source":"url"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/26820","id":"win-smb-information-disclosure(26820)","source":"xf"},{"href":"http://www.kb.cert.org/vuls/id/333636","id":"333636","source":"cert-vn"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","nic":null,"pci_cvss_score":7.5,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","port":null,"proof":"

Vulnerable OS: Microsoft Windows XP

Server responded with vulnerable error code: 2 and class: 1

","protocol":null,"published":"2006-07-11T00:00:00Z","references":"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)","reintroduced":null,"risk_score":756.61,"severity":"critical","severity_score":8,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms06-035","solution_summary":"The solution is unknown for vuln windows-hotfix-ms06-035","solution_type":"workaround","status":"VULNERABLE_EXPL","title":"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)","vulnerability_id":"windows-hotfix-ms06-035"}} diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json new file mode 100644 index 00000000000..8bc3272473d --- /dev/null +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json 
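Review bot: The sample lines in this hunk never populate `check_id`, `nic`, `reintroduced`, `new` or `remediated` (every event carries `null` or `[]` for them, e.g. `"new":[],"remediated":[]` on the BIG-IP asset), so the pipeline's mapping of those fields is not exercised by this test; please add at least one line with real values for them, or note in the PR that they remain untested. A second point on the same lines: the `proof` and `solution_fix` strings are encoded inconsistently. The `ubuntu-obsolete-version` event keeps its HTML as escaped `\\u003cp\\u003e...\\u003c/p\\u003e` sequences, while every other event has the `<p>` markup already rendered into line breaks (the `\n` literals inside them, as in `\n Upgrade to the latest version of Wordpress ...`, show the original had both). Since `package.name` is derived from the "Vulnerable software installed:" line of `proof`, the test should cover both encodings deliberately, or the fixture should be normalised to one, so that the HTML-stripping step is what is being asserted rather than an accident of how the fixture was pasted.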
@@ -0,0 +1,5923 @@ +{ + "expected": [ + { + "@timestamp": "2025-05-27T19:54:43.777Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-05-14T13:52:10.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|azul-zulu-cve-2025-21502|2025-05-27T19:54:43.777Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2025-05-14T13:52:10Z\",\"key\":\"/root/infaagent/jdk/lib/jrt-fs.jar\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Ubuntu Linux 22.04

Vulnerable software installed: Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

\\n Download and upgrade to the latest version of Azul Zulu from here.

\",\"solution_id\":\"azul-zulu-upgrade-latest\",\"solution_summary\":\"Upgrade Azul Zulu to the latest version\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"azul-zulu-cve-2025-21502\",\"added\":\"2025-02-05T00:00:00Z\",\"categories\":\"Azul Systems,Azul Zulu,Java,Web\",\"cves\":\"CVE-2025-21502\",\"cvss_v2_access_complexity\":\"high\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":4.927999973297119,\"cvss_v2_impact_score\":4.938243839970231,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":4,\"cvss_v2_vector\":\"(AV:N/AC:H/Au:N/C:P/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"high\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"low\",\"cvss_v3_exploit_score\":2.2211673,\"cvss_v3_impact_score\":2.5140719999999996,\"cvss_v3_integrity_impact\":\"low\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":4.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"denial_of_service\":false,\"description\":\"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).\",\"exploits\":[],\"id\":\"azul-zulu-cve-2025-21502\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2025-21502\",\"id\":\"CVE-2025-21502\",\"source\":\"cve\"},{\"href\":\"https://www.azul.com/downloads/\",\"id\":\"https://www.azul.com/downloads/\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":4,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2025-01-21T00:00:00Z\",\"references\":\"cve:CVE-2025-21502,url:https://www.azul.com/downloads/\",\"risk_score\":321,\"severity\":\"low\",\"severity_score\":4,\"title\":\"Azul Zulu: CVE-2025-21502: Vulnerability in the Azul Zulu OpenJDK component\"}}", + "severity": 4, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": 
"linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "fixed_version": "latest", + "name": "Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)", + "version": "Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vulnerability": { + "added": "2025-02-05T00:00:00.000Z", + "categories": [ + "Azul Systems", + "Azul Zulu", + "Java", + "Web" + ], + "cves": [ + "CVE-2025-21502" + ], + "cvss_v2": { + "access_complexity": "high", + "access_vector": "network", + "authentication": "none", + "availability_impact": "none", + "confidentiality_impact": "partial", + "exploit_score": 4.927999973297119, + "impact_score": 4.938243839970231, + "integrity_impact": "partial", + "score": 4.0, + "vector": 
"(AV:N/AC:H/Au:N/C:P/I:P/A:N)" + }, + "cvss_v3": { + "attack_complexity": "high", + "attack_vector": "network", + "availability_impact": "none", + "confidentiality_impact": "low", + "exploit_score": 2.2211673, + "impact_score": 2.5140719999999996, + "integrity_impact": "low", + "privileges_required": "none", + "scope": "unchanged", + "score": 4.8, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" + }, + "denial_of_service": false, + "description": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).", + "first_found": "2025-05-14T13:52:10.000Z", + "id": "azul-zulu-cve-2025-21502", + "key": "/root/infaagent/jdk/lib/jrt-fs.jar", + "last_found": "2025-05-27T19:54:43.777Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2025-21502", + "id": "CVE-2025-21502", + "source": "cve" + }, + { + "href": "https://www.azul.com/downloads/", + "id": "https://www.azul.com/downloads/", + "source": "url" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 4.0, + "fail": true, + "severity_score": 3, + "status": "fail" + }, + "proof": "Vulnerable OS: Ubuntu Linux 22.04\n\n\n\nVulnerable software installed: Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)", + "published": "2025-01-21T00:00:00.000Z", + "references": "cve:CVE-2025-21502,url:https://www.azul.com/downloads/", + "risk_score": 321.0, + "severity": "low", + "severity_score": 4, + "solution": { + "fix": "Download and upgrade to the latest version of Azul Zulu from here.", + "id": "azul-zulu-upgrade-latest", + "summary": "Upgrade Azul Zulu to the latest version", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "Azul Zulu: CVE-2025-21502: Vulnerability in the Azul Zulu OpenJDK component" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "Azul Systems", + "Azul Zulu", + "Java", + "Web" + ], + "classification": "CVSS", + "description": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). 
Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).", + "enumeration": "CVE", + "id": [ + "CVE-2025-21502" + ], + "published_date": "2025-01-21T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2025-21502", + "https://www.azul.com/downloads/" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 4.8, + "version": "3.0" + }, + "severity": "Low", + "title": "Vulnerability in the Azul Zulu OpenJDK component" + } + }, + { + "@timestamp": "2025-05-27T19:54:43.777Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-05-13T13:25:40.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|linux-grub-missing-passwd|2025-05-27T19:54:43.777Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint 
Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2025-05-13T13:25:40Z\",\"key\":\"\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":null,\"proof\":\"

Grub config with no password found.

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Set a password in the GRUB configuration file. This\\n is often located in one of several locations, but can really be\\n anywhere:

\\n          /etc/grub.conf\\n          /boot/grub/grub.conf\\n          /boot/grub/grub.cfg\\n          /boot/grub/menu.lst\\n        

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file\\n and add the following line before the first uncommented line:

   password <password>

To set an encrypted password, run grub-md5-crypt and use its\\n output when adding the following line before the first\\n uncommented line:

   password --md5 <encryptedpassword>

For either approach, choose an appropriately strong password.

\",\"solution_id\":\"linux-grub-missing-passwd\",\"solution_summary\":\" Enable GRUB password \",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"linux-grub-missing-passwd\",\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,UNIX\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"local\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":3.948735978603363,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":4.6,\"cvss_v2_vector\":\"(AV:L/AC:L/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.177088,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.7,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"denial_of_service\":false,\"description\":\"GRUB bootloader is not password protected. An attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command. 
It can also be exploited to boot into single user mode as root or boot into an insecure operating system.\",\"exploits\":[],\"id\":\"linux-grub-missing-passwd\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":4.6,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"1999-01-01T00:00:00Z\",\"references\":\"\",\"risk_score\":515,\"severity\":\"critical\",\"severity_score\":5,\"title\":\"No password for Grub\"}}", + "severity": 5, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": 
"B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vulnerability": { + "added": "2004-11-30T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "UNIX" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "local", + "authentication": "none", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 3.948735978603363, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 4.6, + "vector": "(AV:L/AC:L/Au:N/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "local", + "availability_impact": "none", + "confidentiality_impact": "high", + "exploit_score": 2.515145325, + "impact_score": 5.177088, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 7.7, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" + }, + "denial_of_service": false, + "description": "GRUB bootloader is not password protected. An attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command. It can also be exploited to boot into single user mode as root or boot into an insecure operating system.", + "first_found": "2025-05-13T13:25:40.000Z", + "id": "linux-grub-missing-passwd", + "last_found": "2025-05-27T19:54:43.777Z", + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 4.6, + "fail": true, + "severity_score": 3, + "status": "fail" + }, + "proof": "Grub config with no password found.\n\nVulnerable file: /boot/grub/grub.cfg", + "published": "1999-01-01T00:00:00.000Z", + "risk_score": 515.0, + "severity": "critical", + "severity_score": 5, + "solution": { + "fix": "Set a password in the GRUB configuration file. 
This\n is often located in one of several locations, but can really be\n anywhere:\n\n\n /etc/grub.conf\n /boot/grub/grub.conf\n /boot/grub/grub.cfg\n /boot/grub/menu.lst\n \n\nFor all files mentioned above ensure that a password is set or that the files do not exist.\n\nTo set a plain-text password, edit your GRUB configuration file\n and add the following line before the first uncommented line:\n\n password \n\nTo set an encrypted password, run grub-md5-crypt and use its\n output when adding the following line before the first\n uncommented line:\n\n password --md5 \n\nFor either approach, choose an appropriately strong password.", + "id": "linux-grub-missing-passwd", + "summary": " Enable GRUB password ", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", + "title": "No password for Grub" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "UNIX" + ], + "classification": "CVSS", + "description": "GRUB bootloader is not password protected. An attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command. 
It can also be exploited to boot into single user mode as root or boot into an insecure operating system.", + "enumeration": "CVE", + "published_date": "1999-01-01T00:00:00.000Z", + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 7.7, + "version": "3.0" + }, + "severity": "Critical", + "title": "No password for Grub" + } + }, + { + "@timestamp": "2025-05-27T19:54:43.777Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-04-30T06:21:05.000Z", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|certificate-common-name-mismatch|2025-05-27T19:54:43.777Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight 
agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2025-04-30T06:21:05Z\",\"key\":\"\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":3389,\"proof\":\"

The subject common name found in the X.509 certificate does not seem to match the scan target:

\",\"protocol\":\"TCP\",\"reintroduced\":\"2025-05-27T13:34:19Z\",\"solution_fix\":\"

\\n The subject's common name (CN) field in the X.509 certificate should be fixed\\nto reflect the name of the entity presenting the certificate (e.g., the\\nhostname). This is done by generating a new certificate usually signed by a\\nCertification Authority (CA) trusted by both the client and server.\\n

\",\"solution_id\":\"certificate-common-name-mismatch\",\"solution_summary\":\"Fix the subject's Common Name (CN) field in the certificate\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"certificate-common-name-mismatch\",\"added\":\"2007-08-03T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,HTTP,Web\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"high\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":4.927999973297119,\"cvss_v2_impact_score\":7.843935219030975,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.1,\"cvss_v2_vector\":\"(AV:N/AC:H/Au:N/C:C/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"high\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.2211673,\"cvss_v3_impact_score\":5.177088,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"denial_of_service\":false,\"description\":\"The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.\\n\\nBefore issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by \\\"https://www.example.com/\\\", the CN should be \\\"www.example.com\\\". 
\\n\\nIn order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then launch a man-in-the-middle attack and gain full control of the data stream. Of particular importance is the validity of the subject's CN, that should match the name of the entity (hostname).\\n\\nA CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.\",\"exploits\":[],\"id\":\"certificate-common-name-mismatch\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":6.1,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2007-08-03T00:00:00Z\",\"references\":\"\",\"risk_score\":495,\"severity\":\"none\",\"severity_score\":6,\"title\":\"X.509 Certificate Subject CN Does Not Match the Entity Name\"}}", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": [ + "10.50.13.52" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "Win11-50-13-52", + "os": { + "family": "Windows", + "full": "Microsoft Windows 11 22H2", + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "22H2" + }, + "risk": { + "static_score": 181622.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 119, + "exploits": 4, + "host_name": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": "10.50.13.52", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": 
"00-00-5E-00-53-00", + "malware_kits": 0, + "moderate_vulnerabilities": 8, + "os": { + "architecture": "x86_64", + "description": "Microsoft Windows 11 22H2", + "family": "Windows", + "name": "Windows 11", + "system_name": "Microsoft Windows", + "type": "Workstation", + "vendor": "Microsoft", + "version": "22H2" + }, + "risk_score": 181622.0, + "severe_vulnerabilities": 241, + "total_vulnerabilities": 368, + "type": "guest", + "unique_identifiers": [ + { + "id": "F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050", + "source": "CSPRODUCT" + }, + { + "id": "c5cf46abcdef0123456789291c7d554a", + "source": "R7 Agent" + } + ], + "vulnerability": { + "added": "2007-08-03T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "HTTP", + "Web" + ], + "cvss_v2": { + "access_complexity": "high", + "access_vector": "network", + "authentication": "none", + "availability_impact": "none", + "confidentiality_impact": "complete", + "exploit_score": 4.927999973297119, + "impact_score": 7.843935219030975, + "integrity_impact": "partial", + "score": 6.1, + "vector": "(AV:N/AC:H/Au:N/C:C/I:P/A:N)" + }, + "cvss_v3": { + "attack_complexity": "high", + "attack_vector": "network", + "availability_impact": "none", + "confidentiality_impact": "high", + "exploit_score": 2.2211673, + "impact_score": 5.177088, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 7.4, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" + }, + "denial_of_service": false, + "description": "The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.\n\nBefore issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification Practice Statement (CPS). 
Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by \"https://www.example.com/\", the CN should be \"www.example.com\". \n\nIn order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then launch a man-in-the-middle attack and gain full control of the data stream. Of particular importance is the validity of the subject's CN, that should match the name of the entity (hostname).\n\nA CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.", + "first_found": "2025-04-30T06:21:05.000Z", + "id": "certificate-common-name-mismatch", + "last_found": "2025-05-27T19:54:43.777Z", + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 6.1, + "fail": true, + "severity_score": 4, + "status": "fail" + }, + "port": 3389, + "proof": "The subject common name found in the X.509 certificate does not seem to match the scan target:\n\nSubject CN Win11-50-13-52.testad.local does not match target name specified in the site.", + "protocol": "TCP", + "published": "2007-08-03T00:00:00.000Z", + "risk_score": 495.0, + "severity": "none", + "severity_score": 6, + "solution": { + "fix": "The subject's common name (CN) field in the X.509 certificate should be fixed\nto reflect the name of the entity presenting the certificate (e.g., the\nhostname). 
This is done by generating a new certificate usually signed by a\nCertification Authority (CA) trusted by both the client and server.", + "id": "certificate-common-name-mismatch", + "summary": "Fix the subject's Common Name (CN) field in the certificate", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", + "title": "X.509 Certificate Subject CN Does Not Match the Entity Name" + } + } + }, + "related": { + "hosts": [ + "Win11-50-13-52", + "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1" + ], + "ip": [ + "10.50.13.52" + ] + }, + "resource": { + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "name": "Win11-50-13-52" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "HTTP", + "Web" + ], + "classification": "CVSS", + "description": "The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.\n\nBefore issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by \"https://www.example.com/\", the CN should be \"www.example.com\". \n\nIn order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then launch a man-in-the-middle attack and gain full control of the data stream. 
Of particular importance is the validity of the subject's CN, that should match the name of the entity (hostname).\n\nA CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.", + "enumeration": "CVE", + "published_date": "2007-08-03T00:00:00.000Z", + "scanner": { + "name": "c5cf46abcdef0123456789291c7d554a", + "vendor": "Rapid7" + }, + "score": { + "base": 7.4, + "version": "3.0" + }, + "severity": "None", + "title": "X.509 Certificate Subject CN Does Not Match the Entity Name" + } + }, + { + "@timestamp": "2025-05-27T19:54:43.777Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-05-13T07:25:34.000Z", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|microsoft-windows-cve-2025-21204|2025-05-27T19:54:43.777Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight 
agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"check_id\":\"microsoft-windows-cve-2025-21204-windows_11-22h2-kb5055528\",\"first_found\":\"2025-05-13T07:25:34Z\",\"key\":\"\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows 11 22H2

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Download and apply the patch from: https://support.microsoft.com/help/5058405

\",\"solution_id\":\"microsoft-windows-windows_11-22h2-kb5058405\",\"solution_summary\":\"2025-05 Cumulative Update for Microsoft Windows 11, version 22H2 (KB5058405)\",\"solution_type\":\"patch\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"microsoft-windows-cve-2025-21204\",\"added\":\"2025-04-08T00:00:00Z\",\"categories\":\"Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation\",\"cves\":\"CVE-2025-21204\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"local\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":3.141040013372898,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":6.8,\"cvss_v2_vector\":\"(AV:L/AC:L/Au:S/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":1.8345765900000002,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"low\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege 
Vulnerability\",\"exploits\":[],\"id\":\"microsoft-windows-cve-2025-21204\",\"links\":[{\"href\":\"https://support.microsoft.com/help/5055557\",\"id\":\"https://support.microsoft.com/help/5055557\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055547\",\"id\":\"https://support.microsoft.com/help/5055547\",\"source\":\"url\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2025-21204\",\"id\":\"CVE-2025-21204\",\"source\":\"cve\"},{\"href\":\"https://support.microsoft.com/help/5055526\",\"id\":\"https://support.microsoft.com/help/5055526\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055527\",\"id\":\"https://support.microsoft.com/help/5055527\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055521\",\"id\":\"https://support.microsoft.com/help/5055521\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055523\",\"id\":\"https://support.microsoft.com/help/5055523\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055528\",\"id\":\"https://support.microsoft.com/help/5055528\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055518\",\"id\":\"https://support.microsoft.com/help/5055518\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055519\",\"id\":\"https://support.microsoft.com/help/5055519\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055581\",\"id\":\"https://support.microsoft.com/help/5055581\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-04-14T00:00:00Z\",\"pci_cvss_score\":6.8,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2025-04-08T00:00:00Z\",\"references\":\"cve:CVE-2025-21204,url:https://support.microsoft.com/help/5055518,url:https://support.microsoft.com/help/5055519,url:https://support.microsoft.com/help/5055521,url:https://support.microsoft.com/help/5055523,url:https://support.microsoft.com/help/5055526,url:https:
//support.microsoft.com/help/5055527,url:https://support.microsoft.com/help/5055528,url:https://support.microsoft.com/help/5055547,url:https://support.microsoft.com/help/5055557,url:https://support.microsoft.com/help/5055581\",\"risk_score\":522,\"severity\":\"informational\",\"severity_score\":7,\"title\":\"Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability\"}}", + "severity": 7, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": [ + "10.50.13.52" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "Win11-50-13-52", + "os": { + "family": "Windows", + "full": "Microsoft Windows 11 22H2", + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "22H2" + }, + "risk": { + "static_score": 181622.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "Microsoft Windows 11 22H2", + "version": "Microsoft Windows 11 22H2" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 119, + "exploits": 4, + "host_name": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": "10.50.13.52", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-00", + "malware_kits": 0, + "moderate_vulnerabilities": 8, + "os": { + "architecture": "x86_64", + "description": "Microsoft Windows 11 22H2", + "family": "Windows", + "name": "Windows 11", + "system_name": "Microsoft Windows", + "type": "Workstation", + "vendor": "Microsoft", + "version": "22H2" + }, + "risk_score": 181622.0, + "severe_vulnerabilities": 241, + "total_vulnerabilities": 368, + "type": 
"guest", + "unique_identifiers": [ + { + "id": "F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050", + "source": "CSPRODUCT" + }, + { + "id": "c5cf46abcdef0123456789291c7d554a", + "source": "R7 Agent" + } + ], + "vulnerability": { + "added": "2025-04-08T00:00:00.000Z", + "categories": [ + "Microsoft", + "Microsoft Patch", + "Microsoft Windows", + "Privilege Escalation" + ], + "check_id": "microsoft-windows-cve-2025-21204-windows_11-22h2-kb5055528", + "cves": [ + "CVE-2025-21204" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "local", + "authentication": "single", + "availability_impact": "complete", + "confidentiality_impact": "complete", + "exploit_score": 3.141040013372898, + "impact_score": 10.000845454680942, + "integrity_impact": "complete", + "score": 6.8, + "vector": "(AV:L/AC:L/Au:S/C:C/I:C/A:C)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "local", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 1.8345765900000002, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "low", + "scope": "unchanged", + "score": 7.8, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability", + "first_found": "2025-05-13T07:25:34.000Z", + "id": "microsoft-windows-cve-2025-21204", + "last_found": "2025-05-27T19:54:43.777Z", + "links": [ + { + "href": "https://support.microsoft.com/help/5055557", + "id": "https://support.microsoft.com/help/5055557", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055547", + "id": "https://support.microsoft.com/help/5055547", + "source": "url" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2025-21204", + "id": "CVE-2025-21204", + "source": "cve" + }, + { + "href": "https://support.microsoft.com/help/5055526", + "id": 
"https://support.microsoft.com/help/5055526", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055527", + "id": "https://support.microsoft.com/help/5055527", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055521", + "id": "https://support.microsoft.com/help/5055521", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055523", + "id": "https://support.microsoft.com/help/5055523", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055528", + "id": "https://support.microsoft.com/help/5055528", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055518", + "id": "https://support.microsoft.com/help/5055518", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055519", + "id": "https://support.microsoft.com/help/5055519", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055581", + "id": "https://support.microsoft.com/help/5055581", + "source": "url" + } + ], + "modified": "2025-04-14T00:00:00.000Z", + "pci": { + "cvss_score": 6.8, + "fail": true, + "severity_score": 4, + "status": "fail" + }, + "proof": "Vulnerable OS: Microsoft Windows 11 22H2\n\n\n\n\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\n\nUBR - contains 4317", + "published": "2025-04-08T00:00:00.000Z", + "references": "cve:CVE-2025-21204,url:https://support.microsoft.com/help/5055518,url:https://support.microsoft.com/help/5055519,url:https://support.microsoft.com/help/5055521,url:https://support.microsoft.com/help/5055523,url:https://support.microsoft.com/help/5055526,url:https://support.microsoft.com/help/5055527,url:https://support.microsoft.com/help/5055528,url:https://support.microsoft.com/help/5055547,url:https://support.microsoft.com/help/5055557,url:https://support.microsoft.com/help/5055581", + "risk_score": 522.0, + "severity": "informational", + "severity_score": 7, + "solution": { + "fix": "Download and apply 
the patch from: https://support.microsoft.com/help/5058405", + "id": "microsoft-windows-windows_11-22h2-kb5058405", + "summary": "2025-05 Cumulative Update for Microsoft Windows 11, version 22H2 (KB5058405)", + "type": "patch" + }, + "status": "VULNERABLE_EXPL", + "title": "Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability" + } + } + }, + "related": { + "hosts": [ + "Win11-50-13-52", + "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1" + ], + "ip": [ + "10.50.13.52" + ] + }, + "resource": { + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "name": "Win11-50-13-52" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "Microsoft", + "Microsoft Patch", + "Microsoft Windows", + "Privilege Escalation" + ], + "classification": "CVSS", + "description": "Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability", + "enumeration": "CVE", + "id": [ + "CVE-2025-21204" + ], + "published_date": "2025-04-08T00:00:00.000Z", + "reference": [ + "https://support.microsoft.com/help/5055557", + "https://support.microsoft.com/help/5055547", + "http://nvd.nist.gov/vuln/detail/CVE-2025-21204", + "https://support.microsoft.com/help/5055526", + "https://support.microsoft.com/help/5055527", + "https://support.microsoft.com/help/5055521", + "https://support.microsoft.com/help/5055523", + "https://support.microsoft.com/help/5055528", + "https://support.microsoft.com/help/5055518", + "https://support.microsoft.com/help/5055519", + "https://support.microsoft.com/help/5055581" + ], + "scanner": { + "name": "c5cf46abcdef0123456789291c7d554a", + "vendor": "Rapid7" + }, + "score": { + "base": 7.8, + "version": "3.0" + }, + "severity": "Low", + "title": "Windows Process Activation Elevation of Privilege Vulnerability" + } + }, + { + "@timestamp": "2025-05-27T19:54:43.777Z", + "ecs": { + "version": "8.11.0" + }, + 
"event": { + "category": [ + "vulnerability" + ], + "created": "2025-05-13T07:25:34.000Z", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|windows-hotfix-ms13-098|2025-05-27T19:54:43.777Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"check_id\":\"WINDOWS-HOTFIX-MS13-098-x64\",\"first_found\":\"2025-05-13T07:25:34Z\",\"key\":\"\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows 11 22H2

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Download and apply the patch from: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

\",\"solution_id\":\"windows-hotfix-ms13-098\",\"solution_summary\":\"Enable Certificate Padding Check for Windows Systems\",\"solution_type\":\"patch\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms13-098\",\"added\":\"2013-12-10T00:00:00Z\",\"categories\":\"CISA KEV,Exploited in the Wild,Microsoft,Microsoft Patch,Microsoft Windows,Remote Execution\",\"cves\":\"CVE-2013-3900\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"local\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":3.392575981616974,\"cvss_v2_impact_score\":6.870600273013115,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":4.7,\"cvss_v2_vector\":\"(AV:L/AC:M/Au:N/C:N/I:C/A:N)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":1.8345765900000002,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":5.5,\"cvss_v3_user_interaction\":\"required\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"denial_of_service\":false,\"description\":\"This vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. Note that this vulnerability was originally published by Microsoft as MS13-098, but has now been republished as CVE-2013-3900. 
Microsoft provides current information on the CVE-2013-3900 advisory.\",\"exploits\":[],\"id\":\"windows-hotfix-ms13-098\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2013-3900\",\"id\":\"CVE-2013-3900\",\"source\":\"cve\"},{\"href\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900\",\"id\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-04-22T00:00:00Z\",\"pci_cvss_score\":4.7,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2013-12-10T00:00:00Z\",\"references\":\"cve:CVE-2013-3900,url:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900\",\"risk_score\":450,\"severity\":\"severe\",\"severity_score\":5,\"title\":\"CVE-2013-3900: MS13-098: Vulnerability in Windows Could Allow Remote Code Execution\"}}", + "severity": 5, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": [ + "10.50.13.52" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "Win11-50-13-52", + "os": { + "family": "Windows", + "full": "Microsoft Windows 11 22H2", + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "22H2" + }, + "risk": { + "static_score": 181622.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "Microsoft Windows 11 22H2", + "version": "Microsoft Windows 11 22H2" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 119, + "exploits": 4, + "host_name": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": "10.50.13.52", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": 
"2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-00", + "malware_kits": 0, + "moderate_vulnerabilities": 8, + "os": { + "architecture": "x86_64", + "description": "Microsoft Windows 11 22H2", + "family": "Windows", + "name": "Windows 11", + "system_name": "Microsoft Windows", + "type": "Workstation", + "vendor": "Microsoft", + "version": "22H2" + }, + "risk_score": 181622.0, + "severe_vulnerabilities": 241, + "total_vulnerabilities": 368, + "type": "guest", + "unique_identifiers": [ + { + "id": "F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050", + "source": "CSPRODUCT" + }, + { + "id": "c5cf46abcdef0123456789291c7d554a", + "source": "R7 Agent" + } + ], + "vulnerability": { + "added": "2013-12-10T00:00:00.000Z", + "categories": [ + "CISA KEV", + "Exploited in the Wild", + "Microsoft", + "Microsoft Patch", + "Microsoft Windows", + "Remote Execution" + ], + "check_id": "WINDOWS-HOTFIX-MS13-098-x64", + "cves": [ + "CVE-2013-3900" + ], + "cvss_v2": { + "access_complexity": "medium", + "access_vector": "local", + "authentication": "none", + "availability_impact": "none", + "confidentiality_impact": "none", + "exploit_score": 3.392575981616974, + "impact_score": 6.870600273013115, + "integrity_impact": "complete", + "score": 4.7, + "vector": "(AV:L/AC:M/Au:N/C:N/I:C/A:N)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "local", + "availability_impact": "none", + "confidentiality_impact": "none", + "exploit_score": 1.8345765900000002, + "impact_score": 3.5952, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 5.5, + "user_interaction": "required", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + }, + "denial_of_service": false, + "description": "This vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. 
Note that this vulnerability was originally published by Microsoft as MS13-098, but has now been republished as CVE-2013-3900. Microsoft provides current information on the CVE-2013-3900 advisory.", + "first_found": "2025-05-13T07:25:34.000Z", + "id": "windows-hotfix-ms13-098", + "last_found": "2025-05-27T19:54:43.777Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2013-3900", + "id": "CVE-2013-3900", + "source": "cve" + }, + { + "href": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900", + "id": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900", + "source": "url" + } + ], + "modified": "2025-04-22T00:00:00.000Z", + "pci": { + "cvss_score": 4.7, + "fail": true, + "severity_score": 3, + "status": "fail" + }, + "proof": "Vulnerable OS: Microsoft Windows 11 22H2\n\n\n\n\n\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Wintrust\\Config - key does not exist\n\nEnableCertPaddingCheck - value does not exist", + "published": "2013-12-10T00:00:00.000Z", + "references": "cve:CVE-2013-3900,url:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900", + "risk_score": 450.0, + "severity": "severe", + "severity_score": 5, + "solution": { + "fix": "Download and apply the patch from: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900", + "id": "windows-hotfix-ms13-098", + "summary": "Enable Certificate Padding Check for Windows Systems", + "type": "patch" + }, + "status": "VULNERABLE_EXPL", + "title": "CVE-2013-3900: MS13-098: Vulnerability in Windows Could Allow Remote Code Execution" + } + } + }, + "related": { + "hosts": [ + "Win11-50-13-52", + "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1" + ], + "ip": [ + "10.50.13.52" + ] + }, + "resource": { + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "name": "Win11-50-13-52" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CISA KEV", + 
"Exploited in the Wild", + "Microsoft", + "Microsoft Patch", + "Microsoft Windows", + "Remote Execution" + ], + "classification": "CVSS", + "description": "This vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. Note that this vulnerability was originally published by Microsoft as MS13-098, but has now been republished as CVE-2013-3900. Microsoft provides current information on the CVE-2013-3900 advisory.", + "enumeration": "CVE", + "id": [ + "CVE-2013-3900" + ], + "published_date": "2013-12-10T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2013-3900", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900" + ], + "scanner": { + "name": "c5cf46abcdef0123456789291c7d554a", + "vendor": "Rapid7" + }, + "score": { + "base": 5.5, + "version": "3.0" + }, + "severity": "High", + "title": "MS13-098: Vulnerability in Windows Could Allow Remote Code Execution" + } + }, + { + "@timestamp": "2025-05-27T18:21:36.279Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-05-12T16:25:35.000Z", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6|unix-anonymous-root-logins|2025-05-27T18:21:36.279Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat 
Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2025-05-12T16:25:35Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"

Following entries in /etc/securetty \\n may allow anonymous root logins:

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Remove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]*

Note: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the "PermitRootLogin" setting in /etc/ssh/sshd_config\\n and restart the ssh daemon.

\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-anonymous-root-logins\",\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,UNIX\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":7.9520000338554375,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:S/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \\\"su\\\" to become root.\",\"exploits\":[],\"id\":\"unix-anonymous-root-logins\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":6.5,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2004-11-30T00:00:00Z\",\"references\":\"\",\"risk_score\":562,\"severity\":\"severe\",\"severity_score\":7,\"title\":\"Anonymous root login is allowed\"}}", + "severity": 7, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "computer-test", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "ip": [ + "10.50.5.112" + ], + "mac": [ + "00-00-5E-00-53-02" + ], + "name": "computer-test", + "os": { + "family": "Linux", + "full": "Red Hat Enterprise Linux 7.9", + "name": "Enterprise Linux", + "platform": "linux", + "type": "linux", + "version": "7.9" + }, + "risk": { + "static_score": 18250.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 3, + "exploits": 0, + "host_name": "computer-test", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "ip": "10.50.5.112", + "last_assessed_for_vulnerabilities": "2025-05-27T18:21:36.279Z", + "last_scan_end": "2025-05-27T18:21:36.279Z", + "last_scan_start": "2025-05-27T18:20:41.505Z", + "mac": "00-00-5E-00-53-02", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Red Hat Enterprise Linux 7.9", + "family": "Linux", + "name": "Enterprise Linux", + "system_name": "Red Hat Linux", + "vendor": "Red Hat", + "version": "7.9" + }, + "risk_score": 18250.0, + "severe_vulnerabilities": 48, + "total_vulnerabilities": 52, + "type": "guest", + "unique_identifiers": [ + { + 
"id": "CEF12345-ABCD-1234-ABCD-95ABCDEF1234", + "source": "dmidecode" + }, + { + "id": "e80644e940123456789abcdef66a8b16", + "source": "R7 Agent" + } + ], + "vulnerability": { + "added": "2004-11-30T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "UNIX" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "single", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 7.9520000338554375, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 6.5, + "vector": "(AV:N/AC:L/Au:S/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "local", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 2.515145325, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 8.4, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \"su\" to become root.", + "first_found": "2025-05-12T16:25:35.000Z", + "id": "unix-anonymous-root-logins", + "last_found": "2025-05-27T18:21:36.279Z", + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 6.5, + "fail": true, + "severity_score": 4, + "status": "fail" + }, + "proof": "Following entries in /etc/securetty \n may allow anonymous root logins: \n\nttyS0\n\nttysclp0\n\nsclp_line0\n\n3270/tty1\n\nhvc0\n\nhvc1\n\nhvc2\n\nhvc3\n\nhvc4\n\nhvc5\n\nhvc6\n\nhvc7\n\nhvsi0\n\nhvsi1\n\nhvsi2\n\nxvc0", + "published": "2004-11-30T00:00:00.000Z", + "risk_score": 562.0, + "severity": "severe", + "severity_score": 7, + "solution": { + "fix": "Remove all the entries in /etc/securetty except console,\n tty[0-9]* and vc\\[0-9]* \n\nNote: ssh does not use /etc/securetty. To disable root login\n through ssh, use the \"PermitRootLogin\" setting in /etc/ssh/sshd_config\n and restart the ssh daemon.", + "id": "unix-anonymous-root-logins", + "summary": "Edit '/etc/securetty' entries", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", + "title": "Anonymous root login is allowed" + } + } + }, + "related": { + "hosts": [ + "computer-test", + "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6" + ], + "ip": [ + "10.50.5.112" + ] + }, + "resource": { + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "name": "computer-test" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "UNIX" + ], + "classification": "CVSS", + "description": "Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \"su\" to become root.", + "enumeration": "CVE", + "published_date": "2004-11-30T00:00:00.000Z", + "scanner": { + "name": "e80644e940123456789abcdef66a8b16", + "vendor": "Rapid7" + }, + "score": { + "base": 8.4, + "version": "3.0" + }, + "severity": "High", + "title": "Anonymous root login is allowed" + } + }, + { + "@timestamp": "2025-05-27T18:21:36.279Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-05-14T13:52:10.000Z", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6|unix-world-writable-files|2025-05-27T18:21:36.279Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 
Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2025-05-14T13:52:10Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"

The following world writable files were found.

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

For each world-writable file, determine whether there is a good reason for\\n it to be world writable. If not, remove world write permissions for the file.\\n The output here is limited to 50 files. In order to find all of these files without needing to\\n run another Nexpose scan run the following command:

 find / -type f -perm -02

Please note; it may be necessary exclude particular paths or file share types, run 'man find' for information.

\",\"solution_id\":\"unix-world-writable-files\",\"solution_summary\":\"Remove world write permissions\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-world-writable-files\",\"added\":\"2005-01-15T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,UNIX\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"local\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":3.948735978603363,\"cvss_v2_impact_score\":4.938243839970231,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":3.6,\"cvss_v2_vector\":\"(AV:L/AC:L/Au:N/C:P/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"low\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":1.4123999999999999,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"denial_of_service\":false,\"description\":\"World writable files were found on the system. 
A file that can be written by any user on the system could be a serious security flaw.\",\"exploits\":[],\"id\":\"unix-world-writable-files\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":3.6,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"\",\"pci_status\":\"pass\",\"published\":\"2005-01-15T00:00:00Z\",\"references\":\"\",\"risk_score\":268,\"severity\":\"severe\",\"severity_score\":4,\"title\":\"World writable files exist\"}}", + "severity": 4, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "computer-test", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "ip": [ + "10.50.5.112" + ], + "mac": [ + "00-00-5E-00-53-02" + ], + "name": "computer-test", + "os": { + "family": "Linux", + "full": "Red Hat Enterprise Linux 7.9", + "name": "Enterprise Linux", + "platform": "linux", + "type": "linux", + "version": "7.9" + }, + "risk": { + "static_score": 18250.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 3, + "exploits": 0, + "host_name": "computer-test", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "ip": "10.50.5.112", + "last_assessed_for_vulnerabilities": "2025-05-27T18:21:36.279Z", + "last_scan_end": "2025-05-27T18:21:36.279Z", + "last_scan_start": "2025-05-27T18:20:41.505Z", + "mac": "00-00-5E-00-53-02", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Red Hat Enterprise Linux 7.9", + "family": "Linux", + "name": "Enterprise Linux", + "system_name": "Red Hat Linux", + "vendor": "Red Hat", + "version": "7.9" + }, + "risk_score": 18250.0, + "severe_vulnerabilities": 48, + "total_vulnerabilities": 52, + "type": "guest", + "unique_identifiers": [ + { + "id": 
"CEF12345-ABCD-1234-ABCD-95ABCDEF1234", + "source": "dmidecode" + }, + { + "id": "e80644e940123456789abcdef66a8b16", + "source": "R7 Agent" + } + ], + "vulnerability": { + "added": "2005-01-15T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "UNIX" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "local", + "authentication": "none", + "availability_impact": "none", + "confidentiality_impact": "partial", + "exploit_score": 3.948735978603363, + "impact_score": 4.938243839970231, + "integrity_impact": "partial", + "score": 3.6, + "vector": "(AV:L/AC:L/Au:N/C:P/I:P/A:N)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "local", + "availability_impact": "none", + "confidentiality_impact": "low", + "exploit_score": 2.515145325, + "impact_score": 1.4123999999999999, + "integrity_impact": "none", + "privileges_required": "none", + "scope": "unchanged", + "score": 4.0, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + }, + "denial_of_service": false, + "description": "World writable files were found on the system. A file that can be written by any user on the system could be a serious security flaw.", + "first_found": "2025-05-14T13:52:10.000Z", + "id": "unix-world-writable-files", + "last_found": "2025-05-27T18:21:36.279Z", + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 3.6, + "fail": false, + "severity_score": 2, + "status": "pass" + }, + "proof": "The following world writable files were found.\n\n/var/.com.zerog.registry.xml (-rwxrwxrwx)", + "published": "2005-01-15T00:00:00.000Z", + "risk_score": 268.0, + "severity": "severe", + "severity_score": 4, + "solution": { + "fix": "For each world-writable file, determine whether there is a good reason for\n it to be world writable. If not, remove world write permissions for the file.\n The output here is limited to 50 files. 
In order to find all of these files without needing to\n run another Nexpose scan run the following command:\n\n find / -type f -perm -02\n\nPlease note; it may be necessary exclude particular paths or file share types, run 'man find' for information.", + "id": "unix-world-writable-files", + "summary": "Remove world write permissions", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", + "title": "World writable files exist" + } + } + }, + "related": { + "hosts": [ + "computer-test", + "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6" + ], + "ip": [ + "10.50.5.112" + ] + }, + "resource": { + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "name": "computer-test" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "UNIX" + ], + "classification": "CVSS", + "description": "World writable files were found on the system. A file that can be written by any user on the system could be a serious security flaw.", + "enumeration": "CVE", + "published_date": "2005-01-15T00:00:00.000Z", + "scanner": { + "name": "e80644e940123456789abcdef66a8b16", + "vendor": "Rapid7" + }, + "score": { + "base": 4.0, + "version": "3.0" + }, + "severity": "High", + "title": "World writable files exist" + } + }, + { + "@timestamp": "2020-07-23T20:11:10.304Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2020-07-23T20:11:10.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|debian-obsolete|2020-07-23T20:11:10.304Z", + "kind": "event", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2020-07-23T20:11:10Z\",\"key\":\"Debian Linux 8.0\",\"last_found\":\"2020-07-23T20:11:10.304Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Debian Linux 8.0

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

\\n See the Debian 9 release notes for instructions on upgrading to Debian GNU/Linux 9, alias "stretch".\\n

\",\"solution_id\":\"debian-upgrade-to-stretch\",\"solution_summary\":\"Upgrade to Debian GNU/Linux 9 or later\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"debian-obsolete\",\"added\":\"2013-01-29T00:00:00Z\",\"categories\":\"Debian Linux,Obsolete OS,Obsolete Software\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":6.0477304915445185,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"changed\",\"cvss_v3_score\":10,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Debian terminated support for Debian GNU/Linux 9 \\\"stretch\\\" on Jun 30, 2022. All Debian versions prior to 10.0 \\\"buster\\\" may have unpatched security vulnerabilities.\",\"exploits\":[],\"id\":\"debian-obsolete\",\"links\":[{\"href\":\"https://wiki.debian.org/LTS\",\"id\":\"https://wiki.debian.org/LTS\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-03-28T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"This operating system version is no longer supported by the vendor, and results in an automatic failure. 
\",\"pci_status\":\"fail\",\"published\":\"2006-06-30T00:00:00Z\",\"references\":\"url:https://wiki.debian.org/LTS\",\"risk_score\":911.42,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"Obsolete Debian GNU/Linux Version\"}}", + "severity": 10, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "fixed_version": "Debian GNU/Linux 9 or later", + "name": "Debian Linux 8.0", + "version": "Debian Linux 8.0" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": 
"cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vulnerability": { + "added": "2013-01-29T00:00:00.000Z", + "categories": [ + "Debian Linux", + "Obsolete OS", + "Obsolete Software" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "complete", + "confidentiality_impact": "complete", + "exploit_score": 9.996799945831299, + "impact_score": 10.000845454680942, + "integrity_impact": "complete", + "score": 10.0, + "vector": "(AV:N/AC:L/Au:N/C:C/I:C/A:C)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 3.8870427750000003, + "impact_score": 6.0477304915445185, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "changed", + "score": 10.0, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "Debian terminated support for Debian GNU/Linux 9 \"stretch\" on Jun 30, 2022. All Debian versions prior to 10.0 \"buster\" may have unpatched security vulnerabilities.", + "first_found": "2020-07-23T20:11:10.000Z", + "id": "debian-obsolete", + "key": "Debian Linux 8.0", + "last_found": "2020-07-23T20:11:10.304Z", + "links": [ + { + "href": "https://wiki.debian.org/LTS", + "id": "https://wiki.debian.org/LTS", + "source": "url" + } + ], + "modified": "2025-03-28T00:00:00.000Z", + "pci": { + "cvss_score": 10.0, + "fail": true, + "severity_score": 5, + "special_notes": "This operating system version is no longer supported by the vendor, and results in an automatic failure. 
", + "status": "fail" + }, + "proof": "Vulnerable OS: Debian Linux 8.0", + "published": "2006-06-30T00:00:00.000Z", + "references": "url:https://wiki.debian.org/LTS", + "risk_score": 911.42, + "severity": "critical", + "severity_score": 10, + "solution": { + "fix": "See the Debian 9 release notes for instructions on upgrading to Debian GNU/Linux 9, alias \"stretch\".", + "id": "debian-upgrade-to-stretch", + "summary": "Upgrade to Debian GNU/Linux 9 or later", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "Obsolete Debian GNU/Linux Version" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "Debian Linux", + "Obsolete OS", + "Obsolete Software" + ], + "classification": "CVSS", + "description": "Debian terminated support for Debian GNU/Linux 9 \"stretch\" on Jun 30, 2022. 
All Debian versions prior to 10.0 \"buster\" may have unpatched security vulnerabilities.", + "enumeration": "CVE", + "published_date": "2006-06-30T00:00:00.000Z", + "reference": [ + "https://wiki.debian.org/LTS" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 10.0, + "version": "3.0" + }, + "severity": "Critical", + "title": "Obsolete Debian GNU/Linux Version" + } + }, + { + "@timestamp": "2023-05-23T18:16:30.836Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2018-11-25T09:20:27.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|windows-hotfix-ms06-035|2023-05-23T18:16:30.836Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint 
Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2018-11-25T09:20:27Z\",\"key\":\"\",\"last_found\":\"2023-05-23T18:16:30.836Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows Server 2003 SP1

Server responded with vulnerable error code: 2 and class: 1

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms06-035\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms06-035\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms06-035\",\"added\":\"2006-07-12T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution\",\"cves\":\"CVE-2006-1314,CVE-2006-1315\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":7.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.83525473,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"low\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":6.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"denial_of_service\":false,\"description\":\"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \\\"Vulnerability Details\\\" section of this bulletin. 
We recommend that customers apply the update immediately.\",\"exploits\":[{\"description\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"id\":\"2057\",\"name\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a kernel pool corruption bug in SRV.SYS. Each\\n call to the mailslot write function results in a two byte return value\\n being written into the response packet. The code which creates this packet\\n fails to consider these two bytes in the allocation routine, resulting in\\n a slow corruption of the kernel memory pool. These two bytes are almost\\n always set to \\\"\\\\xff\\\\xff\\\" (a short integer with value of -1).\",\"id\":\"auxiliary/dos/windows/smb/ms06_035_mailslot\",\"name\":\"Microsoft SRV.SYS Mailslot Write Corruption\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"}],\"id\":\"windows-hotfix-ms06-035\",\"links\":[{\"href\":\"http://www.kb.cert.org/vuls/id/189140\",\"id\":\"189140\",\"source\":\"cert-vn\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818\",\"id\":\"win-mailslot-bo(26818)\",\"source\":\"xf\"},{\"href\":\"http://www.securityfocus.com/bid/18863\",\"id\":\"18863\",\"source\":\"bid\"},{\"href\":\"https://support.microsoft.com/en-us/kb/917159\",\"id\":\"KB917159\",\"source\":\"mskb\"},{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA06-192A.html\",\"id\":\"TA06-192A\",\"source\":\"cert\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1314\",\"id\":\"CVE-2006-1314\",\"source\":\"cve\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1315\",\"id\":\"CVE-2006-1315\",\"source\":\"cve\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3\",\"id\":\"3\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600\",\"id\":
\"600\",\"source\":\"oval\"},{\"href\":\"http://www.osvdb.org/27155\",\"id\":\"27155\",\"source\":\"osvdb\"},{\"href\":\"http://www.osvdb.org/27154\",\"id\":\"27154\",\"source\":\"osvdb\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS06-035\",\"id\":\"MS06-035\",\"source\":\"ms\"},{\"href\":\"http://www.securityfocus.com/bid/18891\",\"id\":\"18891\",\"source\":\"bid\"},{\"href\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"id\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"source\":\"url\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26820\",\"id\":\"win-smb-information-disclosure(26820)\",\"source\":\"xf\"},{\"href\":\"http://www.kb.cert.org/vuls/id/333636\",\"id\":\"333636\",\"source\":\"cert-vn\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":7.5,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2006-07-11T00:00:00Z\",\"references\":\"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)\",\"risk_score\":756.57,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)\"}}", + "severity": 8, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + 
"observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "Microsoft Windows Server 2003 SP1", + "version": "Microsoft Windows Server 2003 SP1" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vulnerability": { + "added": "2006-07-12T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft Patch", + "Remote Execution" + ], + "cves": [ + "CVE-2006-1314", + "CVE-2006-1315" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 9.996799945831299, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 7.5, + "vector": "(AV:N/AC:L/Au:N/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "none", + 
"confidentiality_impact": "high", + "exploit_score": 2.83525473, + "impact_score": 3.5952, + "integrity_impact": "none", + "privileges_required": "low", + "scope": "unchanged", + "score": 6.5, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "denial_of_service": false, + "description": "This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.", + "exploits": [ + { + "description": "Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)", + "id": "2057", + "name": "Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module triggers a kernel pool corruption bug in SRV.SYS. Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. 
These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).", + "id": "auxiliary/dos/windows/smb/ms06_035_mailslot", + "name": "Microsoft SRV.SYS Mailslot Write Corruption", + "rank": "normal", + "skill_level": "intermediate", + "source": "metasploit" + } + ], + "first_found": "2018-11-25T09:20:27.000Z", + "id": "windows-hotfix-ms06-035", + "last_found": "2023-05-23T18:16:30.836Z", + "links": [ + { + "href": "http://www.kb.cert.org/vuls/id/189140", + "id": "189140", + "source": "cert-vn" + }, + { + "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26818", + "id": "win-mailslot-bo(26818)", + "source": "xf" + }, + { + "href": "http://www.securityfocus.com/bid/18863", + "id": "18863", + "source": "bid" + }, + { + "href": "https://support.microsoft.com/en-us/kb/917159", + "id": "KB917159", + "source": "mskb" + }, + { + "href": "http://www.us-cert.gov/cas/techalerts/TA06-192A.html", + "id": "TA06-192A", + "source": "cert" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2006-1314", + "id": "CVE-2006-1314", + "source": "cve" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2006-1315", + "id": "CVE-2006-1315", + "source": "cve" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3", + "id": "3", + "source": "oval" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600", + "id": "600", + "source": "oval" + }, + { + "href": "http://www.osvdb.org/27155", + "id": "27155", + "source": "osvdb" + }, + { + "href": "http://www.osvdb.org/27154", + "id": "27154", + "source": "osvdb" + }, + { + "href": "http://technet.microsoft.com/security/bulletin/MS06-035", + "id": "MS06-035", + "source": "ms" + }, + { + "href": "http://www.securityfocus.com/bid/18891", + "id": "18891", + "source": "bid" + }, + { + "href": "http://technet.microsoft.com/en-us/security/bulletin/MS06-035", + "id": 
"http://technet.microsoft.com/en-us/security/bulletin/MS06-035", + "source": "url" + }, + { + "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26820", + "id": "win-smb-information-disclosure(26820)", + "source": "xf" + }, + { + "href": "http://www.kb.cert.org/vuls/id/333636", + "id": "333636", + "source": "cert-vn" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 7.5, + "fail": true, + "severity_score": 5, + "status": "fail" + }, + "proof": "Vulnerable OS: Microsoft Windows Server 2003 SP1\n\n\n\nServer responded with vulnerable error code: 2 and class: 1", + "published": "2006-07-11T00:00:00.000Z", + "references": "bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)", + "risk_score": 756.57, + "severity": "critical", + "severity_score": 8, + "solution": { + "fix": "Take a look at all possible solutions for vulnerability", + "id": "unknown-windows-hotfix-ms06-035", + "summary": "The solution is unknown for vuln windows-hotfix-ms06-035", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", + "title": "MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft Patch", + "Remote Execution" + ], + "classification": "CVSS", + "description": "This update resolves several newly discovered, privately 
reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.", + "enumeration": "CVE", + "id": [ + "CVE-2006-1314", + "CVE-2006-1315" + ], + "published_date": "2006-07-11T00:00:00.000Z", + "reference": [ + "http://www.kb.cert.org/vuls/id/189140", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/26818", + "http://www.securityfocus.com/bid/18863", + "https://support.microsoft.com/en-us/kb/917159", + "http://www.us-cert.gov/cas/techalerts/TA06-192A.html", + "http://nvd.nist.gov/vuln/detail/CVE-2006-1314", + "http://nvd.nist.gov/vuln/detail/CVE-2006-1315", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600", + "http://www.osvdb.org/27155", + "http://www.osvdb.org/27154", + "http://technet.microsoft.com/security/bulletin/MS06-035", + "http://www.securityfocus.com/bid/18891", + "http://technet.microsoft.com/en-us/security/bulletin/MS06-035", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/26820", + "http://www.kb.cert.org/vuls/id/333636" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 6.5, + "version": "3.0" + }, + "severity": "Critical", + "title": "Vulnerability in Server Service Could Allow Remote Code Execution (917159)" + } + }, + { + "@timestamp": "2023-05-23T18:16:30.836Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2018-11-25T09:20:27.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|windows-hotfix-ms06-035|2023-05-23T18:16:30.836Z", + "kind": "event", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2018-11-25T09:20:27Z\",\"key\":\"\",\"last_found\":\"2023-05-23T18:16:30.836Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows Server 2003 SP1

Based on the result of the "dcerpc-ms-netapi-netpathcanonicalize-dos" test, this node is applicable to this issue.

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms06-035\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms06-035\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms06-035\",\"added\":\"2006-07-12T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution\",\"cves\":\"CVE-2006-1314,CVE-2006-1315\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":7.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.83525473,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"low\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":6.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"denial_of_service\":false,\"description\":\"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \\\"Vulnerability Details\\\" section of this bulletin. 
We recommend that customers apply the update immediately.\",\"exploits\":[{\"description\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"id\":\"2057\",\"name\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a kernel pool corruption bug in SRV.SYS. Each\\n call to the mailslot write function results in a two byte return value\\n being written into the response packet. The code which creates this packet\\n fails to consider these two bytes in the allocation routine, resulting in\\n a slow corruption of the kernel memory pool. These two bytes are almost\\n always set to \\\"\\\\xff\\\\xff\\\" (a short integer with value of -1).\",\"id\":\"auxiliary/dos/windows/smb/ms06_035_mailslot\",\"name\":\"Microsoft SRV.SYS Mailslot Write Corruption\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"}],\"id\":\"windows-hotfix-ms06-035\",\"links\":[{\"href\":\"http://www.kb.cert.org/vuls/id/189140\",\"id\":\"189140\",\"source\":\"cert-vn\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818\",\"id\":\"win-mailslot-bo(26818)\",\"source\":\"xf\"},{\"href\":\"http://www.securityfocus.com/bid/18863\",\"id\":\"18863\",\"source\":\"bid\"},{\"href\":\"https://support.microsoft.com/en-us/kb/917159\",\"id\":\"KB917159\",\"source\":\"mskb\"},{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA06-192A.html\",\"id\":\"TA06-192A\",\"source\":\"cert\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1314\",\"id\":\"CVE-2006-1314\",\"source\":\"cve\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1315\",\"id\":\"CVE-2006-1315\",\"source\":\"cve\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3\",\"id\":\"3\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600\",\"id\":
\"600\",\"source\":\"oval\"},{\"href\":\"http://www.osvdb.org/27155\",\"id\":\"27155\",\"source\":\"osvdb\"},{\"href\":\"http://www.osvdb.org/27154\",\"id\":\"27154\",\"source\":\"osvdb\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS06-035\",\"id\":\"MS06-035\",\"source\":\"ms\"},{\"href\":\"http://www.securityfocus.com/bid/18891\",\"id\":\"18891\",\"source\":\"bid\"},{\"href\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"id\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"source\":\"url\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26820\",\"id\":\"win-smb-information-disclosure(26820)\",\"source\":\"xf\"},{\"href\":\"http://www.kb.cert.org/vuls/id/333636\",\"id\":\"333636\",\"source\":\"cert-vn\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":7.5,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2006-07-11T00:00:00Z\",\"references\":\"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)\",\"risk_score\":756.57,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)\"}}", + "severity": 8, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + 
"observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "Microsoft Windows Server 2003 SP1", + "version": "Microsoft Windows Server 2003 SP1" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vulnerability": { + "added": "2006-07-12T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft Patch", + "Remote Execution" + ], + "cves": [ + "CVE-2006-1314", + "CVE-2006-1315" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 9.996799945831299, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 7.5, + "vector": "(AV:N/AC:L/Au:N/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "none", + 
"confidentiality_impact": "high", + "exploit_score": 2.83525473, + "impact_score": 3.5952, + "integrity_impact": "none", + "privileges_required": "low", + "scope": "unchanged", + "score": 6.5, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "denial_of_service": false, + "description": "This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.", + "exploits": [ + { + "description": "Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)", + "id": "2057", + "name": "Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module triggers a kernel pool corruption bug in SRV.SYS. Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. 
These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).", + "id": "auxiliary/dos/windows/smb/ms06_035_mailslot", + "name": "Microsoft SRV.SYS Mailslot Write Corruption", + "rank": "normal", + "skill_level": "intermediate", + "source": "metasploit" + } + ], + "first_found": "2018-11-25T09:20:27.000Z", + "id": "windows-hotfix-ms06-035", + "last_found": "2023-05-23T18:16:30.836Z", + "links": [ + { + "href": "http://www.kb.cert.org/vuls/id/189140", + "id": "189140", + "source": "cert-vn" + }, + { + "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26818", + "id": "win-mailslot-bo(26818)", + "source": "xf" + }, + { + "href": "http://www.securityfocus.com/bid/18863", + "id": "18863", + "source": "bid" + }, + { + "href": "https://support.microsoft.com/en-us/kb/917159", + "id": "KB917159", + "source": "mskb" + }, + { + "href": "http://www.us-cert.gov/cas/techalerts/TA06-192A.html", + "id": "TA06-192A", + "source": "cert" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2006-1314", + "id": "CVE-2006-1314", + "source": "cve" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2006-1315", + "id": "CVE-2006-1315", + "source": "cve" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3", + "id": "3", + "source": "oval" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600", + "id": "600", + "source": "oval" + }, + { + "href": "http://www.osvdb.org/27155", + "id": "27155", + "source": "osvdb" + }, + { + "href": "http://www.osvdb.org/27154", + "id": "27154", + "source": "osvdb" + }, + { + "href": "http://technet.microsoft.com/security/bulletin/MS06-035", + "id": "MS06-035", + "source": "ms" + }, + { + "href": "http://www.securityfocus.com/bid/18891", + "id": "18891", + "source": "bid" + }, + { + "href": "http://technet.microsoft.com/en-us/security/bulletin/MS06-035", + "id": 
"http://technet.microsoft.com/en-us/security/bulletin/MS06-035", + "source": "url" + }, + { + "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26820", + "id": "win-smb-information-disclosure(26820)", + "source": "xf" + }, + { + "href": "http://www.kb.cert.org/vuls/id/333636", + "id": "333636", + "source": "cert-vn" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 7.5, + "fail": true, + "severity_score": 5, + "status": "fail" + }, + "proof": "Vulnerable OS: Microsoft Windows Server 2003 SP1\n\n\n\nBased on the result of the \"dcerpc-ms-netapi-netpathcanonicalize-dos\" test, this node is applicable to this issue.", + "published": "2006-07-11T00:00:00.000Z", + "references": "bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)", + "risk_score": 756.57, + "severity": "critical", + "severity_score": 8, + "solution": { + "fix": "Take a look at all possible solutions for vulnerability", + "id": "unknown-windows-hotfix-ms06-035", + "summary": "The solution is unknown for vuln windows-hotfix-ms06-035", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", + "title": "MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft Patch", + "Remote Execution" + ], + "classification": "CVSS", + "description": "This 
update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.", + "enumeration": "CVE", + "id": [ + "CVE-2006-1314", + "CVE-2006-1315" + ], + "published_date": "2006-07-11T00:00:00.000Z", + "reference": [ + "http://www.kb.cert.org/vuls/id/189140", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/26818", + "http://www.securityfocus.com/bid/18863", + "https://support.microsoft.com/en-us/kb/917159", + "http://www.us-cert.gov/cas/techalerts/TA06-192A.html", + "http://nvd.nist.gov/vuln/detail/CVE-2006-1314", + "http://nvd.nist.gov/vuln/detail/CVE-2006-1315", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600", + "http://www.osvdb.org/27155", + "http://www.osvdb.org/27154", + "http://technet.microsoft.com/security/bulletin/MS06-035", + "http://www.securityfocus.com/bid/18891", + "http://technet.microsoft.com/en-us/security/bulletin/MS06-035", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/26820", + "http://www.kb.cert.org/vuls/id/333636" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 6.5, + "version": "3.0" + }, + "severity": "Critical", + "title": "Vulnerability in Server Service Could Allow Remote Code Execution (917159)" + } + }, + { + "@timestamp": "2023-06-23T17:29:23.453Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2022-12-23T18:40:29.000Z", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|msft-cve-2022-37967|2023-06-23T17:29:23.453Z", + "kind": "event", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"check_id\":\"msft-cve-2022-37967-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc\",\"first_found\":\"2022-12-23T18:40:29Z\",\"key\":\"\",\"last_found\":\"2023-06-23T17:29:23.453Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1

Based on the following 2 results:

    • Found an applicable package: HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Component Based Servicing\\\\Packages\\\\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.
      • HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\SideBySide\\\\Winners\\\\amd64_Microsoft-Windows-Audio-DMusic_31bf3856ad364e35_none_6ddb350169ebdb56 - key exists
      • The above CBS component is currently version 6.1.7600.16385, expected version 6.1.7601.26262 or higher
      • 2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288) is applicable for this CBS component

    • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion
      • UBR - contains 24443

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Download and apply the patch from: https://support.microsoft.com/kb/5021288

\",\"solution_id\":\"msft-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc\",\"solution_summary\":\"2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288)\",\"solution_type\":\"patch\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"msft-cve-2022-37967\",\"added\":\"2022-11-08T00:00:00Z\",\"categories\":\"Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation\",\"cves\":\"CVE-2022-37967\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"multiple\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":6.389999830722808,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":8.3,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:M/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":1.2347077050000002,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"high\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.2,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Windows Kerberos Elevation of Privilege 
Vulnerability.\",\"exploits\":[],\"id\":\"msft-cve-2022-37967\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2022-37967\",\"id\":\"CVE-2022-37967\",\"source\":\"cve\"},{\"href\":\"https://support.microsoft.com/help/5031364\",\"id\":\"https://support.microsoft.com/help/5031364\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031362\",\"id\":\"https://support.microsoft.com/help/5031362\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031361\",\"id\":\"https://support.microsoft.com/help/5031361\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031407\",\"id\":\"https://support.microsoft.com/help/5031407\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031419\",\"id\":\"https://support.microsoft.com/help/5031419\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031427\",\"id\":\"https://support.microsoft.com/help/5031427\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2024-09-06T00:00:00Z\",\"pci_cvss_score\":8.3,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2022-11-08T00:00:00Z\",\"references\":\"cve:CVE-2022-37967,url:https://support.microsoft.com/help/5031361,url:https://support.microsoft.com/help/5031362,url:https://support.microsoft.com/help/5031364,url:https://support.microsoft.com/help/5031407,url:https://support.microsoft.com/help/5031419,url:https://support.microsoft.com/help/5031427\",\"risk_score\":434.28,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"Microsoft Windows: CVE-2022-37967: Windows Kerberos Elevation of Privilege Vulnerability\"}}", + "severity": 8, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": [ + "10.50.13.52" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "Win11-50-13-52", + "os": { + "family": "Windows", + 
"full": "Microsoft Windows 11 22H2", + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "22H2" + }, + "risk": { + "static_score": 181622.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "Microsoft Windows 7 Enterprise Edition SP1", + "version": "Microsoft Windows 7 Enterprise Edition SP1" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 119, + "exploits": 4, + "host_name": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": "10.50.13.52", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-00", + "malware_kits": 0, + "moderate_vulnerabilities": 8, + "os": { + "architecture": "x86_64", + "description": "Microsoft Windows 11 22H2", + "family": "Windows", + "name": "Windows 11", + "system_name": "Microsoft Windows", + "type": "Workstation", + "vendor": "Microsoft", + "version": "22H2" + }, + "risk_score": 181622.0, + "severe_vulnerabilities": 241, + "total_vulnerabilities": 368, + "type": "guest", + "unique_identifiers": [ + { + "id": "F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050", + "source": "CSPRODUCT" + }, + { + "id": "c5cf46abcdef0123456789291c7d554a", + "source": "R7 Agent" + } + ], + "vulnerability": { + "added": "2022-11-08T00:00:00.000Z", + "categories": [ + "Microsoft", + "Microsoft Patch", + "Microsoft Windows", + "Privilege Escalation" + ], + "check_id": "msft-cve-2022-37967-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc", + "cves": [ + "CVE-2022-37967" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "multiple", + "availability_impact": "complete", + "confidentiality_impact": "complete", + "exploit_score": 
6.389999830722808, + "impact_score": 10.000845454680942, + "integrity_impact": "complete", + "score": 8.3, + "vector": "(AV:N/AC:L/Au:M/C:C/I:C/A:C)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 1.2347077050000002, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "high", + "scope": "unchanged", + "score": 7.2, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "Windows Kerberos Elevation of Privilege Vulnerability.", + "first_found": "2022-12-23T18:40:29.000Z", + "id": "msft-cve-2022-37967", + "last_found": "2023-06-23T17:29:23.453Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2022-37967", + "id": "CVE-2022-37967", + "source": "cve" + }, + { + "href": "https://support.microsoft.com/help/5031364", + "id": "https://support.microsoft.com/help/5031364", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5031362", + "id": "https://support.microsoft.com/help/5031362", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5031361", + "id": "https://support.microsoft.com/help/5031361", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5031407", + "id": "https://support.microsoft.com/help/5031407", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5031419", + "id": "https://support.microsoft.com/help/5031419", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5031427", + "id": "https://support.microsoft.com/help/5031427", + "source": "url" + } + ], + "modified": "2024-09-06T00:00:00.000Z", + "pci": { + "cvss_score": 8.3, + "fail": true, + "severity_score": 5, + "status": "fail" + }, + "proof": "Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1\n\n\n\nBased on the following 2 
results:\n\n\n\n\nFound an applicable package: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages\\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.\n\n\n\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\Winners\\amd64_Microsoft-Windows-Audio-DMusic_31bf3856ad364e35_none_6ddb350169ebdb56 - key exists\n\nThe above CBS component is currently version 6.1.7600.16385, expected version 6.1.7601.26262 or higher\n\n2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288) is applicable for this CBS component\n\n\n\n\n\n\n\n\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\n\nUBR - contains 24443", + "published": "2022-11-08T00:00:00.000Z", + "references": "cve:CVE-2022-37967,url:https://support.microsoft.com/help/5031361,url:https://support.microsoft.com/help/5031362,url:https://support.microsoft.com/help/5031364,url:https://support.microsoft.com/help/5031407,url:https://support.microsoft.com/help/5031419,url:https://support.microsoft.com/help/5031427", + "risk_score": 434.28, + "severity": "critical", + "severity_score": 8, + "solution": { + "fix": "Download and apply the patch from: https://support.microsoft.com/kb/5021288", + "id": "msft-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc", + "summary": "2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288)", + "type": "patch" + }, + "status": "VULNERABLE_EXPL", + "title": "Microsoft Windows: CVE-2022-37967: Windows Kerberos Elevation of Privilege Vulnerability" + } + } + }, + "related": { + "hosts": [ + "Win11-50-13-52", + "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1" + ], + "ip": [ + "10.50.13.52" + ] + }, + "resource": { + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "name": "Win11-50-13-52" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + 
"category": [ + "Microsoft", + "Microsoft Patch", + "Microsoft Windows", + "Privilege Escalation" + ], + "classification": "CVSS", + "description": "Windows Kerberos Elevation of Privilege Vulnerability.", + "enumeration": "CVE", + "id": [ + "CVE-2022-37967" + ], + "published_date": "2022-11-08T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2022-37967", + "https://support.microsoft.com/help/5031364", + "https://support.microsoft.com/help/5031362", + "https://support.microsoft.com/help/5031361", + "https://support.microsoft.com/help/5031407", + "https://support.microsoft.com/help/5031419", + "https://support.microsoft.com/help/5031427" + ], + "scanner": { + "name": "c5cf46abcdef0123456789291c7d554a", + "vendor": "Rapid7" + }, + "score": { + "base": 7.2, + "version": "3.0" + }, + "severity": "Critical", + "title": "Windows Kerberos Elevation of Privilege Vulnerability" + } + }, + { + "@timestamp": "2023-06-23T17:29:23.453Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2022-12-23T18:40:29.000Z", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|windows-defender-cve-2022-24548|2023-06-23T17:29:23.453Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 
22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2022-12-23T18:40:29Z\",\"key\":\"\",\"last_found\":\"2023-06-23T17:29:23.453Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1

Based on the following 4 results:

  1. Based on the following 2 results:

      • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender - key does not exist

      • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender
        • DisableAntiSpyware - contains 0

    • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Signature Updates
      • EngineVersion - contains 1.1.9203.0

    • HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SepMasterService - key does not exist
      • Start - value does not exist

    • HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\MsMpSvc - key does not exist
      • Start - value does not exist

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Verify that the latest version of the Microsoft Malware Protection Engine\\nand definition updates are being actively downloaded and installed for their Microsoft antimalware products.\\nFor more information on how to verify the version number for the Microsoft Malware Protection Engine that your\\nsoftware is currently using, see the section Verifying Update Installation\\nin Microsoft Knowledge Base Article 2510781 https://support.microsoft.com/kb/2510781

\",\"solution_id\":\"windows-defender-upgrade-latest\",\"solution_summary\":\"Upgrade Microsoft Defender to the latest version.\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-defender-cve-2022-24548\",\"added\":\"2022-04-14T00:00:00Z\",\"categories\":\"Denial of Service,Microsoft Windows Defender\",\"cves\":\"CVE-2022-24548\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":2.862749751806259,\"cvss_v2_integrity_impact\":\"none\",\"cvss_v2_score\":4.3,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:N/I:N/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":1.8345765900000002,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":5.5,\"cvss_v3_user_interaction\":\"required\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"denial_of_service\":true,\"description\":\"Microsoft Defender Denial of Service Vulnerability\",\"exploits\":[],\"id\":\"windows-defender-cve-2022-24548\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2022-24548\",\"id\":\"CVE-2022-24548\",\"source\":\"cve\"},{\"href\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548\",\"id\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2023-12-13T00:00:00Z\",\"pci_cvss_score\":4.3,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"Denial-of-Service-only vulnerability marked as compliant. 
\",\"pci_status\":\"pass\",\"published\":\"2022-04-14T00:00:00Z\",\"references\":\"cve:CVE-2022-24548,url:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548\",\"risk_score\":124.28,\"severity\":\"severe\",\"severity_score\":4,\"title\":\"Microsoft Defender Denial of Service Vulnerability (CVE-2022-24548)\"}}", + "severity": 4, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": [ + "10.50.13.52" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "Win11-50-13-52", + "os": { + "family": "Windows", + "full": "Microsoft Windows 11 22H2", + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "22H2" + }, + "risk": { + "static_score": 181622.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "fixed_version": "latest", + "name": "Microsoft Windows 7 Enterprise Edition SP1", + "version": "Microsoft Windows 7 Enterprise Edition SP1" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 119, + "exploits": 4, + "host_name": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": "10.50.13.52", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-00", + "malware_kits": 0, + "moderate_vulnerabilities": 8, + "os": { + "architecture": "x86_64", + "description": "Microsoft Windows 11 22H2", + "family": "Windows", + "name": "Windows 11", + "system_name": "Microsoft Windows", + "type": "Workstation", + "vendor": "Microsoft", + "version": "22H2" + }, + "risk_score": 181622.0, + "severe_vulnerabilities": 241, + "total_vulnerabilities": 368, + "type": "guest", + 
"unique_identifiers": [ + { + "id": "F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050", + "source": "CSPRODUCT" + }, + { + "id": "c5cf46abcdef0123456789291c7d554a", + "source": "R7 Agent" + } + ], + "vulnerability": { + "added": "2022-04-14T00:00:00.000Z", + "categories": [ + "Denial of Service", + "Microsoft Windows Defender" + ], + "cves": [ + "CVE-2022-24548" + ], + "cvss_v2": { + "access_complexity": "medium", + "access_vector": "network", + "authentication": "none", + "availability_impact": "partial", + "confidentiality_impact": "none", + "exploit_score": 8.588799953460693, + "impact_score": 2.862749751806259, + "integrity_impact": "none", + "score": 4.3, + "vector": "(AV:N/AC:M/Au:N/C:N/I:N/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "local", + "availability_impact": "high", + "confidentiality_impact": "none", + "exploit_score": 1.8345765900000002, + "impact_score": 3.5952, + "integrity_impact": "none", + "privileges_required": "none", + "scope": "unchanged", + "score": 5.5, + "user_interaction": "required", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + "denial_of_service": true, + "description": "Microsoft Defender Denial of Service Vulnerability", + "first_found": "2022-12-23T18:40:29.000Z", + "id": "windows-defender-cve-2022-24548", + "last_found": "2023-06-23T17:29:23.453Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2022-24548", + "id": "CVE-2022-24548", + "source": "cve" + }, + { + "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548", + "id": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548", + "source": "url" + } + ], + "modified": "2023-12-13T00:00:00.000Z", + "pci": { + "cvss_score": 4.3, + "fail": false, + "severity_score": 2, + "special_notes": "Denial-of-Service-only vulnerability marked as compliant. 
", + "status": "pass" + }, + "proof": "Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1\n\n\n\nBased on the following 4 results:\n\n\n\nBased on the following 2 results:\n\n\n\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender - key does not exist\n\n\n\n\n\n\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\n\nDisableAntiSpyware - contains 0\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\n\nEngineVersion - contains 1.1.9203.0\n\n\n\n\n\n\n\n\n\n\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SepMasterService - key does not exist\n\nStart - value does not exist\n\n\n\n\n\n\n\n\n\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\MsMpSvc - key does not exist\n\nStart - value does not exist", + "published": "2022-04-14T00:00:00.000Z", + "references": "cve:CVE-2022-24548,url:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548", + "risk_score": 124.28, + "severity": "severe", + "severity_score": 4, + "solution": { + "fix": "Verify that the latest version of the Microsoft Malware Protection Engine\nand definition updates are being actively downloaded and installed for their Microsoft antimalware products.\nFor more information on how to verify the version number for the Microsoft Malware Protection Engine that your\nsoftware is currently using, see the section Verifying Update Installation\nin Microsoft Knowledge Base Article 2510781 https://support.microsoft.com/kb/2510781", + "id": "windows-defender-upgrade-latest", + "summary": "Upgrade Microsoft Defender to the latest version.", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", + "title": "Microsoft Defender Denial of Service Vulnerability (CVE-2022-24548)" + } + } + }, + "related": { + "hosts": [ + "Win11-50-13-52", + "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1" + ], + "ip": [ + "10.50.13.52" + ] + }, + "resource": { + "id": 
"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "name": "Win11-50-13-52" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "Denial of Service", + "Microsoft Windows Defender" + ], + "classification": "CVSS", + "description": "Microsoft Defender Denial of Service Vulnerability", + "enumeration": "CVE", + "id": [ + "CVE-2022-24548" + ], + "published_date": "2022-04-14T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2022-24548", + "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548" + ], + "scanner": { + "name": "c5cf46abcdef0123456789291c7d554a", + "vendor": "Rapid7" + }, + "score": { + "base": 5.5, + "version": "3.0" + }, + "severity": "High", + "title": "Microsoft Defender Denial of Service Vulnerability (CVE-2022-24548)" + } + }, + { + "@timestamp": "2019-02-14T21:39:25.312Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2018-11-25T09:10:10.000Z", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|windows-hotfix-ms09-050|2019-02-14T21:39:25.312Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 
11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2018-11-25T09:10:10Z\",\"key\":\"\",\"last_found\":\"2019-02-14T21:39:25.312Z\",\"nic\":null,\"port\":445,\"proof\":\"

Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition SP2

System replied with a malformed SMB packet

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms09-050\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms09-050\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms09-050\",\"added\":\"2009-10-13T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution\",\"cves\":\"CVE-2009-2526,CVE-2009-2532,CVE-2009-3103\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":9.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\",\"exploits\":[{\"description\":\"Microsoft Windows 7/2008 R2 - Remote Kernel Crash\",\"id\":\"10005\",\"name\":\"Microsoft Windows 7/2008 R2 - Remote Kernel Crash\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.\",\"id\":\"auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff\",\"name\":\"Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)\",\"id\":\"40280\",\"name\":\"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service\",\"id\":\"12524\",\"name\":\"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module exploits an out of bounds function table dereference in the SMB\\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\\n without SP1 does not seem affected by this flaw.\",\"id\":\"exploit/windows/smb/ms09_050_smb2_negotiate_func_index\",\"name\":\"MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference\",\"rank\":\"good\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)\",\"id\":\"14674\",\"name\":\"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module exploits an out of bounds function table dereference in the SMB\\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\\tVista\\n without SP1 does not seem affected by this flaw.\",\"id\":\"auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh\",\"name\":\"Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)\",\"id\":\"9594\",\"name\":\"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death 
(MS07-063)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"}],\"id\":\"windows-hotfix-ms09-050\",\"links\":[{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA09-286A.html\",\"id\":\"TA09-286A\",\"source\":\"cert\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489\",\"id\":\"6489\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336\",\"id\":\"6336\",\"source\":\"oval\"},{\"href\":\"http://www.securityfocus.com/bid/36299\",\"id\":\"36299\",\"source\":\"bid\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595\",\"id\":\"5595\",\"source\":\"oval\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-2526\",\"id\":\"CVE-2009-2526\",\"source\":\"cve\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS09-050\",\"id\":\"MS09-050\",\"source\":\"ms\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-3103\",\"id\":\"CVE-2009-3103\",\"source\":\"cve\"},{\"href\":\"http://www.kb.cert.org/vuls/id/135940\",\"id\":\"135940\",\"source\":\"cert-vn\"},{\"href\":\"https://support.microsoft.com/en-us/kb/975517\",\"id\":\"KB975517\",\"source\":\"mskb\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-2532\",\"id\":\"CVE-2009-2532\",\"source\":\"cve\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/53090\",\"id\":\"53090\",\"source\":\"xf\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2009-10-13T00:00:00Z\",\"references\":\"cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A\",\"risk_score\":914.2,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote 
Code Execution (975517)\"}}", + "severity": 10, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": [ + "10.50.13.52" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "Win11-50-13-52", + "os": { + "family": "Windows", + "full": "Microsoft Windows 11 22H2", + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "22H2" + }, + "risk": { + "static_score": 181622.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "Microsoft Windows Server 2008 Enterprise Edition SP2", + "version": "Microsoft Windows Server 2008 Enterprise Edition SP2" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 119, + "exploits": 4, + "host_name": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": "10.50.13.52", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-00", + "malware_kits": 0, + "moderate_vulnerabilities": 8, + "os": { + "architecture": "x86_64", + "description": "Microsoft Windows 11 22H2", + "family": "Windows", + "name": "Windows 11", + "system_name": "Microsoft Windows", + "type": "Workstation", + "vendor": "Microsoft", + "version": "22H2" + }, + "risk_score": 181622.0, + "severe_vulnerabilities": 241, + "total_vulnerabilities": 368, + "type": "guest", + "unique_identifiers": [ + { + "id": "F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050", + "source": "CSPRODUCT" + }, + { + "id": "c5cf46abcdef0123456789291c7d554a", + "source": "R7 Agent" + } + ], + "vulnerability": { + "added": "2009-10-13T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + 
"Microsoft Patch", + "Remote Execution" + ], + "cves": [ + "CVE-2009-2526", + "CVE-2009-2532", + "CVE-2009-3103" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "complete", + "confidentiality_impact": "complete", + "exploit_score": 9.996799945831299, + "impact_score": 10.000845454680942, + "integrity_impact": "complete", + "score": 10.0, + "vector": "(AV:N/AC:L/Au:N/C:C/I:C/A:C)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 3.8870427750000003, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 9.8, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.", + "exploits": [ + { + "description": "Microsoft Windows 7/2008 R2 - Remote Kernel Crash", + "id": "10005", + "name": "Microsoft Windows 7/2008 R2 - Remote Kernel Crash", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.", + "id": "auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff", + "name": "Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference", + "rank": "normal", + "skill_level": "intermediate", + "source": "metasploit" + }, + { + "description": "Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)", + "id": "40280", + "name": "Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service", + "id": "12524", + "name": "Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\n without SP1 does not seem affected by this flaw.", + "id": "exploit/windows/smb/ms09_050_smb2_negotiate_func_index", + "name": "MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", + "rank": "good", + "skill_level": "intermediate", + "source": "metasploit" + }, + { + "description": "Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)", + "id": "14674", + "name": "Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.", + "id": "auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh", + "name": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", + "rank": "normal", + "skill_level": "intermediate", + "source": "metasploit" + }, + { + "description": "Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)", + "id": "9594", + "name": "Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + } + ], + "first_found": "2018-11-25T09:10:10.000Z", + "id": "windows-hotfix-ms09-050", + "last_found": "2019-02-14T21:39:25.312Z", + "links": [ + { + "href": "http://www.us-cert.gov/cas/techalerts/TA09-286A.html", + "id": "TA09-286A", + "source": "cert" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489", + "id": "6489", + "source": "oval" + }, + { + "href": 
"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336", + "id": "6336", + "source": "oval" + }, + { + "href": "http://www.securityfocus.com/bid/36299", + "id": "36299", + "source": "bid" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595", + "id": "5595", + "source": "oval" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2009-2526", + "id": "CVE-2009-2526", + "source": "cve" + }, + { + "href": "http://technet.microsoft.com/security/bulletin/MS09-050", + "id": "MS09-050", + "source": "ms" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2009-3103", + "id": "CVE-2009-3103", + "source": "cve" + }, + { + "href": "http://www.kb.cert.org/vuls/id/135940", + "id": "135940", + "source": "cert-vn" + }, + { + "href": "https://support.microsoft.com/en-us/kb/975517", + "id": "KB975517", + "source": "mskb" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2009-2532", + "id": "CVE-2009-2532", + "source": "cve" + }, + { + "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53090", + "id": "53090", + "source": "xf" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 10.0, + "fail": true, + "severity_score": 5, + "status": "fail" + }, + "port": 445, + "proof": "Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition SP2\n\n\n\nSystem replied with a malformed SMB packet", + "protocol": "TCP", + "published": "2009-10-13T00:00:00.000Z", + "references": "cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A", + "risk_score": 914.2, + "severity": "critical", + "severity_score": 10, + "solution": { + "fix": "Take a look at all possible solutions for vulnerability", + "id": "unknown-windows-hotfix-ms09-050", + "summary": "The solution is unknown for vuln windows-hotfix-ms09-050", + "type": "workaround" + }, + "status": 
"VULNERABLE_EXPL", + "title": "MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)" + } + } + }, + "related": { + "hosts": [ + "Win11-50-13-52", + "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1" + ], + "ip": [ + "10.50.13.52" + ] + }, + "resource": { + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "name": "Win11-50-13-52" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft Patch", + "Remote Execution" + ], + "classification": "CVSS", + "description": "This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.", + "enumeration": "CVE", + "id": [ + "CVE-2009-2526", + "CVE-2009-2532", + "CVE-2009-3103" + ], + "published_date": "2009-10-13T00:00:00.000Z", + "reference": [ + "http://www.us-cert.gov/cas/techalerts/TA09-286A.html", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336", + "http://www.securityfocus.com/bid/36299", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595", + "http://nvd.nist.gov/vuln/detail/CVE-2009-2526", + "http://technet.microsoft.com/security/bulletin/MS09-050", + "http://nvd.nist.gov/vuln/detail/CVE-2009-3103", + "http://www.kb.cert.org/vuls/id/135940", + "https://support.microsoft.com/en-us/kb/975517", + "http://nvd.nist.gov/vuln/detail/CVE-2009-2532", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/53090" + ], + "scanner": { + "name": "c5cf46abcdef0123456789291c7d554a", + "vendor": "Rapid7" + }, + "score": { + "base": 9.8, + "version": "3.0" + }, + "severity": "Critical", + "title": "Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)" + } + }, + { + "@timestamp": "2022-04-23T18:04:36.094Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2021-02-23T18:39:30.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|centos_linux-cve-2020-2574|2022-04-23T18:04:36.094Z", + "kind": "event", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2021-02-23T18:39:30Z\",\"key\":\"\",\"last_found\":\"2022-04-23T18:04:36.094Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: CentOS Linux 7.6.1810

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-centos_linux-cve-2020-2574\",\"solution_summary\":\"The solution is unknown for vuln centos_linux-cve-2020-2574\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"centos_linux-cve-2020-2574\",\"added\":\"2020-09-15T00:00:00Z\",\"categories\":\"CentOS\",\"cves\":\"CVE-2020-2574\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":2.862749751806259,\"cvss_v2_integrity_impact\":\"none\",\"cvss_v2_score\":4.3,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:N/I:N/A:P)\",\"cvss_v3_attack_complexity\":\"high\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":2.2211673,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":5.9,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"denial_of_service\":true,\"description\":\"Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).\",\"exploits\":[],\"id\":\"centos_linux-cve-2020-2574\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2020-2574\",\"id\":\"CVE-2020-2574\",\"source\":\"nvd\"}],\"malware_kits\":[],\"modified\":\"2023-05-25T00:00:00Z\",\"pci_cvss_score\":4.3,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"Denial-of-Service-only vulnerability marked as compliant. \",\"pci_status\":\"pass\",\"published\":\"2020-01-15T00:00:00Z\",\"references\":\"nvd:CVE-2020-2574\",\"risk_score\":150.88,\"severity\":\"severe\",\"severity_score\":4,\"title\":\"CentOS Linux: CVE-2020-2574: Important: mysql:8.0 security update (Multiple Advisories)\"}}", + "severity": 4, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "mariadb-libs - version 1:5.5.60-1.el7_5", + "version": "mariadb-libs - version 1:5.5.60-1.el7_5" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + 
"description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vulnerability": { + "added": "2020-09-15T00:00:00.000Z", + "categories": [ + "CentOS" + ], + "cves": [ + "CVE-2020-2574" + ], + "cvss_v2": { + "access_complexity": "medium", + "access_vector": "network", + "authentication": "none", + "availability_impact": "partial", + "confidentiality_impact": "none", + "exploit_score": 8.588799953460693, + "impact_score": 2.862749751806259, + "integrity_impact": "none", + "score": 4.3, + "vector": "(AV:N/AC:M/Au:N/C:N/I:N/A:P)" + }, + "cvss_v3": { + "attack_complexity": "high", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "none", + "exploit_score": 2.2211673, + "impact_score": 3.5952, + "integrity_impact": "none", + "privileges_required": "none", + "scope": "unchanged", + "score": 5.9, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "denial_of_service": true, + "description": "Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).", + "first_found": "2021-02-23T18:39:30.000Z", + "id": "centos_linux-cve-2020-2574", + "last_found": "2022-04-23T18:04:36.094Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2020-2574", + "id": "CVE-2020-2574", + "source": "nvd" + } + ], + "modified": "2023-05-25T00:00:00.000Z", + "pci": { + "cvss_score": 4.3, + "fail": false, + "severity_score": 2, + "special_notes": "Denial-of-Service-only vulnerability marked as compliant. ", + "status": "pass" + }, + "proof": "Vulnerable OS: CentOS Linux 7.6.1810\n\n\n\n\n\n\nmariadb-libs - version 1:5.5.60-1.el7_5 is installed", + "published": "2020-01-15T00:00:00.000Z", + "references": "nvd:CVE-2020-2574", + "risk_score": 150.88, + "severity": "severe", + "severity_score": 4, + "solution": { + "fix": "Take a look at all possible solutions for vulnerability", + "id": "unknown-centos_linux-cve-2020-2574", + "summary": "The solution is unknown for vuln centos_linux-cve-2020-2574", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "CentOS Linux: CVE-2020-2574: Important: mysql:8.0 security update (Multiple Advisories)" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CentOS" + ], + "classification": "CVSS", + "description": "Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).", + "enumeration": "CVE", + "id": [ + "CVE-2020-2574" + ], + "published_date": "2020-01-15T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2020-2574" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 5.9, + "version": "3.0" + }, + "severity": "High", + "title": "Important: mysql:8.0 security update (Multiple Advisories)" + } + }, + { + "@timestamp": "2023-06-23T19:16:12.895Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2021-03-23T21:18:51.000Z", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|windows-hotfix-ms09-050|2023-06-23T19:16:12.895Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft 
Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2021-03-23T21:18:51Z\",\"key\":\"\",\"last_found\":\"2023-06-23T19:16:12.895Z\",\"nic\":null,\"port\":445,\"proof\":\"

Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition

\\\\BROWSER: WriteAndX succeeded with offset 77

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms09-001\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms09-001\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms09-001\",\"added\":\"2009-10-13T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution\",\"cves\":\"CVE-2009-2526,CVE-2009-2532,CVE-2009-3103\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":9.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\",\"exploits\":[{\"description\":\"Microsoft Windows 7/2008 R2 - Remote Kernel Crash\",\"id\":\"10005\",\"name\":\"Microsoft Windows 7/2008 R2 - Remote Kernel Crash\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.\",\"id\":\"auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff\",\"name\":\"Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)\",\"id\":\"40280\",\"name\":\"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service\",\"id\":\"12524\",\"name\":\"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module exploits an out of bounds function table dereference in the SMB\\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\\n without SP1 does not seem affected by this flaw.\",\"id\":\"exploit/windows/smb/ms09_050_smb2_negotiate_func_index\",\"name\":\"MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference\",\"rank\":\"good\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)\",\"id\":\"14674\",\"name\":\"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module exploits an out of bounds function table dereference in the SMB\\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\\tVista\\n without SP1 does not seem affected by this flaw.\",\"id\":\"auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh\",\"name\":\"Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)\",\"id\":\"9594\",\"name\":\"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death 
(MS07-063)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"}],\"id\":\"windows-hotfix-ms09-050\",\"links\":[{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA09-286A.html\",\"id\":\"TA09-286A\",\"source\":\"cert\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489\",\"id\":\"6489\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336\",\"id\":\"6336\",\"source\":\"oval\"},{\"href\":\"http://www.securityfocus.com/bid/36299\",\"id\":\"36299\",\"source\":\"bid\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595\",\"id\":\"5595\",\"source\":\"oval\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-2526\",\"id\":\"CVE-2009-2526\",\"source\":\"cve\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS09-050\",\"id\":\"MS09-050\",\"source\":\"ms\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-3103\",\"id\":\"CVE-2009-3103\",\"source\":\"cve\"},{\"href\":\"http://www.kb.cert.org/vuls/id/135940\",\"id\":\"135940\",\"source\":\"cert-vn\"},{\"href\":\"https://support.microsoft.com/en-us/kb/975517\",\"id\":\"KB975517\",\"source\":\"mskb\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-2532\",\"id\":\"CVE-2009-2532\",\"source\":\"cve\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/53090\",\"id\":\"53090\",\"source\":\"xf\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2009-10-13T00:00:00Z\",\"references\":\"cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A\",\"risk_score\":914.2,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote 
Code Execution (975517)\"}}", + "severity": 10, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": [ + "10.50.13.52" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "Win11-50-13-52", + "os": { + "family": "Windows", + "full": "Microsoft Windows 11 22H2", + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "22H2" + }, + "risk": { + "static_score": 181622.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "Microsoft Windows Server 2008 Enterprise Edition", + "version": "Microsoft Windows Server 2008 Enterprise Edition" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 119, + "exploits": 4, + "host_name": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": "10.50.13.52", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-00", + "malware_kits": 0, + "moderate_vulnerabilities": 8, + "os": { + "architecture": "x86_64", + "description": "Microsoft Windows 11 22H2", + "family": "Windows", + "name": "Windows 11", + "system_name": "Microsoft Windows", + "type": "Workstation", + "vendor": "Microsoft", + "version": "22H2" + }, + "risk_score": 181622.0, + "severe_vulnerabilities": 241, + "total_vulnerabilities": 368, + "type": "guest", + "unique_identifiers": [ + { + "id": "F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050", + "source": "CSPRODUCT" + }, + { + "id": "c5cf46abcdef0123456789291c7d554a", + "source": "R7 Agent" + } + ], + "vulnerability": { + "added": "2009-10-13T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft 
Patch", + "Remote Execution" + ], + "cves": [ + "CVE-2009-2526", + "CVE-2009-2532", + "CVE-2009-3103" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "complete", + "confidentiality_impact": "complete", + "exploit_score": 9.996799945831299, + "impact_score": 10.000845454680942, + "integrity_impact": "complete", + "score": 10.0, + "vector": "(AV:N/AC:L/Au:N/C:C/I:C/A:C)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 3.8870427750000003, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 9.8, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.", + "exploits": [ + { + "description": "Microsoft Windows 7/2008 R2 - Remote Kernel Crash", + "id": "10005", + "name": "Microsoft Windows 7/2008 R2 - Remote Kernel Crash", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.", + "id": "auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff", + "name": "Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference", + "rank": "normal", + "skill_level": "intermediate", + "source": "metasploit" + }, + { + "description": "Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)", + "id": "40280", + "name": "Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service", + "id": "12524", + "name": "Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\n without SP1 does not seem affected by this flaw.", + "id": "exploit/windows/smb/ms09_050_smb2_negotiate_func_index", + "name": "MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", + "rank": "good", + "skill_level": "intermediate", + "source": "metasploit" + }, + { + "description": "Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)", + "id": "14674", + "name": "Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.", + "id": "auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh", + "name": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", + "rank": "normal", + "skill_level": "intermediate", + "source": "metasploit" + }, + { + "description": "Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)", + "id": "9594", + "name": "Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + } + ], + "first_found": "2021-03-23T21:18:51.000Z", + "id": "windows-hotfix-ms09-050", + "last_found": "2023-06-23T19:16:12.895Z", + "links": [ + { + "href": "http://www.us-cert.gov/cas/techalerts/TA09-286A.html", + "id": "TA09-286A", + "source": "cert" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489", + "id": "6489", + "source": "oval" + }, + { + "href": 
"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336", + "id": "6336", + "source": "oval" + }, + { + "href": "http://www.securityfocus.com/bid/36299", + "id": "36299", + "source": "bid" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595", + "id": "5595", + "source": "oval" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2009-2526", + "id": "CVE-2009-2526", + "source": "cve" + }, + { + "href": "http://technet.microsoft.com/security/bulletin/MS09-050", + "id": "MS09-050", + "source": "ms" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2009-3103", + "id": "CVE-2009-3103", + "source": "cve" + }, + { + "href": "http://www.kb.cert.org/vuls/id/135940", + "id": "135940", + "source": "cert-vn" + }, + { + "href": "https://support.microsoft.com/en-us/kb/975517", + "id": "KB975517", + "source": "mskb" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2009-2532", + "id": "CVE-2009-2532", + "source": "cve" + }, + { + "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53090", + "id": "53090", + "source": "xf" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 10.0, + "fail": true, + "severity_score": 5, + "status": "fail" + }, + "port": 445, + "proof": "Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition\n\n\n\n\\BROWSER: WriteAndX succeeded with offset 77", + "protocol": "TCP", + "published": "2009-10-13T00:00:00.000Z", + "references": "cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A", + "risk_score": 914.2, + "severity": "critical", + "severity_score": 10, + "solution": { + "fix": "Take a look at all possible solutions for vulnerability", + "id": "unknown-windows-hotfix-ms09-001", + "summary": "The solution is unknown for vuln windows-hotfix-ms09-001", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", 
+ "title": "MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)" + } + } + }, + "related": { + "hosts": [ + "Win11-50-13-52", + "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1" + ], + "ip": [ + "10.50.13.52" + ] + }, + "resource": { + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "name": "Win11-50-13-52" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft Patch", + "Remote Execution" + ], + "classification": "CVSS", + "description": "This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.", + "enumeration": "CVE", + "id": [ + "CVE-2009-2526", + "CVE-2009-2532", + "CVE-2009-3103" + ], + "published_date": "2009-10-13T00:00:00.000Z", + "reference": [ + "http://www.us-cert.gov/cas/techalerts/TA09-286A.html", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336", + "http://www.securityfocus.com/bid/36299", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595", + "http://nvd.nist.gov/vuln/detail/CVE-2009-2526", + "http://technet.microsoft.com/security/bulletin/MS09-050", + "http://nvd.nist.gov/vuln/detail/CVE-2009-3103", + "http://www.kb.cert.org/vuls/id/135940", + "https://support.microsoft.com/en-us/kb/975517", + "http://nvd.nist.gov/vuln/detail/CVE-2009-2532", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/53090" + ], + "scanner": { + "name": "c5cf46abcdef0123456789291c7d554a", + "vendor": "Rapid7" + }, + "score": { + "base": 9.8, + "version": "3.0" + }, + "severity": "Critical", + "title": "Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)" + } + }, + { + "@timestamp": "2022-02-23T20:10:02.535Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2018-11-25T09:16:57.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|dns-bind-cve-2015-4620|2022-02-23T20:10:02.535Z", + "kind": "event", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2018-11-25T09:16:57Z\",\"key\":\"\",\"last_found\":\"2022-02-23T20:10:02.535Z\",\"nic\":null,\"port\":53,\"proof\":\"

Vulnerable OS: Debian Linux 6.0

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"

\\n More information about upgrading your version of ISC BIND is available on the ISC website.\\n

\",\"solution_id\":\"upgrade-isc-bind-latest\",\"solution_summary\":\"Upgrade ISC BIND to latest version\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"dns-bind-cve-2015-4620\",\"added\":\"2015-10-27T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,DNS,Denial of Service,ISC,ISC BIND\",\"cves\":\"CVE-2015-4620\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.870600273013115,\"cvss_v2_integrity_impact\":\"none\",\"cvss_v2_score\":7.8,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:N/I:N/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"denial_of_service\":true,\"description\":\"name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that 
zone.\",\"exploits\":[],\"id\":\"dns-bind-cve-2015-4620\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2015-4620\",\"id\":\"CVE-2015-4620\",\"source\":\"cve\"},{\"href\":\"https://kb.isc.org/article/AA-01267/0\",\"id\":\"https://kb.isc.org/article/AA-01267/0\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":7.8,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"Denial-of-Service-only vulnerability marked as compliant. \",\"pci_status\":\"pass\",\"published\":\"2015-07-08T00:00:00Z\",\"references\":\"cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0\",\"risk_score\":334.11,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)\"}}", + "severity": 8, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "fixed_version": "latest", + "name": "ISC BIND 9.7.3", + "version": "ISC BIND 9.7.3" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": 
"00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vulnerability": { + "added": "2015-10-27T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "DNS", + "Denial of Service", + "ISC", + "ISC BIND" + ], + "cves": [ + "CVE-2015-4620" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "complete", + "confidentiality_impact": "none", + "exploit_score": 9.996799945831299, + "impact_score": 6.870600273013115, + "integrity_impact": "none", + "score": 7.8, + "vector": "(AV:N/AC:L/Au:N/C:N/I:N/A:C)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "none", + "exploit_score": 3.8870427750000003, + "impact_score": 3.5952, + "integrity_impact": "none", + "privileges_required": "none", + "scope": "unchanged", + "score": 7.5, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "denial_of_service": true, + "description": "name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.", + 
"first_found": "2018-11-25T09:16:57.000Z", + "id": "dns-bind-cve-2015-4620", + "last_found": "2022-02-23T20:10:02.535Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2015-4620", + "id": "CVE-2015-4620", + "source": "cve" + }, + { + "href": "https://kb.isc.org/article/AA-01267/0", + "id": "https://kb.isc.org/article/AA-01267/0", + "source": "url" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 7.8, + "fail": false, + "severity_score": 2, + "special_notes": "Denial-of-Service-only vulnerability marked as compliant. ", + "status": "pass" + }, + "port": 53, + "proof": "Vulnerable OS: Debian Linux 6.0\n\n\nRunning DNS service\n\nProduct BIND exists -- ISC BIND 9.7.3\n\nVulnerable version of product BIND found -- ISC BIND 9.7.3", + "protocol": "TCP", + "published": "2015-07-08T00:00:00.000Z", + "references": "cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0", + "risk_score": 334.11, + "severity": "critical", + "severity_score": 8, + "solution": { + "fix": "More information about upgrading your version of ISC BIND is available on the ISC website.", + "id": "upgrade-isc-bind-latest", + "summary": "Upgrade ISC BIND to latest version", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "DNS", + "Denial of Service", + "ISC", + "ISC BIND" + ], + "classification": "CVSS", + "description": "name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 
9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.", + "enumeration": "CVE", + "id": [ + "CVE-2015-4620" + ], + "published_date": "2015-07-08T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2015-4620", + "https://kb.isc.org/article/AA-01267/0" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 7.5, + "version": "3.0" + }, + "severity": "Critical", + "title": "Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)" + } + }, + { + "@timestamp": "2023-06-23T19:36:17.715Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2023-03-23T19:23:01.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|dns-bind-cve-2015-4620|2023-06-23T19:36:17.715Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight 
agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2023-03-23T19:23:01Z\",\"key\":\"\",\"last_found\":\"2023-06-23T19:36:17.715Z\",\"nic\":null,\"port\":445,\"proof\":\"

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"

\\n Configure the system to enable or require SMB signing as appropriate.\\n The method and effect of doing this is system specific so please see\\n this Microsoft article for\\n details. Note: ensure that SMB signing configuration is done for \\n incoming connections (Server).\\n

\",\"solution_id\":\"cifs-smb-signing-windows\",\"solution_summary\":\"Configure SMB signing for Windows\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"cifs-smb2-signing-not-required\",\"added\":\"2015-10-27T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,DNS,Denial of Service,ISC,ISC BIND\",\"cves\":\"CVE-2015-4620\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.870600273013115,\"cvss_v2_integrity_impact\":\"none\",\"cvss_v2_score\":7.8,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:N/I:N/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"denial_of_service\":true,\"description\":\"name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that 
zone.\",\"exploits\":[],\"id\":\"dns-bind-cve-2015-4620\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2015-4620\",\"id\":\"CVE-2015-4620\",\"source\":\"cve\"},{\"href\":\"https://kb.isc.org/article/AA-01267/0\",\"id\":\"https://kb.isc.org/article/AA-01267/0\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":7.8,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"Denial-of-Service-only vulnerability marked as compliant. \",\"pci_status\":\"pass\",\"published\":\"2015-07-08T00:00:00Z\",\"references\":\"cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0\",\"risk_score\":334.11,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)\"}}", + "severity": 8, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + 
"description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vulnerability": { + "added": "2015-10-27T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "DNS", + "Denial of Service", + "ISC", + "ISC BIND" + ], + "cves": [ + "CVE-2015-4620" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "complete", + "confidentiality_impact": "none", + "exploit_score": 9.996799945831299, + "impact_score": 6.870600273013115, + "integrity_impact": "none", + "score": 7.8, + "vector": "(AV:N/AC:L/Au:N/C:N/I:N/A:C)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "none", + "exploit_score": 3.8870427750000003, + "impact_score": 3.5952, + "integrity_impact": "none", + "privileges_required": "none", + "scope": "unchanged", + "score": 7.5, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "denial_of_service": true, + "description": "name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.", + "first_found": "2023-03-23T19:23:01.000Z", + "id": "dns-bind-cve-2015-4620", + "last_found": 
"2023-06-23T19:36:17.715Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2015-4620", + "id": "CVE-2015-4620", + "source": "cve" + }, + { + "href": "https://kb.isc.org/article/AA-01267/0", + "id": "https://kb.isc.org/article/AA-01267/0", + "source": "url" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 7.8, + "fail": false, + "severity_score": 2, + "special_notes": "Denial-of-Service-only vulnerability marked as compliant. ", + "status": "pass" + }, + "port": 445, + "proof": "Running CIFS service\n\nConfiguration item smb2-enabled set to 'true' matched\n\nConfiguration item smb2-signing set to 'enabled' matched", + "protocol": "TCP", + "published": "2015-07-08T00:00:00.000Z", + "references": "cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0", + "risk_score": 334.11, + "severity": "critical", + "severity_score": 8, + "solution": { + "fix": "Configure the system to enable or require SMB signing as appropriate.\n The method and effect of doing this is system specific so please see\n this Microsoft article for\n details. 
Note: ensure that SMB signing configuration is done for \n incoming connections (Server).", + "id": "cifs-smb-signing-windows", + "summary": "Configure SMB signing for Windows", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "DNS", + "Denial of Service", + "ISC", + "ISC BIND" + ], + "classification": "CVSS", + "description": "name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.", + "enumeration": "CVE", + "id": [ + "CVE-2015-4620" + ], + "published_date": "2015-07-08T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2015-4620", + "https://kb.isc.org/article/AA-01267/0" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 7.5, + "version": "3.0" + }, + "severity": "Critical", + "title": "Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)" + } + }, + { + "@timestamp": "2023-06-23T18:08:29.154Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2022-12-23T19:25:13.000Z", + "id": 
"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|vmsa-2012-0013-cve-2012-0815|2023-06-23T18:08:29.154Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2022-12-23T19:25:13Z\",\"key\":\"VMware ESX Server 4.0.0 GA\",\"last_found\":\"2023-06-23T18:08:29.154Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: VMware ESX Server 4.0.0 GA

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Download and apply the upgrade from: https://knowledge.broadcom.com/external/article?articleNumber=142814

\",\"solution_id\":\"vmware-esx-upgrade-latest\",\"solution_summary\":\"Upgrade VMware ESX to the latest version\",\"solution_type\":\"rollup\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"vmsa-2012-0013-cve-2012-0815\",\"added\":\"2012-09-17T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Denial of Service,IAVM,Remote Execution,VMware,VMware ESX/ESXi\",\"cves\":\"CVE-2012-0815\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.8,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range 
comparison.\",\"exploits\":[],\"id\":\"vmsa-2012-0013-cve-2012-0815\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2012-0815\",\"id\":\"CVE-2012-0815\",\"source\":\"cve\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"V0033884\",\"source\":\"disa_vmskey\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"2012-A-0153\",\"source\":\"iavm\"},{\"href\":\"http://www.vmware.com/security/advisories/VMSA-2012-0013.html\",\"id\":\"http://www.vmware.com/security/advisories/VMSA-2012-0013.html\",\"source\":\"url\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"Category I\",\"source\":\"disa_severity\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"2012-A-0148\",\"source\":\"iavm\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"V0033794\",\"source\":\"disa_vmskey\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":6.8,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2012-06-04T00:00:00Z\",\"references\":\"iavm:2012-A-0148,iavm:2012-A-0153,cve:CVE-2012-0815,disa_severity:Category I,disa_vmskey:V0033794,disa_vmskey:V0033884,url:http://www.vmware.com/security/advisories/VMSA-2012-0013.html\",\"risk_score\":716.99,\"severity\":\"severe\",\"severity_score\":7,\"title\":\"VMSA-2012-0013: Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS (CVE-2012-0815)\"}}", + "severity": 7, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": 
"Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "fixed_version": "latest", + "name": "VMware ESX Server 4.0.0 GA", + "version": "VMware ESX Server 4.0.0 GA" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vulnerability": { + "added": "2012-09-17T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "Denial of Service", + "IAVM", + "Remote Execution", + "VMware", + "VMware ESX/ESXi" + ], + "cves": [ + "CVE-2012-0815" + ], + "cvss_v2": { + "access_complexity": "medium", + "access_vector": "network", + "authentication": "none", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 8.588799953460693, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 6.8, + "vector": "(AV:N/AC:M/Au:N/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "local", + "availability_impact": "high", + 
"confidentiality_impact": "high", + "exploit_score": 2.515145325, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 8.4, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range comparison.", + "first_found": "2022-12-23T19:25:13.000Z", + "id": "vmsa-2012-0013-cve-2012-0815", + "key": "VMware ESX Server 4.0.0 GA", + "last_found": "2023-06-23T18:08:29.154Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2012-0815", + "id": "CVE-2012-0815", + "source": "cve" + }, + { + "href": "http://iase.disa.mil/stigs/iavm-cve.html", + "id": "V0033884", + "source": "disa_vmskey" + }, + { + "href": "http://iase.disa.mil/stigs/iavm-cve.html", + "id": "2012-A-0153", + "source": "iavm" + }, + { + "href": "http://www.vmware.com/security/advisories/VMSA-2012-0013.html", + "id": "http://www.vmware.com/security/advisories/VMSA-2012-0013.html", + "source": "url" + }, + { + "href": "http://iase.disa.mil/stigs/iavm-cve.html", + "id": "Category I", + "source": "disa_severity" + }, + { + "href": "http://iase.disa.mil/stigs/iavm-cve.html", + "id": "2012-A-0148", + "source": "iavm" + }, + { + "href": "http://iase.disa.mil/stigs/iavm-cve.html", + "id": "V0033794", + "source": "disa_vmskey" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 6.8, + "fail": true, + "severity_score": 4, + "status": "fail" + }, + "proof": "Vulnerable OS: VMware ESX Server 4.0.0 GA\n\n\nThe property \"build\" contains: 164009.", + "published": "2012-06-04T00:00:00.000Z", + "references": 
"iavm:2012-A-0148,iavm:2012-A-0153,cve:CVE-2012-0815,disa_severity:Category I,disa_vmskey:V0033794,disa_vmskey:V0033884,url:http://www.vmware.com/security/advisories/VMSA-2012-0013.html", + "risk_score": 716.99, + "severity": "severe", + "severity_score": 7, + "solution": { + "fix": "Download and apply the upgrade from: https://knowledge.broadcom.com/external/article?articleNumber=142814", + "id": "vmware-esx-upgrade-latest", + "summary": "Upgrade VMware ESX to the latest version", + "type": "rollup" + }, + "status": "VULNERABLE_VERS", + "title": "VMSA-2012-0013: Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS (CVE-2012-0815)" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "Denial of Service", + "IAVM", + "Remote Execution", + "VMware", + "VMware ESX/ESXi" + ], + "classification": "CVSS", + "description": "The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range comparison.", + "enumeration": "CVE", + "id": [ + "CVE-2012-0815" + ], + "published_date": "2012-06-04T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2012-0815", + "http://iase.disa.mil/stigs/iavm-cve.html", + "http://www.vmware.com/security/advisories/VMSA-2012-0013.html" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 8.4, + "version": "3.0" + }, + "severity": "High", + "title": "Update to ESX service 
console popt, rpm, rpm-libs, and rpm-python RPMS (CVE-2012-0815)" + } + }, + { + "@timestamp": "2023-06-23T17:40:02.211Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2022-12-23T18:54:08.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|wordpress-cve-2015-5731|2023-06-23T17:40:02.211Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2022-12-23T18:54:08Z\",\"key\":\"\",\"last_found\":\"2023-06-23T17:40:02.211Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable software installed: Wordpress 3.0

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

\\n Upgrade to the latest version of Wordpress from https://wordpress.org/download/release-archive/

\",\"solution_id\":\"wordpress-upgrade-latest\",\"solution_summary\":\"Upgrade to the latest version of Wordpress\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"wordpress-cve-2015-5731\",\"added\":\"2017-05-16T00:00:00Z\",\"categories\":\"CSRF,CVSS Score Predicted with Rapid7 AI,Denial of Service,WordPress\",\"cves\":\"CVE-2015-5731\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.8,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":2.8352547300000004,\"cvss_v3_impact_score\":5.177088,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.1,\"cvss_v3_user_interaction\":\"required\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock 
action.\",\"exploits\":[],\"id\":\"wordpress-cve-2015-5731\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2015-5731\",\"id\":\"CVE-2015-5731\",\"source\":\"cve\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":6.8,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2015-11-09T00:00:00Z\",\"references\":\"cve:CVE-2015-5731\",\"risk_score\":676.67,\"severity\":\"severe\",\"severity_score\":7,\"title\":\"Wordpress: CVE-2015-5731: Cross-Site Request Forgery (CSRF)\"}}", + "severity": 7, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "fixed_version": "latest", + "name": "Wordpress 3.0", + "version": "Wordpress 3.0" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + 
"risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vulnerability": { + "added": "2017-05-16T00:00:00.000Z", + "categories": [ + "CSRF", + "CVSS Score Predicted with Rapid7 AI", + "Denial of Service", + "WordPress" + ], + "cves": [ + "CVE-2015-5731" + ], + "cvss_v2": { + "access_complexity": "medium", + "access_vector": "network", + "authentication": "none", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 8.588799953460693, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 6.8, + "vector": "(AV:N/AC:M/Au:N/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "none", + "exploit_score": 2.8352547300000004, + "impact_score": 5.177088, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 8.1, + "user_interaction": "required", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" + }, + "denial_of_service": false, + "description": "Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action.", + "first_found": "2022-12-23T18:54:08.000Z", + "id": "wordpress-cve-2015-5731", + "last_found": "2023-06-23T17:40:02.211Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2015-5731", + "id": "CVE-2015-5731", + "source": "cve" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + 
"cvss_score": 6.8, + "fail": true, + "severity_score": 4, + "status": "fail" + }, + "proof": "Vulnerable software installed: Wordpress 3.0", + "published": "2015-11-09T00:00:00.000Z", + "references": "cve:CVE-2015-5731", + "risk_score": 676.67, + "severity": "severe", + "severity_score": 7, + "solution": { + "fix": "Upgrade to the latest version of Wordpress from https://wordpress.org/download/release-archive/", + "id": "wordpress-upgrade-latest", + "summary": "Upgrade to the latest version of Wordpress", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "Wordpress: CVE-2015-5731: Cross-Site Request Forgery (CSRF)" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CSRF", + "CVSS Score Predicted with Rapid7 AI", + "Denial of Service", + "WordPress" + ], + "classification": "CVSS", + "description": "Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action.", + "enumeration": "CVE", + "id": [ + "CVE-2015-5731" + ], + "published_date": "2015-11-09T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2015-5731" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 8.1, + "version": "3.0" + }, + "severity": "High", + "title": "Cross-Site Request Forgery (CSRF)" + } + }, + { + "@timestamp": "2023-06-23T17:41:50.071Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + 
"created": "2022-12-23T18:55:39.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|php-cve-2016-3171|2023-06-23T17:41:50.071Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2022-12-23T18:55:39Z\",\"key\":\"\",\"last_found\":\"2023-06-23T17:41:50.071Z\",\"nic\":null,\"port\":80,\"proof\":\"

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"

Download and apply the upgrade from: http://www.php.net/downloads.php

\",\"solution_id\":\"php-upgrade-latest\",\"solution_summary\":\"Upgrade to the latest version of PHP\",\"solution_type\":\"rollup\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"php-cve-2016-3171\",\"added\":\"2019-09-30T00:00:00Z\",\"categories\":\"HTTP,PHP,Remote Execution\",\"cves\":\"CVE-2016-3171\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.8,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"high\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.2211673,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.1,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.\",\"exploits\":[],\"id\":\"php-cve-2016-3171\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2016-3171\",\"id\":\"CVE-2016-3171\",\"source\":\"cve\"}],\"malware_kits\":[],\"modified\":\"2024-11-27T00:00:00Z\",\"pci_cvss_score\":6.8,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2016-04-12T00:00:00Z\",\"references\":\"cve:CVE-2016-3171\",\"risk_score\":669.57,\"severity\":\"severe\",\"severity_score\":7,\"title\":\"PHP Vulnerability: CVE-2016-3171\"}}", + 
"severity": 7, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "fixed_version": "latest", + "name": "PHP 5.4.16", + "version": "PHP 5.4.16" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vulnerability": { + "added": "2019-09-30T00:00:00.000Z", + "categories": [ + "HTTP", + "PHP", + "Remote Execution" + ], + "cves": [ + "CVE-2016-3171" + ], + "cvss_v2": { + "access_complexity": "medium", + 
"access_vector": "network", + "authentication": "none", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 8.588799953460693, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 6.8, + "vector": "(AV:N/AC:M/Au:N/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "high", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 2.2211673, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 8.1, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.", + "first_found": "2022-12-23T18:55:39.000Z", + "id": "php-cve-2016-3171", + "last_found": "2023-06-23T17:41:50.071Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2016-3171", + "id": "CVE-2016-3171", + "source": "cve" + } + ], + "modified": "2024-11-27T00:00:00.000Z", + "pci": { + "cvss_score": 6.8, + "fail": true, + "severity_score": 4, + "status": "fail" + }, + "port": 80, + "proof": "Running HTTP service\n\nVulnerable version of component PHP found -- PHP 5.4.16", + "protocol": "TCP", + "published": "2016-04-12T00:00:00.000Z", + "references": "cve:CVE-2016-3171", + "risk_score": 669.57, + "severity": "severe", + "severity_score": 7, + "solution": { + "fix": "Download and apply the upgrade from: http://www.php.net/downloads.php", + "id": "php-upgrade-latest", + "summary": "Upgrade to the latest version of PHP", + "type": "rollup" + }, + "status": "VULNERABLE_VERS", + "title": "PHP Vulnerability: CVE-2016-3171" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + 
"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "HTTP", + "PHP", + "Remote Execution" + ], + "classification": "CVSS", + "description": "Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.", + "enumeration": "CVE", + "id": [ + "CVE-2016-3171" + ], + "published_date": "2016-04-12T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2016-3171" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 8.1, + "version": "3.0" + }, + "severity": "High", + "title": "CVE-2016-3171" + } + }, + { + "@timestamp": "2024-06-23T17:54:28.107Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2022-05-23T19:03:38.000Z", + "id": "12123455-abcd-5678-1234-01234567890e-default-asset-4123|f5-big-ip-cve-2017-7656|2024-06-23T17:54:28.107Z", + "kind": "event", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":161,\"protocol\":\"UDP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":161,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":9,\"exploits\":5,\"host_name\":\"BIG-IP-16-1-0.dev.test.rapid7.com\",\"id\":\"12123455-abcd-5678-1234-01234567890e-default-asset-4123\",\"ip\":\"175.16.199.1\",\"last_assessed_for_vulnerabilities\":\"2024-06-23T17:54:28.107Z\",\"last_scan_end\":\"2024-06-23T17:54:28.107Z\",\"last_scan_start\":\"2024-06-23T17:44:15.351Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":10,\"new\":[],\"os_architecture\":\"\",\"os_description\":\"F5 BIG-IP 16.1.0.0\",\"os_family\":\"BIG-IP\",\"os_name\":\"BIG-IP\",\"os_system_name\":\"F5 BIG-IP\",\"os_type\":\"Network management device\",\"os_vendor\":\"F5\",\"os_version\":\"16.1.0.0\",\"remediated\":[],\"risk_score\":35804.71185,\"vulnerability\":{\"check_id\":null,\"first_found\":\"2022-05-23T19:03:38Z\",\"key\":\"F5 BIG-IP 16.1.0.0\",\"last_found\":\"2024-06-23T17:54:28.107Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: F5 BIG-IP 16.1.0.0

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

\\n Upgrade to the latest available version of F5 BIG-IP. Refer to BIG-IP Hotfix Matrix for the latest hotfix information.\\n

\",\"solution_id\":\"f5-big-ip-upgrade-latest\",\"solution_summary\":\"Upgrade to the latest available version of F5 BIG-IP\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"f5-big-ip-cve-2017-7656\",\"added\":\"2022-04-20T00:00:00Z\",\"categories\":\"F5,F5 BIG-IP,Web\",\"cves\":\"CVE-2017-7656\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":2.8627500620484354,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:N/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"denial_of_service\":false,\"description\":\"In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. 
This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.\",\"exploits\":[],\"id\":\"f5-big-ip-cve-2017-7656\",\"links\":[{\"href\":\"https://my.f5.com/manage/s/article/K21054458\",\"id\":\"https://my.f5.com/manage/s/article/K21054458\",\"source\":\"url\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2017-7656\",\"id\":\"CVE-2017-7656\",\"source\":\"cve\"}],\"malware_kits\":[],\"modified\":\"2024-12-06T00:00:00Z\",\"pci_cvss_score\":5,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2018-06-26T00:00:00Z\",\"references\":\"cve:CVE-2017-7656,url:https://my.f5.com/manage/s/article/K21054458\",\"risk_score\":229.89,\"severity\":\"severe\",\"severity_score\":5,\"title\":\"F5 Networks: CVE-2017-7656: K21054458: Eclipse Jetty vulnerability CVE-2017-7656\"},\"severe_vulnerabilities\":94,\"tags\":[{\"name\":\"snow_test\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets2\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets\",\"type\":\"CUSTOM\"},{\"name\":\"my tag test\",\"type\":\"CUSTOM\"},{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":113,\"type\":\"guest\",\"unique_identifiers\":[]}", + "severity": 5, + "type": [ + "info" + ] + }, + "host": { + "hostname": "BIG-IP-16-1-0.dev.test.rapid7.com", + "id": "12123455-abcd-5678-1234-01234567890e-default-asset-4123", + "ip": [ + "175.16.199.1" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "BIG-IP-16-1-0.dev.test.rapid7.com", + "os": { + "family": "BIG-IP", + "full": "F5 BIG-IP 16.1.0.0", + "name": "BIG-IP", + "version": "16.1.0.0" + }, + "risk": { + "static_score": 35804.71185 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "fixed_version": "latest", + "name": "F5 BIG-IP 16.1.0.0", + "version": "F5 BIG-IP 16.1.0.0" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + 
"assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 9, + "exploits": 5, + "host_name": "BIG-IP-16-1-0.dev.test.rapid7.com", + "id": "12123455-abcd-5678-1234-01234567890e-default-asset-4123", + "ip": "175.16.199.1", + "last_assessed_for_vulnerabilities": "2024-06-23T17:54:28.107Z", + "last_scan_end": "2024-06-23T17:54:28.107Z", + "last_scan_start": "2024-06-23T17:44:15.351Z", + "mac": "00-00-5E-00-53-00", + "malware_kits": 0, + "moderate_vulnerabilities": 10, + "os": { + "description": "F5 BIG-IP 16.1.0.0", + "family": "BIG-IP", + "name": "BIG-IP", + "system_name": "F5 BIG-IP", + "type": "Network management device", + "vendor": "F5", + "version": "16.1.0.0" + }, + "risk_score": 35804.71185, + "severe_vulnerabilities": 94, + "total_vulnerabilities": 113, + "type": "guest", + "vulnerability": { + "added": "2022-04-20T00:00:00.000Z", + "categories": [ + "F5", + "F5 BIG-IP", + "Web" + ], + "cves": [ + "CVE-2017-7656" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "none", + "confidentiality_impact": "none", + "exploit_score": 9.996799945831299, + "impact_score": 2.8627500620484354, + "integrity_impact": "partial", + "score": 5.0, + "vector": "(AV:N/AC:L/Au:N/C:N/I:P/A:N)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "none", + "confidentiality_impact": "none", + "exploit_score": 3.8870427750000003, + "impact_score": 3.5952, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 7.5, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + "denial_of_service": false, + "description": "In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. 
method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.", + "first_found": "2022-05-23T19:03:38.000Z", + "id": "f5-big-ip-cve-2017-7656", + "key": "F5 BIG-IP 16.1.0.0", + "last_found": "2024-06-23T17:54:28.107Z", + "links": [ + { + "href": "https://my.f5.com/manage/s/article/K21054458", + "id": "https://my.f5.com/manage/s/article/K21054458", + "source": "url" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2017-7656", + "id": "CVE-2017-7656", + "source": "cve" + } + ], + "modified": "2024-12-06T00:00:00.000Z", + "pci": { + "cvss_score": 5.0, + "fail": true, + "severity_score": 3, + "status": "fail" + }, + "proof": "Vulnerable OS: F5 BIG-IP 16.1.0.0\n\n\nThe property \"ltm\" contains: true.", + "published": "2018-06-26T00:00:00.000Z", + "references": "cve:CVE-2017-7656,url:https://my.f5.com/manage/s/article/K21054458", + "risk_score": 229.89, + "severity": "severe", + "severity_score": 5, + "solution": { + "fix": "Upgrade to the latest available version of F5 BIG-IP. 
Refer to BIG-IP Hotfix Matrix for the latest hotfix information.", + "id": "f5-big-ip-upgrade-latest", + "summary": "Upgrade to the latest available version of F5 BIG-IP", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "F5 Networks: CVE-2017-7656: K21054458: Eclipse Jetty vulnerability CVE-2017-7656" + } + } + }, + "related": { + "hosts": [ + "BIG-IP-16-1-0.dev.test.rapid7.com", + "12123455-abcd-5678-1234-01234567890e-default-asset-4123" + ], + "ip": [ + "175.16.199.1" + ] + }, + "resource": { + "id": "12123455-abcd-5678-1234-01234567890e-default-asset-4123", + "name": "BIG-IP-16-1-0.dev.test.rapid7.com" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "F5", + "F5 BIG-IP", + "Web" + ], + "classification": "CVSS", + "description": "In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. 
This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.", + "enumeration": "CVE", + "id": [ + "CVE-2017-7656" + ], + "published_date": "2018-06-26T00:00:00.000Z", + "reference": [ + "https://my.f5.com/manage/s/article/K21054458", + "http://nvd.nist.gov/vuln/detail/CVE-2017-7656" + ], + "scanner": { + "vendor": "Rapid7" + }, + "score": { + "base": 7.5, + "version": "3.0" + }, + "severity": "High", + "title": "K21054458: Eclipse Jetty vulnerability CVE-2017-7656" + } + }, + { + "@timestamp": "2022-08-23T18:31:27.909Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2018-11-25T09:27:44.000Z", + "id": "11111111-34a7-40a3-1111-28db0b5cc90e-default-asset-1049|ubuntu-obsolete-version|2022-08-23T18:31:27.909Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":1,\"exploits\":0,\"id\":\"11111111-34a7-40a3-1111-28db0b5cc90e-default-asset-1049\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2022-08-23T18:31:27.909Z\",\"last_scan_end\":\"2022-08-23T18:31:27.909Z\",\"last_scan_start\":\"2022-08-23T18:30:49.674Z\",\"malware_kits\":0,\"moderate_vulnerabilities\":3,\"risk_score\":871.9886474609375,\"severe_vulnerabilities\":5,\"tags\":[{\"name\":\"No_Hostname\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets2\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets\",\"type\":\"CUSTOM\"},{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":9,\"unique_identifiers\":[],\"vulnerability\":{\"added\":\"2013-05-06T00:00:00Z\",\"categories\":\"Canonical,Obsolete OS,Obsolete Software,Ubuntu 
Linux,Web\",\"check_id\":null,\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":6.0477304915445185,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"changed\",\"cvss_v3_score\":10,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"This release has passed its End of Life. There may be unpatched security vulnerabilities. Please check with https://wiki.ubuntu.com/Releases (https://wiki.ubuntu.com/Releases) for supported versions.\",\"exploits\":[],\"first_found\":\"2018-11-25T09:27:44Z\",\"id\":\"ubuntu-obsolete-version\",\"key\":\"Ubuntu Linux 12.04\",\"last_found\":\"2022-08-23T18:31:27.909Z\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-03-28T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"This operating system version is no longer supported by the vendor, and results in an automatic failure. 
\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"\\\\u003cp\\\\u003e\\\\u003cp\\\\u003eVulnerable OS: Ubuntu Linux 12.04\\\\u003cp\\\\u003e\\\\u003c/p\\\\u003e\\\\u003c/p\\\\u003e\\\\u003c/p\\\\u003e\",\"protocol\":null,\"published\":\"2013-05-06T00:00:00Z\",\"references\":\"\",\"reintroduced\":null,\"risk_score\":891.5,\"severity\":\"critical\",\"severity_score\":10,\"solution_fix\":\"\\\\u003cp\\\\u003eUpgrade to a supported version of Ubuntu Linux\\\\u003c/p\\\\u003e\",\"solution_id\":\"ubuntu-obsolete-version\",\"solution_summary\":\"Upgrade Ubuntu\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"title\":\"Obsolete Version of Ubuntu\",\"vulnerability_id\":\"ubuntu-obsolete-version\"}}", + "severity": 10, + "type": [ + "info" + ] + }, + "host": { + "id": "11111111-34a7-40a3-1111-28db0b5cc90e-default-asset-1049", + "ip": [ + "10.50.6.126" + ], + "risk": { + "static_score": 871.9886474609375 + } + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "version": "Ubuntu Linux 12.04" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 1, + "exploits": 0, + "id": "11111111-34a7-40a3-1111-28db0b5cc90e-default-asset-1049", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2022-08-23T18:31:27.909Z", + "last_scan_end": "2022-08-23T18:31:27.909Z", + "last_scan_start": "2022-08-23T18:30:49.674Z", + "malware_kits": 0, + "moderate_vulnerabilities": 3, + "risk_score": 871.9886474609375, + "severe_vulnerabilities": 5, + "total_vulnerabilities": 9, + "vulnerability": { + "added": "2013-05-06T00:00:00.000Z", + "categories": [ + "Canonical", + "Obsolete OS", + "Obsolete Software", + "Ubuntu Linux", + "Web" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "complete", + "confidentiality_impact": "complete", + 
"exploit_score": 9.996799945831299, + "impact_score": 10.000845454680942, + "integrity_impact": "complete", + "score": 10.0, + "vector": "(AV:N/AC:L/Au:N/C:C/I:C/A:C)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 3.8870427750000003, + "impact_score": 6.0477304915445185, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "changed", + "score": 10.0, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "This release has passed its End of Life. There may be unpatched security vulnerabilities. Please check with https://wiki.ubuntu.com/Releases (https://wiki.ubuntu.com/Releases) for supported versions.", + "first_found": "2018-11-25T09:27:44.000Z", + "id": "ubuntu-obsolete-version", + "key": "Ubuntu Linux 12.04", + "last_found": "2022-08-23T18:31:27.909Z", + "modified": "2025-03-28T00:00:00.000Z", + "pci": { + "cvss_score": 10.0, + "fail": true, + "severity_score": 5, + "special_notes": "This operating system version is no longer supported by the vendor, and results in an automatic failure. 
", + "status": "fail" + }, + "proof": "\\u003cp\\u003e\\u003cp\\u003eVulnerable OS: Ubuntu Linux 12.04\\u003cp\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\\u003c/p\\u003e", + "published": "2013-05-06T00:00:00.000Z", + "risk_score": 891.5, + "severity": "critical", + "severity_score": 10, + "solution": { + "fix": "\\u003cp\\u003eUpgrade to a supported version of Ubuntu Linux\\u003c/p\\u003e", + "id": "ubuntu-obsolete-version", + "summary": "Upgrade Ubuntu", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "Obsolete Version of Ubuntu" + } + } + }, + "related": { + "hosts": [ + "11111111-34a7-40a3-1111-28db0b5cc90e-default-asset-1049" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "11111111-34a7-40a3-1111-28db0b5cc90e-default-asset-1049" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "Canonical", + "Obsolete OS", + "Obsolete Software", + "Ubuntu Linux", + "Web" + ], + "classification": "CVSS", + "description": "This release has passed its End of Life. There may be unpatched security vulnerabilities. 
Please check with https://wiki.ubuntu.com/Releases (https://wiki.ubuntu.com/Releases) for supported versions.", + "enumeration": "CVE", + "published_date": "2013-05-06T00:00:00.000Z", + "scanner": { + "vendor": "Rapid7" + }, + "score": { + "base": 10.0, + "version": "3.0" + }, + "severity": "Critical", + "title": "Obsolete Version of Ubuntu" + } + }, + { + "@timestamp": "2022-04-23T18:04:36.094Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2021-02-23T18:39:30.000Z", + "id": "12123455-1234-5678-0912-28dabcdefabe-default-asset-3709|centos_linux-cve-2019-9506|2022-04-23T18:04:36.094Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":32,\"exploits\":17,\"id\":\"12123455-1234-5678-0912-28dabcdefabe-default-asset-3709\",\"ip\":\"175.16.199.2\",\"last_assessed_for_vulnerabilities\":\"2022-04-23T18:04:36.094Z\",\"last_scan_end\":\"2022-04-23T18:04:36.094Z\",\"last_scan_start\":\"2022-04-23T17:56:27.286Z\",\"malware_kits\":0,\"moderate_vulnerabilities\":58,\"os_architecture\":\"\",\"os_description\":\"Linux LINUX 2.6.9 - 2.6.27 2.6.9\",\"os_family\":\"Linux\",\"os_name\":\"LINUX 2.6.9 - 
2.6.27\",\"os_system_name\":\"Linux\",\"os_type\":\"General\",\"os_vendor\":\"Linux\",\"os_version\":\"2.6.9\",\"risk_score\":128750.1171875,\"severe_vulnerabilities\":307,\"tags\":[{\"name\":\"No_Hostname\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets2\",\"type\":\"CUSTOM\"},{\"name\":\"snow_test\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets\",\"type\":\"CUSTOM\"},{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":397,\"unique_identifiers\":[],\"vulnerability\":{\"added\":\"2019-10-16T00:00:00Z\",\"categories\":\"CentOS\",\"check_id\":null,\"cves\":\"CVE-2019-9506\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"adjacent\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":6.457932765007019,\"cvss_v2_impact_score\":4.938243839970231,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":4.8,\"cvss_v2_vector\":\"(AV:A/AC:L/Au:N/C:P/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"adjacent\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.83525473,\"cvss_v3_impact_score\":5.177088,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.1,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"denial_of_service\":false,\"description\":\"The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. 
This allows practical brute-force attacks (aka \\\"KNOB\\\") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.\",\"exploits\":[],\"first_found\":\"2021-02-23T18:39:30Z\",\"id\":\"centos_linux-cve-2019-9506\",\"key\":\"\",\"last_found\":\"2022-04-23T18:04:36.094Z\",\"links\":[{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3076.html\",\"id\":\"RHSA-2019:3076\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3055.html\",\"id\":\"RHSA-2019:3055\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3165.html\",\"id\":\"RHSA-2019:3165\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3187.html\",\"id\":\"RHSA-2019:3187\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3220.html\",\"id\":\"RHSA-2019:3220\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3231.html\",\"id\":\"RHSA-2019:3231\",\"source\":\"redhat\"},{\"href\":\"http://www.kb.cert.org/vuls/id/918987\",\"id\":\"918987\",\"source\":\"cert-vn\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2019-9506\",\"id\":\"CVE-2019-9506\",\"source\":\"nvd\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3517.html\",\"id\":\"RHSA-2019:3517\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3309.html\",\"id\":\"RHSA-2019:3309\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2020-0204.html\",\"id\":\"RHSA-2020:0204\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3218.html\",\"id\":\"RHSA-2019:3218\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3217.html\",\"id\":\"RHSA-2019:3217\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-2975.html\",\"id\":\"RHSA-2019:2975\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3089.html\",\"id\":\"RHSA-2019:3089\",\"source\":\"redhat\"}],\"malware_kits\":[],\"modified\"
:\"2023-05-25T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":4.8,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"

Vulnerable OS: CentOS Linux 7.6.1810

Vulnerable software installed: Linux kernel 3.10.0-957.el7

\",\"protocol\":null,\"published\":\"2019-08-14T00:00:00Z\",\"references\":\"cert-vn:918987,nvd:CVE-2019-9506,redhat:RHSA-2019:2975,redhat:RHSA-2019:3055,redhat:RHSA-2019:3076,redhat:RHSA-2019:3089,redhat:RHSA-2019:3165,redhat:RHSA-2019:3187,redhat:RHSA-2019:3217,redhat:RHSA-2019:3218,redhat:RHSA-2019:3220,redhat:RHSA-2019:3231,redhat:RHSA-2019:3309,redhat:RHSA-2019:3517,redhat:RHSA-2020:0204\",\"reintroduced\":null,\"risk_score\":573.71,\"severity\":\"severe\",\"severity_score\":5,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-centos_linux-cve-2019-9506\",\"solution_summary\":\"The solution is unknown for vuln centos_linux-cve-2019-9506\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"title\":\"CentOS Linux: CVE-2019-9506: Important: kernel security and bug fix update (Multiple Advisories)\",\"vulnerability_id\":\"centos_linux-cve-2019-9506\"}}", + "severity": 5, + "type": [ + "info" + ] + }, + "host": { + "id": "12123455-1234-5678-0912-28dabcdefabe-default-asset-3709", + "ip": [ + "175.16.199.2" + ], + "os": { + "family": "Linux", + "full": "Linux LINUX 2.6.9 - 2.6.27 2.6.9", + "name": "LINUX 2.6.9 - 2.6.27", + "platform": "linux", + "type": "linux", + "version": "2.6.9" + }, + "risk": { + "static_score": 128750.1171875 + } + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "Linux kernel 3.10.0-957.el7", + "version": "Linux kernel 3.10.0-957.el7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 32, + "exploits": 17, + "id": "12123455-1234-5678-0912-28dabcdefabe-default-asset-3709", + "ip": "175.16.199.2", + "last_assessed_for_vulnerabilities": "2022-04-23T18:04:36.094Z", + "last_scan_end": "2022-04-23T18:04:36.094Z", + "last_scan_start": "2022-04-23T17:56:27.286Z", + "malware_kits": 0, + "moderate_vulnerabilities": 58, + "os": 
{ + "description": "Linux LINUX 2.6.9 - 2.6.27 2.6.9", + "family": "Linux", + "name": "LINUX 2.6.9 - 2.6.27", + "system_name": "Linux", + "type": "General", + "vendor": "Linux", + "version": "2.6.9" + }, + "risk_score": 128750.1171875, + "severe_vulnerabilities": 307, + "total_vulnerabilities": 397, + "vulnerability": { + "added": "2019-10-16T00:00:00.000Z", + "categories": [ + "CentOS" + ], + "cves": [ + "CVE-2019-9506" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "adjacent", + "authentication": "none", + "availability_impact": "none", + "confidentiality_impact": "partial", + "exploit_score": 6.457932765007019, + "impact_score": 4.938243839970231, + "integrity_impact": "partial", + "score": 4.8, + "vector": "(AV:A/AC:L/Au:N/C:P/I:P/A:N)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "adjacent", + "availability_impact": "none", + "confidentiality_impact": "high", + "exploit_score": 2.83525473, + "impact_score": 5.177088, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 8.1, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" + }, + "denial_of_service": false, + "description": "The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. 
This allows practical brute-force attacks (aka \"KNOB\") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.", + "first_found": "2021-02-23T18:39:30.000Z", + "id": "centos_linux-cve-2019-9506", + "last_found": "2022-04-23T18:04:36.094Z", + "links": [ + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3076.html", + "id": "RHSA-2019:3076", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3055.html", + "id": "RHSA-2019:3055", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3165.html", + "id": "RHSA-2019:3165", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3187.html", + "id": "RHSA-2019:3187", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3220.html", + "id": "RHSA-2019:3220", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3231.html", + "id": "RHSA-2019:3231", + "source": "redhat" + }, + { + "href": "http://www.kb.cert.org/vuls/id/918987", + "id": "918987", + "source": "cert-vn" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2019-9506", + "id": "CVE-2019-9506", + "source": "nvd" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3517.html", + "id": "RHSA-2019:3517", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3309.html", + "id": "RHSA-2019:3309", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2020-0204.html", + "id": "RHSA-2020:0204", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3218.html", + "id": "RHSA-2019:3218", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3217.html", + "id": "RHSA-2019:3217", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-2975.html", + "id": "RHSA-2019:2975", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3089.html", + "id": 
"RHSA-2019:3089", + "source": "redhat" + } + ], + "modified": "2023-05-25T00:00:00.000Z", + "pci": { + "cvss_score": 4.8, + "fail": true, + "severity_score": 3, + "status": "fail" + }, + "proof": "Vulnerable OS: CentOS Linux 7.6.1810\n\n\n\nVulnerable software installed: Linux kernel 3.10.0-957.el7\n\n\nRequired patch [CVE-2019-9506] is not installed, no patches discovered.", + "published": "2019-08-14T00:00:00.000Z", + "references": "cert-vn:918987,nvd:CVE-2019-9506,redhat:RHSA-2019:2975,redhat:RHSA-2019:3055,redhat:RHSA-2019:3076,redhat:RHSA-2019:3089,redhat:RHSA-2019:3165,redhat:RHSA-2019:3187,redhat:RHSA-2019:3217,redhat:RHSA-2019:3218,redhat:RHSA-2019:3220,redhat:RHSA-2019:3231,redhat:RHSA-2019:3309,redhat:RHSA-2019:3517,redhat:RHSA-2020:0204", + "risk_score": 573.71, + "severity": "severe", + "severity_score": 5, + "solution": { + "fix": "Take a look at all possible solutions for vulnerability", + "id": "unknown-centos_linux-cve-2019-9506", + "summary": "The solution is unknown for vuln centos_linux-cve-2019-9506", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "CentOS Linux: CVE-2019-9506: Important: kernel security and bug fix update (Multiple Advisories)" + } + } + }, + "related": { + "hosts": [ + "12123455-1234-5678-0912-28dabcdefabe-default-asset-3709" + ], + "ip": [ + "175.16.199.2" + ] + }, + "resource": { + "id": "12123455-1234-5678-0912-28dabcdefabe-default-asset-3709" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CentOS" + ], + "classification": "CVSS", + "description": "The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. 
This allows practical brute-force attacks (aka \"KNOB\") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.", + "enumeration": "CVE", + "id": [ + "CVE-2019-9506" + ], + "published_date": "2019-08-14T00:00:00.000Z", + "reference": [ + "http://rhn.redhat.com/errata/RHSA-2019-3076.html", + "http://rhn.redhat.com/errata/RHSA-2019-3055.html", + "http://rhn.redhat.com/errata/RHSA-2019-3165.html", + "http://rhn.redhat.com/errata/RHSA-2019-3187.html", + "http://rhn.redhat.com/errata/RHSA-2019-3220.html", + "http://rhn.redhat.com/errata/RHSA-2019-3231.html", + "http://www.kb.cert.org/vuls/id/918987", + "http://nvd.nist.gov/vuln/detail/CVE-2019-9506", + "http://rhn.redhat.com/errata/RHSA-2019-3517.html", + "http://rhn.redhat.com/errata/RHSA-2019-3309.html", + "http://rhn.redhat.com/errata/RHSA-2020-0204.html", + "http://rhn.redhat.com/errata/RHSA-2019-3218.html", + "http://rhn.redhat.com/errata/RHSA-2019-3217.html", + "http://rhn.redhat.com/errata/RHSA-2019-2975.html", + "http://rhn.redhat.com/errata/RHSA-2019-3089.html" + ], + "scanner": { + "vendor": "Rapid7" + }, + "score": { + "base": 8.1, + "version": "3.0" + }, + "severity": "High", + "title": "Important: kernel security and bug fix update (Multiple Advisories)" + } + }, + { + "@timestamp": "2023-06-23T19:51:46.262Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2019-02-15T05:37:32.000Z", + "id": "12324565-1234-abcd-1234-21234567890e-default-asset-1239|windows-hotfix-ms11-020|2023-06-23T19:51:46.262Z", + "kind": "event", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":139,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":8,\"exploits\":32,\"host_name\":\"SBS2008-PREM-U\",\"id\":\"12324565-1234-abcd-1234-21234567890e-default-asset-1239\",\"ip\":\"175.16.199.1\",\"last_assessed_for_vulnerabilities\":\"2023-06-23T19:51:46.262Z\",\"last_scan_end\":\"2023-06-23T19:51:46.262Z\",\"last_scan_start\":\"2023-06-23T19:39:28.295Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":1,\"moderate_vulnerabilities\":7,\"os_architecture\":\"\",\"os_description\":\"Microsoft Windows Small Business Server 2008\",\"os_family\":\"Windows\",\"os_name\":\"Windows Small Business Server 2008\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"General\",\"os_vendor\":\"Microsoft\",\"risk_score\":15638.8798828125,\"severe_vulnerabilities\":12,\"tags\":[{\"name\":\"Windows\",\"type\":\"CUSTOM\"},{\"name\":\"snow_test\",\"type\":\"CUSTOM\"},{\"name\":\"SI\",\"type\":\"CUSTOM\"},{\"name\":\"my tag test\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets2\",\"type\":\"CUSTOM\"},{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":27,\"unique_identifiers\":[],\"vulnerability\":{\"added\":\"2011-04-13T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,IAVM,Microsoft,Microsoft Patch,Microsoft Windows,Remote 
Execution\",\"check_id\":null,\"cves\":\"CVE-2011-0661\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":9.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. 
Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.\",\"exploits\":[],\"first_found\":\"2019-02-15T05:37:32Z\",\"id\":\"windows-hotfix-ms11-020\",\"key\":\"\",\"last_found\":\"2023-06-23T19:51:46.262Z\",\"links\":[{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:12076\",\"id\":\"12076\",\"source\":\"oval\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"2011-A-0050\",\"source\":\"iavm\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS11-020\",\"id\":\"MS11-020\",\"source\":\"ms\"},{\"href\":\"http://www.securityfocus.com/bid/47198\",\"id\":\"47198\",\"source\":\"bid\"},{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA11-102A.html\",\"id\":\"TA11-102A\",\"source\":\"cert\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"Category I\",\"source\":\"disa_severity\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"V0026521\",\"source\":\"disa_vmskey\"},{\"href\":\"https://support.microsoft.com/en-us/kb/2508429\",\"id\":\"KB2508429\",\"source\":\"mskb\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2011-0661\",\"id\":\"CVE-2011-0661\",\"source\":\"cve\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":445,\"proof\":\"

Vulnerable OS: Microsoft Windows Small Business Server 2008

Based on the result of the "windows-hotfix-ms09-050" test, this node is applicable to this issue.

\",\"protocol\":\"TCP\",\"published\":\"2011-04-13T00:00:00Z\",\"references\":\"oval:12076,iavm:2011-A-0050,bid:47198,cve:CVE-2011-0661,disa_severity:Category I,mskb:KB2508429,ms:MS11-020,cert:TA11-102A,disa_vmskey:V0026521\",\"reintroduced\":null,\"risk_score\":900.45,\"severity\":\"critical\",\"severity_score\":10,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms11-020\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms11-020\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"title\":\"MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)\",\"vulnerability_id\":\"windows-hotfix-ms11-020\"}}", + "severity": 10, + "type": [ + "info" + ] + }, + "host": { + "hostname": "SBS2008-PREM-U", + "id": "12324565-1234-abcd-1234-21234567890e-default-asset-1239", + "ip": [ + "175.16.199.1" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "SBS2008-PREM-U", + "os": { + "family": "Windows", + "full": "Microsoft Windows Small Business Server 2008", + "name": "Windows Small Business Server 2008", + "platform": "windows", + "type": "windows" + }, + "risk": { + "static_score": 15638.8798828125 + } + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "Microsoft Windows Small Business Server 2008", + "version": "Microsoft Windows Small Business Server 2008" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 8, + "exploits": 32, + "host_name": "SBS2008-PREM-U", + "id": "12324565-1234-abcd-1234-21234567890e-default-asset-1239", + "ip": "175.16.199.1", + "last_assessed_for_vulnerabilities": "2023-06-23T19:51:46.262Z", + "last_scan_end": "2023-06-23T19:51:46.262Z", + "last_scan_start": "2023-06-23T19:39:28.295Z", + "mac": "00-00-5E-00-53-00", + "malware_kits": 1, + 
"moderate_vulnerabilities": 7, + "os": { + "description": "Microsoft Windows Small Business Server 2008", + "family": "Windows", + "name": "Windows Small Business Server 2008", + "system_name": "Microsoft Windows", + "type": "General", + "vendor": "Microsoft" + }, + "risk_score": 15638.8798828125, + "severe_vulnerabilities": 12, + "total_vulnerabilities": 27, + "vulnerability": { + "added": "2011-04-13T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "IAVM", + "Microsoft", + "Microsoft Patch", + "Microsoft Windows", + "Remote Execution" + ], + "cves": [ + "CVE-2011-0661" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "complete", + "confidentiality_impact": "complete", + "exploit_score": 9.996799945831299, + "impact_score": 10.000845454680942, + "integrity_impact": "complete", + "score": 10.0, + "vector": "(AV:N/AC:L/Au:N/C:C/I:C/A:C)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 3.8870427750000003, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 9.8, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. 
Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.", + "first_found": "2019-02-15T05:37:32.000Z", + "id": "windows-hotfix-ms11-020", + "last_found": "2023-06-23T19:51:46.262Z", + "links": [ + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:12076", + "id": "12076", + "source": "oval" + }, + { + "href": "http://iase.disa.mil/stigs/iavm-cve.html", + "id": "2011-A-0050", + "source": "iavm" + }, + { + "href": "http://technet.microsoft.com/security/bulletin/MS11-020", + "id": "MS11-020", + "source": "ms" + }, + { + "href": "http://www.securityfocus.com/bid/47198", + "id": "47198", + "source": "bid" + }, + { + "href": "http://www.us-cert.gov/cas/techalerts/TA11-102A.html", + "id": "TA11-102A", + "source": "cert" + }, + { + "href": "http://iase.disa.mil/stigs/iavm-cve.html", + "id": "Category I", + "source": "disa_severity" + }, + { + "href": "http://iase.disa.mil/stigs/iavm-cve.html", + "id": "V0026521", + "source": "disa_vmskey" + }, + { + "href": "https://support.microsoft.com/en-us/kb/2508429", + "id": "KB2508429", + "source": "mskb" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2011-0661", + "id": "CVE-2011-0661", + "source": "cve" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 10.0, + "fail": true, + "severity_score": 5, + "status": "fail" + }, + "port": 445, + "proof": "Running CIFS service\n\n\nVulnerable OS: Microsoft Windows Small Business Server 2008\n\n\n\nBased on the result of the \"windows-hotfix-ms09-050\" test, this node is applicable to this issue.", + "protocol": "TCP", + "published": "2011-04-13T00:00:00.000Z", + "references": "oval:12076,iavm:2011-A-0050,bid:47198,cve:CVE-2011-0661,disa_severity:Category I,mskb:KB2508429,ms:MS11-020,cert:TA11-102A,disa_vmskey:V0026521", + "risk_score": 900.45, + "severity": 
"critical", + "severity_score": 10, + "solution": { + "fix": "Take a look at all possible solutions for vulnerability", + "id": "unknown-windows-hotfix-ms11-020", + "summary": "The solution is unknown for vuln windows-hotfix-ms11-020", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)" + } + } + }, + "related": { + "hosts": [ + "SBS2008-PREM-U", + "12324565-1234-abcd-1234-21234567890e-default-asset-1239" + ], + "ip": [ + "175.16.199.1" + ] + }, + "resource": { + "id": "12324565-1234-abcd-1234-21234567890e-default-asset-1239", + "name": "SBS2008-PREM-U" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "IAVM", + "Microsoft", + "Microsoft Patch", + "Microsoft Windows", + "Remote Execution" + ], + "classification": "CVSS", + "description": "This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. 
Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.", + "enumeration": "CVE", + "id": [ + "CVE-2011-0661" + ], + "published_date": "2011-04-13T00:00:00.000Z", + "reference": [ + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:12076", + "http://iase.disa.mil/stigs/iavm-cve.html", + "http://technet.microsoft.com/security/bulletin/MS11-020", + "http://www.securityfocus.com/bid/47198", + "http://www.us-cert.gov/cas/techalerts/TA11-102A.html", + "https://support.microsoft.com/en-us/kb/2508429", + "http://nvd.nist.gov/vuln/detail/CVE-2011-0661" + ], + "scanner": { + "vendor": "Rapid7" + }, + "score": { + "base": 9.8, + "version": "3.0" + }, + "severity": "Critical", + "title": "Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)" + } + }, + { + "@timestamp": "2023-06-23T19:39:41.339Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2018-11-25T08:24:37.000Z", + "id": "12123455-1234-5678-9012-abcdefabcd0e-default-asset-152|windows-hotfix-ms06-035|2023-06-23T19:39:41.339Z", + "kind": "event", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":139,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":11,\"exploits\":37,\"host_name\":\"SHOCKWAVE-P\",\"id\":\"12123455-1234-5678-9012-abcdefabcd0e-default-asset-152\",\"ip\":\"175.16.199.3\",\"last_assessed_for_vulnerabilities\":\"2023-06-23T19:39:41.339Z\",\"last_scan_end\":\"2023-06-23T19:39:41.339Z\",\"last_scan_start\":\"2023-06-23T19:36:27.824Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":1,\"moderate_vulnerabilities\":4,\"os_architecture\":\"\",\"os_description\":\"Microsoft Windows XP\",\"os_family\":\"Windows\",\"os_name\":\"Windows XP\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"General\",\"os_vendor\":\"Microsoft\",\"risk_score\":14912.1123046875,\"severe_vulnerabilities\":8,\"tags\":[{\"name\":\"my tag test\",\"type\":\"CUSTOM\"},{\"name\":\"Windows\",\"type\":\"CUSTOM\"},{\"name\":\"SI\",\"type\":\"CUSTOM\"},{\"name\":\"snow_test\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets2\",\"type\":\"CUSTOM\"},{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":23,\"unique_identifiers\":[],\"vulnerability\":{\"added\":\"2006-07-12T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote 
Execution\",\"check_id\":null,\"cves\":\"CVE-2006-1314,CVE-2006-1315\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":7.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.83525473,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"low\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":6.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"denial_of_service\":false,\"description\":\"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \\\"Vulnerability Details\\\" section of this bulletin. We recommend that customers apply the update immediately.\",\"exploits\":[{\"description\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"id\":\"2057\",\"name\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a kernel pool corruption bug in SRV.SYS. Each\\n call to the mailslot write function results in a two byte return value\\n being written into the response packet. The code which creates this packet\\n fails to consider these two bytes in the allocation routine, resulting in\\n a slow corruption of the kernel memory pool. 
These two bytes are almost\\n always set to \\\"\\\\xff\\\\xff\\\" (a short integer with value of -1).\",\"id\":\"auxiliary/dos/windows/smb/ms06_035_mailslot\",\"name\":\"Microsoft SRV.SYS Mailslot Write Corruption\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"}],\"first_found\":\"2018-11-25T08:24:37Z\",\"id\":\"windows-hotfix-ms06-035\",\"key\":\"\",\"last_found\":\"2023-06-23T19:39:41.339Z\",\"links\":[{\"href\":\"http://www.kb.cert.org/vuls/id/189140\",\"id\":\"189140\",\"source\":\"cert-vn\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818\",\"id\":\"win-mailslot-bo(26818)\",\"source\":\"xf\"},{\"href\":\"http://www.securityfocus.com/bid/18863\",\"id\":\"18863\",\"source\":\"bid\"},{\"href\":\"https://support.microsoft.com/en-us/kb/917159\",\"id\":\"KB917159\",\"source\":\"mskb\"},{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA06-192A.html\",\"id\":\"TA06-192A\",\"source\":\"cert\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1314\",\"id\":\"CVE-2006-1314\",\"source\":\"cve\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1315\",\"id\":\"CVE-2006-1315\",\"source\":\"cve\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3\",\"id\":\"3\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600\",\"id\":\"600\",\"source\":\"oval\"},{\"href\":\"http://www.osvdb.org/27155\",\"id\":\"27155\",\"source\":\"osvdb\"},{\"href\":\"http://www.osvdb.org/27154\",\"id\":\"27154\",\"source\":\"osvdb\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS06-035\",\"id\":\"MS06-035\",\"source\":\"ms\"},{\"href\":\"http://www.securityfocus.com/bid/18891\",\"id\":\"18891\",\"source\":\"bid\"},{\"href\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"id\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"source\":\"url\"},{\"href\":\"https://exchange.xforc
e.ibmcloud.com/vulnerabilities/26820\",\"id\":\"win-smb-information-disclosure(26820)\",\"source\":\"xf\"},{\"href\":\"http://www.kb.cert.org/vuls/id/333636\",\"id\":\"333636\",\"source\":\"cert-vn\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":7.5,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows XP

Server responded with vulnerable error code: 2 and class: 1

\",\"protocol\":null,\"published\":\"2006-07-11T00:00:00Z\",\"references\":\"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)\",\"reintroduced\":null,\"risk_score\":756.61,\"severity\":\"critical\",\"severity_score\":8,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms06-035\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms06-035\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"title\":\"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)\",\"vulnerability_id\":\"windows-hotfix-ms06-035\"}}", + "severity": 8, + "type": [ + "info" + ] + }, + "host": { + "hostname": "SHOCKWAVE-P", + "id": "12123455-1234-5678-9012-abcdefabcd0e-default-asset-152", + "ip": [ + "175.16.199.3" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "SHOCKWAVE-P", + "os": { + "family": "Windows", + "full": "Microsoft Windows XP", + "name": "Windows XP", + "platform": "windows", + "type": "windows" + }, + "risk": { + "static_score": 14912.1123046875 + } + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "Microsoft Windows XP", + "version": "Microsoft Windows XP" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 11, + "exploits": 37, + "host_name": "SHOCKWAVE-P", + "id": "12123455-1234-5678-9012-abcdefabcd0e-default-asset-152", + "ip": "175.16.199.3", + "last_assessed_for_vulnerabilities": "2023-06-23T19:39:41.339Z", + "last_scan_end": "2023-06-23T19:39:41.339Z", + "last_scan_start": "2023-06-23T19:36:27.824Z", + "mac": "00-00-5E-00-53-00", + 
"malware_kits": 1, + "moderate_vulnerabilities": 4, + "os": { + "description": "Microsoft Windows XP", + "family": "Windows", + "name": "Windows XP", + "system_name": "Microsoft Windows", + "type": "General", + "vendor": "Microsoft" + }, + "risk_score": 14912.1123046875, + "severe_vulnerabilities": 8, + "total_vulnerabilities": 23, + "vulnerability": { + "added": "2006-07-12T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft Patch", + "Remote Execution" + ], + "cves": [ + "CVE-2006-1314", + "CVE-2006-1315" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 9.996799945831299, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 7.5, + "vector": "(AV:N/AC:L/Au:N/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "none", + "confidentiality_impact": "high", + "exploit_score": 2.83525473, + "impact_score": 3.5952, + "integrity_impact": "none", + "privileges_required": "low", + "scope": "unchanged", + "score": 6.5, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "denial_of_service": false, + "description": "This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.", + "exploits": [ + { + "description": "Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)", + "id": "2057", + "name": "Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module triggers a kernel pool corruption bug in SRV.SYS. 
Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).", + "id": "auxiliary/dos/windows/smb/ms06_035_mailslot", + "name": "Microsoft SRV.SYS Mailslot Write Corruption", + "rank": "normal", + "skill_level": "intermediate", + "source": "metasploit" + } + ], + "first_found": "2018-11-25T08:24:37.000Z", + "id": "windows-hotfix-ms06-035", + "last_found": "2023-06-23T19:39:41.339Z", + "links": [ + { + "href": "http://www.kb.cert.org/vuls/id/189140", + "id": "189140", + "source": "cert-vn" + }, + { + "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26818", + "id": "win-mailslot-bo(26818)", + "source": "xf" + }, + { + "href": "http://www.securityfocus.com/bid/18863", + "id": "18863", + "source": "bid" + }, + { + "href": "https://support.microsoft.com/en-us/kb/917159", + "id": "KB917159", + "source": "mskb" + }, + { + "href": "http://www.us-cert.gov/cas/techalerts/TA06-192A.html", + "id": "TA06-192A", + "source": "cert" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2006-1314", + "id": "CVE-2006-1314", + "source": "cve" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2006-1315", + "id": "CVE-2006-1315", + "source": "cve" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3", + "id": "3", + "source": "oval" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600", + "id": "600", + "source": "oval" + }, + { + "href": "http://www.osvdb.org/27155", + "id": "27155", + "source": "osvdb" + }, + { + "href": "http://www.osvdb.org/27154", + "id": "27154", + "source": "osvdb" + }, + { + "href": 
"http://technet.microsoft.com/security/bulletin/MS06-035", + "id": "MS06-035", + "source": "ms" + }, + { + "href": "http://www.securityfocus.com/bid/18891", + "id": "18891", + "source": "bid" + }, + { + "href": "http://technet.microsoft.com/en-us/security/bulletin/MS06-035", + "id": "http://technet.microsoft.com/en-us/security/bulletin/MS06-035", + "source": "url" + }, + { + "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26820", + "id": "win-smb-information-disclosure(26820)", + "source": "xf" + }, + { + "href": "http://www.kb.cert.org/vuls/id/333636", + "id": "333636", + "source": "cert-vn" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 7.5, + "fail": true, + "severity_score": 5, + "status": "fail" + }, + "proof": "Vulnerable OS: Microsoft Windows XP\n\n\n\nServer responded with vulnerable error code: 2 and class: 1", + "published": "2006-07-11T00:00:00.000Z", + "references": "bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)", + "risk_score": 756.61, + "severity": "critical", + "severity_score": 8, + "solution": { + "fix": "Take a look at all possible solutions for vulnerability", + "id": "unknown-windows-hotfix-ms06-035", + "summary": "The solution is unknown for vuln windows-hotfix-ms06-035", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", + "title": "MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)" + } + } + }, + "related": { + "hosts": [ + "SHOCKWAVE-P", + "12123455-1234-5678-9012-abcdefabcd0e-default-asset-152" + ], + "ip": [ + "175.16.199.3" + ] + }, + "resource": { + "id": "12123455-1234-5678-9012-abcdefabcd0e-default-asset-152", + "name": "SHOCKWAVE-P" + }, + "tags": [ + "preserve_original_event", + 
"preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft Patch", + "Remote Execution" + ], + "classification": "CVSS", + "description": "This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.", + "enumeration": "CVE", + "id": [ + "CVE-2006-1314", + "CVE-2006-1315" + ], + "published_date": "2006-07-11T00:00:00.000Z", + "reference": [ + "http://www.kb.cert.org/vuls/id/189140", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/26818", + "http://www.securityfocus.com/bid/18863", + "https://support.microsoft.com/en-us/kb/917159", + "http://www.us-cert.gov/cas/techalerts/TA06-192A.html", + "http://nvd.nist.gov/vuln/detail/CVE-2006-1314", + "http://nvd.nist.gov/vuln/detail/CVE-2006-1315", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600", + "http://www.osvdb.org/27155", + "http://www.osvdb.org/27154", + "http://technet.microsoft.com/security/bulletin/MS06-035", + "http://www.securityfocus.com/bid/18891", + "http://technet.microsoft.com/en-us/security/bulletin/MS06-035", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/26820", + "http://www.kb.cert.org/vuls/id/333636" + ], + "scanner": { + "vendor": "Rapid7" + }, + "score": { + "base": 6.5, + "version": "3.0" + }, + "severity": "Critical", + "title": "Vulnerability in Server Service Could Allow Remote Code Execution (917159)" + } + } + ] +} diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-common-config.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..be41bb0d476 
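Review bot: in the expected document above, `package.version` carries the same value as `package.name` ("Microsoft Windows XP"); a version field holding the product name points to the wrong source field being copied into `package.version`, so check that mapping before this fixture is locked in as the reference output. Note also that `vulnerability.score.base` holds the CVSS v3 score (6.5) while `vulnerability.severity` is Rapid7's own rating ("Critical"); a line in the README saying the two come from different sources would save users from expecting them to agree.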
--- /dev/null +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,4 @@ +fields: + tags: + - preserve_original_event + - preserve_duplicate_custom_fields diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/system/test-default-config.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..397ade4ac07 --- /dev/null +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/system/test-default-config.yml @@ -0,0 +1,15 @@ +input: cel +service: rapid7_insightvm +vars: + url: http://{{Hostname}}:{{Port}} + api_key: api_key + logging: + level: debug +data_stream: + vars: + batch_size: 2 + preserve_original_event: true + preserve_duplicate_custom_fields: true + enable_request_tracer: true +assert: + hit_count: 8 diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..42bc0ca7d70 --- /dev/null +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs 
@@ -0,0 +1,262 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +state: + api_key: {{api_key}} + batch_size: {{batch_size}} + initial_interval: {{initial_interval}} +redact: + fields: + - api_key +program: |- + + // The program collects all assets and enriches them with vulnerability details. + // Here's a detailed overview of how this process works: + // + // On execution, the program calls the [Assets API][1] and retrieves the first batch of assets. + // From this batch, we extract all vulnerability IDs associated with the assets (including new, existing, and remediated vulnerabilities). + // We then use this list of vulnerability IDs as a filter to call the [Vulnerabilities API][2], + // retrieving all relevant vulnerabilities until we receive a null value for the next cursor. + // + // After retrieving the vulnerability data, we aggregate it with the corresponding assets and publish the events. + // This process continues batch by batch until the Assets API returns a null value for the next cursor. + // + // [1]: https://help.rapid7.com/insightvm/en-us/api/integrations.html#tag/Asset/operation/searchIntegrationAssets + // [2]: https://help.rapid7.com/insightvm/en-us/api/integrations.html#tag/Vulnerability/operation/searchIntegrationVulnerabilities + + ( + state.?want_more.orValue(false) ? + state.interval_time + : + now + ).as(interval_time, + // If assets are already present and the vulnerabilities for the current asset batch have not been fully fetched, + // skip the Asset API call and continue forwarding the state to the next block. 
+ has(state.assets) && (state.is_all_assets_fetched || !state.?is_current_vulnerabilities_fetched.orValue(false)) ? + { + "assets": state.assets, + "is_all_assets_fetched": state.is_all_assets_fetched, + "asset_vuln_ids": state.asset_vuln_ids, + "interval_time": interval_time, + ?"next_asset_cursor": state.?next_asset_cursor, + } + : + // The `includeSame` query parameter and `last_scan_end` body filter are only added in the first execution of program. + // These parameters are used to collect historical vulnerabilities for the assets. + request( + "POST", + state.url.trim_right("/") + "/vm/v4/integration/assets?" + { + "size": [string(state.batch_size)], + "includeUniqueIdentifiers": ["true"], + ?"includeSame": has(state.?cursor.last_interval_time) ? optional.none() : optional.of(["true"]), + ?"comparisonTime": state.?cursor.last_interval_time.optMap(v, [v]), + ?"cursor": state.?next_asset_cursor.optMap(v, [v]), + }.format_query() + ).with({ + "Header": { + "X-Api-Key": [state.api_key], + "Content-Type": ["application/json"], + }, + "Body": { + ?"asset": has(state.?cursor.last_interval_time) ? + optional.none() + : + optional.of(("last_scan_end > " + (timestamp(interval_time) - duration(state.initial_interval)).format(time_layout.RFC3339))), + }.encode_json(), + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "events": [{"message": "retry"}], + "batch_size": state.batch_size, + "initial_interval": state.initial_interval, + "api_key": state.api_key, + "cursor": { + ?"last_interval_time": state.?cursor.last_interval_time, + }, + ?"next_asset_cursor": has(body.?metadata.cursor) && body.metadata.cursor != null ? 
optional.of(body.metadata.cursor) : optional.none(), + "is_all_assets_fetched": !has(body.metadata.cursor) || body.metadata.cursor == null, + "assets": body.data, + "asset_vuln_ids": body.data.map(a, ( + a.?same.orValue([]).map(s, s.vulnerability_id) + + a.?new.orValue([]).map(n, n.vulnerability_id) + + a.?remediated.orValue([]).map(r, r.vulnerability_id) + )).flatten().as(vuln_ids, + zip(vuln_ids, vuln_ids) // to get a unique set of IDs + ).keys(), + "interval_time": interval_time, + "want_more": true + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST " + state.url.trim_right("/") + "/vm/v4/integration/assets:" + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + "api_key": state.api_key, + "batch_size": state.batch_size, + "initial_interval": state.initial_interval, + } + ) + ).as(work, + has(work.events) ? work : // Exit early + ( + // If the current set of vulnerabilities has been fetched, skip the Vulnerability API call and continue forwarding the state to the next block. + (has(state.vulnerabilities) && state.is_current_vulnerabilities_fetched) ? + work.with({ + "vulnerabilities": state.vulnerabilities, + "is_current_vulnerabilities_fetched": state.is_current_vulnerabilities_fetched + }) + : + request( + "POST", + state.url.trim_right("/") + "/vm/v4/integration/vulnerabilities?" + { + "size": ["500"], + ?"cursor": state.?next_vuln_cursor.optMap(v, [v]), + }.format_query() + ).with({ + "Header": { + "X-Api-Key": [state.api_key], + "Content-Type": ["application/json"] + }, + "Body": { + "vulnerability": work.asset_vuln_ids.as(x, sprintf("id IN ['%s']", [x.join("','")])), + }.encode_json(), + }).do_request().as(resp, resp.StatusCode == 200 ? 
+ resp.Body.decode_json().as(body, { + "events": [{"message": "retry"}], + "batch_size": state.batch_size, + "api_key": state.api_key, + "initial_interval": state.initial_interval, + "assets": state.assets, + "cursor": { + ?"last_interval_time": state.?cursor.last_interval_time, + }, + "is_all_assets_fetched": state.is_all_assets_fetched, + ?"next_vuln_cursor": has(body.?metadata.cursor) && body.metadata.cursor != null ? optional.of(body.metadata.cursor) : optional.none(), + ?"next_asset_cursor": work.?next_asset_cursor, + "is_current_vulnerabilities_fetched": !has(body.metadata.cursor) || body.metadata.cursor == null, + "vulnerabilities": (state.?vulnerabilities.orValue([]) + body.data).flatten(), + "asset_vuln_ids": work.asset_vuln_ids, + "interval_time": work.interval_time, + "want_more": true + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST " + state.url.trim_right("/") + "/vm/v4/integration/vulnerabilities:" + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + "api_key": state.api_key, + "batch_size": state.batch_size, + "initial_interval": state.initial_interval, + } + ) + ) + ).as(work, + (type(work.events) == map || !(work.is_all_assets_fetched || work.?is_current_vulnerabilities_fetched.orValue(false))) ? + work // Error or more vulnerabilities to fetch for current assets. + : + work.is_all_assets_fetched ? + // All assets fetched. Save cursor and end iteration. + { + "events": [], + "cursor": { + ?"last_interval_time": optional.of(work.interval_time), + }, + "want_more": false, + "api_key": state.api_key, + "batch_size": state.batch_size, + "initial_interval": state.initial_interval, + } + : + // All vulnerabilities of current assets batch are fetched. Aggregate and publish events. 
+ work.with({ + // convert vulnerabilities to map for better searching + "vulnerabilities": work.vulnerabilities.map(e, { + "key": e.id, + "value": e + }).as(result, zip( + result.map(e, e.key), + result.map(e, e.value) + )), + // combine same[] new[] remediated[] into vulnerability[] + "assets": work.assets.map(e, e.with({ + "vulnerabilities": e.?same.orValue([]) + e.?new.orValue([]) + e.?remediated.orValue([]).map(r, r.with({"is_remediated": true})), + }).drop(["new","remediated","same"])) + }).as(work, { + "events": (work.assets.map(e, e.vulnerabilities.map(v, { + "message": e.with({"vulnerability": v.with( + work.?vulnerabilities[v.vulnerability_id].orValue("not present") != "not present" ? + work.vulnerabilities[v.vulnerability_id] + : + {"is_enriched": false} + )}).drop("vulnerabilities").encode_json() + })).flatten()).as(result, size(result) != 0 ? // it will be empty when there is no vulnerability for current assets batch + result + : + [{"message": "retry"}] // retry execution as is_all_assets_fetched is false + ), + "cursor": { + ?"last_interval_time": state.?cursor.last_interval_time, + }, + "is_all_assets_fetched": work.is_all_assets_fetched, + "is_current_vulnerabilities_fetched": work.is_current_vulnerabilities_fetched, + ?"next_asset_cursor": work.?next_asset_cursor, + "interval_time": work.interval_time, + "want_more": true, + "api_key": state.api_key, + "batch_size": state.batch_size, + "initial_interval": state.initial_interval, + }) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- drop_event: + when: + equals: + message: retry +{{#if processors}} +{{processors}} +{{/if}} 
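Review bot: `is_all_assets_fetched` is computed as `!has(body.metadata.cursor) || body.metadata.cursor == null`, while the `next_asset_cursor` line just above guards the same access with `has(body.?metadata.cursor)`; if the assets response ever omits `metadata`, the unguarded form raises an evaluation error instead of treating the batch as the last one, and the same pair appears in the vulnerabilities block for `is_current_vulnerabilities_fetched`, so use the optional form in both places. Also, `redact.fields` masks `api_key` in the persisted state, but with `resource.tracer` enabled the outgoing requests, including the `X-Api-Key` header set in the `Header` map, are written to the trace file; please confirm the tracer masks that header, or document that the trace files contain the key. Lastly, when `asset_vuln_ids` is empty the vulnerabilities request is still sent with the filter `id IN ['']` (from `x.join("','")`); skipping the call when the list is empty avoids a pointless round trip for every asset batch without findings.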
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..8236808107d --- /dev/null +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,1132 @@ +--- +description: Pipeline for processing asset vulnerability events. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.11.0 + - fail: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + message: error message set and no data to process. + - remove: + field: + - organization + - division + - team + ignore_missing: true + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + tag: remove_agentless_tags + description: >- + Removes the fields added by Agentless as metadata, + as they can collide with ECS fields. + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. 
+ if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_event_kind_to_event + value: event + - append: + field: event.category + tag: append_vulnerability_into_event_category + value: vulnerability + - append: + field: event.type + tag: append_info_into_event_type + value: info + - set: + field: observer.vendor + tag: set_observer_vendor + value: Rapid7 + - set: + field: observer.product + tag: set_observer_product + value: Rapid7 InsightVM + - set: + field: vulnerability.scanner.vendor + tag: set_vulnerability_scanner_vendor + value: Rapid7 + - set: + field: vulnerability.classification + tag: set_vulnerability_classification + value: CVSS + - set: + field: vulnerability.enumeration + tag: set_vulnerability_enumeration + value: CVE + # Remove cloud.* fields populated by beat. + # These fields correspond to EA rather than Rapid7 hosts and could be misleading. + - remove: + field: cloud + ignore_missing: true + description: Remove ECS cloud fields that are populated from EA metadata. 
+ - convert: + field: json.assessed_for_policies + tag: convert_assessed_for_policies_to_boolean + target_field: rapid7_insightvm.asset_vulnerability.assessed_for_policies + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.assessed_for_vulnerabilities + tag: convert_assessed_for_vulnerabilities_to_boolean + target_field: rapid7_insightvm.asset_vulnerability.assessed_for_vulnerabilities + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.credential_assessments.port + tag: convert_credential_assessments_port_to_long + target_field: rapid7_insightvm.asset_vulnerability.credential_assessments.port + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.credential_assessments.protocol + tag: rename_credential_assessments_protocol + target_field: rapid7_insightvm.asset_vulnerability.credential_assessments.protocol + ignore_missing: true + - rename: + field: json.credential_assessments.status + tag: rename_credential_assessments_status + target_field: rapid7_insightvm.asset_vulnerability.credential_assessments.status + ignore_missing: true + - convert: + field: json.critical_vulnerabilities + tag: convert_critical_vulnerabilities_to_long + target_field: 
rapid7_insightvm.asset_vulnerability.critical_vulnerabilities + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.exploits + tag: convert_exploits_to_long + target_field: rapid7_insightvm.asset_vulnerability.exploits + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.host_name + tag: rename_host_name + target_field: rapid7_insightvm.asset_vulnerability.host_name + ignore_missing: true + - set: + field: host.name + tag: set_host_name_from_asset_vulnerability_host_name + copy_from: rapid7_insightvm.asset_vulnerability.host_name + ignore_empty_value: true + - set: + field: host.hostname + tag: set_host_hostname_from_asset_vulnerability_host_name + copy_from: rapid7_insightvm.asset_vulnerability.host_name + ignore_empty_value: true + - set: + field: resource.name + tag: set_resource_name_from_asset_vulnerability_host_name + copy_from: rapid7_insightvm.asset_vulnerability.host_name + ignore_empty_value: true + - append: + field: related.hosts + tag: append_asset_vulnerability_host_name_into_related_hosts + value: '{{{rapid7_insightvm.asset_vulnerability.host_name}}}' + allow_duplicates: false + if: ctx.rapid7_insightvm?.asset_vulnerability?.host_name != null + - rename: + field: json.id + tag: rename_id + target_field: rapid7_insightvm.asset_vulnerability.id + ignore_missing: true + - set: + field: host.id + tag: set_host_id_from_asset_vulnerability_id + copy_from: rapid7_insightvm.asset_vulnerability.id + ignore_empty_value: true + - set: + 
field: resource.id + tag: set_resource_id_from_asset_vulnerability_id + copy_from: rapid7_insightvm.asset_vulnerability.id + ignore_empty_value: true + - append: + field: related.hosts + tag: append_asset_vulnerability_id_into_related_hosts + value: '{{{rapid7_insightvm.asset_vulnerability.id}}}' + allow_duplicates: false + if: ctx.rapid7_insightvm?.asset_vulnerability?.id != null + - convert: + field: json.ip + tag: convert_ip_to_ip + target_field: rapid7_insightvm.asset_vulnerability.ip + type: ip + ignore_missing: true + if: ctx.json?.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: host.ip + tag: append_rapid7_insightvm_asset_vulnerability_ip_into_host_ip + value: '{{{rapid7_insightvm.asset_vulnerability.ip}}}' + allow_duplicates: false + if: ctx.rapid7_insightvm?.asset_vulnerability?.ip != null + - append: + field: related.ip + tag: append_asset_vulnerability_ip_into_related_ip + value: '{{{rapid7_insightvm.asset_vulnerability.ip}}}' + allow_duplicates: false + if: ctx.rapid7_insightvm?.asset_vulnerability?.ip != null + - date: + field: json.last_assessed_for_vulnerabilities + tag: date_last_assessed_for_vulnerabilities + target_field: rapid7_insightvm.asset_vulnerability.last_assessed_for_vulnerabilities + formats: + - ISO8601 + if: ctx.json?.last_assessed_for_vulnerabilities != null && ctx.json.last_assessed_for_vulnerabilities != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.last_scan_end + tag: date_last_scan_end + target_field: rapid7_insightvm.asset_vulnerability.last_scan_end + 
formats: + - ISO8601 + if: ctx.json?.last_scan_end != null && ctx.json.last_scan_end != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.last_scan_start + tag: date_last_scan_start + target_field: rapid7_insightvm.asset_vulnerability.last_scan_start + formats: + - ISO8601 + if: ctx.json?.last_scan_start != null && ctx.json.last_scan_start != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - gsub: + field: json.mac + tag: gsub_mac + target_field: rapid7_insightvm.asset_vulnerability.mac + pattern: ':' + replacement: '-' + ignore_missing: true + - uppercase: + field: rapid7_insightvm.asset_vulnerability.mac + tag: uppercase_mac + ignore_missing: true + - append: + field: host.mac + tag: append_rapid7_insightvm_asset_vulnerability_mac_into_host_mac + value: '{{{rapid7_insightvm.asset_vulnerability.mac}}}' + allow_duplicates: false + if: ctx.rapid7_insightvm?.asset_vulnerability?.mac != null + - convert: + field: json.malware_kits + tag: convert_malware_kits_to_long + target_field: rapid7_insightvm.asset_vulnerability.malware_kits + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.moderate_vulnerabilities + tag: convert_moderate_vulnerabilities_to_long + target_field: rapid7_insightvm.asset_vulnerability.moderate_vulnerabilities + type: long + ignore_missing: 
true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.os_architecture + tag: rename_os_architecture + target_field: rapid7_insightvm.asset_vulnerability.os.architecture + ignore_missing: true + - set: + field: host.architecture + tag: set_host_architecture_from_asset_vulnerability_os_architecture + copy_from: rapid7_insightvm.asset_vulnerability.os.architecture + ignore_empty_value: true + - rename: + field: json.os_description + tag: rename_os_description + target_field: rapid7_insightvm.asset_vulnerability.os.description + ignore_missing: true + - set: + field: host.os.full + tag: set_host_os_full_from_asset_vulnerability_os_description + copy_from: rapid7_insightvm.asset_vulnerability.os.description + ignore_empty_value: true + - rename: + field: json.os_family + tag: rename_os_family + target_field: rapid7_insightvm.asset_vulnerability.os.family + ignore_missing: true + - set: + field: host.os.family + tag: set_host_os_family_from_asset_vulnerability_os_family + copy_from: rapid7_insightvm.asset_vulnerability.os.family + ignore_empty_value: true + - set: + field: host.os.platform + tag: set_host_os_platform_linux + value: linux + if: ctx.host?.os?.family != null && ctx.host.os.family.toLowerCase().contains('linux') + - set: + field: host.os.platform + tag: set_host_os_platform_windows + value: windows + if: ctx.host?.os?.family != null && ctx.host.os.family.toLowerCase().contains('windows') + - set: + field: host.os.platform + tag: set_host_os_platform_darwin + value: darwin + if: ctx.host?.os?.family != null && ctx.host.os.family.toLowerCase().contains('mac') + - script: + description: Dynamically set host.os.type values. 
+ tag: script_map_host_os_type + lang: painless + if: ctx.host?.os?.family != null + params: + os_type: + - linux + - mac + - unix + - windows + - ios + - android + source: | + String os_family = ctx.host.os.family.toLowerCase(); + for (String os: params.os_type) { + if (os_family.contains(os)) { + if (os == 'mac') { + ctx.host.os.put('type', 'macos'); + } else { + ctx.host.os.put('type', os); + } + return; + } + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.os_name + tag: rename_os_name + target_field: rapid7_insightvm.asset_vulnerability.os.name + ignore_missing: true + - set: + field: host.os.name + tag: set_host_os_name_from_asset_vulnerability_os_name + copy_from: rapid7_insightvm.asset_vulnerability.os.name + ignore_empty_value: true + - rename: + field: json.os_system_name + tag: rename_os_system_name + target_field: rapid7_insightvm.asset_vulnerability.os.system_name + ignore_missing: true + - rename: + field: json.os_type + tag: rename_os_type + target_field: rapid7_insightvm.asset_vulnerability.os.type + ignore_missing: true + - rename: + field: json.os_vendor + tag: rename_os_vendor + target_field: rapid7_insightvm.asset_vulnerability.os.vendor + ignore_missing: true + - rename: + field: json.os_version + tag: rename_os_version + target_field: rapid7_insightvm.asset_vulnerability.os.version + ignore_missing: true + - set: + field: host.os.version + tag: set_host_os_version_from_asset_vulnerability_os_version + copy_from: rapid7_insightvm.asset_vulnerability.os.version + ignore_empty_value: true + - convert: + field: json.risk_score + tag: convert_risk_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.risk_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + 
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: host.risk.static_score + tag: set_host_risk_static_score_from_asset_vulnerability_risk_score + copy_from: rapid7_insightvm.asset_vulnerability.risk_score + ignore_empty_value: true + - convert: + field: json.severe_vulnerabilities + tag: convert_severe_vulnerabilities_to_long + target_field: rapid7_insightvm.asset_vulnerability.severe_vulnerabilities + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.tags.name + tag: rename_tags_name + target_field: rapid7_insightvm.asset_vulnerability.tags.name + ignore_missing: true + - rename: + field: json.tags.type + tag: rename_tags_type + target_field: rapid7_insightvm.asset_vulnerability.tags.type + ignore_missing: true + - convert: + field: json.total_vulnerabilities + tag: convert_total_vulnerabilities_to_long + target_field: rapid7_insightvm.asset_vulnerability.total_vulnerabilities + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.type + tag: rename_type + target_field: rapid7_insightvm.asset_vulnerability.type + ignore_missing: true + - set: + field: host.type + tag: set_host_type_from_asset_vulnerability_type + copy_from: rapid7_insightvm.asset_vulnerability.type + ignore_empty_value: true + - rename: + field: json.unique_identifiers + tag: rename_unique_identifiers + 
target_field: rapid7_insightvm.asset_vulnerability.unique_identifiers + ignore_missing: true + - script: + description: Map vulnerability.scanner.name field. + tag: script_map_vulnerability_scanner_name + lang: painless + if: ctx.rapid7_insightvm?.asset_vulnerability?.unique_identifiers instanceof List + source: | + ctx.vulnerability = ctx.vulnerability ?: [:]; + ctx.vulnerability.scanner = ctx.vulnerability.scanner ?: [:]; + for (def o: ctx.rapid7_insightvm.asset_vulnerability.unique_identifiers) { + if (o.source == 'R7 Agent') { + ctx.vulnerability.scanner.put('name', o.id); + return; + } + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.vulnerability.added + tag: date_vulnerability_added + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.added + formats: + - ISO8601 + if: ctx.json?.vulnerability?.added != null && ctx.json.vulnerability.added != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - split: + field: json.vulnerability.categories + separator: ',' + tag: split_vulnerability_categories + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.categories + ignore_missing: true + if: ctx.json?.vulnerability?.categories instanceof String + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: vulnerability.category + tag: 
set_vulnerability_category_from_asset_vulnerability_vulnerability_categories + copy_from: rapid7_insightvm.asset_vulnerability.vulnerability.categories + ignore_empty_value: true + - rename: + field: json.vulnerability.check_id + tag: rename_vulnerability_check_id + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.check_id + ignore_missing: true + - split: + field: json.vulnerability.cves + separator: ',' + tag: split_vulnerability_cves + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cves + ignore_missing: true + if: ctx.json?.vulnerability?.cves instanceof String && ctx.json.vulnerability.cves != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: vulnerability.id + tag: set_vulnerability_id_from_asset_vulnerability_vulnerability_cves + copy_from: rapid7_insightvm.asset_vulnerability.vulnerability.cves + ignore_empty_value: true + - rename: + field: json.vulnerability.cvss_v2_access_complexity + tag: rename_vulnerability_cvss_v2_access_complexity + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.access_complexity + ignore_missing: true + - rename: + field: json.vulnerability.cvss_v2_access_vector + tag: rename_vulnerability_cvss_v2_access_vector + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.access_vector + ignore_missing: true + - rename: + field: json.vulnerability.cvss_v2_authentication + tag: rename_vulnerability_cvss_v2_authentication + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.authentication + ignore_missing: true + - rename: + field: json.vulnerability.cvss_v2_availability_impact + tag: rename_vulnerability_cvss_v2_availability_impact + target_field: 
rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.availability_impact + ignore_missing: true + - rename: + field: json.vulnerability.cvss_v2_confidentiality_impact + tag: rename_vulnerability_cvss_v2_confidentiality_impact + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.confidentiality_impact + ignore_missing: true + - convert: + field: json.vulnerability.cvss_v2_exploit_score + tag: convert_vulnerability_cvss_v2_exploit_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.exploit_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.vulnerability.cvss_v2_impact_score + tag: convert_vulnerability_cvss_v2_impact_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.impact_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.vulnerability.cvss_v2_integrity_impact + tag: rename_vulnerability_cvss_v2_integrity_impact + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.integrity_impact + ignore_missing: true + - convert: + field: json.vulnerability.cvss_v2_score + tag: convert_vulnerability_cvss_v2_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.vulnerability.cvss_v2_vector + tag: rename_vulnerability_cvss_v2_vector + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.vector + ignore_missing: true + - rename: + field: json.vulnerability.cvss_v3_attack_complexity + tag: rename_vulnerability_cvss_v3_attack_complexity + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.attack_complexity + ignore_missing: true + - rename: + field: json.vulnerability.cvss_v3_attack_vector + tag: rename_vulnerability_cvss_v3_attack_vector + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.attack_vector + ignore_missing: true + - rename: + field: json.vulnerability.cvss_v3_availability_impact + tag: rename_vulnerability_cvss_v3_availability_impact + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.availability_impact + ignore_missing: true + - rename: + field: json.vulnerability.cvss_v3_confidentiality_impact + tag: rename_vulnerability_cvss_v3_confidentiality_impact + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.confidentiality_impact + ignore_missing: true + - convert: + field: json.vulnerability.cvss_v3_exploit_score + tag: convert_vulnerability_cvss_v3_exploit_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.exploit_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.vulnerability.cvss_v3_impact_score + tag: convert_vulnerability_cvss_v3_impact_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.impact_score + type: double + ignore_missing: 
true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.vulnerability.cvss_v3_integrity_impact + tag: rename_vulnerability_cvss_v3_integrity_impact + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.integrity_impact + ignore_missing: true + - rename: + field: json.vulnerability.cvss_v3_privileges_required + tag: rename_vulnerability_cvss_v3_privileges_required + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.privileges_required + ignore_missing: true + - rename: + field: json.vulnerability.cvss_v3_scope + tag: rename_vulnerability_cvss_v3_scope + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.scope + ignore_missing: true + - convert: + field: json.vulnerability.cvss_v3_score + tag: convert_vulnerability_cvss_v3_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: vulnerability.score.base + tag: set_vulnerability_score_base_from_asset_vulnerability_vulnerability_cvss_v3_score + copy_from: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.score + ignore_empty_value: true + - set: + field: vulnerability.score.version + tag: set_vulnerability_score_version + value: '3.0' + - rename: + field: json.vulnerability.cvss_v3_user_interaction + tag: rename_vulnerability_cvss_v3_user_interaction + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.user_interaction + ignore_missing: true + - 
rename: + field: json.vulnerability.cvss_v3_vector + tag: rename_vulnerability_cvss_v3_vector + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.vector + ignore_missing: true + - convert: + field: json.vulnerability.denial_of_service + tag: convert_vulnerability_denial_of_service_to_boolean + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.denial_of_service + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.vulnerability.description + tag: rename_vulnerability_description + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.description + ignore_missing: true + - set: + field: vulnerability.description + tag: set_vulnerability_description_from_asset_vulnerability_vulnerability_description + copy_from: rapid7_insightvm.asset_vulnerability.vulnerability.description + ignore_empty_value: true + - rename: + field: json.vulnerability.exploits + tag: rename_vulnerability_exploits + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.exploits + ignore_missing: true + - date: + field: json.vulnerability.first_found + tag: date_vulnerability_first_found + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.first_found + formats: + - ISO8601 + if: ctx.json?.vulnerability?.first_found != null && ctx.json.vulnerability.first_found != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.created + tag: set_event_created_from_asset_vulnerability_vulnerability_first_found + copy_from: 
rapid7_insightvm.asset_vulnerability.vulnerability.first_found + ignore_empty_value: true + - rename: + field: json.vulnerability.id + tag: rename_vulnerability_id + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.id + ignore_missing: true + - rename: + field: json.vulnerability.vulnerability_id + tag: rename_vulnerability_vulnerability_id + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.id + if: ctx.rapid7_insightvm?.asset_vulnerability?.vulnerability?.id == null + ignore_missing: true + - rename: + field: json.vulnerability.key + tag: rename_vulnerability_key + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.key + ignore_missing: true + - convert: + field: json.vulnerability.is_enriched + tag: convert_vulnerability_is_enriched_to_boolean + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.is_enriched + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.vulnerability.is_remediated + tag: convert_vulnerability_is_remediated_to_boolean + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.is_remediated + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.vulnerability.last_found + tag: date_vulnerability_last_found + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.last_found + formats: + - ISO8601 + if: ctx.json?.vulnerability?.last_found != null && ctx.json.vulnerability.last_found != '' + on_failure: + - append: + field: error.message + 
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + tag: set_timestamp_from_asset_vulnerability_vulnerability_last_found + copy_from: rapid7_insightvm.asset_vulnerability.vulnerability.last_found + ignore_empty_value: true + - set: + field: event.id + tag: set_event_id + value: '{{rapid7_insightvm.asset_vulnerability.id}}|{{rapid7_insightvm.asset_vulnerability.vulnerability.id}}|{{rapid7_insightvm.asset_vulnerability.vulnerability.last_found}}' + - rename: + field: json.vulnerability.links + tag: rename_vulnerability_links + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.links + ignore_missing: true + - foreach: + field: rapid7_insightvm.asset_vulnerability.vulnerability.links + if: ctx.rapid7_insightvm?.asset_vulnerability?.vulnerability?.links instanceof List + processor: + append: + field: vulnerability.reference + tag: append_vulnerability_links_href_into_vulnerability_reference + value: '{{{_ingest._value.href}}}' + allow_duplicates: false + - rename: + field: json.vulnerability.malware_kits + tag: rename_vulnerability_malware_kits + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.malware_kits + ignore_missing: true + - date: + field: json.vulnerability.modified + tag: date_vulnerability_modified + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.modified + formats: + - ISO8601 + if: ctx.json?.vulnerability?.modified != null && ctx.json.vulnerability.modified != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.vulnerability.pci_cvss_score + tag: convert_vulnerability_pci_cvss_score_to_double 
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.pci.cvss_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.vulnerability.pci_fail + tag: convert_vulnerability_pci_fail_to_boolean + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.pci.fail + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.vulnerability.pci_severity_score + tag: convert_vulnerability_pci_severity_score_to_long + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.pci.severity_score + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.vulnerability.pci_special_notes + tag: rename_vulnerability_pci_special_notes + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.pci.special_notes + ignore_missing: true + - rename: + field: json.vulnerability.pci_status + tag: rename_vulnerability_pci_status + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.pci.status + ignore_missing: true + - convert: + field: json.vulnerability.port + tag: convert_vulnerability_port_to_long + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.port + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + 
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - html_strip: + field: json.vulnerability.proof + tag: html_strip_vulnerability_proof + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.proof + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - trim: + field: rapid7_insightvm.asset_vulnerability.vulnerability.proof + tag: trim_vulnerability_proof + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.vulnerability.protocol + tag: rename_vulnerability_protocol + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.protocol + ignore_missing: true + - date: + field: json.vulnerability.published + tag: date_vulnerability_published + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.published + formats: + - ISO8601 + if: ctx.json?.vulnerability?.published != null && ctx.json.vulnerability.published != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: vulnerability.published_date + tag: set_vulnerability_published_date_from_asset_vulnerability_vulnerability_published + copy_from: rapid7_insightvm.asset_vulnerability.vulnerability.published + ignore_empty_value: true + - 
rename: + field: json.vulnerability.references + tag: rename_vulnerability_references + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.references + ignore_missing: true + - convert: + field: json.vulnerability.risk_score + tag: convert_vulnerability_risk_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.risk_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.vulnerability.severity + tag: rename_vulnerability_severity + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.severity + ignore_missing: true + - script: + description: Map vulnerability.severity to CVSS standard + tag: script_to_map_severity_to_CVSS + lang: painless + if: ctx.rapid7_insightvm?.asset_vulnerability?.vulnerability?.severity != null + source: > + String severity = ctx.rapid7_insightvm.asset_vulnerability.vulnerability.severity.toLowerCase(); + if (severity == 'none') { + ctx.vulnerability.put('severity', 'None'); + } else if (severity == 'informational') { + ctx.vulnerability.put('severity', 'Low'); + } else if (severity == 'low') { + ctx.vulnerability.put('severity', 'Low'); + } else if (severity == 'moderate') { + ctx.vulnerability.put('severity', 'Medium'); + } else if (severity == 'severe') { + ctx.vulnerability.put('severity', 'High'); + } else if (severity == 'critical') { + ctx.vulnerability.put('severity', 'Critical'); + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.vulnerability.severity_score + tag: 
convert_vulnerability_severity_score_to_long + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.severity_score + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.severity + tag: set_event_severity_from_asset_vulnerability_vulnerability_severity_score + copy_from: rapid7_insightvm.asset_vulnerability.vulnerability.severity_score + ignore_empty_value: true + - html_strip: + field: json.vulnerability.solution_fix + tag: html_strip_vulnerability_solution_fix + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.solution.fix + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - trim: + field: rapid7_insightvm.asset_vulnerability.vulnerability.solution.fix + tag: trim_vulnerability_solution_fix + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.vulnerability.solution_id + tag: rename_vulnerability_solution_id + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.solution.id + ignore_missing: true + - rename: + field: json.vulnerability.solution_summary + tag: rename_vulnerability_solution_summary + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.solution.summary + ignore_missing: true + - rename: + field: json.vulnerability.solution_type + tag: 
rename_vulnerability_solution_type + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.solution.type + ignore_missing: true + - grok: + field: rapid7_insightvm.asset_vulnerability.vulnerability.proof + description: Extract package fields from proof. + tag: grok_parse_vulnerability_proof + patterns: + - '^Vulnerable OS: %{DATA:_temp.os}(\n)*Vulnerable software installed: %{DATA:package.name} Required patch %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:_temp.os}(\n)*Vulnerable software installed: %{DATA:package.name} Running HTTPS service %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:_temp.os}(\n)*Vulnerable software installed: %{DATA:package.name}$' + - '^Vulnerable OS: %{DATA:_temp.os}(\n)*Running %{DATA:_temp.service} service(\n)*%{DATA}(\n)*Vulnerable version of %{DATA} found -- %{DATA:package.name}$' + - '^Vulnerable OS: %{DATA:package.name}(\n)*The property %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:package.name}(\n)*Based on the result of the %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:package.name}(\n)*%{DATA}succeeded with offset %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:_temp.os}(\n)*%{DATA:package.name} is installed$' + - '^Vulnerable OS: %{DATA:package.name}(\n)*System replied with a malformed SMB packet$' + - '^Vulnerable OS: %{DATA:package.name}(\n)*Based on the following %{DATA} results: %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:package.name}(\n)*Found an applicable package: %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:package.name}(\n)*Server responded with vulnerable error code: %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:package.name}$' + - '^Vulnerable software installed: %{DATA:package.name}(\n)*Vulnerable OS: %{DATA:_temp.os}$' + - '^Vulnerable software installed: %{DATA:package.name}$' + - '^Vulnerable: %{DATA:package.name}$' + - '^Running CIFS service(\n)*Vulnerable OS: %{DATA:package.name}(\n)*Based on the result of the %{GREEDYDATA}$' + - '^Running CIFS service(\n)*Vulnerable OS: %{DATA:package.name}(\n)*Received vulnerable 
status reply$' + - '^Running %{DATA:_temp.service} service(\n)*%{DATA}Vulnerable version of %{DATA} found -- %{DATA:package.name}$' + - '^%{GREEDYDATA}$' + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: package.version + tag: set_package_version_from_package_name + copy_from: package.name + ignore_empty_value: true + - grok: + field: rapid7_insightvm.asset_vulnerability.vulnerability.solution.summary + tag: grok_parse_vulnerability_solution_summary + patterns: + - '^Upgrade to the %{DATA:package.fixed_version}( available)? version of %{DATA:_temp.package_name}$' + - '^(Upgrade|Update) %{DATA:_temp.package_name} to (the )?%{DATA:package.fixed_version}( version)?(.)?$' + - '^(Upgrade|Update) to (a|an|the)?%{DATA:package.fixed_version}$' + - '^%{GREEDYDATA}$' + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: package.name + tag: set_package_name_from_temp_package_name + copy_from: _temp.package_name + ignore_empty_value: true + if: ctx.package?.name == null + - set: + field: package.version + tag: set_package_version_from_vulnerability_key + copy_from: rapid7_insightvm.asset_vulnerability.vulnerability.key + ignore_empty_value: true + if: ctx.package?.version == null + - rename: + field: json.vulnerability.status + tag: rename_vulnerability_status + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.status + ignore_missing: true + - rename: + field: json.vulnerability.title + tag: rename_vulnerability_title + target_field: 
rapid7_insightvm.asset_vulnerability.vulnerability.title + ignore_missing: true + - grok: + field: rapid7_insightvm.asset_vulnerability.vulnerability.title + tag: grok_parse_vulnerability_title + patterns: + - '^%{DATA:_temp.package}: CVE-%{DATA:_temp.cve_id}: %{GREEDYDATA:vulnerability.title}$' + - '^%{DATA:_temp.package}: %{GREEDYDATA:vulnerability.title}$' + - '^%{GREEDYDATA:vulnerability.title}$' + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - remove: + field: + - rapid7_insightvm.asset_vulnerability.host_name + - rapid7_insightvm.asset_vulnerability.id + - rapid7_insightvm.asset_vulnerability.ip + - rapid7_insightvm.asset_vulnerability.mac + - rapid7_insightvm.asset_vulnerability.os.architecture + - rapid7_insightvm.asset_vulnerability.os.description + - rapid7_insightvm.asset_vulnerability.os.family + - rapid7_insightvm.asset_vulnerability.os.name + - rapid7_insightvm.asset_vulnerability.os.version + - rapid7_insightvm.asset_vulnerability.risk_score + - rapid7_insightvm.asset_vulnerability.type + - rapid7_insightvm.asset_vulnerability.vulnerability.categories + - rapid7_insightvm.asset_vulnerability.vulnerability.first_found + - rapid7_insightvm.asset_vulnerability.vulnerability.published + - rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.score + - rapid7_insightvm.asset_vulnerability.vulnerability.description + - rapid7_insightvm.asset_vulnerability.vulnerability.severity_score + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: + - json + - _temp + tag: remove_json + ignore_missing: true + - script: + tag: script_to_drop_null_values + lang: painless + description: This script processor iterates over the 
whole document to remove fields with null values. + source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/base-fields.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/base-fields.yml new file mode 100644 index 00000000000..56ffab0744f --- /dev/null +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/base-fields.yml 
@@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: event.module + external: ecs + type: constant_keyword + value: rapid7_insightvm +- name: event.dataset + external: ecs + type: constant_keyword + value: rapid7_insightvm.asset_vulnerability +- name: '@timestamp' + external: ecs diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/beats.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/ecs.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/ecs.yml new file mode 100644 index 00000000000..cc61312ef72 --- /dev/null +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/ecs.yml @@ -0,0 +1,7 @@ +# Define ECS constant fields as constant_keyword +- name: observer.vendor + type: constant_keyword + external: ecs +- name: vulnerability.scanner.vendor + type: constant_keyword + external: ecs diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/fields.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/fields.yml new file mode 100644 index 00000000000..d753a158a77 --- /dev/null +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/fields.yml 
@@ -0,0 +1,335 @@ +- name: rapid7_insightvm + type: group + fields: + - name: asset_vulnerability + type: group + fields: + - name: assessed_for_policies + type: boolean + description: Whether an asset was assessed for policies. + - name: assessed_for_vulnerabilities + type: boolean + description: Whether an asset was assessed for vulnerabilities. + - name: credential_assessments + type: group + fields: + - name: port + type: long + description: The port the authentication was used on. + - name: protocol + type: keyword + description: The protocol the authentication was used on. + - name: status + type: keyword + description: The authentication of the last scan performed. + - name: critical_vulnerabilities + type: long + description: The count of critical vulnerability findings. + - name: exploits + type: long + description: The count of known unique exploits that can be used to exploit vulnerabilities on the asset. + - name: host_name + type: keyword + description: The host name (local or FQDN). + - name: id + type: keyword + description: The identifier of the asset. + - name: ip + type: ip + description: The IPv4 or IPv6 address. + - name: last_assessed_for_vulnerabilities + type: date + description: The time at which an asset was assessed for vulnerabilities. + - name: last_scan_end + type: date + description: The time at which the last scan of the asset ended. + - name: last_scan_start + type: date + description: The time at which the last scan of the asset started. + - name: mac + type: keyword + description: The Media Access Control (MAC) address. The format is six groups of two hexadecimal digits separated by colons. + - name: malware_kits + type: long + description: The count of known unique malware kits that can be used to attack vulnerabilities on the asset. + - name: moderate_vulnerabilities + type: long + description: The count of moderate vulnerability findings. 
+ - name: os + type: group + fields: + - name: architecture + type: keyword + description: The architecture of the operating system. + - name: description + type: keyword + description: The description of the operating system (containing vendor, family, product, version and architecture in a single string). + - name: family + type: keyword + description: The family of the operating system. + - name: name + type: keyword + description: The name of the operating system. + - name: system_name + type: keyword + description: A combination of vendor and family (with redundancies removed), suitable for grouping. + - name: type + type: keyword + description: The type of operating system. + - name: vendor + type: keyword + description: The vendor of the operating system. + - name: version + type: keyword + description: The version of the operating system. + - name: risk_score + type: double + description: The risk score (with criticality adjustments) of the asset. + - name: severe_vulnerabilities + type: long + description: The count of severe vulnerability findings. + - name: tags + type: group + fields: + - name: name + type: keyword + description: The stored value. + - name: type + type: keyword + description: The type of information stored and displayed. For sites, the value is "SITE". + - name: total_vulnerabilities + type: long + description: The total count of vulnerability findings. + - name: type + type: keyword + description: The type of asset. + - name: unique_identifiers + type: group + fields: + - name: id + type: keyword + description: The unique identifier. + - name: source + type: keyword + description: The source of the unique identifier. + - name: vulnerability + type: group + fields: + - name: added + type: date + description: The date the vulnerability coverage was added. The format is an ISO 8601 date, YYYY-MM-DD. + - name: categories + type: keyword + description: Comma-separated list of categories the vulnerability is classified under. 
+ - name: check_id + type: keyword + description: The identifier of the vulnerability check. + - name: cves + type: keyword + description: All CVEs assigned to this vulnerability. + - name: cvss_v2 + type: group + fields: + - name: access_complexity + type: keyword + description: Access Complexity (AC) component which measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system. + - name: access_vector + type: keyword + description: Access Vector (Av) component which reflects how the vulnerability is exploited. + - name: authentication + type: keyword + description: Authentication (Au) component which measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. + - name: availability_impact + type: keyword + description: Availability Impact (A) component which measures the impact to availability of a successfully exploited vulnerability. + - name: confidentiality_impact + type: keyword + description: Confidentiality Impact (C) component which measures the impact on confidentiality of a successfully exploited vulnerability. + - name: exploit_score + type: double + description: The CVSS exploit score. + - name: impact_score + type: double + description: The CVSS impact score. + - name: integrity_impact + type: keyword + description: Integrity Impact (I) component measures the impact to integrity of a successfully exploited vulnerability. + - name: score + type: double + description: The CVSS score, which ranges from 0-10. + - name: vector + type: keyword + description: The CVSS v2 vector. + - name: cvss_v3 + type: group + fields: + - name: attack_complexity + type: keyword + description: Attack Complexity (AC) component with measures the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. 
+ - name: attack_vector + type: keyword + description: Attack Vector (AV) component which measures context by which vulnerability exploitation is possible. + - name: availability_impact + type: keyword + description: Availability Impact (A) measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. + - name: confidentiality_impact + type: keyword + description: Confidentiality Impact (C) component which measures the impact on confidentiality of a successfully exploited vulnerability. + - name: exploit_score + type: double + description: The CVSS exploit score. + - name: impact_score + type: double + description: The CVSS impact score. + - name: integrity_impact + type: keyword + description: Integrity Impact (I) measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. + - name: privileges_required + type: keyword + description: Privileges Required (PR) measures the level of privileges an attacker must possess before successfully exploiting the vulnerability. + - name: scope + type: keyword + description: Scope (S) measures the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. + - name: score + type: double + description: The CVSS score, which ranges from 0-10. + - name: user_interaction + type: keyword + description: User Interaction (UI) measures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. + - name: vector + type: keyword + description: The CVSS v3 vector. + - name: denial_of_service + type: boolean + description: Whether the vulnerability can lead to Denial of Service (DoS). 
+ - name: description + type: keyword + description: A verbose description of the vulnerability. + - name: exploits + type: group + fields: + - name: description + type: keyword + description: A verbose description of the exploit. + - name: id + type: keyword + description: The identifier of the exploit. + - name: name + type: keyword + description: The name of the exploit. + - name: rank + type: keyword + description: How common the exploit is used. + - name: skill_level + type: keyword + description: The level of skill required to use the exploit. + - name: source + type: keyword + description: Details about where the exploit is defined. + - name: first_found + type: date + description: The first time the vulnerability was discovered. + - name: id + type: keyword + description: The identifier of the vulnerability. + - name: is_enriched + type: boolean + description: Whether the enriched vulnerability information is available. + - name: is_remediated + type: boolean + description: Whether the vulnerability has been remediated. + - name: key + type: keyword + description: The identifier of the assessment key. + - name: last_found + type: date + description: The most recent time the vulnerability was discovered. + - name: links + type: group + fields: + - name: href + type: keyword + - name: id + type: keyword + - name: rel + type: keyword + - name: source + type: keyword + - name: malware_kits + type: group + fields: + - name: description + type: keyword + description: A known Malware Kit that can be used to compromise a vulnerability. + - name: name + type: keyword + description: The name of the malware kit. + - name: popularity + type: keyword + description: The popularity of the malware kit. + - name: modified + type: date + description: The last date the vulnerability was modified. The format is an ISO 8601 date, YYYY-MM-DD. 
+ - name: pci + type: group + fields: + - name: cvss_score + type: double + description: The CVSS score of the vulnerability, adjusted for PCI rules and exceptions, on a scale of 0-10. + - name: fail + type: boolean + description: Whether if present on a host this vulnerability would cause a PCI failure. true if compliance status is "fail", false otherwise. + - name: severity_score + type: long + description: The severity score of the vulnerability, adjusted for PCI rules and exceptions, on a scale of 0-10. + - name: special_notes + type: keyword + description: Any special notes or remarks about the vulnerability that pertain to PCI compliance. + - name: status + type: keyword + description: The PCI compliance status. + - name: port + type: long + description: For services vulnerabilities, the port that is vulnerable. + - name: proof + type: keyword + description: The identifier of the vulnerability proof. + - name: protocol + type: keyword + description: For services vulnerabilities, the protocol that is vulnerable. + - name: published + type: date + description: The date the vulnerability was first published or announced. The format is an ISO 8601 date, YYYY-MM-DD. + - name: references + type: keyword + description: References to security standards this vulnerability is a part of, in condensed format (comma-separated). + - name: risk_score + type: double + description: The risk score of the vulnerability. If using the default Rapid7 Real Risk™ model, this value ranges from 0-1000. + - name: severity + type: keyword + description: The severity of the vulnerability. + - name: severity_score + type: long + description: The severity score of the vulnerability, on a scale of 0-10. + - name: solution + type: group + fields: + - name: fix + type: keyword + description: The solution fix for the vulnerability. + - name: id + type: keyword + description: The identifier of the solution for the vulnerability. 
+ - name: summary + type: keyword + description: The summary for the solution for the vulnerability. + - name: type + type: keyword + description: The solution type for the vulnerability. + - name: status + type: keyword + description: The status of the vulnerability finding. + - name: title + type: keyword + description: The title (summary) of the vulnerability. diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/package.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/package.yml new file mode 100644 index 00000000000..dd2e5a96bb9 --- /dev/null +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/package.yml @@ -0,0 +1,11 @@ +- name: package + type: group + fields: + - name: fixed_version + type: keyword + - name: name + type: keyword + external: ecs + - name: version + type: keyword + external: ecs diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/resource.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/resource.yml new file mode 100644 index 00000000000..425eb9530e9 --- /dev/null +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/resource.yml @@ -0,0 +1,7 @@ +- name: resource + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/vulnerability.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/vulnerability.yml new file mode 100644 index 00000000000..c1e3f2fa6da --- /dev/null +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/vulnerability.yml @@ -0,0 +1,12 @@ +- name: vulnerability + type: group + fields: + - name: published_date + type: date + - name: scanner + type: group + fields: + - name: name + type: keyword + - name: title + type: keyword 
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/manifest.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/manifest.yml new file mode 100644 index 00000000000..a19804cceda --- /dev/null +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/manifest.yml 
@@ -0,0 +1,86 @@ +title: Asset Vulnerability Event +type: logs +streams: + - input: cel + title: Asset Vulnerability Event + description: Collect enriched asset vulnerability events via API. + template_path: cel.yml.hbs + enabled: false + vars: + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: true + default: 2160h + description: How far back to pull the events from Rapid7 InsightVM API. Supported units for this parameter are h/m/s. + - name: interval + type: text + title: Interval + description: Duration between requests to the Rapid7 InsightVM API. Supported units for this parameter are h/m/s. + default: 24h + multi: false + required: true + show_user: true + - name: batch_size + type: integer + title: Batch Size + description: Batch size for the response of the Rapid7 InsightVM API. The maximum supported batch size value is 500. + default: 500 + multi: false + required: true + show_user: false + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 120s + - name: enable_request_tracer + type: bool + title: Enable request tracing + default: false + multi: false + required: false + show_user: false + description: >- + The request tracer logs requests and responses to the agent's local file-system for debugging configurations. + Enabling this request tracing compromises security and should only be used for debugging. Disabling the request + tracer will delete any stored traces. + See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) + for details. 
+ - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - rapid7_insightvm-asset_vulnerability + - name: preserve_original_event + required: false + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: false + show_user: false + title: Preserve duplicate custom fields + description: Preserve rapid7_insightvm.asset_vulnerability fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json b/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json new file mode 100644 index 00000000000..e3cf85d9672 --- /dev/null +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json 
@@ -0,0 +1,207 @@ +{ + "@timestamp": "2025-05-27T18:21:36.279Z", + "agent": { + "ephemeral_id": "8f30a153-d7fb-4630-8931-752c0f5190e4", + "id": "3e3bd5a6-8efb-4f70-b560-987a16383f05", + "name": "elastic-agent-64243", + "type": "filebeat", + "version": "8.19.0" + }, + "data_stream": { + "dataset": "rapid7_insightvm.asset_vulnerability", + "namespace": "30380", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "3e3bd5a6-8efb-4f70-b560-987a16383f05", + "snapshot": true, + "version": "8.19.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "vulnerability" + ], + "created": "2025-05-12T16:25:35.000Z", + "dataset": "rapid7_insightvm.asset_vulnerability", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6|unix-anonymous-root-logins|2025-05-27T18:21:36.279Z", + "ingested": "2025-06-07T12:24:02Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight 
agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,UNIX\",\"check_id\":null,\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":7.9520000338554375,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:S/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \\\"su\\\" to become root.\",\"exploits\":[],\"first_found\":\"2025-05-12T16:25:35Z\",\"id\":\"unix-anonymous-root-logins\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":6.5,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"published\":\"2004-11-30T00:00:00Z\",\"references\":\"\",\"reintroduced\":null,\"risk_score\":562,\"severity\":\"severe\",\"severity_score\":7,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"title\":\"Anonymous root login is allowed\",\"vulnerability_id\":\"unix-anonymous-root-logins\"}}", + "severity": 7, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "computer-test", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "ip": [ + "10.50.5.112" + ], + "mac": [ + "00-00-5E-00-53-02" + ], + "name": "computer-test", + "os": { + "family": "Linux", + "full": "Red Hat Enterprise Linux 7.9", + "name": "Enterprise Linux", + "platform": "linux", + "type": "linux", + "version": "7.9" + }, + "risk": { + "static_score": 18250 + }, + "type": "guest" + }, + "input": { + "type": "cel" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 3, + "exploits": 0, + "host_name": "computer-test", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "ip": "10.50.5.112", + "last_assessed_for_vulnerabilities": "2025-05-27T18:21:36.279Z", + "last_scan_end": "2025-05-27T18:21:36.279Z", + "last_scan_start": "2025-05-27T18:20:41.505Z", + "mac": "00-00-5E-00-53-02", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Red Hat Enterprise Linux 7.9", + "family": "Linux", + "name": "Enterprise Linux", + "system_name": "Red Hat Linux", + "vendor": "Red Hat", + "version": "7.9" + }, + "risk_score": 18250, + "severe_vulnerabilities": 48, + "total_vulnerabilities": 52, + "type": "guest", + "unique_identifiers": [ + { + "id": "CEF12345-ABCD-1234-ABCD-95ABCDEF1234", + "source": "dmidecode" + }, + { + "id": "e80644e940123456789abcdef66a8b16", + "source": "R7 Agent" + } + ], + "vulnerability": { + 
"added": "2004-11-30T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "UNIX" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "single", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 7.9520000338554375, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 6.5, + "vector": "(AV:N/AC:L/Au:S/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "local", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 2.515145325, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 8.4, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \"su\" to become root.", + "first_found": "2025-05-12T16:25:35.000Z", + "id": "unix-anonymous-root-logins", + "last_found": "2025-05-27T18:21:36.279Z", + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 6.5, + "fail": true, + "severity_score": 4, + "status": "fail" + }, + "proof": "Following entries in /etc/securetty \n may allow anonymous root logins: \n\nttyS0\n\nttysclp0\n\nsclp_line0\n\n3270/tty1\n\nhvc0\n\nhvc1\n\nhvc2\n\nhvc3\n\nhvc4\n\nhvc5\n\nhvc6\n\nhvc7\n\nhvsi0\n\nhvsi1\n\nhvsi2\n\nxvc0", + "published": "2004-11-30T00:00:00.000Z", + "risk_score": 562, + "severity": "severe", + "severity_score": 7, + "solution": { + "fix": "Remove all the entries in /etc/securetty except console,\n tty[0-9]* and vc\\[0-9]* \n\nNote: ssh does not use /etc/securetty. To disable root login\n through ssh, use the \"PermitRootLogin\" setting in /etc/ssh/sshd_config\n and restart the ssh daemon.", + "id": "unix-anonymous-root-logins", + "summary": "Edit '/etc/securetty' entries", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", + "title": "Anonymous root login is allowed" + } + } + }, + "related": { + "hosts": [ + "computer-test", + "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6" + ], + "ip": [ + "10.50.5.112" + ] + }, + "resource": { + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "name": "computer-test" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "rapid7_insightvm-asset_vulnerability" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "UNIX" + ], + "classification": "CVSS", + "description": "Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \"su\" to become root.", + "enumeration": "CVE", + "published_date": "2004-11-30T00:00:00.000Z", + "scanner": { + "name": "e80644e940123456789abcdef66a8b16", + "vendor": "Rapid7" + }, + "score": { + "base": 8.4, + "version": "3.0" + }, + "severity": "High", + "title": "Anonymous root login is allowed" + } +} diff --git a/packages/rapid7_insightvm/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json b/packages/rapid7_insightvm/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json index 43719aa976c..453b97d8582 100644 --- a/packages/rapid7_insightvm/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json +++ b/packages/rapid7_insightvm/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json @@ -325,4 +325,4 @@ }, null ] -} \ No newline at end of file +} diff --git a/packages/rapid7_insightvm/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7_insightvm/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml index c81d19bd9b3..141cc22ac46 100644 --- a/packages/rapid7_insightvm/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml +++ b/packages/rapid7_insightvm/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml 
@@ -13,11 +13,30 @@ processors: - set: field: event.type value: [info] + - remove: + field: + - organization + - division + - team + ignore_missing: true + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + tag: remove_agentless_tags + description: >- + Removes the fields added by Agentless as metadata, + as they can collide with ECS fields. - rename: field: message + tag: rename_message_to_event_original target_field: event.original ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null - json: field: event.original tag: 'json_decoding' diff --git a/packages/rapid7_insightvm/data_stream/vulnerability/sample_event.json b/packages/rapid7_insightvm/data_stream/vulnerability/sample_event.json index 3fa547df0e5..2334f389ffe 100644 --- a/packages/rapid7_insightvm/data_stream/vulnerability/sample_event.json +++ b/packages/rapid7_insightvm/data_stream/vulnerability/sample_event.json 
@@ -1,34 +1,34 @@ { "@timestamp": "2018-06-08T00:00:00.000Z", "agent": { - "ephemeral_id": "9844171e-82cf-4571-bba2-2256a2464500", - "id": "e4354c0c-ca75-448a-b886-ec73a12bce07", - "name": "docker-fleet-agent", + "ephemeral_id": "dbee2821-362a-4d7a-9e8e-0fcd816d4696", + "id": "6a264171-bdc2-47a0-a131-9a515aa1c01f", + "name": "elastic-agent-42291", "type": "filebeat", - "version": "8.11.0" + "version": "8.18.0" }, "data_stream": { "dataset": "rapid7_insightvm.vulnerability", - "namespace": "ep", + "namespace": "75615", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "e4354c0c-ca75-448a-b886-ec73a12bce07", + "id": "6a264171-bdc2-47a0-a131-9a515aa1c01f", "snapshot": false, - "version": "8.11.0" + "version": "8.18.0" }, "event": { "agent_id_status": "verified", "category": [ "vulnerability" ], - "created": "2023-12-20T15:51:20.233Z", + "created": "2025-05-30T11:12:58.134Z", "dataset": "rapid7_insightvm.vulnerability", "id": "7-zip-cve-2008-6536", - "ingested": "2023-12-20T15:51:23Z", + "ingested": "2025-05-30T11:13:00Z", "kind": "event", "original": "{\"added\":\"2018-05-16T00:00:00Z\",\"categories\":\"7-Zip\",\"cves\":\"CVE-2008-6536\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799,\"cvss_v2_impact_score\":10.000845,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"cvss_v3_attack_complexity\":null,\"cvss_v3_attack_vector\":null,\"cvss_v3_availability_impact\":null,\"cvss_v3_confidentiality_impact\":null,\"cvss_v3_exploit_score\":0,\"cvss_v3_impact_score\":0,\"cvss_v3_integrity_impact\":null,\"cvss_v3_privileges_required\":null,\"cvss_v3_scope\":null,\"cvss_v3_score\":0,\"cvss_v3_user_interaction\":null,\"cvss_v3_vector\":null,\"denial_of_service\":false,\"description\":\"Unspecified 
vulnerability in 7-zip before 4.5.7 has unknown impact and remote attack vectors, as demonstrated by the PROTOS GENOME test suite for Archive Formats (c10).\",\"exploits\":[],\"id\":\"7-zip-cve-2008-6536\",\"links\":[{\"href\":\"http://www.securityfocus.com/bid/28285\",\"id\":\"28285\",\"rel\":\"advisory\",\"source\":\"bid\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"id\":\"41247\",\"rel\":\"advisory\",\"source\":\"xf\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2008-6536\",\"id\":\"CVE-2008-6536\",\"rel\":\"advisory\",\"source\":\"cve\"},{\"href\":\"http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html\",\"id\":\"http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/\",\"id\":\"http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.securityfocus.com/bid/28285\",\"id\":\"http://www.securityfocus.com/bid/28285\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.vupen.com/english/advisories/2008/0914/references\",\"id\":\"http://www.vupen.com/english/advisories/2008/0914/references\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf\",\"id\":\"http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"id\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"rel\":\"advisory\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2018-06-08T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2009-03-29T00:00:00Z\",\"references\"
:\"bid:28285,xf:41247,cve:CVE-2008-6536,url:http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html,url:http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/,url:http://www.securityfocus.com/bid/28285,url:http://www.vupen.com/english/advisories/2008/0914/references,url:http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf,url:https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"risk_score\":885.16,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"7-Zip: CVE-2008-6536: Unspecified vulnerability in 7-zip before 4.5.7\"}", "risk_score": 885.16, @@ -173,4 +173,4 @@ }, "severity": "critical" } -} \ No newline at end of file +} diff --git a/packages/rapid7_insightvm/docs/README.md b/packages/rapid7_insightvm/docs/README.md index 3d8cc0ce549..0b9b1f3114a 100644 --- a/packages/rapid7_insightvm/docs/README.md +++ b/packages/rapid7_insightvm/docs/README.md 
@@ -10,13 +10,23 @@ Use the Rapid7 InsightVM integration to collect and parse data from the REST API The Rapid7 InsightVM integration collects two type of events: Asset and Vulnerability. -**Asset** is used to get details related to inventory, assessment, and summary details of assets that the user has access to. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationAssets). +**Asset (Deprecated)** is used to get details related to inventory, assessment, and summary details of assets that the user has access to. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationAssets). It is deprecated in version `2.0.0`. Instead, use the `Asset Vulnerability` data stream for enriched vulnerability documents and improved mappings. + +**Asset Vulnerability** is used to gather and aggregate data on assets and vulnerabilities to support Native CDR Workflows. **Vulnerability** is used to retrieve all vulnerabilities that can be assessed. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationVulnerabilities). ## Requirements -Elasticsearch is needed to store and search data, and Kibana is needed for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your hardware. +### Agent-based installation + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). + +### Agentless-enabled integration + +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. 
For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. This module uses **InsightVM Cloud Integrations API v4**. 
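Review bot: the unchanged context line at the top of this hunk, "The Rapid7 InsightVM integration collects two type of events: Asset and Vulnerability.", is now wrong for the data streams the hunk documents (Asset, Asset Vulnerability, Vulnerability) and also has a grammar slip; update it in the same change, e.g. "The Rapid7 InsightVM integration collects three types of events: Asset (deprecated), Asset Vulnerability and Vulnerability." The deprecation sentence would also help upgrading users more if it said what happens to the existing `asset` data stream after `2.0.0` (whether it keeps collecting or should be disabled), since "It is deprecated in version `2.0.0`" alone does not say. Because `docs/README.md` is generated, make the wording change in the build template as well.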
@@ -26,6 +36,27 @@ This module uses **InsightVM Cloud Integrations API v4**. 1. Generate the platform API key to access all Rapid7 InsightVM APIs. For more details, see [Documentation](https://docs.rapid7.com/insight/managing-platform-api-keys). +## Troubleshooting + +### Breaking Changes + +#### Support for Elastic Vulnerability Findings page. + +Version `2.0.0` of the Rapid7 InsightVM integration adds support for [Elastic Cloud Security workflow](https://www.elastic.co/docs/solutions/security/cloud/ingest-third-party-cloud-security-data#_ingest_third_party_security_posture_and_vulnerability_data). The enhancement enables the users of Rapid7 InsightVM integration to ingest their enriched asset vulnerabilities from Rapid7 InsightVM platform into Elastic and get insights directly from Elastic [Vulnerability Findings page](https://www.elastic.co/docs/solutions/security/cloud/findings-page-3). +This update adds [Elastic Latest Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview) which copies the latest vulnerability findings from source indices matching the pattern `logs-rapid7_insightvm.asset_vulnerability-*` into new destination indices matching the pattern `security_solution-rapid7_insightvm.vulnerability_latest-*`. The Elastic Vulnerability Findings page will display vulnerabilities based on the destination indices. + +For existing users of Rapid7 InsightVM integration, before upgrading to `2.0.0` please ensure following requirements are met: + +1. Users need [Elastic Security solution](https://www.elastic.co/docs/solutions/security) which has requirements documented [here](https://www.elastic.co/docs/solutions/security/get-started/elastic-security-requirements). +2. 
To use transforms, users must have: + - at least one [transform node](https://www.elastic.co/docs/deploy-manage/distributed-architecture/clusters-nodes-shards/node-roles#transform-node-role), + - management features visible in the Kibana space, and + - security privileges that: + - grant use of transforms, and + - grant access to source and destination indices + For more details on Transform Setup, refer to the link [here](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) +3. Because the latest copy of vulnerabilities is now indexed in two places, i.e., in both source and destination indices, users must anticipate storage requirements accordingly. + ## Logs Reference ### asset 
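Review bot: the prerequisites list never says that the new `asset_vulnerability` data stream has to be enabled in the integration policy, yet the transform's source pattern `logs-rapid7_insightvm.asset_vulnerability-*` receives nothing until it is, so an existing user who upgrades and keeps only the old `asset` stream will get an empty Vulnerability Findings page; add that as an explicit step. Smaller points: the heading "#### Support for Elastic Vulnerability Findings page." should not end with a period, "please ensure following requirements are met" wants "the following", "Users need [Elastic Security solution]" wants "the Elastic Security solution", and item 2's "refer to the link [here](...)" is missing its terminal period.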
@@ -38,35 +69,35 @@ An example event for `asset` looks as following: ```json { - "@timestamp": "2023-05-23T16:17:06.996Z", + "@timestamp": "2025-05-30T11:10:37.869Z", "agent": { - "ephemeral_id": "163d2260-4499-492b-bbd5-4d90487865b9", - "id": "c157ef08-38bb-40dd-bae1-c6bc8c8f02fa", - "name": "docker-fleet-agent", + "ephemeral_id": "6545769f-e426-4e1c-9549-44bd7f788ee4", + "id": "afb159d9-5bc3-429a-b8a7-3cda969112a5", + "name": "elastic-agent-88629", "type": "filebeat", - "version": "8.9.0" + "version": "8.18.0" }, "data_stream": { "dataset": "rapid7_insightvm.asset", - "namespace": "ep", + "namespace": "81787", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "c157ef08-38bb-40dd-bae1-c6bc8c8f02fa", - "snapshot": true, - "version": "8.9.0" + "id": "afb159d9-5bc3-429a-b8a7-3cda969112a5", + "snapshot": false, + "version": "8.18.0" }, "event": { "agent_id_status": "verified", "category": [ "host" ], - "created": "2023-05-23T16:17:06.996Z", + "created": "2025-05-30T11:10:37.869Z", "dataset": "rapid7_insightvm.asset", - "ingested": "2023-05-23T16:17:08Z", + "ingested": "2025-05-30T11:10:40Z", "kind": "state", "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"critical_vulnerabilities\":0,\"exploits\":0,\"id\":\"452534235-25a7-40a3-9321-28ce0b5cc90e-default-asset-199\",\"ip\":\"10.1.0.128\",\"last_assessed_for_vulnerabilities\":\"2020-03-20T19:19:42.611Z\",\"last_scan_end\":\"2020-03-20T19:19:42.611Z\",\"last_scan_start\":\"2020-03-20T19:18:13.611Z\",\"malware_kits\":0,\"moderate_vulnerabilities\":2,\"new\":[],\"os_architecture\":\"x86_64\",\"os_description\":\"CentOS Linux 2.6.18\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"CentOS Linux\",\"os_type\":\"General\",\"os_vendor\":\"CentOS\",\"os_version\":\"2.6.18\",\"remediated\":[],\"risk_score\":0,\"severe_vulnerabilities\":0,\"tags\":[{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":2}", "type": [ 
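Review bot: only regenerated sample values change in this hunk, but `data_stream.namespace` moves from `ep` to `81787`, a throwaway namespace from the system test run; regenerate the sample event with a fixed namespace (or keep `ep`) so the published example does not look like a real deployment value, and apply the same to the `30380` namespace in the new `asset_vulnerability` example. Refreshing the example of a data stream that this same change deprecates is otherwise harmless.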
@@ -227,6 +258,347 @@ An example event for `asset` looks as following: | rapid7.insightvm.asset.unique_identifiers.source | The source of the unique identifier. | keyword | +### asset_vulnerability + +This is the `asset_vulnerability` dataset. + +#### Example + +An example event for `asset_vulnerability` looks as following: + +```json +{ + "@timestamp": "2025-05-27T18:21:36.279Z", + "agent": { + "ephemeral_id": "8f30a153-d7fb-4630-8931-752c0f5190e4", + "id": "3e3bd5a6-8efb-4f70-b560-987a16383f05", + "name": "elastic-agent-64243", + "type": "filebeat", + "version": "8.19.0" + }, + "data_stream": { + "dataset": "rapid7_insightvm.asset_vulnerability", + "namespace": "30380", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "3e3bd5a6-8efb-4f70-b560-987a16383f05", + "snapshot": true, + "version": "8.19.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "vulnerability" + ], + "created": "2025-05-12T16:25:35.000Z", + "dataset": "rapid7_insightvm.asset_vulnerability", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6|unix-anonymous-root-logins|2025-05-27T18:21:36.279Z", + "ingested": "2025-06-07T12:24:02Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat 
Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,UNIX\",\"check_id\":null,\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":7.9520000338554375,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:S/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \\\"su\\\" to become root.\",\"exploits\":[],\"first_found\":\"2025-05-12T16:25:35Z\",\"id\":\"unix-anonymous-root-logins\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":6.5,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"published\":\"2004-11-30T00:00:00Z\",\"references\":\"\",\"reintroduced\":null,\"risk_score\":562,\"severity\":\"severe\",\"severity_score\":7,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"title\":\"Anonymous root login is allowed\",\"vulnerability_id\":\"unix-anonymous-root-logins\"}}", + "severity": 7, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "computer-test", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "ip": [ + "10.50.5.112" + ], + "mac": [ + "00-00-5E-00-53-02" + ], + "name": "computer-test", + "os": { + "family": "Linux", + "full": "Red Hat Enterprise Linux 7.9", + "name": "Enterprise Linux", + "platform": "linux", + "type": "linux", + "version": "7.9" + }, + "risk": { + "static_score": 18250 + }, + "type": "guest" + }, + "input": { + "type": "cel" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 3, + "exploits": 0, + "host_name": "computer-test", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "ip": "10.50.5.112", + "last_assessed_for_vulnerabilities": "2025-05-27T18:21:36.279Z", + "last_scan_end": "2025-05-27T18:21:36.279Z", + "last_scan_start": "2025-05-27T18:20:41.505Z", + "mac": "00-00-5E-00-53-02", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Red Hat Enterprise Linux 7.9", + "family": "Linux", + "name": "Enterprise Linux", + "system_name": "Red Hat Linux", + "vendor": "Red Hat", + "version": "7.9" + }, + "risk_score": 18250, + "severe_vulnerabilities": 48, + "total_vulnerabilities": 52, + "type": "guest", + "unique_identifiers": [ + { + "id": "CEF12345-ABCD-1234-ABCD-95ABCDEF1234", + "source": "dmidecode" + }, + { + "id": "e80644e940123456789abcdef66a8b16", + "source": "R7 Agent" + } + ], + "vulnerability": { + 
"added": "2004-11-30T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "UNIX" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "single", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 7.9520000338554375, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 6.5, + "vector": "(AV:N/AC:L/Au:S/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "local", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 2.515145325, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 8.4, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \"su\" to become root.", + "first_found": "2025-05-12T16:25:35.000Z", + "id": "unix-anonymous-root-logins", + "last_found": "2025-05-27T18:21:36.279Z", + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 6.5, + "fail": true, + "severity_score": 4, + "status": "fail" + }, + "proof": "Following entries in /etc/securetty \n may allow anonymous root logins: \n\nttyS0\n\nttysclp0\n\nsclp_line0\n\n3270/tty1\n\nhvc0\n\nhvc1\n\nhvc2\n\nhvc3\n\nhvc4\n\nhvc5\n\nhvc6\n\nhvc7\n\nhvsi0\n\nhvsi1\n\nhvsi2\n\nxvc0", + "published": "2004-11-30T00:00:00.000Z", + "risk_score": 562, + "severity": "severe", + "severity_score": 7, + "solution": { + "fix": "Remove all the entries in /etc/securetty except console,\n tty[0-9]* and vc\\[0-9]* \n\nNote: ssh does not use /etc/securetty. To disable root login\n through ssh, use the \"PermitRootLogin\" setting in /etc/ssh/sshd_config\n and restart the ssh daemon.", + "id": "unix-anonymous-root-logins", + "summary": "Edit '/etc/securetty' entries", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", + "title": "Anonymous root login is allowed" + } + } + }, + "related": { + "hosts": [ + "computer-test", + "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6" + ], + "ip": [ + "10.50.5.112" + ] + }, + "resource": { + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "name": "computer-test" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "rapid7_insightvm-asset_vulnerability" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "UNIX" + ], + "classification": "CVSS", + "description": "Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \"su\" to become root.", + "enumeration": "CVE", + "published_date": "2004-11-30T00:00:00.000Z", + "scanner": { + "name": "e80644e940123456789abcdef66a8b16", + "vendor": "Rapid7" + }, + "score": { + "base": 8.4, + "version": "3.0" + }, + "severity": "High", + "title": "Anonymous root login is allowed" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". 
We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. | long | +| observer.vendor | Vendor name of the observer. | constant_keyword | +| package.fixed_version | | keyword | +| package.name | Package name | keyword | +| package.version | Package version | keyword | +| rapid7_insightvm.asset_vulnerability.assessed_for_policies | Whether an asset was assessed for policies. | boolean | +| rapid7_insightvm.asset_vulnerability.assessed_for_vulnerabilities | Whether an asset was assessed for vulnerabilities. | boolean | +| rapid7_insightvm.asset_vulnerability.credential_assessments.port | The port the authentication was used on. | long | +| rapid7_insightvm.asset_vulnerability.credential_assessments.protocol | The protocol the authentication was used on. | keyword | +| rapid7_insightvm.asset_vulnerability.credential_assessments.status | The authentication of the last scan performed. | keyword | +| rapid7_insightvm.asset_vulnerability.critical_vulnerabilities | The count of critical vulnerability findings. | long | +| rapid7_insightvm.asset_vulnerability.exploits | The count of known unique exploits that can be used to exploit vulnerabilities on the asset. | long | +| rapid7_insightvm.asset_vulnerability.host_name | The host name (local or FQDN). 
| keyword | +| rapid7_insightvm.asset_vulnerability.id | The identifier of the asset. | keyword | +| rapid7_insightvm.asset_vulnerability.ip | The IPv4 or IPv6 address. | ip | +| rapid7_insightvm.asset_vulnerability.last_assessed_for_vulnerabilities | The time at which an asset was assessed for vulnerabilities. | date | +| rapid7_insightvm.asset_vulnerability.last_scan_end | The time at which the last scan of the asset ended. | date | +| rapid7_insightvm.asset_vulnerability.last_scan_start | The time at which the last scan of the asset started. | date | +| rapid7_insightvm.asset_vulnerability.mac | The Media Access Control (MAC) address. The format is six groups of two hexadecimal digits separated by colons. | keyword | +| rapid7_insightvm.asset_vulnerability.malware_kits | The count of known unique malware kits that can be used to attack vulnerabilities on the asset. | long | +| rapid7_insightvm.asset_vulnerability.moderate_vulnerabilities | The count of moderate vulnerability findings. | long | +| rapid7_insightvm.asset_vulnerability.os.architecture | The architecture of the operating system. | keyword | +| rapid7_insightvm.asset_vulnerability.os.description | The description of the operating system (containing vendor, family, product, version and architecture in a single string). | keyword | +| rapid7_insightvm.asset_vulnerability.os.family | The family of the operating system. | keyword | +| rapid7_insightvm.asset_vulnerability.os.name | The name of the operating system. | keyword | +| rapid7_insightvm.asset_vulnerability.os.system_name | A combination of vendor and family (with redundancies removed), suitable for grouping. | keyword | +| rapid7_insightvm.asset_vulnerability.os.type | The type of operating system. | keyword | +| rapid7_insightvm.asset_vulnerability.os.vendor | The vendor of the operating system. | keyword | +| rapid7_insightvm.asset_vulnerability.os.version | The version of the operating system. 
| keyword | +| rapid7_insightvm.asset_vulnerability.risk_score | The risk score (with criticality adjustments) of the asset. | double | +| rapid7_insightvm.asset_vulnerability.severe_vulnerabilities | The count of severe vulnerability findings. | long | +| rapid7_insightvm.asset_vulnerability.tags.name | The stored value. | keyword | +| rapid7_insightvm.asset_vulnerability.tags.type | The type of information stored and displayed. For sites, the value is "SITE". | keyword | +| rapid7_insightvm.asset_vulnerability.total_vulnerabilities | The total count of vulnerability findings. | long | +| rapid7_insightvm.asset_vulnerability.type | The type of asset. | keyword | +| rapid7_insightvm.asset_vulnerability.unique_identifiers.id | The unique identifier. | keyword | +| rapid7_insightvm.asset_vulnerability.unique_identifiers.source | The source of the unique identifier. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.added | The date the vulnerability coverage was added. The format is an ISO 8601 date, YYYY-MM-DD. | date | +| rapid7_insightvm.asset_vulnerability.vulnerability.categories | Comma-separated list of categories the vulnerability is classified under. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.check_id | The identifier of the vulnerability check. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cves | All CVEs assigned to this vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.access_complexity | Access Complexity (AC) component which measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.access_vector | Access Vector (Av) component which reflects how the vulnerability is exploited. 
| keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.authentication | Authentication (Au) component which measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.availability_impact | Availability Impact (A) component which measures the impact to availability of a successfully exploited vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.confidentiality_impact | Confidentiality Impact (C) component which measures the impact on confidentiality of a successfully exploited vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.exploit_score | The CVSS exploit score. | double | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.impact_score | The CVSS impact score. | double | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.integrity_impact | Integrity Impact (I) component measures the impact to integrity of a successfully exploited vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.score | The CVSS score, which ranges from 0-10. | double | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.vector | The CVSS v2 vector. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.attack_complexity | Attack Complexity (AC) component with measures the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.attack_vector | Attack Vector (AV) component which measures context by which vulnerability exploitation is possible. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.availability_impact | Availability Impact (A) measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. 
| keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.confidentiality_impact | Confidentiality Impact (C) component which measures the impact on confidentiality of a successfully exploited vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.exploit_score | The CVSS exploit score. | double | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.impact_score | The CVSS impact score. | double | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.integrity_impact | Integrity Impact (I) measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.privileges_required | Privileges Required (PR) measures the level of privileges an attacker must possess before successfully exploiting the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.scope | Scope (S) measures the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.score | The CVSS score, which ranges from 0-10. | double | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.user_interaction | User Interaction (UI) measures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.vector | The CVSS v3 vector. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.denial_of_service | Whether the vulnerability can lead to Denial of Service (DoS). 
| boolean | +| rapid7_insightvm.asset_vulnerability.vulnerability.description | A verbose description of the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.exploits.description | A verbose description of the exploit. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.exploits.id | The identifier of the exploit. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.exploits.name | The name of the exploit. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.exploits.rank | How common the exploit is used. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.exploits.skill_level | The level of skill required to use the exploit. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.exploits.source | Details about where the exploit is defined. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.first_found | The first time the vulnerability was discovered. | date | +| rapid7_insightvm.asset_vulnerability.vulnerability.id | The identifier of the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.is_enriched | Whether the enriched vulnerability information is available. | boolean | +| rapid7_insightvm.asset_vulnerability.vulnerability.is_remediated | Whether the vulnerability has been remediated. | boolean | +| rapid7_insightvm.asset_vulnerability.vulnerability.key | The identifier of the assessment key. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.last_found | The most recent time the vulnerability was discovered. 
| date | +| rapid7_insightvm.asset_vulnerability.vulnerability.links.href | | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.links.id | | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.links.rel | | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.links.source | | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.malware_kits.description | A known Malware Kit that can be used to compromise a vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.malware_kits.name | The name of the malware kit. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.malware_kits.popularity | The popularity of the malware kit. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.modified | The last date the vulnerability was modified. The format is an ISO 8601 date, YYYY-MM-DD. | date | +| rapid7_insightvm.asset_vulnerability.vulnerability.pci.cvss_score | The CVSS score of the vulnerability, adjusted for PCI rules and exceptions, on a scale of 0-10. | double | +| rapid7_insightvm.asset_vulnerability.vulnerability.pci.fail | Whether if present on a host this vulnerability would cause a PCI failure. true if compliance status is "fail", false otherwise. | boolean | +| rapid7_insightvm.asset_vulnerability.vulnerability.pci.severity_score | The severity score of the vulnerability, adjusted for PCI rules and exceptions, on a scale of 0-10. | long | +| rapid7_insightvm.asset_vulnerability.vulnerability.pci.special_notes | Any special notes or remarks about the vulnerability that pertain to PCI compliance. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.pci.status | The PCI compliance status. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.port | For services vulnerabilities, the port that is vulnerable. | long | +| rapid7_insightvm.asset_vulnerability.vulnerability.proof | The identifier of the vulnerability proof. 
| keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.protocol | For services vulnerabilities, the protocol that is vulnerable. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.published | The date the vulnerability was first published or announced. The format is an ISO 8601 date, YYYY-MM-DD. | date | +| rapid7_insightvm.asset_vulnerability.vulnerability.references | References to security standards this vulnerability is a part of, in condensed format (comma-separated). | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.risk_score | The risk score of the vulnerability. If using the default Rapid7 Real Risk™ model, this value ranges from 0-1000. | double | +| rapid7_insightvm.asset_vulnerability.vulnerability.severity | The severity of the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.severity_score | The severity score of the vulnerability, on a scale of 0-10. | long | +| rapid7_insightvm.asset_vulnerability.vulnerability.solution.fix | The solution fix for the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.solution.id | The identifier of the solution for the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.solution.summary | The summary for the solution for the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.solution.type | The solution type for the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.status | The status of the vulnerability finding. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.title | The title (summary) of the vulnerability. | keyword | +| resource.id | | keyword | +| resource.name | | keyword | +| vulnerability.published_date | | date | +| vulnerability.scanner.name | | keyword | +| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. 
| constant_keyword | +| vulnerability.title | | keyword | + + ### vulnerability This is the `vulnerability` dataset. 
@@ -239,34 +611,34 @@ An example event for `vulnerability` looks as following: { "@timestamp": "2018-06-08T00:00:00.000Z", "agent": { - "ephemeral_id": "9844171e-82cf-4571-bba2-2256a2464500", - "id": "e4354c0c-ca75-448a-b886-ec73a12bce07", - "name": "docker-fleet-agent", + "ephemeral_id": "dbee2821-362a-4d7a-9e8e-0fcd816d4696", + "id": "6a264171-bdc2-47a0-a131-9a515aa1c01f", + "name": "elastic-agent-42291", "type": "filebeat", - "version": "8.11.0" + "version": "8.18.0" }, "data_stream": { "dataset": "rapid7_insightvm.vulnerability", - "namespace": "ep", + "namespace": "75615", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "e4354c0c-ca75-448a-b886-ec73a12bce07", + "id": "6a264171-bdc2-47a0-a131-9a515aa1c01f", "snapshot": false, - "version": "8.11.0" + "version": "8.18.0" }, "event": { "agent_id_status": "verified", "category": [ "vulnerability" ], - "created": "2023-12-20T15:51:20.233Z", + "created": "2025-05-30T11:12:58.134Z", "dataset": "rapid7_insightvm.vulnerability", "id": "7-zip-cve-2008-6536", - "ingested": "2023-12-20T15:51:23Z", + "ingested": "2025-05-30T11:13:00Z", "kind": "event", "original": 
"{\"added\":\"2018-05-16T00:00:00Z\",\"categories\":\"7-Zip\",\"cves\":\"CVE-2008-6536\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799,\"cvss_v2_impact_score\":10.000845,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"cvss_v3_attack_complexity\":null,\"cvss_v3_attack_vector\":null,\"cvss_v3_availability_impact\":null,\"cvss_v3_confidentiality_impact\":null,\"cvss_v3_exploit_score\":0,\"cvss_v3_impact_score\":0,\"cvss_v3_integrity_impact\":null,\"cvss_v3_privileges_required\":null,\"cvss_v3_scope\":null,\"cvss_v3_score\":0,\"cvss_v3_user_interaction\":null,\"cvss_v3_vector\":null,\"denial_of_service\":false,\"description\":\"Unspecified vulnerability in 7-zip before 4.5.7 has unknown impact and remote attack vectors, as demonstrated by the PROTOS GENOME test suite for Archive Formats 
(c10).\",\"exploits\":[],\"id\":\"7-zip-cve-2008-6536\",\"links\":[{\"href\":\"http://www.securityfocus.com/bid/28285\",\"id\":\"28285\",\"rel\":\"advisory\",\"source\":\"bid\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"id\":\"41247\",\"rel\":\"advisory\",\"source\":\"xf\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2008-6536\",\"id\":\"CVE-2008-6536\",\"rel\":\"advisory\",\"source\":\"cve\"},{\"href\":\"http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html\",\"id\":\"http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/\",\"id\":\"http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.securityfocus.com/bid/28285\",\"id\":\"http://www.securityfocus.com/bid/28285\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.vupen.com/english/advisories/2008/0914/references\",\"id\":\"http://www.vupen.com/english/advisories/2008/0914/references\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf\",\"id\":\"http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"id\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"rel\":\"advisory\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2018-06-08T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2009-03-29T00:00:00Z\",\"references\":\"bid:28285,xf:41247,cve:CVE-2008-6536,url:http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html,url:http://www.ee.oulu.fi/research/
ouspg/protos/testing/c10/archive/,url:http://www.securityfocus.com/bid/28285,url:http://www.vupen.com/english/advisories/2008/0914/references,url:http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf,url:https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"risk_score\":885.16,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"7-Zip: CVE-2008-6536: Unspecified vulnerability in 7-zip before 4.5.7\"}", "risk_score": 885.16, diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml new file mode 100644 index 00000000000..32066c5865d --- /dev/null +++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml @@ -0,0 +1,17 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs + type: keyword +- name: event.module + external: ecs + type: constant_keyword + value: rapid7_insightvm +- name: event.dataset + external: ecs + type: constant_keyword + value: rapid7_insightvm.asset_vulnerability +- name: '@timestamp' + external: ecs diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. 
diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml new file mode 100644 index 00000000000..436631adbbd --- /dev/null +++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml 
@@ -0,0 +1,102 @@ +# Define ECS constant fields as constant_keyword +- name: observer.vendor + type: constant_keyword + external: ecs +- name: vulnerability.scanner.vendor + type: constant_keyword + external: ecs +# Other ECS fields +- name: agent.ephemeral_id + external: ecs +- name: agent.id + external: ecs +- name: agent.name + external: ecs +- name: agent.type + external: ecs +- name: agent.version + external: ecs +- name: ecs.version + external: ecs +- name: error.code + external: ecs +- name: error.id + external: ecs +- name: error.message + external: ecs +- name: event.agent_id_status + external: ecs +- name: event.category + external: ecs +- name: event.created + external: ecs +- name: event.id + external: ecs +- name: event.ingested + external: ecs +- name: event.kind + external: ecs +- name: event.original + external: ecs +- name: event.severity + external: ecs +- name: event.type + external: ecs +- name: host.architecture + external: ecs +- name: host.hostname + external: ecs +- name: host.id + external: ecs +- name: host.ip + external: ecs +- name: host.mac + external: ecs +- name: host.name + external: ecs +- name: host.os.family + external: ecs +- name: host.os.full + external: ecs +- name: host.os.name + external: ecs +- name: host.os.platform + external: ecs +- name: host.os.type + external: ecs +- name: host.os.version + external: ecs +- name: host.type + external: ecs +- name: host.risk.static_score + external: ecs +- name: observer.product + external: ecs +- name: package.name + external: ecs +- name: package.version + external: ecs +- name: related.hosts + external: ecs +- name: related.ip + external: ecs +- name: tags + external: ecs +- name: vulnerability.category + external: ecs +- name: vulnerability.classification + external: ecs +- name: vulnerability.description + external: ecs +- name: vulnerability.enumeration + external: ecs +- name: vulnerability.id + external: ecs +- name: vulnerability.reference + external: ecs +- name: 
vulnerability.score.base + external: ecs +- name: vulnerability.score.version + external: ecs +- name: vulnerability.severity + external: ecs diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml new file mode 100644 index 00000000000..d753a158a77 --- /dev/null +++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml 
@@ -0,0 +1,335 @@ +- name: rapid7_insightvm + type: group + fields: + - name: asset_vulnerability + type: group + fields: + - name: assessed_for_policies + type: boolean + description: Whether an asset was assessed for policies. + - name: assessed_for_vulnerabilities + type: boolean + description: Whether an asset was assessed for vulnerabilities. + - name: credential_assessments + type: group + fields: + - name: port + type: long + description: The port the authentication was used on. + - name: protocol + type: keyword + description: The protocol the authentication was used on. + - name: status + type: keyword + description: The authentication of the last scan performed. + - name: critical_vulnerabilities + type: long + description: The count of critical vulnerability findings. + - name: exploits + type: long + description: The count of known unique exploits that can be used to exploit vulnerabilities on the asset. + - name: host_name + type: keyword + description: The host name (local or FQDN). + - name: id + type: keyword + description: The identifier of the asset. + - name: ip + type: ip + description: The IPv4 or IPv6 address. + - name: last_assessed_for_vulnerabilities + type: date + description: The time at which an asset was assessed for vulnerabilities. + - name: last_scan_end + type: date + description: The time at which the last scan of the asset ended. + - name: last_scan_start + type: date + description: The time at which the last scan of the asset started. + - name: mac + type: keyword + description: The Media Access Control (MAC) address. The format is six groups of two hexadecimal digits separated by colons. + - name: malware_kits + type: long + description: The count of known unique malware kits that can be used to attack vulnerabilities on the asset. + - name: moderate_vulnerabilities + type: long + description: The count of moderate vulnerability findings. 
+ - name: os + type: group + fields: + - name: architecture + type: keyword + description: The architecture of the operating system. + - name: description + type: keyword + description: The description of the operating system (containing vendor, family, product, version and architecture in a single string). + - name: family + type: keyword + description: The family of the operating system. + - name: name + type: keyword + description: The name of the operating system. + - name: system_name + type: keyword + description: A combination of vendor and family (with redundancies removed), suitable for grouping. + - name: type + type: keyword + description: The type of operating system. + - name: vendor + type: keyword + description: The vendor of the operating system. + - name: version + type: keyword + description: The version of the operating system. + - name: risk_score + type: double + description: The risk score (with criticality adjustments) of the asset. + - name: severe_vulnerabilities + type: long + description: The count of severe vulnerability findings. + - name: tags + type: group + fields: + - name: name + type: keyword + description: The stored value. + - name: type + type: keyword + description: The type of information stored and displayed. For sites, the value is "SITE". + - name: total_vulnerabilities + type: long + description: The total count of vulnerability findings. + - name: type + type: keyword + description: The type of asset. + - name: unique_identifiers + type: group + fields: + - name: id + type: keyword + description: The unique identifier. + - name: source + type: keyword + description: The source of the unique identifier. + - name: vulnerability + type: group + fields: + - name: added + type: date + description: The date the vulnerability coverage was added. The format is an ISO 8601 date, YYYY-MM-DD. + - name: categories + type: keyword + description: Comma-separated list of categories the vulnerability is classified under. 
+ - name: check_id + type: keyword + description: The identifier of the vulnerability check. + - name: cves + type: keyword + description: All CVEs assigned to this vulnerability. + - name: cvss_v2 + type: group + fields: + - name: access_complexity + type: keyword + description: Access Complexity (AC) component which measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system. + - name: access_vector + type: keyword + description: Access Vector (Av) component which reflects how the vulnerability is exploited. + - name: authentication + type: keyword + description: Authentication (Au) component which measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. + - name: availability_impact + type: keyword + description: Availability Impact (A) component which measures the impact to availability of a successfully exploited vulnerability. + - name: confidentiality_impact + type: keyword + description: Confidentiality Impact (C) component which measures the impact on confidentiality of a successfully exploited vulnerability. + - name: exploit_score + type: double + description: The CVSS exploit score. + - name: impact_score + type: double + description: The CVSS impact score. + - name: integrity_impact + type: keyword + description: Integrity Impact (I) component measures the impact to integrity of a successfully exploited vulnerability. + - name: score + type: double + description: The CVSS score, which ranges from 0-10. + - name: vector + type: keyword + description: The CVSS v2 vector. + - name: cvss_v3 + type: group + fields: + - name: attack_complexity + type: keyword + description: Attack Complexity (AC) component with measures the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. 
+ - name: attack_vector + type: keyword + description: Attack Vector (AV) component which measures context by which vulnerability exploitation is possible. + - name: availability_impact + type: keyword + description: Availability Impact (A) measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. + - name: confidentiality_impact + type: keyword + description: Confidentiality Impact (C) component which measures the impact on confidentiality of a successfully exploited vulnerability. + - name: exploit_score + type: double + description: The CVSS exploit score. + - name: impact_score + type: double + description: The CVSS impact score. + - name: integrity_impact + type: keyword + description: Integrity Impact (I) measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. + - name: privileges_required + type: keyword + description: Privileges Required (PR) measures the level of privileges an attacker must possess before successfully exploiting the vulnerability. + - name: scope + type: keyword + description: Scope (S) measures the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. + - name: score + type: double + description: The CVSS score, which ranges from 0-10. + - name: user_interaction + type: keyword + description: User Interaction (UI) measures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. + - name: vector + type: keyword + description: The CVSS v3 vector. + - name: denial_of_service + type: boolean + description: Whether the vulnerability can lead to Denial of Service (DoS). 
+ - name: description + type: keyword + description: A verbose description of the vulnerability. + - name: exploits + type: group + fields: + - name: description + type: keyword + description: A verbose description of the exploit. + - name: id + type: keyword + description: The identifier of the exploit. + - name: name + type: keyword + description: The name of the exploit. + - name: rank + type: keyword + description: How common the exploit is used. + - name: skill_level + type: keyword + description: The level of skill required to use the exploit. + - name: source + type: keyword + description: Details about where the exploit is defined. + - name: first_found + type: date + description: The first time the vulnerability was discovered. + - name: id + type: keyword + description: The identifier of the vulnerability. + - name: is_enriched + type: boolean + description: Whether the enriched vulnerability information is available. + - name: is_remediated + type: boolean + description: Whether the vulnerability has been remediated. + - name: key + type: keyword + description: The identifier of the assessment key. + - name: last_found + type: date + description: The most recent time the vulnerability was discovered. + - name: links + type: group + fields: + - name: href + type: keyword + - name: id + type: keyword + - name: rel + type: keyword + - name: source + type: keyword + - name: malware_kits + type: group + fields: + - name: description + type: keyword + description: A known Malware Kit that can be used to compromise a vulnerability. + - name: name + type: keyword + description: The name of the malware kit. + - name: popularity + type: keyword + description: The popularity of the malware kit. + - name: modified + type: date + description: The last date the vulnerability was modified. The format is an ISO 8601 date, YYYY-MM-DD. 
+ - name: pci + type: group + fields: + - name: cvss_score + type: double + description: The CVSS score of the vulnerability, adjusted for PCI rules and exceptions, on a scale of 0-10. + - name: fail + type: boolean + description: Whether if present on a host this vulnerability would cause a PCI failure. true if compliance status is "fail", false otherwise. + - name: severity_score + type: long + description: The severity score of the vulnerability, adjusted for PCI rules and exceptions, on a scale of 0-10. + - name: special_notes + type: keyword + description: Any special notes or remarks about the vulnerability that pertain to PCI compliance. + - name: status + type: keyword + description: The PCI compliance status. + - name: port + type: long + description: For services vulnerabilities, the port that is vulnerable. + - name: proof + type: keyword + description: The identifier of the vulnerability proof. + - name: protocol + type: keyword + description: For services vulnerabilities, the protocol that is vulnerable. + - name: published + type: date + description: The date the vulnerability was first published or announced. The format is an ISO 8601 date, YYYY-MM-DD. + - name: references + type: keyword + description: References to security standards this vulnerability is a part of, in condensed format (comma-separated). + - name: risk_score + type: double + description: The risk score of the vulnerability. If using the default Rapid7 Real Risk™ model, this value ranges from 0-1000. + - name: severity + type: keyword + description: The severity of the vulnerability. + - name: severity_score + type: long + description: The severity score of the vulnerability, on a scale of 0-10. + - name: solution + type: group + fields: + - name: fix + type: keyword + description: The solution fix for the vulnerability. + - name: id + type: keyword + description: The identifier of the solution for the vulnerability. 
+ - name: summary + type: keyword + description: The summary for the solution for the vulnerability. + - name: type + type: keyword + description: The solution type for the vulnerability. + - name: status + type: keyword + description: The status of the vulnerability finding. + - name: title + type: keyword + description: The title (summary) of the vulnerability. diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml new file mode 100644 index 00000000000..dd2e5a96bb9 --- /dev/null +++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml @@ -0,0 +1,11 @@ +- name: package + type: group + fields: + - name: fixed_version + type: keyword + - name: name + type: keyword + external: ecs + - name: version + type: keyword + external: ecs diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml new file mode 100644 index 00000000000..425eb9530e9 --- /dev/null +++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml @@ -0,0 +1,7 @@ +- name: resource + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml new file mode 100644 index 00000000000..c1e3f2fa6da --- /dev/null +++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml 
@@ -0,0 +1,12 @@ +- name: vulnerability + type: group + fields: + - name: published_date + type: date + - name: scanner + type: group + fields: + - name: name + type: keyword + - name: title + type: keyword diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml new file mode 100644 index 00000000000..eecae70230b --- /dev/null +++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml @@ -0,0 +1,30 @@ +source: + index: + - "logs-rapid7_insightvm.asset_vulnerability-*" +dest: + index: "security_solution-rapid7_insightvm.vulnerability_latest-v1" + aliases: + - alias: "security_solution-rapid7_insightvm.vulnerability_latest" + move_on_creation: true +latest: + unique_key: + - event.id + - resource.id + - data_stream.namespace + sort: "@timestamp" +description: Latest Vulnerabilities Findings from Rapid7 InsightVM. +settings: + unattended: true +frequency: 5m +sync: + time: + field: event.ingested +retention_policy: + time: + field: "@timestamp" + max_age: 90d +_meta: + managed: true + # Bump this version to delete, reinstall, and restart the transform during package. + # Version bump is needed if there is any code change in transform. + fleet_transform_version: 0.1.0 diff --git a/packages/rapid7_insightvm/manifest.yml b/packages/rapid7_insightvm/manifest.yml index f86fc252ee3..2286e39945b 100644 --- a/packages/rapid7_insightvm/manifest.yml +++ b/packages/rapid7_insightvm/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.2" +format_version: "3.3.5" name: rapid7_insightvm title: Rapid7 InsightVM -version: "1.16.0" +version: "2.0.0" source: license: "Elastic-2.0" description: Collect logs from Rapid7 InsightVM with Elastic Agent. 
@@ -11,7 +11,7 @@ categories: - vulnerability_management conditions: kibana: - version: "^8.13.0 || ^9.0.0" + version: "^8.19.0 || ^9.1.0" elastic: subscription: "basic" screenshots: @@ -32,10 +32,22 @@ policy_templates: - name: rapid7_insightvm title: Rapid7 InsightVM logs description: Collect Rapid7 InsightVM logs. + deployment_modes: + default: + enabled: true + agentless: + enabled: true + organization: security + division: engineering + team: security-service-integrations + # The default memory allocation of 1Gi for agentless deployment results in the input restarting multiple times and becoming stuck in a loop, unable to complete the ingestion cycle. Increasing the memory to 4Gi solves the issue. + resources: + requests: + memory: 4Gi inputs: - type: httpjson - title: Collect Rapid7 InsightVM logs via API - description: Collecting Rapid7 InsightVM via API. + title: Collect Rapid7 InsightVM logs via HTTPJSON + description: Collecting Rapid7 InsightVM via HTTPJSON. vars: - name: hostname type: text 
@@ -95,6 +107,62 @@ policy_templates: # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk # sxSmbIUfc2SGJGCJD4I= # -----END CERTIFICATE----- + - type: cel + title: Collect Rapid7 InsightVM logs via CEL + description: Collecting Rapid7 InsightVM logs via CEL. + vars: + - name: url + type: url + title: URL + description: URL for the Rapid7 InsightVM API (Add https:// before the hostname). Add a region of the Insight Platform to the URL. + default: https://.api.insight.rapid7.com + multi: false + required: true + show_user: true + - name: api_key + type: password + title: API Key + description: API Key to access Insight platform. + multi: false + required: true + show_user: true + secret: true + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- owner: github: elastic/security-service-integrations type: elastic
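Review bot: the exported-fields table for `asset_vulnerability` ships several rows with an empty description cell: `rapid7_insightvm.asset_vulnerability.vulnerability.links.href`, `.links.id`, `.links.rel`, `.links.source`, `resource.id`, `resource.name`, `vulnerability.published_date`, `vulnerability.scanner.name` and `vulnerability.title`. This table is generated from the fields YAML files added later in this diff, so the fix belongs there (a `description:` under each entry in fields.yml, resource.yml and vulnerability.yml); `resource.id` deserves one sentence in particular because it is part of the transform's `unique_key`. The `exploits.rank` description "How common the exploit is used" should read "How commonly the exploit is used".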
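Review bot: in ecs.yml, `observer.vendor` and `vulnerability.scanner.vendor` are declared `type: constant_keyword` without a `value:`, whereas base-fields.yml pins `event.module` with `value: rapid7_insightvm` and `event.dataset` with `value: rapid7_insightvm.asset_vulnerability`. An unpinned constant_keyword takes the value of the first document indexed into the destination index, and any later document carrying a different value is rejected, so a one-off casing or spelling difference from the pipeline would start failing the transform. Pin the values explicitly, as base-fields.yml already does.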
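Review bot: several descriptions in fields.yml need wording fixes before they are rendered into the README table: `cvss_v2.access_vector` says "Access Vector (Av)" where the CVSS abbreviation is "AV"; `cvss_v3.attack_complexity` says "component with measures the conditions" and should be "which measures"; `pci.fail` opens with "Whether if present on a host this vulnerability would cause a PCI failure" and reads better as "Whether this vulnerability, if present on a host, would cause a PCI failure"; and `exploits.rank` has the same "How common the exploit is used" wording noted for the README. The `links` group (`href`, `id`, `rel`, `source`) has no descriptions at all, although the example event on this page shows `rel` and `source` carrying fixed vocabularies (`advisory`; `bid`, `xf`, `cve`, `url`) that are worth documenting.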
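Review bot: the transform in transform.yml both sorts on `@timestamp` (`sort: "@timestamp"`) and expires documents on it (`retention_policy.time.field: "@timestamp"`, `max_age: 90d`), so the meaning of `@timestamp` in `logs-rapid7_insightvm.asset_vulnerability-*` documents decides whether this is correct. The `vulnerability` example event on this page sets `@timestamp` to `2018-06-08T00:00:00.000Z`, which is the vulnerability's `modified` date from `event.original`, not the ingest time (`event.ingested` is `2025-05-30T11:13:00Z`). If `asset_vulnerability` assigns `@timestamp` the same way, findings that are still open but last modified or found more than 90 days ago would be deleted from the latest index, and re-ingested copies of an unchanged finding would tie on the sort key. Either state in the description which timestamp the source pipeline writes, or sort and retain on `event.ingested`, which is already the `sync.time.field`. Separately, the `_meta` comment "Bump this version to delete, reinstall, and restart the transform during package." is cut off mid-sentence.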
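Review bot: the Kibana constraint moves from `^8.13.0 || ^9.0.0` to `^8.19.0 || ^9.1.0`, which drops every 8.13 to 8.18 and 9.0 stack in one step for a package whose ingest side (httpjson, cel) ran on those versions. If the new floor is driven by the agentless `resources.requests.memory` block or the transform packaging, say so in the changelog so operators on 8.18 know why 2.0.0 is not offered to them.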
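Review bot: the agentless block requests `memory: 4Gi` with a comment explaining that the 1Gi default left the input restarting in a loop before finishing an ingestion cycle. Four times the default is a large standing allocation for a collector, and the comment does not say which input or data stream produced the loop; record that, and state whether bounding the page size or the per-request batch in the CEL program was tried first, since a smaller in-flight result set would remove the restart loop without pinning 4Gi per policy. Also, the renamed `httpjson` title ("Collect Rapid7 InsightVM logs via HTTPJSON") and the new `cel` title ("Collect Rapid7 InsightVM logs via CEL") describe the transport rather than the data; naming the data streams each input serves would tell users which one to enable and avoid double ingestion if both are turned on.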
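Review bot: the new `cel` input's `url` variable defaults to `https://.api.insight.rapid7.com`, which is not a resolvable hostname as shipped; a user who saves the policy without editing it gets a DNS failure rather than a validation error, and the description "Add a region of the Insight Platform to the URL" does not show where the region goes. Either leave the default empty (the variable is already `required: true`, so Fleet will insist on a value) or spell the pattern out in the description with an explicit region placeholder and an example. The `proxy_url` description has the same problem in reverse: its form string renders as `http[s]://:@:` with the placeholder names missing, so readers cannot tell that user, password, host and port are expected between the separators.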