From 8ed1900eac0a2ea3fe5edb81082e4ac06d600035 Mon Sep 17 00:00:00 2001 
From: brijesh-elastic Date: Thu, 29 May 2025 15:43:04 +0530 Subject: [PATCH 01/19] add support of asset_vulnerability datastream --- .../_dev/deploy/docker/files/config.yml | 895 ++++++++++ packages/rapid7_insightvm/changelog.yml | 5 + .../pipeline/test-asset.log-expected.json | 2 +- .../pipeline/test-asset-vulnerability.log | 7 + ...test-asset-vulnerability.log-expected.json | 1435 +++++++++++++++++ .../_dev/test/pipeline/test-common-config.yml | 4 + .../_dev/test/system/test-default-config.yml | 12 + .../agent/stream/cel.yml.hbs | 188 +++ .../elasticsearch/ingest_pipeline/default.yml | 1015 ++++++++++++ .../fields/base-fields.yml | 20 + .../asset_vulnerability/fields/beats.yml | 6 + .../asset_vulnerability/fields/ecs.yml | 7 + .../asset_vulnerability/fields/fields.yml | 329 ++++ .../asset_vulnerability/fields/package.yml | 11 + .../asset_vulnerability/fields/resource.yml | 7 + .../fields/vulnerability.yml | 12 + .../asset_vulnerability/manifest.yml | 78 + .../asset_vulnerability/sample_event.json | 207 +++ .../test-vulnerability.log-expected.json | 2 +- packages/rapid7_insightvm/manifest.yml | 64 +- 20 files changed, 4300 insertions(+), 6 deletions(-) create mode 100644 packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log create mode 100644 packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json create mode 100644 packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-common-config.yml create mode 100644 packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/system/test-default-config.yml create mode 100644 packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs create mode 100644 packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml create mode 100644 packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/base-fields.yml 
create mode 100644 packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/beats.yml
create mode 100644 packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/ecs.yml
create mode 100644 packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/fields.yml
create mode 100644 packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/package.yml
create mode 100644 packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/resource.yml
create mode 100644 packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/vulnerability.yml
create mode 100644 packages/rapid7_insightvm/data_stream/asset_vulnerability/manifest.yml
create mode 100644 packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json
diff --git a/packages/rapid7_insightvm/_dev/deploy/docker/files/config.yml b/packages/rapid7_insightvm/_dev/deploy/docker/files/config.yml
index 60fa6234768..70c75fb4aa2 100644
--- a/packages/rapid7_insightvm/_dev/deploy/docker/files/config.yml
+++ b/packages/rapid7_insightvm/_dev/deploy/docker/files/config.yml
@@ -1,4 +1,899 @@ rules: + - path: /vm/v4/integration/assets + methods: ['POST'] + query_params: + size: 2 + includeUniqueIdentifiers: true + includeSame: true + comparisonTime: null + cursor: null + request_headers: + X-Api-Key: + - api_key + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "credential_assessments": [], + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00:00:5E:00:53:01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os_architecture": "x86_64", + "os_description": "Ubuntu Linux 22.04", + "os_family": "Linux", + "os_name": "Linux", + "os_system_name": "Ubuntu Linux", + "os_type": "", + "os_vendor": "Ubuntu", + "os_version": "22.04", + "risk_score": 5656, + "severe_vulnerabilities": 6, + "tags": [ + { + "name": "rapid7 insight agents", + "type": "SITE" + } + ], + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "same": [ + { + "check_id": null, + "first_found": "2025-05-14T13:52:10Z", + "key": "/root/infaagent/jdk/lib/jrt-fs.jar", + "last_found": "2025-05-27T19:54:43.777Z", + "nic": null, + "port": null, + "proof": "

Vulnerable OS: Ubuntu Linux 22.04

Vulnerable software installed: Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)

", + "protocol": null, + "reintroduced": null, + "solution_fix": "

\n Download and upgrade to the latest version of Azul Zulu from here.

", + "solution_id": "azul-zulu-upgrade-latest", + "solution_summary": "Upgrade Azul Zulu to the latest version", + "solution_type": "workaround", + "status": "VULNERABLE_VERS", + "vulnerability_id": "azul-zulu-cve-2025-21502" + }, + { + "check_id": null, + "first_found": "2025-05-13T13:25:40Z", + "key": "", + "last_found": "2025-05-27T19:54:43.777Z", + "nic": null, + "port": null, + "proof": "

Grub config with no password found.

", + "protocol": null, + "reintroduced": null, + "solution_fix": "

Set a password in the GRUB configuration file. This\n is often located in one of several locations, but can really be\n anywhere:

\n          /etc/grub.conf\n          /boot/grub/grub.conf\n          /boot/grub/grub.cfg\n          /boot/grub/menu.lst\n        

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file\n and add the following line before the first uncommented line:

   password <password>

To set an encrypted password, run grub-md5-crypt and use its\n output when adding the following line before the first\n uncommented line:

   password --md5 <encryptedpassword>

For either approach, choose an appropriately strong password.

", + "solution_id": "linux-grub-missing-passwd", + "solution_summary": " Enable GRUB password ", + "solution_type": "workaround", + "status": "VULNERABLE_EXPL", + "vulnerability_id": "linux-grub-missing-passwd" + } + ] + }, + { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "credential_assessments": [ + { + "port": 135, + "protocol": "TCP", + "status": "NO_CREDS_SUPPLIED" + }, + { + "port": 445, + "protocol": "TCP", + "status": "NO_CREDS_SUPPLIED" + } + ], + "critical_vulnerabilities": 119, + "exploits": 4, + "host_name": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": "10.50.13.52", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00:00:5E:00:53:00", + "malware_kits": 0, + "moderate_vulnerabilities": 8, + "os_architecture": "x86_64", + "os_description": "Microsoft Windows 11 22H2", + "os_family": "Windows", + "os_name": "Windows 11", + "os_system_name": "Microsoft Windows", + "os_type": "Workstation", + "os_vendor": "Microsoft", + "os_version": "22H2", + "risk_score": 181622, + "severe_vulnerabilities": 241, + "tags": [ + { + "name": "USA", + "type": "LOCATION" + }, + { + "name": "test", + "type": "SITE" + }, + { + "name": "rapid7 insight agents", + "type": "SITE" + } + ], + "total_vulnerabilities": 368, + "type": "guest", + "unique_identifiers": [ + { + "id": "F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050", + "source": "CSPRODUCT" + }, + { + "id": "c5cf46abcdef0123456789291c7d554a", + "source": "R7 Agent" + } + ], + "same": [ + { + "check_id": null, + "first_found": "2025-04-30T06:21:05Z", + "key": "", + "last_found": "2025-05-27T19:54:43.777Z", + "nic": null, + "port": 3389, + "proof": "

The subject common name found in the X.509 certificate does not seem to match the scan target:

", + "protocol": "TCP", + "reintroduced": "2025-05-27T13:34:19Z", + "solution_fix": "

\n The subject's common name (CN) field in the X.509 certificate should be fixed\nto reflect the name of the entity presenting the certificate (e.g., the\nhostname). This is done by generating a new certificate usually signed by a\nCertification Authority (CA) trusted by both the client and server.\n

", + "solution_id": "certificate-common-name-mismatch", + "solution_summary": "Fix the subject's Common Name (CN) field in the certificate", + "solution_type": "workaround", + "status": "VULNERABLE_EXPL", + "vulnerability_id": "certificate-common-name-mismatch" + }, + { + "check_id": "microsoft-windows-cve-2025-21204-windows_11-22h2-kb5055528", + "first_found": "2025-05-13T07:25:34Z", + "key": "", + "last_found": "2025-05-27T19:54:43.777Z", + "nic": null, + "port": null, + "proof": "

Vulnerable OS: Microsoft Windows 11 22H2

", + "protocol": null, + "reintroduced": null, + "solution_fix": "

Download and apply the patch from: https://support.microsoft.com/help/5058405

", + "solution_id": "microsoft-windows-windows_11-22h2-kb5058405", + "solution_summary": "2025-05 Cumulative Update for Microsoft Windows 11, version 22H2 (KB5058405)", + "solution_type": "patch", + "status": "VULNERABLE_EXPL", + "vulnerability_id": "microsoft-windows-cve-2025-21204" + }, + { + "check_id": "WINDOWS-HOTFIX-MS13-098-x64", + "first_found": "2025-05-13T07:25:34Z", + "key": "", + "last_found": "2025-05-27T19:54:43.777Z", + "nic": null, + "port": null, + "proof": "

Vulnerable OS: Microsoft Windows 11 22H2

", + "protocol": null, + "reintroduced": null, + "solution_fix": "

Download and apply the patch from: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

", + "solution_id": "windows-hotfix-ms13-098", + "solution_summary": "Enable Certificate Padding Check for Windows Systems", + "solution_type": "patch", + "status": "VULNERABLE_EXPL", + "vulnerability_id": "windows-hotfix-ms13-098" + } + ] + } + ], + "metadata": { + "number": 0, + "size": 2, + "totalResources": 3, + "totalPages": 2, + "cursor": "1542252837:::_S:::81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1" + }, + "links": [ + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=0&size=2&sort=id,asc", + "rel": "first" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=0&size=2&sort=id,asc", + "rel": "self" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=1&size=2&sort=id,asc&cursor=1542252837:::_S:::81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "rel": "next" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=8&size=2&sort=id,asc", + "rel": "last" + } + ] + } + `}} + - path: /vm/v4/integration/assets + methods: ['POST'] + query_params: + size: 2 + includeUniqueIdentifiers: true + includeSame: true + comparisonTime: null + cursor: 1542252837:::_S:::81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1 + request_headers: + X-Api-Key: + - api_key + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "credential_assessments": [ + { + "port": 22, + "protocol": "TCP", + "status": "NO_CREDS_SUPPLIED" + } + ], + "critical_vulnerabilities": 3, + "exploits": 0, + "host_name": "computer-test", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "ip": "10.50.5.112", + 
"last_assessed_for_vulnerabilities": "2025-05-27T18:21:36.279Z", + "last_scan_end": "2025-05-27T18:21:36.279Z", + "last_scan_start": "2025-05-27T18:20:41.505Z", + "mac": "00:00:5E:00:53:02", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os_architecture": "x86_64", + "os_description": "Red Hat Enterprise Linux 7.9", + "os_family": "Linux", + "os_name": "Enterprise Linux", + "os_system_name": "Red Hat Linux", + "os_type": "", + "os_vendor": "Red Hat", + "os_version": "7.9", + "risk_score": 18250, + "severe_vulnerabilities": 48, + "tags": [ + { + "name": "Ahmedabad", + "type": "LOCATION" + }, + { + "name": "test", + "type": "SITE" + }, + { + "name": "rapid7 insight agents", + "type": "SITE" + } + ], + "total_vulnerabilities": 52, + "type": "guest", + "unique_identifiers": [ + { + "id": "CEF12345-ABCD-1234-ABCD-95ABCDEF1234", + "source": "dmidecode" + }, + { + "id": "e80644e940123456789abcdef66a8b16", + "source": "R7 Agent" + } + ], + "same": [ + { + "check_id": null, + "first_found": "2025-05-12T16:25:35Z", + "key": "", + "last_found": "2025-05-27T18:21:36.279Z", + "nic": null, + "port": null, + "proof": "

Following entries in /etc/securetty \n may allow anonymous root logins:

", + "protocol": null, + "reintroduced": null, + "solution_fix": "

Remove all the entries in /etc/securetty except console,\n tty[0-9]* and vc\\[0-9]*

Note: ssh does not use /etc/securetty. To disable root login\n through ssh, use the "PermitRootLogin" setting in /etc/ssh/sshd_config\n and restart the ssh daemon.

", + "solution_id": "unix-anonymous-root-logins", + "solution_summary": "Edit '/etc/securetty' entries", + "solution_type": "workaround", + "status": "VULNERABLE_EXPL", + "vulnerability_id": "unix-anonymous-root-logins" + }, + { + "check_id": null, + "first_found": "2025-05-14T13:52:10Z", + "key": "", + "last_found": "2025-05-27T18:21:36.279Z", + "nic": null, + "port": null, + "proof": "

The following world writable files were found.

", + "protocol": null, + "reintroduced": null, + "solution_fix": "

For each world-writable file, determine whether there is a good reason for\n it to be world writable. If not, remove world write permissions for the file.\n The output here is limited to 50 files. In order to find all of these files without needing to\n run another Nexpose scan run the following command:

 find / -type f -perm -02

Please note; it may be necessary exclude particular paths or file share types, run 'man find' for information.

", + "solution_id": "unix-world-writable-files", + "solution_summary": "Remove world write permissions", + "solution_type": "workaround", + "status": "VULNERABLE_EXPL", + "vulnerability_id": "unix-world-writable-files" + } + ] + } + ], + "metadata": { + "number": 0, + "size": 2, + "totalResources": 3, + "totalPages": 2, + "cursor": "1542252837:::_S:::8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6" + }, + "links": [ + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=0&size=2&sort=id,asc", + "rel": "first" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=0&size=2&sort=id,asc&cursor=1542252837:::_S:::81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "rel": "self" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=1&size=2&sort=id,asc&cursor=1542252837:::_S:::8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "rel": "next" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=8&size=2&sort=id,asc", + "rel": "last" + } + ] + } + `}} + - path: /vm/v4/integration/assets + methods: ['POST'] + query_params: + size: 2 + includeUniqueIdentifiers: true + includeSame: true + comparisonTime: null + cursor: 1542252837:::_S:::8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6 + request_headers: + X-Api-Key: + - api_key + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [], + "metadata": { + "number": 0, + "size": 2, + "totalResources": 0, + "totalPages": 0, + "cursor": null + }, + "links": [ + { + "href": 
"https://us.api.insight.rapid7.com:443/vm/v4/integration/assets?includeSame=true&includeUniqueIdentifiers=true&page=0&size=2&sort=id,asc&cursor=1542252837:::_S:::8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "rel": "self" + } + ] + } + `}} + - path: /vm/v4/integration/vulnerabilities + methods: ['POST'] + query_params: + size: 500 + cursor: null + request_headers: + X-Api-Key: + - api_key + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": [ + { + "added": "2025-02-05T00:00:00Z", + "categories": "Azul Systems,Azul Zulu,Java,Web", + "cves": "CVE-2025-21502", + "cvss_v2_access_complexity": "high", + "cvss_v2_access_vector": "network", + "cvss_v2_authentication": "none", + "cvss_v2_availability_impact": "none", + "cvss_v2_confidentiality_impact": "partial", + "cvss_v2_exploit_score": 4.927999973297119, + "cvss_v2_impact_score": 4.938243839970231, + "cvss_v2_integrity_impact": "partial", + "cvss_v2_score": 4, + "cvss_v2_vector": "(AV:N/AC:H/Au:N/C:P/I:P/A:N)", + "cvss_v3_attack_complexity": "high", + "cvss_v3_attack_vector": "network", + "cvss_v3_availability_impact": "none", + "cvss_v3_confidentiality_impact": "low", + "cvss_v3_exploit_score": 2.2211673, + "cvss_v3_impact_score": 2.5140719999999996, + "cvss_v3_integrity_impact": "low", + "cvss_v3_privileges_required": "none", + "cvss_v3_scope": "unchanged", + "cvss_v3_score": 4.8, + "cvss_v3_user_interaction": "none", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "denial_of_service": false, + "description": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. 
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).", + "exploits": [], + "id": "azul-zulu-cve-2025-21502", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2025-21502", + "id": "CVE-2025-21502", + "source": "cve" + }, + { + "href": "https://www.azul.com/downloads/", + "id": "https://www.azul.com/downloads/", + "source": "url" + } + ], + "malware_kits": [], + "modified": "2025-02-18T00:00:00Z", + "pci_cvss_score": 4, + "pci_fail": true, + "pci_severity_score": 3, + "pci_special_notes": "", + "pci_status": "fail", + "published": "2025-01-21T00:00:00Z", + "references": "cve:CVE-2025-21502,url:https://www.azul.com/downloads/", + "risk_score": 321, + "severity": "low", + "severity_score": 4, + "title": "Azul Zulu: CVE-2025-21502: Vulnerability in the Azul Zulu OpenJDK component" + }, + { + "added": "2004-11-30T00:00:00Z", + "categories": "CVSS Score Predicted with Rapid7 AI,UNIX", + "cves": "", + "cvss_v2_access_complexity": "low", + "cvss_v2_access_vector": "local", + "cvss_v2_authentication": "none", + "cvss_v2_availability_impact": "partial", + "cvss_v2_confidentiality_impact": "partial", + "cvss_v2_exploit_score": 3.948735978603363, + "cvss_v2_impact_score": 6.442976653521584, + "cvss_v2_integrity_impact": "partial", + "cvss_v2_score": 4.6, + "cvss_v2_vector": "(AV:L/AC:L/Au:N/C:P/I:P/A:P)", + "cvss_v3_attack_complexity": "low", + "cvss_v3_attack_vector": "local", + "cvss_v3_availability_impact": "none", + "cvss_v3_confidentiality_impact": "high", + "cvss_v3_exploit_score": 2.515145325, + "cvss_v3_impact_score": 5.177088, + "cvss_v3_integrity_impact": "high", + "cvss_v3_privileges_required": "none", + "cvss_v3_scope": "unchanged", + "cvss_v3_score": 7.7, + "cvss_v3_user_interaction": "none", + "cvss_v3_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "denial_of_service": false, + "description": "GRUB bootloader is not password protected. 
An attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command. It can also be exploited to boot into single user mode as root or boot into an insecure operating system.", + "exploits": [], + "id": "linux-grub-missing-passwd", + "links": [], + "malware_kits": [], + "modified": "2025-02-18T00:00:00Z", + "pci_cvss_score": 4.6, + "pci_fail": true, + "pci_severity_score": 3, + "pci_special_notes": "", + "pci_status": "fail", + "published": "1999-01-01T00:00:00Z", + "references": "", + "risk_score": 515, + "severity": "critical", + "severity_score": 5, + "title": "No password for Grub" + }, + { + "added": "2007-08-03T00:00:00Z", + "categories": "CVSS Score Predicted with Rapid7 AI,HTTP,Web", + "cves": "", + "cvss_v2_access_complexity": "high", + "cvss_v2_access_vector": "network", + "cvss_v2_authentication": "none", + "cvss_v2_availability_impact": "none", + "cvss_v2_confidentiality_impact": "complete", + "cvss_v2_exploit_score": 4.927999973297119, + "cvss_v2_impact_score": 7.843935219030975, + "cvss_v2_integrity_impact": "partial", + "cvss_v2_score": 6.1, + "cvss_v2_vector": "(AV:N/AC:H/Au:N/C:C/I:P/A:N)", + "cvss_v3_attack_complexity": "high", + "cvss_v3_attack_vector": "network", + "cvss_v3_availability_impact": "none", + "cvss_v3_confidentiality_impact": "high", + "cvss_v3_exploit_score": 2.2211673, + "cvss_v3_impact_score": 5.177088, + "cvss_v3_integrity_impact": "high", + "cvss_v3_privileges_required": "none", + "cvss_v3_scope": "unchanged", + "cvss_v3_score": 7.4, + "cvss_v3_user_interaction": "none", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "denial_of_service": false, + "description": "The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.\n\nBefore issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification 
Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by \"https://www.example.com/\", the CN should be \"www.example.com\". \n\nIn order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then launch a man-in-the-middle attack and gain full control of the data stream. Of particular importance is the validity of the subject's CN, that should match the name of the entity (hostname).\n\nA CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.", + "exploits": [], + "id": "certificate-common-name-mismatch", + "links": [], + "malware_kits": [], + "modified": "2025-02-18T00:00:00Z", + "pci_cvss_score": 6.1, + "pci_fail": true, + "pci_severity_score": 4, + "pci_special_notes": "", + "pci_status": "fail", + "published": "2007-08-03T00:00:00Z", + "references": "", + "risk_score": 495, + "severity": "none", + "severity_score": 6, + "title": "X.509 Certificate Subject CN Does Not Match the Entity Name" + }, + { + "added": "2025-04-08T00:00:00Z", + "categories": "Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation", + "cves": "CVE-2025-21204", + "cvss_v2_access_complexity": "low", + "cvss_v2_access_vector": "local", + "cvss_v2_authentication": "single", + "cvss_v2_availability_impact": "complete", + "cvss_v2_confidentiality_impact": "complete", + "cvss_v2_exploit_score": 3.141040013372898, + "cvss_v2_impact_score": 10.000845454680942, + "cvss_v2_integrity_impact": "complete", + "cvss_v2_score": 6.8, + "cvss_v2_vector": "(AV:L/AC:L/Au:S/C:C/I:C/A:C)", + "cvss_v3_attack_complexity": "low", + "cvss_v3_attack_vector": "local", + "cvss_v3_availability_impact": "high", + "cvss_v3_confidentiality_impact": "high", + "cvss_v3_exploit_score": 
1.8345765900000002, + "cvss_v3_impact_score": 5.873118720000001, + "cvss_v3_integrity_impact": "high", + "cvss_v3_privileges_required": "low", + "cvss_v3_scope": "unchanged", + "cvss_v3_score": 7.8, + "cvss_v3_user_interaction": "none", + "cvss_v3_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "denial_of_service": false, + "description": "Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability", + "exploits": [], + "id": "microsoft-windows-cve-2025-21204", + "links": [ + { + "href": "https://support.microsoft.com/help/5055557", + "id": "https://support.microsoft.com/help/5055557", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055547", + "id": "https://support.microsoft.com/help/5055547", + "source": "url" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2025-21204", + "id": "CVE-2025-21204", + "source": "cve" + }, + { + "href": "https://support.microsoft.com/help/5055526", + "id": "https://support.microsoft.com/help/5055526", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055527", + "id": "https://support.microsoft.com/help/5055527", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055521", + "id": "https://support.microsoft.com/help/5055521", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055523", + "id": "https://support.microsoft.com/help/5055523", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055528", + "id": "https://support.microsoft.com/help/5055528", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055518", + "id": "https://support.microsoft.com/help/5055518", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055519", + "id": "https://support.microsoft.com/help/5055519", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055581", + "id": "https://support.microsoft.com/help/5055581", + 
"source": "url" + } + ], + "malware_kits": [], + "modified": "2025-04-14T00:00:00Z", + "pci_cvss_score": 6.8, + "pci_fail": true, + "pci_severity_score": 4, + "pci_special_notes": "", + "pci_status": "fail", + "published": "2025-04-08T00:00:00Z", + "references": "cve:CVE-2025-21204,url:https://support.microsoft.com/help/5055518,url:https://support.microsoft.com/help/5055519,url:https://support.microsoft.com/help/5055521,url:https://support.microsoft.com/help/5055523,url:https://support.microsoft.com/help/5055526,url:https://support.microsoft.com/help/5055527,url:https://support.microsoft.com/help/5055528,url:https://support.microsoft.com/help/5055547,url:https://support.microsoft.com/help/5055557,url:https://support.microsoft.com/help/5055581", + "risk_score": 522, + "severity": "informational", + "severity_score": 7, + "title": "Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability" + }, + { + "added": "2013-12-10T00:00:00Z", + "categories": "CISA KEV,Exploited in the Wild,Microsoft,Microsoft Patch,Microsoft Windows,Remote Execution", + "cves": "CVE-2013-3900", + "cvss_v2_access_complexity": "medium", + "cvss_v2_access_vector": "local", + "cvss_v2_authentication": "none", + "cvss_v2_availability_impact": "none", + "cvss_v2_confidentiality_impact": "none", + "cvss_v2_exploit_score": 3.392575981616974, + "cvss_v2_impact_score": 6.870600273013115, + "cvss_v2_integrity_impact": "complete", + "cvss_v2_score": 4.7, + "cvss_v2_vector": "(AV:L/AC:M/Au:N/C:N/I:C/A:N)", + "cvss_v3_attack_complexity": "low", + "cvss_v3_attack_vector": "local", + "cvss_v3_availability_impact": "none", + "cvss_v3_confidentiality_impact": "none", + "cvss_v3_exploit_score": 1.8345765900000002, + "cvss_v3_impact_score": 3.5952, + "cvss_v3_integrity_impact": "high", + "cvss_v3_privileges_required": "none", + "cvss_v3_scope": "unchanged", + "cvss_v3_score": 5.5, + "cvss_v3_user_interaction": "required", + "cvss_v3_vector": 
"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", + "denial_of_service": false, + "description": "This vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. Note that this vulnerability was originally published by Microsoft as MS13-098, but has now been republished as CVE-2013-3900. Microsoft provides current information on the CVE-2013-3900 advisory.", + "exploits": [], + "id": "windows-hotfix-ms13-098", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2013-3900", + "id": "CVE-2013-3900", + "source": "cve" + }, + { + "href": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900", + "id": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900", + "source": "url" + } + ], + "malware_kits": [], + "modified": "2025-04-22T00:00:00Z", + "pci_cvss_score": 4.7, + "pci_fail": true, + "pci_severity_score": 3, + "pci_special_notes": "", + "pci_status": "fail", + "published": "2013-12-10T00:00:00Z", + "references": "cve:CVE-2013-3900,url:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900", + "risk_score": 450, + "severity": "severe", + "severity_score": 5, + "title": "CVE-2013-3900: MS13-098: Vulnerability in Windows Could Allow Remote Code Execution" + }, + { + "added": "2004-11-30T00:00:00Z", + "categories": "CVSS Score Predicted with Rapid7 AI,UNIX", + "cves": "", + "cvss_v2_access_complexity": "low", + "cvss_v2_access_vector": "network", + "cvss_v2_authentication": "single", + "cvss_v2_availability_impact": "partial", + "cvss_v2_confidentiality_impact": "partial", + "cvss_v2_exploit_score": 7.9520000338554375, + "cvss_v2_impact_score": 6.442976653521584, + "cvss_v2_integrity_impact": "partial", + "cvss_v2_score": 6.5, + "cvss_v2_vector": "(AV:N/AC:L/Au:S/C:P/I:P/A:P)", + "cvss_v3_attack_complexity": "low", + "cvss_v3_attack_vector": "local", + "cvss_v3_availability_impact": "high", + 
"cvss_v3_confidentiality_impact": "high", + "cvss_v3_exploit_score": 2.515145325, + "cvss_v3_impact_score": 5.873118720000001, + "cvss_v3_integrity_impact": "high", + "cvss_v3_privileges_required": "none", + "cvss_v3_scope": "unchanged", + "cvss_v3_score": 8.4, + "cvss_v3_user_interaction": "none", + "cvss_v3_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "denial_of_service": false, + "description": "Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. On other tty or vc's root user will not be allowed and user has to \"su\" to become root.", + "exploits": [], + "id": "unix-anonymous-root-logins", + "links": [], + "malware_kits": [], + "modified": "2025-02-18T00:00:00Z", + "pci_cvss_score": 6.5, + "pci_fail": true, + "pci_severity_score": 4, + "pci_special_notes": "", + "pci_status": "fail", + "published": "2004-11-30T00:00:00Z", + "references": "", + "risk_score": 562, + "severity": "severe", + "severity_score": 7, + "title": "Anonymous root login is allowed" + }, + { + "added": "2005-01-15T00:00:00Z", + "categories": "CVSS Score Predicted with Rapid7 AI,UNIX", + "cves": "", + "cvss_v2_access_complexity": "low", + "cvss_v2_access_vector": "local", + "cvss_v2_authentication": "none", + "cvss_v2_availability_impact": "none", + "cvss_v2_confidentiality_impact": "partial", + "cvss_v2_exploit_score": 3.948735978603363, + "cvss_v2_impact_score": 4.938243839970231, + "cvss_v2_integrity_impact": "partial", + "cvss_v2_score": 3.6, + "cvss_v2_vector": "(AV:L/AC:L/Au:N/C:P/I:P/A:N)", + "cvss_v3_attack_complexity": "low", + "cvss_v3_attack_vector": "local", + "cvss_v3_availability_impact": "none", + "cvss_v3_confidentiality_impact": "low", + "cvss_v3_exploit_score": 2.515145325, + "cvss_v3_impact_score": 1.4123999999999999, + "cvss_v3_integrity_impact": "none", + 
"cvss_v3_privileges_required": "none", + "cvss_v3_scope": "unchanged", + "cvss_v3_score": 4, + "cvss_v3_user_interaction": "none", + "cvss_v3_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "denial_of_service": false, + "description": "World writable files were found on the system. A file that can be written by any user on the system could be a serious security flaw.", + "exploits": [], + "id": "unix-world-writable-files", + "links": [], + "malware_kits": [], + "modified": "2025-02-18T00:00:00Z", + "pci_cvss_score": 3.6, + "pci_fail": false, + "pci_severity_score": 2, + "pci_special_notes": "", + "pci_status": "pass", + "published": "2005-01-15T00:00:00Z", + "references": "", + "risk_score": 268, + "severity": "severe", + "severity_score": 4, + "title": "World writable files exist" + } + ], + "metadata": { + "number": 0, + "size": 500, + "totalResources": 7, + "totalPages": 1, + "cursor": "-2034101655:::_L:::1748390400000:::_S:::unix-world-writable-files" + }, + "links": [ + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=0&size=500&sort=modified,asc", + "rel": "first" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=0&size=500&sort=modified,asc", + "rel": "self" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=1&size=500&sort=modified,asc&cursor=-2034101655:::_L:::1748390400000:::_S:::unix-world-writable-files", + "rel": "next" + }, + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=2&size=500&sort=modified,asc", + "rel": "last" + } + ] + } + `}} + - path: /vm/v4/integration/vulnerabilities + methods: ['POST'] + query_params: + size: 500 + cursor: -2034101655:::_L:::1748390400000:::_S:::unix-world-writable-files + request_headers: + X-Api-Key: + - api_key + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + 
"data": [], + "metadata": { + "number": 0, + "size": 500, + "totalResources": 0, + "totalPages": 0, + "cursor": null + }, + "links": [ + { + "href": "https://us.api.insight.rapid7.com:443/vm/v4/integration/vulnerabilities?page=1&size=500&sort=modified,asc&cursor=-2034101655:::_L:::1748390400000:::_S:::unix-world-writable-files", + "rel": "self" + } + ] + } + `}} - path: /vm/v4/integration/assets methods: ["POST"] responses: diff --git a/packages/rapid7_insightvm/changelog.yml b/packages/rapid7_insightvm/changelog.yml index 3b184554348..243f3fd966f 100644 --- a/packages/rapid7_insightvm/changelog.yml +++ b/packages/rapid7_insightvm/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.0.0" + changes: + - description: Add asset_vulnerability datastream support for Cloud Detection and Response (CDR) vulnerability workflow. + type: enhancement + link: https://github.com/elastic/integrations/pull/1 - version: "1.16.0" changes: - description: Update Kibana constraint to support 9.0.0. diff --git a/packages/rapid7_insightvm/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json b/packages/rapid7_insightvm/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json index 72495111434..d94cd892b88 100644 --- a/packages/rapid7_insightvm/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json +++ b/packages/rapid7_insightvm/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json @@ -177,4 +177,4 @@ }, null ] -} \ No newline at end of file +} diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log new file mode 100644 index 00000000000..aea9dcbd927 --- /dev/null +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log 
@@ -0,0 +1,7 @@ +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2025-05-14T13:52:10Z","key":"/root/infaagent/jdk/lib/jrt-fs.jar","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":null,"proof":"

Vulnerable OS: Ubuntu Linux 22.04

Vulnerable software installed: Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)

","protocol":null,"reintroduced":null,"solution_fix":"

\n Download and upgrade to the latest version of Azul Zulu from here.

","solution_id":"azul-zulu-upgrade-latest","solution_summary":"Upgrade Azul Zulu to the latest version","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"azul-zulu-cve-2025-21502","added":"2025-02-05T00:00:00Z","categories":"Azul Systems,Azul Zulu,Java,Web","cves":"CVE-2025-21502","cvss_v2_access_complexity":"high","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":4.927999973297119,"cvss_v2_impact_score":4.938243839970231,"cvss_v2_integrity_impact":"partial","cvss_v2_score":4,"cvss_v2_vector":"(AV:N/AC:H/Au:N/C:P/I:P/A:N)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"low","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":2.5140719999999996,"cvss_v3_integrity_impact":"low","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":4.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","denial_of_service":false,"description":"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).","exploits":[],"id":"azul-zulu-cve-2025-21502","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2025-21502","id":"CVE-2025-21502","source":"cve"},{"href":"https://www.azul.com/downloads/","id":"https://www.azul.com/downloads/","source":"url"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":4,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"2025-01-21T00:00:00Z","references":"cve:CVE-2025-21502,url:https://www.azul.com/downloads/","risk_score":321,"severity":"low","severity_score":4,"title":"Azul Zulu: CVE-2025-21502: Vulnerability in the Azul Zulu OpenJDK component"}} 
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2025-05-13T13:25:40Z","key":"","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":null,"proof":"

Grub config with no password found.

","protocol":null,"reintroduced":null,"solution_fix":"

Set a password in the GRUB configuration file. This\n is often located in one of several locations, but can really be\n anywhere:

\n          /etc/grub.conf\n          /boot/grub/grub.conf\n          /boot/grub/grub.cfg\n          /boot/grub/menu.lst\n        

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file\n and add the following line before the first uncommented line:

   password <password>

To set an encrypted password, run grub-md5-crypt and use its\n output when adding the following line before the first\n uncommented line:

   password --md5 <encryptedpassword>

For either approach, choose an appropriately strong password.

","solution_id":"linux-grub-missing-passwd","solution_summary":" Enable GRUB password ","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"linux-grub-missing-passwd","added":"2004-11-30T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,UNIX","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"local","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":3.948735978603363,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":4.6,"cvss_v2_vector":"(AV:L/AC:L/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":5.177088,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.7,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","denial_of_service":false,"description":"GRUB bootloader is not password protected. An attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command. 
It can also be exploited to boot into single user mode as root or boot into an insecure operating system.","exploits":[],"id":"linux-grub-missing-passwd","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":4.6,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"1999-01-01T00:00:00Z","references":"","risk_score":515,"severity":"critical","severity_score":5,"title":"No password for Grub"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vuln":{"check_id":null,"first_found":"2025-04-30T06:21:05Z","key":"","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":3389,"proof":"

The subject common name found in the X.509 certificate does not seem to match the scan target:

","protocol":"TCP","reintroduced":"2025-05-27T13:34:19Z","solution_fix":"

\n The subject's common name (CN) field in the X.509 certificate should be fixed\nto reflect the name of the entity presenting the certificate (e.g., the\nhostname). This is done by generating a new certificate usually signed by a\nCertification Authority (CA) trusted by both the client and server.\n

","solution_id":"certificate-common-name-mismatch","solution_summary":"Fix the subject's Common Name (CN) field in the certificate","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"certificate-common-name-mismatch","added":"2007-08-03T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,HTTP,Web","cves":"","cvss_v2_access_complexity":"high","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":4.927999973297119,"cvss_v2_impact_score":7.843935219030975,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.1,"cvss_v2_vector":"(AV:N/AC:H/Au:N/C:C/I:P/A:N)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":5.177088,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","denial_of_service":false,"description":"The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.\n\nBefore issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by \"https://www.example.com/\", the CN should be \"www.example.com\". \n\nIn order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then launch a man-in-the-middle attack and gain full control of the data stream. 
Of particular importance is the validity of the subject's CN, that should match the name of the entity (hostname).\n\nA CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.","exploits":[],"id":"certificate-common-name-mismatch","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.1,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2007-08-03T00:00:00Z","references":"","risk_score":495,"severity":"none","severity_score":6,"title":"X.509 Certificate Subject CN Does Not Match the Entity Name"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 
Agent"}],"vuln":{"check_id":"microsoft-windows-cve-2025-21204-windows_11-22h2-kb5055528","first_found":"2025-05-13T07:25:34Z","key":"","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows 11 22H2

","protocol":null,"reintroduced":null,"solution_fix":"

Download and apply the patch from: https://support.microsoft.com/help/5058405

","solution_id":"microsoft-windows-windows_11-22h2-kb5058405","solution_summary":"2025-05 Cumulative Update for Microsoft Windows 11, version 22H2 (KB5058405)","solution_type":"patch","status":"VULNERABLE_EXPL","vulnerability_id":"microsoft-windows-cve-2025-21204","added":"2025-04-08T00:00:00Z","categories":"Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation","cves":"CVE-2025-21204","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"local","cvss_v2_authentication":"single","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":3.141040013372898,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:L/AC:L/Au:S/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":1.8345765900000002,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"low","cvss_v3_scope":"unchanged","cvss_v3_score":7.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege 
Vulnerability","exploits":[],"id":"microsoft-windows-cve-2025-21204","links":[{"href":"https://support.microsoft.com/help/5055557","id":"https://support.microsoft.com/help/5055557","source":"url"},{"href":"https://support.microsoft.com/help/5055547","id":"https://support.microsoft.com/help/5055547","source":"url"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2025-21204","id":"CVE-2025-21204","source":"cve"},{"href":"https://support.microsoft.com/help/5055526","id":"https://support.microsoft.com/help/5055526","source":"url"},{"href":"https://support.microsoft.com/help/5055527","id":"https://support.microsoft.com/help/5055527","source":"url"},{"href":"https://support.microsoft.com/help/5055521","id":"https://support.microsoft.com/help/5055521","source":"url"},{"href":"https://support.microsoft.com/help/5055523","id":"https://support.microsoft.com/help/5055523","source":"url"},{"href":"https://support.microsoft.com/help/5055528","id":"https://support.microsoft.com/help/5055528","source":"url"},{"href":"https://support.microsoft.com/help/5055518","id":"https://support.microsoft.com/help/5055518","source":"url"},{"href":"https://support.microsoft.com/help/5055519","id":"https://support.microsoft.com/help/5055519","source":"url"},{"href":"https://support.microsoft.com/help/5055581","id":"https://support.microsoft.com/help/5055581","source":"url"}],"malware_kits":[],"modified":"2025-04-14T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2025-04-08T00:00:00Z","references":"cve:CVE-2025-21204,url:https://support.microsoft.com/help/5055518,url:https://support.microsoft.com/help/5055519,url:https://support.microsoft.com/help/5055521,url:https://support.microsoft.com/help/5055523,url:https://support.microsoft.com/help/5055526,url:https://support.microsoft.com/help/5055527,url:https://support.microsoft.com/help/5055528,url:https://support.microsoft.com/help/5055547,url:https://support.microsoft.com/hel
p/5055557,url:https://support.microsoft.com/help/5055581","risk_score":522,"severity":"informational","severity_score":7,"title":"Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vuln":{"check_id":"WINDOWS-HOTFIX-MS13-098-x64","first_found":"2025-05-13T07:25:34Z","key":"","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows 11 22H2

","protocol":null,"reintroduced":null,"solution_fix":"

Download and apply the patch from: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

","solution_id":"windows-hotfix-ms13-098","solution_summary":"Enable Certificate Padding Check for Windows Systems","solution_type":"patch","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms13-098","added":"2013-12-10T00:00:00Z","categories":"CISA KEV,Exploited in the Wild,Microsoft,Microsoft Patch,Microsoft Windows,Remote Execution","cves":"CVE-2013-3900","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"local","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":3.392575981616974,"cvss_v2_impact_score":6.870600273013115,"cvss_v2_integrity_impact":"complete","cvss_v2_score":4.7,"cvss_v2_vector":"(AV:L/AC:M/Au:N/C:N/I:C/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":1.8345765900000002,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":5.5,"cvss_v3_user_interaction":"required","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","denial_of_service":false,"description":"This vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. Note that this vulnerability was originally published by Microsoft as MS13-098, but has now been republished as CVE-2013-3900. 
Microsoft provides current information on the CVE-2013-3900 advisory.","exploits":[],"id":"windows-hotfix-ms13-098","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2013-3900","id":"CVE-2013-3900","source":"cve"},{"href":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900","id":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900","source":"url"}],"malware_kits":[],"modified":"2025-04-22T00:00:00Z","pci_cvss_score":4.7,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"2013-12-10T00:00:00Z","references":"cve:CVE-2013-3900,url:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900","risk_score":450,"severity":"severe","severity_score":5,"title":"CVE-2013-3900: MS13-098: Vulnerability in Windows Could Allow Remote Code Execution"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":3,"exploits":0,"host_name":"computer-test","id":"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6","ip":"10.50.5.112","last_assessed_for_vulnerabilities":"2025-05-27T18:21:36.279Z","last_scan_end":"2025-05-27T18:21:36.279Z","last_scan_start":"2025-05-27T18:20:41.505Z","mac":"00:00:5E:00:53:02","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Red Hat Enterprise Linux 7.9","os_family":"Linux","os_name":"Enterprise Linux","os_system_name":"Red Hat Linux","os_type":"","os_vendor":"Red Hat","os_version":"7.9","risk_score":18250,"severe_vulnerabilities":48,"tags":[{"name":"Ahmedabad","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":52,"type":"guest","unique_identifiers":[{"id":"CEF12345-ABCD-1234-ABCD-95ABCDEF1234","source":"dmidecode"},{"id":"e80644e940123456789abcdef66a8b16","source":"R7 
Agent"}],"vuln":{"check_id":null,"first_found":"2025-05-12T16:25:35Z","key":"","last_found":"2025-05-27T18:21:36.279Z","nic":null,"port":null,"proof":"

Following entries in /etc/securetty \n may allow anonymous root logins:

","protocol":null,"reintroduced":null,"solution_fix":"

Remove all the entries in /etc/securetty except console,\n tty[0-9]* and vc\\[0-9]*

Note: ssh does not use /etc/securetty. To disable root login\n through ssh, use the "PermitRootLogin" setting in /etc/ssh/sshd_config\n and restart the ssh daemon.

","solution_id":"unix-anonymous-root-logins","solution_summary":"Edit '/etc/securetty' entries","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"unix-anonymous-root-logins","added":"2004-11-30T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,UNIX","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"single","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":7.9520000338554375,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.5,"cvss_v2_vector":"(AV:N/AC:L/Au:S/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \"su\" to become root.","exploits":[],"id":"unix-anonymous-root-logins","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.5,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2004-11-30T00:00:00Z","references":"","risk_score":562,"severity":"severe","severity_score":7,"title":"Anonymous root login is allowed"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":3,"exploits":0,"host_name":"computer-test","id":"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6","ip":"10.50.5.112","last_assessed_for_vulnerabilities":"2025-05-27T18:21:36.279Z","last_scan_end":"2025-05-27T18:21:36.279Z","last_scan_start":"2025-05-27T18:20:41.505Z","mac":"00:00:5E:00:53:02","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Red Hat Enterprise Linux 7.9","os_family":"Linux","os_name":"Enterprise Linux","os_system_name":"Red Hat Linux","os_type":"","os_vendor":"Red Hat","os_version":"7.9","risk_score":18250,"severe_vulnerabilities":48,"tags":[{"name":"Ahmedabad","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":52,"type":"guest","unique_identifiers":[{"id":"CEF12345-ABCD-1234-ABCD-95ABCDEF1234","source":"dmidecode"},{"id":"e80644e940123456789abcdef66a8b16","source":"R7 Agent"}],"vuln":{"check_id":null,"first_found":"2025-05-14T13:52:10Z","key":"","last_found":"2025-05-27T18:21:36.279Z","nic":null,"port":null,"proof":"

The following world writable files were found.

","protocol":null,"reintroduced":null,"solution_fix":"

For each world-writable file, determine whether there is a good reason for\n it to be world writable. If not, remove world write permissions for the file.\n The output here is limited to 50 files. In order to find all of these files without needing to\n run another Nexpose scan run the following command:

 find / -type f -perm -02

Please note; it may be necessary exclude particular paths or file share types, run 'man find' for information.

","solution_id":"unix-world-writable-files","solution_summary":"Remove world write permissions","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"unix-world-writable-files","added":"2005-01-15T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,UNIX","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"local","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":3.948735978603363,"cvss_v2_impact_score":4.938243839970231,"cvss_v2_integrity_impact":"partial","cvss_v2_score":3.6,"cvss_v2_vector":"(AV:L/AC:L/Au:N/C:P/I:P/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"low","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":1.4123999999999999,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","denial_of_service":false,"description":"World writable files were found on the system. A file that can be written by any user on the system could be a serious security flaw.","exploits":[],"id":"unix-world-writable-files","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":3.6,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"","pci_status":"pass","published":"2005-01-15T00:00:00Z","references":"","risk_score":268,"severity":"severe","severity_score":4,"title":"World writable files exist"}} diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json new file mode 100644 index 00000000000..620fc66f9c2 --- /dev/null 
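Review bot: The `proof` and `solution_fix` string values in every record of this fixture appear with raw line breaks (for example the first record's `"proof":"` … `Vulnerable OS: Ubuntu Linux 22.04` … ), while other parts of the same strings still carry escaped `\n` sequences; if that is the committed content rather than an artifact of how the page was rendered, the file is not one-record-per-line NDJSON and the pipeline test runner will split a single event mid-string and fail to parse it, so every control character and embedded HTML line break in these scanner-supplied fields should be escaped (`\n`) inside the JSON string. Separately, the `severity` values in the records are `"low"`, `"critical"`, `"none"`, `"informational"` and `"severe"` alongside `severity_score` values of 4, 5, 6, 7 and 4 — this looks like a deliberate spread to exercise the pipeline's severity mapping, but since a `.log` fixture cannot carry a comment, it would help to state that intent in the data stream's test config or the PR description so a later maintainer does not "correct" the fixture back to the scanner's real Critical/Severe/Moderate vocabulary and silently drop coverage of the other branches. Identifiers, IPs (10.x) and MACs (00:00:5E:00:53:xx) are already anonymized, which is the right call for a committed sample.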
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json
@@ -0,0 +1,1435 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2025-05-27T19:54:43.777Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "category": [
+ "vulnerability"
+ ],
+ "created": "2025-05-14T13:52:10.000Z",
+ "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|azul-zulu-cve-2025-21502|2025-05-27T19:54:43.777Z",
+ "kind": "event",
+ "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2025-05-14T13:52:10Z\",\"key\":\"/root/infaagent/jdk/lib/jrt-fs.jar\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Ubuntu Linux 22.04

Vulnerable software installed: Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

\\n Download and upgrade to the latest version of Azul Zulu from here.

\",\"solution_id\":\"azul-zulu-upgrade-latest\",\"solution_summary\":\"Upgrade Azul Zulu to the latest version\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"azul-zulu-cve-2025-21502\",\"added\":\"2025-02-05T00:00:00Z\",\"categories\":\"Azul Systems,Azul Zulu,Java,Web\",\"cves\":\"CVE-2025-21502\",\"cvss_v2_access_complexity\":\"high\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":4.927999973297119,\"cvss_v2_impact_score\":4.938243839970231,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":4,\"cvss_v2_vector\":\"(AV:N/AC:H/Au:N/C:P/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"high\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"low\",\"cvss_v3_exploit_score\":2.2211673,\"cvss_v3_impact_score\":2.5140719999999996,\"cvss_v3_integrity_impact\":\"low\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":4.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"denial_of_service\":false,\"description\":\"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).\",\"exploits\":[],\"id\":\"azul-zulu-cve-2025-21502\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2025-21502\",\"id\":\"CVE-2025-21502\",\"source\":\"cve\"},{\"href\":\"https://www.azul.com/downloads/\",\"id\":\"https://www.azul.com/downloads/\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":4,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2025-01-21T00:00:00Z\",\"references\":\"cve:CVE-2025-21502,url:https://www.azul.com/downloads/\",\"risk_score\":321,\"severity\":\"low\",\"severity_score\":4,\"title\":\"Azul Zulu: CVE-2025-21502: Vulnerability in the Azul Zulu OpenJDK component\"}}", + "severity": 4, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": 
"linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vuln": { + "added": "2025-02-05T00:00:00.000Z", + "categories": [ + "Azul Systems", + "Azul Zulu", + "Java", + "Web" + ], + "cves": [ + "CVE-2025-21502" + ], + "cvss_v2": { + "access_complexity": "high", + "access_vector": "network", + "authentication": "none", + "availability_impact": "none", + "confidentiality_impact": "partial", + "exploit_score": 4.927999973297119, + "impact_score": 4.938243839970231, + "integrity_impact": "partial", + "score": 4.0, + "vector": "(AV:N/AC:H/Au:N/C:P/I:P/A:N)" + }, + "cvss_v3": { + "attack_complexity": "high", + "attack_vector": "network", + "availability_impact": "none", + "confidentiality_impact": "low", + "exploit_score": 2.2211673, + "impact_score": 
2.5140719999999996, + "integrity_impact": "low", + "privileges_required": "none", + "scope": "unchanged", + "score": 4.8, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" + }, + "denial_of_service": false, + "description": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).", + "first_found": "2025-05-14T13:52:10.000Z", + "id": "azul-zulu-cve-2025-21502", + "key": "/root/infaagent/jdk/lib/jrt-fs.jar", + "last_found": "2025-05-27T19:54:43.777Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2025-21502", + "id": "CVE-2025-21502", + "source": "cve" + }, + { + "href": "https://www.azul.com/downloads/", + "id": "https://www.azul.com/downloads/", + "source": "url" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 4.0, + "fail": true, + "severity_score": 3, + "status": "fail" + }, + "proof": "

Vulnerable OS: Ubuntu Linux 22.04

Vulnerable software installed: Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)

", + "published": "2025-01-21T00:00:00.000Z", + "references": "cve:CVE-2025-21502,url:https://www.azul.com/downloads/", + "risk_score": 321.0, + "severity": "low", + "severity_score": 4, + "solution": { + "fix": "

\n Download and upgrade to the latest version of Azul Zulu from here.

", + "id": "azul-zulu-upgrade-latest", + "summary": "Upgrade Azul Zulu to the latest version", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "Azul Zulu: CVE-2025-21502: Vulnerability in the Azul Zulu OpenJDK component" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "Azul Systems", + "Azul Zulu", + "Java", + "Web" + ], + "classification": "CVSS", + "description": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. 
This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).", + "enumeration": "CVE", + "id": [ + "CVE-2025-21502" + ], + "published_date": "2025-01-21T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2025-21502", + "https://www.azul.com/downloads/" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 4.8, + "version": "3.0" + }, + "severity": "Low", + "title": "Vulnerability in the Azul Zulu OpenJDK component" + } + }, + { + "@timestamp": "2025-05-27T19:54:43.777Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-05-13T13:25:40.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|linux-grub-missing-passwd|2025-05-27T19:54:43.777Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight 
agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2025-05-13T13:25:40Z\",\"key\":\"\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":null,\"proof\":\"

Grub config with no password found.

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Set a password in the GRUB configuration file. This\\n is often located in one of several locations, but can really be\\n anywhere:

\\n          /etc/grub.conf\\n          /boot/grub/grub.conf\\n          /boot/grub/grub.cfg\\n          /boot/grub/menu.lst\\n        

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file\\n and add the following line before the first uncommented line:

   password <password>

To set an encrypted password, run grub-md5-crypt and use its\\n output when adding the following line before the first\\n uncommented line:

   password --md5 <encryptedpassword>

For either approach, choose an appropriately strong password.

\",\"solution_id\":\"linux-grub-missing-passwd\",\"solution_summary\":\" Enable GRUB password \",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"linux-grub-missing-passwd\",\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,UNIX\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"local\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":3.948735978603363,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":4.6,\"cvss_v2_vector\":\"(AV:L/AC:L/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.177088,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.7,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"denial_of_service\":false,\"description\":\"GRUB bootloader is not password protected. An attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command. 
It can also be exploited to boot into single user mode as root or boot into an insecure operating system.\",\"exploits\":[],\"id\":\"linux-grub-missing-passwd\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":4.6,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"1999-01-01T00:00:00Z\",\"references\":\"\",\"risk_score\":515,\"severity\":\"critical\",\"severity_score\":5,\"title\":\"No password for Grub\"}}", + "severity": 5, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": 
"B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vuln": { + "added": "2004-11-30T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "UNIX" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "local", + "authentication": "none", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 3.948735978603363, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 4.6, + "vector": "(AV:L/AC:L/Au:N/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "local", + "availability_impact": "none", + "confidentiality_impact": "high", + "exploit_score": 2.515145325, + "impact_score": 5.177088, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 7.7, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" + }, + "denial_of_service": false, + "description": "GRUB bootloader is not password protected. An attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command. It can also be exploited to boot into single user mode as root or boot into an insecure operating system.", + "first_found": "2025-05-13T13:25:40.000Z", + "id": "linux-grub-missing-passwd", + "last_found": "2025-05-27T19:54:43.777Z", + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 4.6, + "fail": true, + "severity_score": 3, + "status": "fail" + }, + "proof": "

Grub config with no password found.

", + "published": "1999-01-01T00:00:00.000Z", + "risk_score": 515.0, + "severity": "critical", + "severity_score": 5, + "solution": { + "fix": "

Set a password in the GRUB configuration file. This\n is often located in one of several locations, but can really be\n anywhere:

\n          /etc/grub.conf\n          /boot/grub/grub.conf\n          /boot/grub/grub.cfg\n          /boot/grub/menu.lst\n        

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file\n and add the following line before the first uncommented line:

   password <password>

To set an encrypted password, run grub-md5-crypt and use its\n output when adding the following line before the first\n uncommented line:

   password --md5 <encryptedpassword>

For either approach, choose an appropriately strong password.

", + "id": "linux-grub-missing-passwd", + "summary": " Enable GRUB password ", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", + "title": "No password for Grub" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "UNIX" + ], + "classification": "CVSS", + "description": "GRUB bootloader is not password protected. An attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command. It can also be exploited to boot into single user mode as root or boot into an insecure operating system.", + "enumeration": "CVE", + "published_date": "1999-01-01T00:00:00.000Z", + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 7.7, + "version": "3.0" + }, + "severity": "Critical", + "title": "No password for Grub" + } + }, + { + "@timestamp": "2025-05-27T19:54:43.777Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-04-30T06:21:05.000Z", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|certificate-common-name-mismatch|2025-05-27T19:54:43.777Z", + "kind": "event", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2025-04-30T06:21:05Z\",\"key\":\"\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":3389,\"proof\":\"

The subject common name found in the X.509 certificate does not seem to match the scan target:

\",\"protocol\":\"TCP\",\"reintroduced\":\"2025-05-27T13:34:19Z\",\"solution_fix\":\"

\\n The subject's common name (CN) field in the X.509 certificate should be fixed\\nto reflect the name of the entity presenting the certificate (e.g., the\\nhostname). This is done by generating a new certificate usually signed by a\\nCertification Authority (CA) trusted by both the client and server.\\n

\",\"solution_id\":\"certificate-common-name-mismatch\",\"solution_summary\":\"Fix the subject's Common Name (CN) field in the certificate\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"certificate-common-name-mismatch\",\"added\":\"2007-08-03T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,HTTP,Web\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"high\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":4.927999973297119,\"cvss_v2_impact_score\":7.843935219030975,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.1,\"cvss_v2_vector\":\"(AV:N/AC:H/Au:N/C:C/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"high\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.2211673,\"cvss_v3_impact_score\":5.177088,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"denial_of_service\":false,\"description\":\"The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.\\n\\nBefore issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by \\\"https://www.example.com/\\\", the CN should be \\\"www.example.com\\\". 
\\n\\nIn order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then launch a man-in-the-middle attack and gain full control of the data stream. Of particular importance is the validity of the subject's CN, that should match the name of the entity (hostname).\\n\\nA CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.\",\"exploits\":[],\"id\":\"certificate-common-name-mismatch\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":6.1,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2007-08-03T00:00:00Z\",\"references\":\"\",\"risk_score\":495,\"severity\":\"none\",\"severity_score\":6,\"title\":\"X.509 Certificate Subject CN Does Not Match the Entity Name\"}}", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": [ + "10.50.13.52" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "Win11-50-13-52", + "os": { + "family": "Windows", + "full": "Microsoft Windows 11 22H2", + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "22H2" + }, + "risk": { + "static_score": 181622.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 119, + "exploits": 4, + "host_name": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": "10.50.13.52", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": 
"00-00-5E-00-53-00", + "malware_kits": 0, + "moderate_vulnerabilities": 8, + "os": { + "architecture": "x86_64", + "description": "Microsoft Windows 11 22H2", + "family": "Windows", + "name": "Windows 11", + "system_name": "Microsoft Windows", + "type": "Workstation", + "vendor": "Microsoft", + "version": "22H2" + }, + "risk_score": 181622.0, + "severe_vulnerabilities": 241, + "total_vulnerabilities": 368, + "type": "guest", + "unique_identifiers": [ + { + "id": "F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050", + "source": "CSPRODUCT" + }, + { + "id": "c5cf46abcdef0123456789291c7d554a", + "source": "R7 Agent" + } + ], + "vuln": { + "added": "2007-08-03T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "HTTP", + "Web" + ], + "cvss_v2": { + "access_complexity": "high", + "access_vector": "network", + "authentication": "none", + "availability_impact": "none", + "confidentiality_impact": "complete", + "exploit_score": 4.927999973297119, + "impact_score": 7.843935219030975, + "integrity_impact": "partial", + "score": 6.1, + "vector": "(AV:N/AC:H/Au:N/C:C/I:P/A:N)" + }, + "cvss_v3": { + "attack_complexity": "high", + "attack_vector": "network", + "availability_impact": "none", + "confidentiality_impact": "high", + "exploit_score": 2.2211673, + "impact_score": 5.177088, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 7.4, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" + }, + "denial_of_service": false, + "description": "The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.\n\nBefore issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification Practice Statement (CPS). 
Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by \"https://www.example.com/\", the CN should be \"www.example.com\". \n\nIn order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then launch a man-in-the-middle attack and gain full control of the data stream. Of particular importance is the validity of the subject's CN, that should match the name of the entity (hostname).\n\nA CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.", + "first_found": "2025-04-30T06:21:05.000Z", + "id": "certificate-common-name-mismatch", + "last_found": "2025-05-27T19:54:43.777Z", + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 6.1, + "fail": true, + "severity_score": 4, + "status": "fail" + }, + "port": 3389, + "proof": "

The subject common name found in the X.509 certificate does not seem to match the scan target:

", + "protocol": "TCP", + "published": "2007-08-03T00:00:00.000Z", + "risk_score": 495.0, + "severity": "none", + "severity_score": 6, + "solution": { + "fix": "

\n The subject's common name (CN) field in the X.509 certificate should be fixed\nto reflect the name of the entity presenting the certificate (e.g., the\nhostname). This is done by generating a new certificate usually signed by a\nCertification Authority (CA) trusted by both the client and server.\n

", + "id": "certificate-common-name-mismatch", + "summary": "Fix the subject's Common Name (CN) field in the certificate", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", + "title": "X.509 Certificate Subject CN Does Not Match the Entity Name" + } + } + }, + "related": { + "hosts": [ + "Win11-50-13-52", + "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1" + ], + "ip": [ + "10.50.13.52" + ] + }, + "resource": { + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "name": "Win11-50-13-52" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "HTTP", + "Web" + ], + "classification": "CVSS", + "description": "The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.\n\nBefore issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by \"https://www.example.com/\", the CN should be \"www.example.com\". \n\nIn order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then launch a man-in-the-middle attack and gain full control of the data stream. 
Of particular importance is the validity of the subject's CN, that should match the name of the entity (hostname).\n\nA CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.", + "enumeration": "CVE", + "published_date": "2007-08-03T00:00:00.000Z", + "scanner": { + "name": "c5cf46abcdef0123456789291c7d554a", + "vendor": "Rapid7" + }, + "score": { + "base": 7.4, + "version": "3.0" + }, + "severity": "None", + "title": "X.509 Certificate Subject CN Does Not Match the Entity Name" + } + }, + { + "@timestamp": "2025-05-27T19:54:43.777Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-05-13T07:25:34.000Z", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|microsoft-windows-cve-2025-21204|2025-05-27T19:54:43.777Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight 
agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":\"microsoft-windows-cve-2025-21204-windows_11-22h2-kb5055528\",\"first_found\":\"2025-05-13T07:25:34Z\",\"key\":\"\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows 11 22H2

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Download and apply the patch from: https://support.microsoft.com/help/5058405

\",\"solution_id\":\"microsoft-windows-windows_11-22h2-kb5058405\",\"solution_summary\":\"2025-05 Cumulative Update for Microsoft Windows 11, version 22H2 (KB5058405)\",\"solution_type\":\"patch\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"microsoft-windows-cve-2025-21204\",\"added\":\"2025-04-08T00:00:00Z\",\"categories\":\"Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation\",\"cves\":\"CVE-2025-21204\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"local\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":3.141040013372898,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":6.8,\"cvss_v2_vector\":\"(AV:L/AC:L/Au:S/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":1.8345765900000002,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"low\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege 
Vulnerability\",\"exploits\":[],\"id\":\"microsoft-windows-cve-2025-21204\",\"links\":[{\"href\":\"https://support.microsoft.com/help/5055557\",\"id\":\"https://support.microsoft.com/help/5055557\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055547\",\"id\":\"https://support.microsoft.com/help/5055547\",\"source\":\"url\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2025-21204\",\"id\":\"CVE-2025-21204\",\"source\":\"cve\"},{\"href\":\"https://support.microsoft.com/help/5055526\",\"id\":\"https://support.microsoft.com/help/5055526\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055527\",\"id\":\"https://support.microsoft.com/help/5055527\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055521\",\"id\":\"https://support.microsoft.com/help/5055521\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055523\",\"id\":\"https://support.microsoft.com/help/5055523\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055528\",\"id\":\"https://support.microsoft.com/help/5055528\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055518\",\"id\":\"https://support.microsoft.com/help/5055518\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055519\",\"id\":\"https://support.microsoft.com/help/5055519\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055581\",\"id\":\"https://support.microsoft.com/help/5055581\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-04-14T00:00:00Z\",\"pci_cvss_score\":6.8,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2025-04-08T00:00:00Z\",\"references\":\"cve:CVE-2025-21204,url:https://support.microsoft.com/help/5055518,url:https://support.microsoft.com/help/5055519,url:https://support.microsoft.com/help/5055521,url:https://support.microsoft.com/help/5055523,url:https://support.microsoft.com/help/5055526,url:https:
//support.microsoft.com/help/5055527,url:https://support.microsoft.com/help/5055528,url:https://support.microsoft.com/help/5055547,url:https://support.microsoft.com/help/5055557,url:https://support.microsoft.com/help/5055581\",\"risk_score\":522,\"severity\":\"informational\",\"severity_score\":7,\"title\":\"Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability\"}}", + "severity": 7, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": [ + "10.50.13.52" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "Win11-50-13-52", + "os": { + "family": "Windows", + "full": "Microsoft Windows 11 22H2", + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "22H2" + }, + "risk": { + "static_score": 181622.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 119, + "exploits": 4, + "host_name": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": "10.50.13.52", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-00", + "malware_kits": 0, + "moderate_vulnerabilities": 8, + "os": { + "architecture": "x86_64", + "description": "Microsoft Windows 11 22H2", + "family": "Windows", + "name": "Windows 11", + "system_name": "Microsoft Windows", + "type": "Workstation", + "vendor": "Microsoft", + "version": "22H2" + }, + "risk_score": 181622.0, + "severe_vulnerabilities": 241, + "total_vulnerabilities": 368, + "type": "guest", + "unique_identifiers": [ + { + "id": "F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050", + "source": 
"CSPRODUCT" + }, + { + "id": "c5cf46abcdef0123456789291c7d554a", + "source": "R7 Agent" + } + ], + "vuln": { + "added": "2025-04-08T00:00:00.000Z", + "categories": [ + "Microsoft", + "Microsoft Patch", + "Microsoft Windows", + "Privilege Escalation" + ], + "check_id": "microsoft-windows-cve-2025-21204-windows_11-22h2-kb5055528", + "cves": [ + "CVE-2025-21204" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "local", + "authentication": "single", + "availability_impact": "complete", + "confidentiality_impact": "complete", + "exploit_score": 3.141040013372898, + "impact_score": 10.000845454680942, + "integrity_impact": "complete", + "score": 6.8, + "vector": "(AV:L/AC:L/Au:S/C:C/I:C/A:C)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "local", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 1.8345765900000002, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "low", + "scope": "unchanged", + "score": 7.8, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability", + "first_found": "2025-05-13T07:25:34.000Z", + "id": "microsoft-windows-cve-2025-21204", + "last_found": "2025-05-27T19:54:43.777Z", + "links": [ + { + "href": "https://support.microsoft.com/help/5055557", + "id": "https://support.microsoft.com/help/5055557", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055547", + "id": "https://support.microsoft.com/help/5055547", + "source": "url" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2025-21204", + "id": "CVE-2025-21204", + "source": "cve" + }, + { + "href": "https://support.microsoft.com/help/5055526", + "id": "https://support.microsoft.com/help/5055526", + "source": "url" + }, + { + "href": 
"https://support.microsoft.com/help/5055527", + "id": "https://support.microsoft.com/help/5055527", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055521", + "id": "https://support.microsoft.com/help/5055521", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055523", + "id": "https://support.microsoft.com/help/5055523", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055528", + "id": "https://support.microsoft.com/help/5055528", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055518", + "id": "https://support.microsoft.com/help/5055518", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055519", + "id": "https://support.microsoft.com/help/5055519", + "source": "url" + }, + { + "href": "https://support.microsoft.com/help/5055581", + "id": "https://support.microsoft.com/help/5055581", + "source": "url" + } + ], + "modified": "2025-04-14T00:00:00.000Z", + "pci": { + "cvss_score": 6.8, + "fail": true, + "severity_score": 4, + "status": "fail" + }, + "proof": "

Vulnerable OS: Microsoft Windows 11 22H2

", + "published": "2025-04-08T00:00:00.000Z", + "references": "cve:CVE-2025-21204,url:https://support.microsoft.com/help/5055518,url:https://support.microsoft.com/help/5055519,url:https://support.microsoft.com/help/5055521,url:https://support.microsoft.com/help/5055523,url:https://support.microsoft.com/help/5055526,url:https://support.microsoft.com/help/5055527,url:https://support.microsoft.com/help/5055528,url:https://support.microsoft.com/help/5055547,url:https://support.microsoft.com/help/5055557,url:https://support.microsoft.com/help/5055581", + "risk_score": 522.0, + "severity": "informational", + "severity_score": 7, + "solution": { + "fix": "

Download and apply the patch from: https://support.microsoft.com/help/5058405

", + "id": "microsoft-windows-windows_11-22h2-kb5058405", + "summary": "2025-05 Cumulative Update for Microsoft Windows 11, version 22H2 (KB5058405)", + "type": "patch" + }, + "status": "VULNERABLE_EXPL", + "title": "Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability" + } + } + }, + "related": { + "hosts": [ + "Win11-50-13-52", + "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1" + ], + "ip": [ + "10.50.13.52" + ] + }, + "resource": { + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "name": "Win11-50-13-52" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "Microsoft", + "Microsoft Patch", + "Microsoft Windows", + "Privilege Escalation" + ], + "classification": "CVSS", + "description": "Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability", + "enumeration": "CVE", + "id": [ + "CVE-2025-21204" + ], + "published_date": "2025-04-08T00:00:00.000Z", + "reference": [ + "https://support.microsoft.com/help/5055557", + "https://support.microsoft.com/help/5055547", + "http://nvd.nist.gov/vuln/detail/CVE-2025-21204", + "https://support.microsoft.com/help/5055526", + "https://support.microsoft.com/help/5055527", + "https://support.microsoft.com/help/5055521", + "https://support.microsoft.com/help/5055523", + "https://support.microsoft.com/help/5055528", + "https://support.microsoft.com/help/5055518", + "https://support.microsoft.com/help/5055519", + "https://support.microsoft.com/help/5055581" + ], + "scanner": { + "name": "c5cf46abcdef0123456789291c7d554a", + "vendor": "Rapid7" + }, + "score": { + "base": 7.8, + "version": "3.0" + }, + "severity": "Low", + "title": "Windows Process Activation Elevation of Privilege Vulnerability" + } + }, + { + "@timestamp": "2025-05-27T19:54:43.777Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": 
"2025-05-13T07:25:34.000Z", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|windows-hotfix-ms13-098|2025-05-27T19:54:43.777Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":\"WINDOWS-HOTFIX-MS13-098-x64\",\"first_found\":\"2025-05-13T07:25:34Z\",\"key\":\"\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows 11 22H2

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Download and apply the patch from: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

\",\"solution_id\":\"windows-hotfix-ms13-098\",\"solution_summary\":\"Enable Certificate Padding Check for Windows Systems\",\"solution_type\":\"patch\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms13-098\",\"added\":\"2013-12-10T00:00:00Z\",\"categories\":\"CISA KEV,Exploited in the Wild,Microsoft,Microsoft Patch,Microsoft Windows,Remote Execution\",\"cves\":\"CVE-2013-3900\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"local\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":3.392575981616974,\"cvss_v2_impact_score\":6.870600273013115,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":4.7,\"cvss_v2_vector\":\"(AV:L/AC:M/Au:N/C:N/I:C/A:N)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":1.8345765900000002,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":5.5,\"cvss_v3_user_interaction\":\"required\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"denial_of_service\":false,\"description\":\"This vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. Note that this vulnerability was originally published by Microsoft as MS13-098, but has now been republished as CVE-2013-3900. 
Microsoft provides current information on the CVE-2013-3900 advisory.\",\"exploits\":[],\"id\":\"windows-hotfix-ms13-098\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2013-3900\",\"id\":\"CVE-2013-3900\",\"source\":\"cve\"},{\"href\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900\",\"id\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-04-22T00:00:00Z\",\"pci_cvss_score\":4.7,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2013-12-10T00:00:00Z\",\"references\":\"cve:CVE-2013-3900,url:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900\",\"risk_score\":450,\"severity\":\"severe\",\"severity_score\":5,\"title\":\"CVE-2013-3900: MS13-098: Vulnerability in Windows Could Allow Remote Code Execution\"}}", + "severity": 5, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": [ + "10.50.13.52" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "Win11-50-13-52", + "os": { + "family": "Windows", + "full": "Microsoft Windows 11 22H2", + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "22H2" + }, + "risk": { + "static_score": 181622.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 119, + "exploits": 4, + "host_name": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": "10.50.13.52", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-00", + 
"malware_kits": 0, + "moderate_vulnerabilities": 8, + "os": { + "architecture": "x86_64", + "description": "Microsoft Windows 11 22H2", + "family": "Windows", + "name": "Windows 11", + "system_name": "Microsoft Windows", + "type": "Workstation", + "vendor": "Microsoft", + "version": "22H2" + }, + "risk_score": 181622.0, + "severe_vulnerabilities": 241, + "total_vulnerabilities": 368, + "type": "guest", + "unique_identifiers": [ + { + "id": "F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050", + "source": "CSPRODUCT" + }, + { + "id": "c5cf46abcdef0123456789291c7d554a", + "source": "R7 Agent" + } + ], + "vuln": { + "added": "2013-12-10T00:00:00.000Z", + "categories": [ + "CISA KEV", + "Exploited in the Wild", + "Microsoft", + "Microsoft Patch", + "Microsoft Windows", + "Remote Execution" + ], + "check_id": "WINDOWS-HOTFIX-MS13-098-x64", + "cves": [ + "CVE-2013-3900" + ], + "cvss_v2": { + "access_complexity": "medium", + "access_vector": "local", + "authentication": "none", + "availability_impact": "none", + "confidentiality_impact": "none", + "exploit_score": 3.392575981616974, + "impact_score": 6.870600273013115, + "integrity_impact": "complete", + "score": 4.7, + "vector": "(AV:L/AC:M/Au:N/C:N/I:C/A:N)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "local", + "availability_impact": "none", + "confidentiality_impact": "none", + "exploit_score": 1.8345765900000002, + "impact_score": 3.5952, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 5.5, + "user_interaction": "required", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + }, + "denial_of_service": false, + "description": "This vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. Note that this vulnerability was originally published by Microsoft as MS13-098, but has now been republished as CVE-2013-3900. 
Microsoft provides current information on the CVE-2013-3900 advisory.", + "first_found": "2025-05-13T07:25:34.000Z", + "id": "windows-hotfix-ms13-098", + "last_found": "2025-05-27T19:54:43.777Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2013-3900", + "id": "CVE-2013-3900", + "source": "cve" + }, + { + "href": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900", + "id": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900", + "source": "url" + } + ], + "modified": "2025-04-22T00:00:00.000Z", + "pci": { + "cvss_score": 4.7, + "fail": true, + "severity_score": 3, + "status": "fail" + }, + "proof": "

Vulnerable OS: Microsoft Windows 11 22H2

", + "published": "2013-12-10T00:00:00.000Z", + "references": "cve:CVE-2013-3900,url:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900", + "risk_score": 450.0, + "severity": "severe", + "severity_score": 5, + "solution": { + "fix": "

Download and apply the patch from: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

", + "id": "windows-hotfix-ms13-098", + "summary": "Enable Certificate Padding Check for Windows Systems", + "type": "patch" + }, + "status": "VULNERABLE_EXPL", + "title": "CVE-2013-3900: MS13-098: Vulnerability in Windows Could Allow Remote Code Execution" + } + } + }, + "related": { + "hosts": [ + "Win11-50-13-52", + "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1" + ], + "ip": [ + "10.50.13.52" + ] + }, + "resource": { + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "name": "Win11-50-13-52" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CISA KEV", + "Exploited in the Wild", + "Microsoft", + "Microsoft Patch", + "Microsoft Windows", + "Remote Execution" + ], + "classification": "CVSS", + "description": "This vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. Note that this vulnerability was originally published by Microsoft as MS13-098, but has now been republished as CVE-2013-3900. 
Microsoft provides current information on the CVE-2013-3900 advisory.", + "enumeration": "CVE", + "id": [ + "CVE-2013-3900" + ], + "published_date": "2013-12-10T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2013-3900", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900" + ], + "scanner": { + "name": "c5cf46abcdef0123456789291c7d554a", + "vendor": "Rapid7" + }, + "score": { + "base": 5.5, + "version": "3.0" + }, + "severity": "High", + "title": "MS13-098: Vulnerability in Windows Could Allow Remote Code Execution" + } + }, + { + "@timestamp": "2025-05-27T18:21:36.279Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2025-05-12T16:25:35.000Z", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6|unix-anonymous-root-logins|2025-05-27T18:21:36.279Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight 
agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2025-05-12T16:25:35Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"

Following entries in /etc/securetty \\n may allow anonymous root logins:

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Remove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]*

Note: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the "PermitRootLogin" setting in /etc/ssh/sshd_config\\n and restart the ssh daemon.

\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-anonymous-root-logins\",\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,UNIX\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":7.9520000338554375,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:S/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \\\"su\\\" to become root.\",\"exploits\":[],\"id\":\"unix-anonymous-root-logins\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":6.5,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2004-11-30T00:00:00Z\",\"references\":\"\",\"risk_score\":562,\"severity\":\"severe\",\"severity_score\":7,\"title\":\"Anonymous root login is allowed\"}}", + "severity": 7, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "computer-test", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "ip": [ + "10.50.5.112" + ], + "mac": [ + "00-00-5E-00-53-02" + ], + "name": "computer-test", + "os": { + "family": "Linux", + "full": "Red Hat Enterprise Linux 7.9", + "name": "Enterprise Linux", + "platform": "linux", + "type": "linux", + "version": "7.9" + }, + "risk": { + "static_score": 18250.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 3, + "exploits": 0, + "host_name": "computer-test", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "ip": "10.50.5.112", + "last_assessed_for_vulnerabilities": "2025-05-27T18:21:36.279Z", + "last_scan_end": "2025-05-27T18:21:36.279Z", + "last_scan_start": "2025-05-27T18:20:41.505Z", + "mac": "00-00-5E-00-53-02", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Red Hat Enterprise Linux 7.9", + "family": "Linux", + "name": "Enterprise Linux", + "system_name": "Red Hat Linux", + "vendor": "Red Hat", + "version": "7.9" + }, + "risk_score": 18250.0, + "severe_vulnerabilities": 48, + "total_vulnerabilities": 52, + "type": "guest", + "unique_identifiers": [ + { + 
"id": "CEF12345-ABCD-1234-ABCD-95ABCDEF1234", + "source": "dmidecode" + }, + { + "id": "e80644e940123456789abcdef66a8b16", + "source": "R7 Agent" + } + ], + "vuln": { + "added": "2004-11-30T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "UNIX" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "single", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 7.9520000338554375, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 6.5, + "vector": "(AV:N/AC:L/Au:S/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "local", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 2.515145325, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 8.4, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. On other tty or vc's root user will not be allowed and user has to \"su\" to become root.", + "first_found": "2025-05-12T16:25:35.000Z", + "id": "unix-anonymous-root-logins", + "last_found": "2025-05-27T18:21:36.279Z", + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 6.5, + "fail": true, + "severity_score": 4, + "status": "fail" + }, + "proof": "

Following entries in /etc/securetty \n may allow anonymous root logins:

",
+ "published": "2004-11-30T00:00:00.000Z",
+ "risk_score": 562.0,
+ "severity": "severe",
+ "severity_score": 7,
+ "solution": {
+ "fix": "

Remove all the entries in /etc/securetty except console,\n tty[0-9]* and vc\\[0-9]*

Note: ssh does not use /etc/securetty. To disable root login\n through ssh, use the "PermitRootLogin" setting in /etc/ssh/sshd_config\n and restart the ssh daemon.

",
+ "id": "unix-anonymous-root-logins",
+ "summary": "Edit '/etc/securetty' entries",
+ "type": "workaround"
+ },
+ "status": "VULNERABLE_EXPL",
+ "title": "Anonymous root login is allowed"
+ }
+ }
+ },
+ "related": {
+ "hosts": [
+ "computer-test",
+ "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6"
+ ],
+ "ip": [
+ "10.50.5.112"
+ ]
+ },
+ "resource": {
+ "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6",
+ "name": "computer-test"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "vulnerability": {
+ "category": [
+ "CVSS Score Predicted with Rapid7 AI",
+ "UNIX"
+ ],
+ "classification": "CVSS",
+ "description": "Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. On other tty or vc's root user will not be allowed and user has to \"su\" to become root.",
+ "enumeration": "CVE",
+ "published_date": "2004-11-30T00:00:00.000Z",
+ "scanner": {
+ "name": "e80644e940123456789abcdef66a8b16",
+ "vendor": "Rapid7"
+ },
+ "score": {
+ "base": 8.4,
+ "version": "3.0"
+ },
+ "severity": "High",
+ "title": "Anonymous root login is allowed"
+ }
+ },
+ {
+ "@timestamp": "2025-05-27T18:21:36.279Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "category": [
+ "vulnerability"
+ ],
+ "created": "2025-05-14T13:52:10.000Z",
+ "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6|unix-world-writable-files|2025-05-27T18:21:36.279Z",
+ "kind": "event",
+ "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2025-05-14T13:52:10Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"

The following world writable files were found.

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

For each world-writable file, determine whether there is a good reason for\\n it to be world writable. If not, remove world write permissions for the file.\\n The output here is limited to 50 files. In order to find all of these files without needing to\\n run another Nexpose scan run the following command:

 find / -type f -perm -02

Please note; it may be necessary exclude particular paths or file share types, run 'man find' for information.

\",\"solution_id\":\"unix-world-writable-files\",\"solution_summary\":\"Remove world write permissions\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-world-writable-files\",\"added\":\"2005-01-15T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,UNIX\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"local\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":3.948735978603363,\"cvss_v2_impact_score\":4.938243839970231,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":3.6,\"cvss_v2_vector\":\"(AV:L/AC:L/Au:N/C:P/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"low\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":1.4123999999999999,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"denial_of_service\":false,\"description\":\"World writable files were found on the system. 
A file that can be written by any user on the system could be a serious security flaw.\",\"exploits\":[],\"id\":\"unix-world-writable-files\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":3.6,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"\",\"pci_status\":\"pass\",\"published\":\"2005-01-15T00:00:00Z\",\"references\":\"\",\"risk_score\":268,\"severity\":\"severe\",\"severity_score\":4,\"title\":\"World writable files exist\"}}",
+ "severity": 4,
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "computer-test",
+ "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6",
+ "ip": [
+ "10.50.5.112"
+ ],
+ "mac": [
+ "00-00-5E-00-53-02"
+ ],
+ "name": "computer-test",
+ "os": {
+ "family": "Linux",
+ "full": "Red Hat Enterprise Linux 7.9",
+ "name": "Enterprise Linux",
+ "platform": "linux",
+ "type": "linux",
+ "version": "7.9"
+ },
+ "risk": {
+ "static_score": 18250.0
+ },
+ "type": "guest"
+ },
+ "observer": {
+ "product": "Rapid7 InsightVM",
+ "vendor": "Rapid7"
+ },
+ "rapid7_insightvm": {
+ "asset_vulnerability": {
+ "assessed_for_policies": false,
+ "assessed_for_vulnerabilities": true,
+ "critical_vulnerabilities": 3,
+ "exploits": 0,
+ "host_name": "computer-test",
+ "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6",
+ "ip": "10.50.5.112",
+ "last_assessed_for_vulnerabilities": "2025-05-27T18:21:36.279Z",
+ "last_scan_end": "2025-05-27T18:21:36.279Z",
+ "last_scan_start": "2025-05-27T18:20:41.505Z",
+ "mac": "00-00-5E-00-53-02",
+ "malware_kits": 0,
+ "moderate_vulnerabilities": 1,
+ "os": {
+ "architecture": "x86_64",
+ "description": "Red Hat Enterprise Linux 7.9",
+ "family": "Linux",
+ "name": "Enterprise Linux",
+ "system_name": "Red Hat Linux",
+ "vendor": "Red Hat",
+ "version": "7.9"
+ },
+ "risk_score": 18250.0,
+ "severe_vulnerabilities": 48,
+ "total_vulnerabilities": 52,
+ "type": "guest",
+ "unique_identifiers": [
+ {
+ "id": 
"CEF12345-ABCD-1234-ABCD-95ABCDEF1234",
+ "source": "dmidecode"
+ },
+ {
+ "id": "e80644e940123456789abcdef66a8b16",
+ "source": "R7 Agent"
+ }
+ ],
+ "vuln": {
+ "added": "2005-01-15T00:00:00.000Z",
+ "categories": [
+ "CVSS Score Predicted with Rapid7 AI",
+ "UNIX"
+ ],
+ "cvss_v2": {
+ "access_complexity": "low",
+ "access_vector": "local",
+ "authentication": "none",
+ "availability_impact": "none",
+ "confidentiality_impact": "partial",
+ "exploit_score": 3.948735978603363,
+ "impact_score": 4.938243839970231,
+ "integrity_impact": "partial",
+ "score": 3.6,
+ "vector": "(AV:L/AC:L/Au:N/C:P/I:P/A:N)"
+ },
+ "cvss_v3": {
+ "attack_complexity": "low",
+ "attack_vector": "local",
+ "availability_impact": "none",
+ "confidentiality_impact": "low",
+ "exploit_score": 2.515145325,
+ "impact_score": 1.4123999999999999,
+ "integrity_impact": "none",
+ "privileges_required": "none",
+ "scope": "unchanged",
+ "score": 4.0,
+ "user_interaction": "none",
+ "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ },
+ "denial_of_service": false,
+ "description": "World writable files were found on the system. A file that can be written by any user on the system could be a serious security flaw.",
+ "first_found": "2025-05-14T13:52:10.000Z",
+ "id": "unix-world-writable-files",
+ "last_found": "2025-05-27T18:21:36.279Z",
+ "modified": "2025-02-18T00:00:00.000Z",
+ "pci": {
+ "cvss_score": 3.6,
+ "fail": false,
+ "severity_score": 2,
+ "status": "pass"
+ },
+ "proof": "

The following world writable files were found.

",
+ "published": "2005-01-15T00:00:00.000Z",
+ "risk_score": 268.0,
+ "severity": "severe",
+ "severity_score": 4,
+ "solution": {
+ "fix": "

For each world-writable file, determine whether there is a good reason for\n it to be world writable. If not, remove world write permissions for the file.\n The output here is limited to 50 files. In order to find all of these files without needing to\n run another Nexpose scan run the following command:

 find / -type f -perm -02

Please note; it may be necessary exclude particular paths or file share types, run 'man find' for information.

",
+ "id": "unix-world-writable-files",
+ "summary": "Remove world write permissions",
+ "type": "workaround"
+ },
+ "status": "VULNERABLE_EXPL",
+ "title": "World writable files exist"
+ }
+ }
+ },
+ "related": {
+ "hosts": [
+ "computer-test",
+ "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6"
+ ],
+ "ip": [
+ "10.50.5.112"
+ ]
+ },
+ "resource": {
+ "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6",
+ "name": "computer-test"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "vulnerability": {
+ "category": [
+ "CVSS Score Predicted with Rapid7 AI",
+ "UNIX"
+ ],
+ "classification": "CVSS",
+ "description": "World writable files were found on the system. A file that can be written by any user on the system could be a serious security flaw.",
+ "enumeration": "CVE",
+ "published_date": "2005-01-15T00:00:00.000Z",
+ "scanner": {
+ "name": "e80644e940123456789abcdef66a8b16",
+ "vendor": "Rapid7"
+ },
+ "score": {
+ "base": 4.0,
+ "version": "3.0"
+ },
+ "severity": "High",
+ "title": "World writable files exist"
+ }
+ }
+ ]
+}
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-common-config.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..be41bb0d476
--- /dev/null
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,4 @@
+fields:
+ tags:
+ - preserve_original_event
+ - preserve_duplicate_custom_fields
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/system/test-default-config.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..d7108d9ed5f
--- /dev/null
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/system/test-default-config.yml
@@ -0,0 +1,12 @@
+input: cel
+service: rapid7_insightvm
+vars:
+ url: http://{{Hostname}}:{{Port}}
+ api_key: api_key
+data_stream:
+ vars:
+ batch_size: 2
+ preserve_original_event: true
+ preserve_duplicate_custom_fields: true
+assert:
+ hit_count: 7
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs
new file mode 100644
index 00000000000..5346f790048
--- /dev/null
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs
@@ -0,0 +1,188 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +state: + api_key: {{api_key}} + batch_size: {{batch_size}} +redact: + fields: + - api_key +program: | + ( + state.?want_more.orValue(false) ? + state.interval_time + : + now + ).as(interval_time, + has(state.assets) && state.is_all_assets_fetched ? + { + "assets": state.assets, + "is_all_assets_fetched": state.is_all_assets_fetched, + "interval_time": interval_time, + } + : + request( + "POST", + state.url.trim_right("/") + "/vm/v4/integration/assets?" + { + "size": [string(state.batch_size)], + "includeUniqueIdentifiers": ["true"], + ?"includeSame": has(state.?cursor.last_interval_time) ? optional.none() : optional.of(["true"]), + ?"comparisonTime": state.?cursor.last_interval_time.optMap(v, [v]), + ?"cursor": state.?next_cursor.optMap(v, [v]), + }.format_query() + ).with({ + "Header": { + "X-Api-Key": [state.api_key] + } + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "events": [{"message": "retry"}], + "batch_size": state.batch_size, + "api_key": state.api_key, + ?"next_cursor": has(body.?metadata.cursor) && body.metadata.cursor != null ? optional.of(body.metadata.cursor) : optional.none(), + "is_all_assets_fetched": has(body.metadata.cursor) && body.metadata.cursor != null ? false : true, + "assets": (state.?assets.orValue([]) + body.data).flatten(), + "interval_time": interval_time, + "want_more": true + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST " + state.url.trim_right("/") + "/vm/v4/integration/assets:" + ( + size(resp.Body) != 0 ? 
+ string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + "api_key": state.api_key, + "batch_size": state.batch_size + } + ) + ).as(work, + has(work.events) ? work : // Exit early + ( + has(state.vulnerabilities) && state.is_all_vulnerabilities_fetched ? + work.with({ + "vulnerabilities": state.vulnerabilities, + "is_all_vulnerabilities_fetched": state.is_all_vulnerabilities_fetched + }) + : + request( + "POST", + state.url.trim_right("/") + "/vm/v4/integration/vulnerabilities?" + { + "size": ["500"], + ?"cursor": state.?next_cursor.optMap(v, [v]), + }.format_query(), + { + "vulnerability": "modified >= 2025-05-01T00:00:00Z" + }.encode_json() + ).with({ + "Header": { + "X-Api-Key": [state.api_key], + "Content-Type": ["application/json"] + } + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "events": [{"message": "retry"}], + "batch_size": state.batch_size, + "api_key": state.api_key, + "assets": state.assets, + "is_all_assets_fetched": state.is_all_assets_fetched, + ?"next_cursor": has(body.?metadata.cursor) && body.metadata.cursor != null ? optional.of(body.metadata.cursor) : optional.none(), + "is_all_vulnerabilities_fetched": has(body.metadata.cursor) && body.metadata.cursor != null ? false : true, + "vulnerabilities": (state.?vulnerabilities.orValue([]) + body.data).flatten(), + "interval_time": work.interval_time, + "want_more": true + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST " + state.url.trim_right("/") + "/vm/v4/integration/vulnerabilities:" + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + "api_key": state.api_key, + "batch_size": state.batch_size + } + ) + ) + ).as(work, + has(work.events) ? 
work : // Exit early + work.with({ + // convert vulnerabilities to map for better searching + "vulnerabilities": work.vulnerabilities.map(e, { + "key": e.id, + "value": e + }).as(result, zip( + result.map(e, e.key), + result.map(e, e.value) + )), + // combine same[] new[] remediated[] into vulnerability[] + "assets": work.assets.map(e, e.with({ + "vulnerability": e.?same.orValue([]) + e.?new.orValue([]) + e.?remediated.orValue([]).map(r, r.with({"remediated": true})), + }).drop(["new","remediated","same"])) + }).as(work, { + "events": work.assets.map(e, e.vulnerability.map(v, { + "message": e.with({"vuln": v.with( + work.?vulnerabilities[v.vulnerability_id].orValue("not present") != "not present" ? + work.vulnerabilities[v.vulnerability_id] + : + {"key": "not present"} + )}).encode_json() + })).flatten(), + "cursor": { + "last_interval_time": state.interval_time, + }, + "want_more": false, + "api_key": state.api_key, + "batch_size": state.batch_size + }) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- drop_event: + when: + equals: + message: retry +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..be28064c3d1 --- /dev/null +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml 
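Review bot: The vulnerabilities request filters with a literal `"vulnerability": "modified >= 2025-05-01T00:00:00Z"`, so any vulnerability definition last modified before that date is never fetched, and in the final mapping the asset finding that references it is emitted with `"vuln": {"key": "not present"}` instead of its details; since the assets request is not filtered the same way, this silently degrades the data for older findings. The start time should come from a configured variable (a placeholder such as `<configured_start_time>` in place of the literal) or the filter should be dropped, and the `"size": ["500"]` literal on the same request would be more consistent using `state.batch_size` like the assets request. Separately, the `"is_all_assets_fetched"` and `"is_all_vulnerabilities_fetched"` lines call `has(body.metadata.cursor)` without the `?` safe traversal that the preceding `next_cursor` line uses, so a 200 response with no `metadata` object fails there instead of being treated as the last page; `has(body.?metadata.cursor) && body.metadata.cursor != null ? false : true` matches the line above. The sentinel comparison `orValue("not present") != "not present"` in the final mapping could be expressed directly with the optional's `.hasValue()`.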
@@ -0,0 +1,1015 @@ +--- +description: Pipeline for processing asset vulnerability events. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.11.0 + - fail: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + message: error message set and no data to process. + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_event_kind_to_event + value: event + - append: + field: event.category + tag: append_vulnerability_into_event_category + value: vulnerability + - append: + field: event.type + tag: append_info_into_event_type + value: info + - set: + field: observer.vendor + tag: set_observer_vendor + value: Rapid7 + - set: + field: observer.product + tag: set_observer_product + value: Rapid7 InsightVM + - set: + field: vulnerability.scanner.vendor + tag: set_vulnerability_scanner_vendor + value: Rapid7 + - set: + field: vulnerability.classification + tag: set_vulnerability_classification + value: CVSS + - set: + field: vulnerability.enumeration + tag: 
set_vulnerability_enumeration + value: CVE + # Remove cloud.* fields populated by beat. + # These fields correspond to EA rather than Tenable hosts and could be misleading. + - remove: + field: cloud + ignore_missing: true + description: Remove ECS cloud fields that are populated from EA metadata. + - rename: + field: json.key + tag: rename_key + target_field: rapid7_insightvm.asset_vulnerability.key + ignore_missing: true + - convert: + field: json.assessed_for_policies + tag: convert_assessed_for_policies_to_boolean + target_field: rapid7_insightvm.asset_vulnerability.assessed_for_policies + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.assessed_for_vulnerabilities + tag: convert_assessed_for_vulnerabilities_to_boolean + target_field: rapid7_insightvm.asset_vulnerability.assessed_for_vulnerabilities + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.credential_assessments.port + tag: convert_credential_assessments_port_to_long + target_field: rapid7_insightvm.asset_vulnerability.credential_assessments.port + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.credential_assessments.protocol + tag: rename_credential_assessments_protocol + target_field: 
rapid7_insightvm.asset_vulnerability.credential_assessments.protocol + ignore_missing: true + - rename: + field: json.credential_assessments.status + tag: rename_credential_assessments_status + target_field: rapid7_insightvm.asset_vulnerability.credential_assessments.status + ignore_missing: true + - convert: + field: json.critical_vulnerabilities + tag: convert_critical_vulnerabilities_to_long + target_field: rapid7_insightvm.asset_vulnerability.critical_vulnerabilities + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.exploits + tag: convert_exploits_to_long + target_field: rapid7_insightvm.asset_vulnerability.exploits + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.host_name + tag: rename_host_name + target_field: rapid7_insightvm.asset_vulnerability.host_name + ignore_missing: true + - set: + field: host.name + tag: set_host_name_from_asset_vulnerability_host_name + copy_from: rapid7_insightvm.asset_vulnerability.host_name + ignore_empty_value: true + - set: + field: host.hostname + tag: set_host_hostname_from_asset_vulnerability_host_name + copy_from: rapid7_insightvm.asset_vulnerability.host_name + ignore_empty_value: true + - set: + field: resource.name + tag: set_resource_name_from_asset_vulnerability_host_name + copy_from: rapid7_insightvm.asset_vulnerability.host_name + ignore_empty_value: true + - append: + field: related.hosts + tag: append_asset_vulnerability_host_name_into_related_hosts + value: 
'{{{rapid7_insightvm.asset_vulnerability.host_name}}}' + allow_duplicates: false + if: ctx.rapid7_insightvm?.asset_vulnerability?.host_name != null + - rename: + field: json.id + tag: rename_id + target_field: rapid7_insightvm.asset_vulnerability.id + ignore_missing: true + - set: + field: host.id + tag: set_host_id_from_asset_vulnerability_id + copy_from: rapid7_insightvm.asset_vulnerability.id + ignore_empty_value: true + - set: + field: resource.id + tag: set_resource_id_from_asset_vulnerability_id + copy_from: rapid7_insightvm.asset_vulnerability.id + ignore_empty_value: true + - append: + field: related.hosts + tag: append_asset_vulnerability_id_into_related_hosts + value: '{{{rapid7_insightvm.asset_vulnerability.id}}}' + allow_duplicates: false + if: ctx.rapid7_insightvm?.asset_vulnerability?.id != null + - convert: + field: json.ip + tag: convert_ip_to_ip + target_field: rapid7_insightvm.asset_vulnerability.ip + type: ip + ignore_missing: true + if: ctx.json?.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: host.ip + tag: append_rapid7_insightvm_asset_vulnerability_ip_into_host_ip + value: '{{{rapid7_insightvm.asset_vulnerability.ip}}}' + allow_duplicates: false + if: ctx.rapid7_insightvm?.asset_vulnerability?.ip != null + - append: + field: related.ip + tag: append_asset_vulnerability_ip_into_related_ip + value: '{{{rapid7_insightvm.asset_vulnerability.ip}}}' + allow_duplicates: false + if: ctx.rapid7_insightvm?.asset_vulnerability?.ip != null + - date: + field: json.last_assessed_for_vulnerabilities + tag: date_last_assessed_for_vulnerabilities + target_field: rapid7_insightvm.asset_vulnerability.last_assessed_for_vulnerabilities + formats: + - ISO8601 + if: ctx.json?.last_assessed_for_vulnerabilities != null && 
ctx.json.last_assessed_for_vulnerabilities != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.last_scan_end + tag: date_last_scan_end + target_field: rapid7_insightvm.asset_vulnerability.last_scan_end + formats: + - ISO8601 + if: ctx.json?.last_scan_end != null && ctx.json.last_scan_end != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.last_scan_start + tag: date_last_scan_start + target_field: rapid7_insightvm.asset_vulnerability.last_scan_start + formats: + - ISO8601 + if: ctx.json?.last_scan_start != null && ctx.json.last_scan_start != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - gsub: + field: json.mac + tag: gsub_mac + target_field: rapid7_insightvm.asset_vulnerability.mac + pattern: ':' + replacement: '-' + ignore_missing: true + - uppercase: + field: rapid7_insightvm.asset_vulnerability.mac + tag: uppercase_mac + ignore_missing: true + - append: + field: host.mac + tag: append_rapid7_insightvm_asset_vulnerability_mac_into_host_mac + value: '{{{rapid7_insightvm.asset_vulnerability.mac}}}' + allow_duplicates: false + if: ctx.rapid7_insightvm?.asset_vulnerability?.mac != null + - convert: + field: json.malware_kits + tag: convert_malware_kits_to_long + target_field: rapid7_insightvm.asset_vulnerability.malware_kits + type: long + ignore_missing: true + on_failure: + - append: + 
field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.moderate_vulnerabilities + tag: convert_moderate_vulnerabilities_to_long + target_field: rapid7_insightvm.asset_vulnerability.moderate_vulnerabilities + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.os_architecture + tag: rename_os_architecture + target_field: rapid7_insightvm.asset_vulnerability.os.architecture + ignore_missing: true + - set: + field: host.architecture + tag: set_host_architecture_from_asset_vulnerability_os_architecture + copy_from: rapid7_insightvm.asset_vulnerability.os.architecture + ignore_empty_value: true + - rename: + field: json.os_description + tag: rename_os_description + target_field: rapid7_insightvm.asset_vulnerability.os.description + ignore_missing: true + - set: + field: host.os.full + tag: set_host_os_full_from_asset_vulnerability_os_description + copy_from: rapid7_insightvm.asset_vulnerability.os.description + ignore_empty_value: true + - rename: + field: json.os_family + tag: rename_os_family + target_field: rapid7_insightvm.asset_vulnerability.os.family + ignore_missing: true + - set: + field: host.os.family + tag: set_host_os_family_from_asset_vulnerability_os_family + copy_from: rapid7_insightvm.asset_vulnerability.os.family + ignore_empty_value: true + - set: + field: host.os.platform + tag: set_host_os_platform_linux + value: linux + if: ctx.host?.os?.family != null && ctx.host.os.family.toLowerCase().contains('linux') + - set: + field: host.os.platform + tag: set_host_os_platform_windows + value: 
windows + if: ctx.host?.os?.family != null && ctx.host.os.family.toLowerCase().contains('windows') + - set: + field: host.os.platform + tag: set_host_os_platform_darwin + value: darwin + if: ctx.host?.os?.family != null && ctx.host.os.family.toLowerCase().contains('mac') + - script: + description: Dynamically set host.os.type values. + tag: script_map_host_os_type + lang: painless + if: ctx.host?.os?.family != null + params: + os_type: + - linux + - mac + - unix + - windows + - ios + - android + source: | + String os_family = ctx.host.os.family.toLowerCase(); + for (String os: params.os_type) { + if (os_family.contains(os)) { + if (os == 'mac') { + ctx.host.os.put('type', 'macos'); + } else { + ctx.host.os.put('type', os); + } + return; + } + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.os_name + tag: rename_os_name + target_field: rapid7_insightvm.asset_vulnerability.os.name + ignore_missing: true + - set: + field: host.os.name + tag: set_host_os_name_from_asset_vulnerability_os_name + copy_from: rapid7_insightvm.asset_vulnerability.os.name + ignore_empty_value: true + - rename: + field: json.os_system_name + tag: rename_os_system_name + target_field: rapid7_insightvm.asset_vulnerability.os.system_name + ignore_missing: true + - rename: + field: json.os_type + tag: rename_os_type + target_field: rapid7_insightvm.asset_vulnerability.os.type + ignore_missing: true + - rename: + field: json.os_vendor + tag: rename_os_vendor + target_field: rapid7_insightvm.asset_vulnerability.os.vendor + ignore_missing: true + - rename: + field: json.os_version + tag: rename_os_version + target_field: rapid7_insightvm.asset_vulnerability.os.version + ignore_missing: true + - set: + field: host.os.version + tag: 
set_host_os_version_from_asset_vulnerability_os_version + copy_from: rapid7_insightvm.asset_vulnerability.os.version + ignore_empty_value: true + - convert: + field: json.risk_score + tag: convert_risk_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.risk_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: host.risk.static_score + tag: set_host_risk_static_score_from_asset_vulnerability_risk_score + copy_from: rapid7_insightvm.asset_vulnerability.risk_score + ignore_empty_value: true + - convert: + field: json.severe_vulnerabilities + tag: convert_severe_vulnerabilities_to_long + target_field: rapid7_insightvm.asset_vulnerability.severe_vulnerabilities + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.tags.name + tag: rename_tags_name + target_field: rapid7_insightvm.asset_vulnerability.tags.name + ignore_missing: true + - rename: + field: json.tags.type + tag: rename_tags_type + target_field: rapid7_insightvm.asset_vulnerability.tags.type + ignore_missing: true + - convert: + field: json.total_vulnerabilities + tag: convert_total_vulnerabilities_to_long + target_field: rapid7_insightvm.asset_vulnerability.total_vulnerabilities + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + 
- rename: + field: json.type + tag: rename_type + target_field: rapid7_insightvm.asset_vulnerability.type + ignore_missing: true + - set: + field: host.type + tag: set_host_type_from_asset_vulnerability_type + copy_from: rapid7_insightvm.asset_vulnerability.type + ignore_empty_value: true + - rename: + field: json.unique_identifiers + tag: rename_unique_identifiers + target_field: rapid7_insightvm.asset_vulnerability.unique_identifiers + ignore_missing: true + - script: + description: Map vulnerability.scanner.name field. + tag: script_map_vulnerability_scanner_name + lang: painless + if: ctx.rapid7_insightvm?.asset_vulnerability?.unique_identifiers instanceof List + source: | + ctx.vulnerability = ctx.vulnerability ?: [:]; + ctx.vulnerability.scanner = ctx.vulnerability.scanner ?: [:]; + for (def o: ctx.rapid7_insightvm.asset_vulnerability.unique_identifiers) { + if (o.source == 'R7 Agent') { + ctx.vulnerability.scanner.put('name', o.id); + return; + } + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.vuln.added + tag: date_vuln_added + target_field: rapid7_insightvm.asset_vulnerability.vuln.added + formats: + - ISO8601 + if: ctx.json?.vuln?.added != null && ctx.json.vuln.added != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - split: + field: json.vuln.categories + separator: ',' + tag: split_vuln_categories + target_field: rapid7_insightvm.asset_vulnerability.vuln.categories + ignore_missing: true + if: ctx.json?.vuln?.categories instanceof String + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: vulnerability.category + tag: set_vulnerability_category_from_asset_vulnerability_vuln_categories + copy_from: rapid7_insightvm.asset_vulnerability.vuln.categories + ignore_empty_value: true + - rename: + field: json.vuln.check_id + tag: rename_vuln_check_id + target_field: rapid7_insightvm.asset_vulnerability.vuln.check_id + ignore_missing: true + - split: + field: json.vuln.cves + separator: ',' + tag: split_vuln_cves + target_field: rapid7_insightvm.asset_vulnerability.vuln.cves + ignore_missing: true + if: ctx.json?.vuln?.cves instanceof String + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: vulnerability.id + tag: set_vulnerability_id_from_asset_vulnerability_vuln_cves + copy_from: rapid7_insightvm.asset_vulnerability.vuln.cves + ignore_empty_value: true + - rename: + field: json.vuln.cvss_v2_access_complexity + tag: rename_vuln_cvss_v2_access_complexity + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.access_complexity + ignore_missing: true + - rename: + field: json.vuln.cvss_v2_access_vector + tag: rename_vuln_cvss_v2_access_vector + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.access_vector + ignore_missing: true + - rename: + field: json.vuln.cvss_v2_authentication + tag: rename_vuln_cvss_v2_authentication + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.authentication + ignore_missing: true + - rename: + field: json.vuln.cvss_v2_availability_impact + tag: rename_vuln_cvss_v2_availability_impact + target_field: 
rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.availability_impact + ignore_missing: true + - rename: + field: json.vuln.cvss_v2_confidentiality_impact + tag: rename_vuln_cvss_v2_confidentiality_impact + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.confidentiality_impact + ignore_missing: true + - convert: + field: json.vuln.cvss_v2_exploit_score + tag: convert_vuln_cvss_v2_exploit_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.exploit_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.vuln.cvss_v2_impact_score + tag: convert_vuln_cvss_v2_impact_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.impact_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.vuln.cvss_v2_integrity_impact + tag: rename_vuln_cvss_v2_integrity_impact + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.integrity_impact + ignore_missing: true + - convert: + field: json.vuln.cvss_v2_score + tag: convert_vuln_cvss_v2_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.vuln.cvss_v2_vector + tag: 
rename_vuln_cvss_v2_vector + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.vector + ignore_missing: true + - rename: + field: json.vuln.cvss_v3_attack_complexity + tag: rename_vuln_cvss_v3_attack_complexity + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.attack_complexity + ignore_missing: true + - rename: + field: json.vuln.cvss_v3_attack_vector + tag: rename_vuln_cvss_v3_attack_vector + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.attack_vector + ignore_missing: true + - rename: + field: json.vuln.cvss_v3_availability_impact + tag: rename_vuln_cvss_v3_availability_impact + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.availability_impact + ignore_missing: true + - rename: + field: json.vuln.cvss_v3_confidentiality_impact + tag: rename_vuln_cvss_v3_confidentiality_impact + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.confidentiality_impact + ignore_missing: true + - convert: + field: json.vuln.cvss_v3_exploit_score + tag: convert_vuln_cvss_v3_exploit_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.exploit_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.vuln.cvss_v3_impact_score + tag: convert_vuln_cvss_v3_impact_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.impact_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.vuln.cvss_v3_integrity_impact + tag: 
rename_vuln_cvss_v3_integrity_impact + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.integrity_impact + ignore_missing: true + - rename: + field: json.vuln.cvss_v3_privileges_required + tag: rename_vuln_cvss_v3_privileges_required + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.privileges_required + ignore_missing: true + - rename: + field: json.vuln.cvss_v3_scope + tag: rename_vuln_cvss_v3_scope + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.scope + ignore_missing: true + - convert: + field: json.vuln.cvss_v3_score + tag: convert_vuln_cvss_v3_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: vulnerability.score.base + tag: set_vulnerability_score_base_from_asset_vulnerability_vuln_cvss_v3_score + copy_from: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.score + ignore_empty_value: true + - set: + field: vulnerability.score.version + tag: set_vulnerability_score_version + value: '3.0' + - rename: + field: json.vuln.cvss_v3_user_interaction + tag: rename_vuln_cvss_v3_user_interaction + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.user_interaction + ignore_missing: true + - rename: + field: json.vuln.cvss_v3_vector + tag: rename_vuln_cvss_v3_vector + target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.vector + ignore_missing: true + - convert: + field: json.vuln.denial_of_service + tag: convert_vuln_denial_of_service_to_boolean + target_field: rapid7_insightvm.asset_vulnerability.vuln.denial_of_service + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.vuln.description + tag: rename_vuln_description + target_field: rapid7_insightvm.asset_vulnerability.vuln.description + ignore_missing: true + - set: + field: vulnerability.description + tag: set_vulnerability_description_from_asset_vulnerability_vuln_description + copy_from: rapid7_insightvm.asset_vulnerability.vuln.description + ignore_empty_value: true + - rename: + field: json.vuln.exploits + tag: rename_vuln_exploits + target_field: rapid7_insightvm.asset_vulnerability.vuln.exploits + ignore_missing: true + - date: + field: json.vuln.first_found + tag: date_vuln_first_found + target_field: rapid7_insightvm.asset_vulnerability.vuln.first_found + formats: + - ISO8601 + if: ctx.json?.vuln?.first_found != null && ctx.json.vuln.first_found != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.created + tag: set_event_created_from_asset_vulnerability_vuln_first_found + copy_from: rapid7_insightvm.asset_vulnerability.vuln.first_found + ignore_empty_value: true + - rename: + field: json.vuln.id + tag: rename_vuln_id + target_field: rapid7_insightvm.asset_vulnerability.vuln.id + ignore_missing: true + - rename: + field: json.vuln.key + tag: rename_vuln_key + target_field: rapid7_insightvm.asset_vulnerability.vuln.key + ignore_missing: true + - date: + field: json.vuln.last_found + tag: date_vuln_last_found + target_field: rapid7_insightvm.asset_vulnerability.vuln.last_found + formats: + - ISO8601 + if: ctx.json?.vuln?.last_found != null && ctx.json.vuln.last_found != '' + on_failure: + - append: + field: error.message + value: 
'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + tag: set_timestamp_from_asset_vulnerability_vuln_last_found + copy_from: rapid7_insightvm.asset_vulnerability.vuln.last_found + ignore_empty_value: true + - set: + field: event.id + tag: set_event_id + value: '{{rapid7_insightvm.asset_vulnerability.id}}|{{rapid7_insightvm.asset_vulnerability.vuln.id}}|{{rapid7_insightvm.asset_vulnerability.vuln.last_found}}' + - rename: + field: json.vuln.links + tag: rename_vuln_links + target_field: rapid7_insightvm.asset_vulnerability.vuln.links + ignore_missing: true + - foreach: + field: rapid7_insightvm.asset_vulnerability.vuln.links + if: ctx.rapid7_insightvm?.asset_vulnerability?.vuln?.links instanceof List + processor: + append: + field: vulnerability.reference + tag: append_vuln_links_href_into_vulnerability_reference + value: '{{{_ingest._value.href}}}' + allow_duplicates: false + - rename: + field: json.vuln.malware_kits + tag: rename_vuln_malware_kits + target_field: rapid7_insightvm.asset_vulnerability.vuln.malware_kits + ignore_missing: true + - date: + field: json.vuln.modified + tag: date_vuln_modified + target_field: rapid7_insightvm.asset_vulnerability.vuln.modified + formats: + - ISO8601 + if: ctx.json?.vuln?.modified != null && ctx.json.vuln.modified != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.vuln.pci_cvss_score + tag: convert_vuln_pci_cvss_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vuln.pci.cvss_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.vuln.pci_fail + tag: convert_vuln_pci_fail_to_boolean + target_field: rapid7_insightvm.asset_vulnerability.vuln.pci.fail + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.vuln.pci_severity_score + tag: convert_vuln_pci_severity_score_to_long + target_field: rapid7_insightvm.asset_vulnerability.vuln.pci.severity_score + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.vuln.pci_special_notes + tag: rename_vuln_pci_special_notes + target_field: rapid7_insightvm.asset_vulnerability.vuln.pci.special_notes + ignore_missing: true + - rename: + field: json.vuln.pci_status + tag: rename_vuln_pci_status + target_field: rapid7_insightvm.asset_vulnerability.vuln.pci.status + ignore_missing: true + - convert: + field: json.vuln.port + tag: convert_vuln_port_to_long + target_field: rapid7_insightvm.asset_vulnerability.vuln.port + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.vuln.proof + tag: rename_vuln_proof + target_field: 
rapid7_insightvm.asset_vulnerability.vuln.proof + ignore_missing: true + - rename: + field: json.vuln.protocol + tag: rename_vuln_protocol + target_field: rapid7_insightvm.asset_vulnerability.vuln.protocol + ignore_missing: true + - date: + field: json.vuln.published + tag: date_vuln_published + target_field: rapid7_insightvm.asset_vulnerability.vuln.published + formats: + - ISO8601 + if: ctx.json?.vuln?.published != null && ctx.json.vuln.published != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: vulnerability.published_date + tag: set_vulnerability_published_date_from_asset_vulnerability_vuln_published + copy_from: rapid7_insightvm.asset_vulnerability.vuln.published + ignore_empty_value: true + - rename: + field: json.vuln.references + tag: rename_vuln_references + target_field: rapid7_insightvm.asset_vulnerability.vuln.references + ignore_missing: true + - convert: + field: json.vuln.risk_score + tag: convert_vuln_risk_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vuln.risk_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.vuln.severity + tag: rename_vuln_severity + target_field: rapid7_insightvm.asset_vulnerability.vuln.severity + ignore_missing: true + - script: + description: Map vulnerability.severity to CVSS standard + tag: script_to_map_severity_to_CVSS + lang: painless + if: ctx.rapid7_insightvm?.asset_vulnerability?.vuln?.severity != null + source: > + String severity = 
ctx.rapid7_insightvm.asset_vulnerability.vuln.severity.toLowerCase();
+ if (severity == 'none') {
+ ctx.vulnerability.put('severity', 'None');
+ } else if (severity == 'informational') {
+ ctx.vulnerability.put('severity', 'Low');
+ } else if (severity == 'low') {
+ ctx.vulnerability.put('severity', 'Low');
+ } else if (severity == 'moderate') {
+ ctx.vulnerability.put('severity', 'Medium');
+ } else if (severity == 'severe') {
+ ctx.vulnerability.put('severity', 'High');
+ } else if (severity == 'critical') {
+ ctx.vulnerability.put('severity', 'Critical');
+ }
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.vuln.severity_score
+ tag: convert_vuln_severity_score_to_long
+ target_field: rapid7_insightvm.asset_vulnerability.vuln.severity_score
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.severity
+ tag: set_event_severity_from_asset_vulnerability_vuln_severity_score
+ copy_from: rapid7_insightvm.asset_vulnerability.vuln.severity_score
+ ignore_empty_value: true
+ - rename:
+ field: json.vuln.solution_fix
+ tag: rename_vuln_solution_fix
+ target_field: rapid7_insightvm.asset_vulnerability.vuln.solution.fix
+ ignore_missing: true
+ - rename:
+ field: json.vuln.solution_id
+ tag: rename_vuln_solution_id
+ target_field: rapid7_insightvm.asset_vulnerability.vuln.solution.id
+ ignore_missing: true
+ - rename:
+ field: json.vuln.solution_summary
+ tag: rename_vuln_solution_summary
+ target_field: rapid7_insightvm.asset_vulnerability.vuln.solution.summary
+ ignore_missing: 
true
+ - rename:
+ field: json.vuln.solution_type
+ tag: rename_vuln_solution_type
+ target_field: rapid7_insightvm.asset_vulnerability.vuln.solution.type
+ ignore_missing: true
+ - rename:
+ field: json.vuln.status
+ tag: rename_vuln_status
+ target_field: rapid7_insightvm.asset_vulnerability.vuln.status
+ ignore_missing: true
+ - rename:
+ field: json.vuln.title
+ tag: rename_vuln_title
+ target_field: rapid7_insightvm.asset_vulnerability.vuln.title
+ ignore_missing: true
+ - grok:
+ field: rapid7_insightvm.asset_vulnerability.vuln.title
+ tag: grok_parse_vuln_title
+ patterns:
+ - '^%{DATA:_temp.package}: CVE-%{DATA:_temp.cve_id}: %{GREEDYDATA:vulnerability.title}$'
+ - '^%{DATA:_temp.package}: %{GREEDYDATA:vulnerability.title}$'
+ - '^%{GREEDYDATA:vulnerability.title}$'
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - remove:
+ field:
+ - rapid7_insightvm.asset_vulnerability.ip
+ - rapid7_insightvm.asset_vulnerability.mac
+ - rapid7_insightvm.asset_vulnerability.os.architecture
+ - rapid7_insightvm.asset_vulnerability.os.description
+ - rapid7_insightvm.asset_vulnerability.os.family
+ - rapid7_insightvm.asset_vulnerability.os.name
+ - rapid7_insightvm.asset_vulnerability.os.version
+ - rapid7_insightvm.asset_vulnerability.risk_score
+ - rapid7_insightvm.asset_vulnerability.type
+ - rapid7_insightvm.asset_vulnerability.vuln.categories
+ - rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.score
+ - rapid7_insightvm.asset_vulnerability.vuln.description
+ - rapid7_insightvm.asset_vulnerability.vuln.id
+ - rapid7_insightvm.asset_vulnerability.vuln.links.rel
+ - rapid7_insightvm.asset_vulnerability.vuln.severity
+ - rapid7_insightvm.asset_vulnerability.vuln.severity_score
+ tag: remove_custom_duplicate_fields
+ ignore_missing: true
+ 
if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields')
+ - remove:
+ field:
+ - json
+ - _temp
+ tag: remove_json
+ ignore_missing: true
+ - script:
+ tag: script_to_drop_null_values
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |-
+ void handleMap(Map map) {
+ map.values().removeIf(v -> {
+ if (v instanceof Map) {
+ handleMap(v);
+ } else if (v instanceof List) {
+ handleList(v);
+ }
+ return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)
+ });
+ }
+ void handleList(List list) {
+ list.removeIf(v -> {
+ if (v instanceof Map) {
+ handleMap(v);
+ } else if (v instanceof List) {
+ handleList(v);
+ }
+ return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)
+ });
+ }
+ handleMap(ctx);
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_into_event_kind
+ value: pipeline_error
+ if: ctx.error?.message != null
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
+ if: ctx.error?.message != null
+on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/base-fields.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/base-fields.yml
new file mode 100644
index 00000000000..f819023beac
--- /dev/null
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: rapid7_insightvm
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: rapid7_insightvm.asset_vulnerability
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/beats.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/beats.yml
new file mode 100644
index 00000000000..4084f1dc7f5
--- /dev/null
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/beats.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ type: keyword
+ description: Type of filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/ecs.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/ecs.yml
new file mode 100644
index 00000000000..cc61312ef72
--- /dev/null
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/ecs.yml
@@ -0,0 +1,7 @@
+# Define ECS constant fields as constant_keyword
+- name: observer.vendor
+ type: constant_keyword
+ external: ecs
+- name: vulnerability.scanner.vendor
+ type: constant_keyword
+ external: ecs
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/fields.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/fields.yml
new file mode 100644
index 00000000000..495cff8ac6a
--- /dev/null
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/fields.yml
@@ -0,0 +1,329 @@
+- name: rapid7_insightvm
+ type: group
+ fields:
+ - name: asset_vulnerability
+ type: group
+ fields:
+ - name: assessed_for_policies
+ type: boolean
+ description: Whether an asset was assessed for policies.
+ - name: assessed_for_vulnerabilities
+ type: boolean
+ description: Whether an asset was assessed for vulnerabilities.
+ - name: credential_assessments
+ type: group
+ fields:
+ - name: port
+ type: long
+ description: The port the authentication was used on.
+ - name: protocol
+ type: keyword
+ description: The protocol the authentication was used on.
+ - name: status
+ type: keyword
+ description: The authentication of the last scan performed.
+ - name: critical_vulnerabilities
+ type: long
+ description: The count of critical vulnerability findings.
+ - name: exploits
+ type: long
+ description: The count of known unique exploits that can be used to exploit vulnerabilities on the asset.
+ - name: host_name
+ type: keyword
+ description: The host name (local or FQDN).
+ - name: id
+ type: keyword
+ description: The identifier of the asset.
+ - name: ip
+ type: ip
+ description: The IPv4 or IPv6 address.
+ - name: last_assessed_for_vulnerabilities
+ type: date
+ description: The time at which an asset was assessed for vulnerabilities.
+ - name: last_scan_end
+ type: date
+ description: The time at which the last scan of the asset ended.
+ - name: last_scan_start
+ type: date
+ description: The time at which the last scan of the asset started.
+ - name: mac
+ type: keyword
+ description: The Media Access Control (MAC) address. The format is six groups of two hexadecimal digits separated by colons.
+ - name: malware_kits
+ type: long
+ description: The count of known unique malware kits that can be used to attack vulnerabilities on the asset.
+ - name: moderate_vulnerabilities
+ type: long
+ description: The count of moderate vulnerability findings.
+ - name: os
+ type: group
+ fields:
+ - name: architecture
+ type: keyword
+ description: The architecture of the operating system.
+ - name: description
+ type: keyword
+ description: The description of the operating system (containing vendor, family, product, version and architecture in a single string).
+ - name: family
+ type: keyword
+ description: The family of the operating system.
+ - name: name
+ type: keyword
+ description: The name of the operating system.
+ - name: system_name
+ type: keyword
+ description: A combination of vendor and family (with redundancies removed), suitable for grouping.
+ - name: type
+ type: keyword
+ description: The type of operating system.
+ - name: vendor
+ type: keyword
+ description: The vendor of the operating system.
+ - name: version
+ type: keyword
+ description: The version of the operating system.
+ - name: risk_score
+ type: double
+ description: The risk score (with criticality adjustments) of the asset.
+ - name: severe_vulnerabilities
+ type: long
+ description: The count of severe vulnerability findings.
+ - name: tags
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The stored value.
+ - name: type
+ type: keyword
+ description: The type of information stored and displayed. For sites, the value is "SITE".
+ - name: total_vulnerabilities
+ type: long
+ description: The total count of vulnerability findings.
+ - name: type
+ type: keyword
+ description: The type of asset.
+ - name: unique_identifiers
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The unique identifier.
+ - name: source
+ type: keyword
+ description: The source of the unique identifier.
+ - name: vuln
+ type: group
+ fields:
+ - name: added
+ type: date
+ description: The date the vulnerability coverage was added. The format is an ISO 8601 date, YYYY-MM-DD.
+ - name: categories
+ type: keyword
+ description: Comma-separated list of categories the vulnerability is classified under.
+ - name: check_id
+ type: keyword
+ description: The identifier of the vulnerability check.
+ - name: cves
+ type: keyword
+ description: All CVEs assigned to this vulnerability.
+ - name: cvss_v2
+ type: group
+ fields:
+ - name: access_complexity
+ type: keyword
+ description: Access Complexity (AC) component which measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.
+ - name: access_vector
+ type: keyword
+ description: Access Vector (Av) component which reflects how the vulnerability is exploited.
+ - name: authentication
+ type: keyword
+ description: Authentication (Au) component which measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability.
+ - name: availability_impact
+ type: keyword
+ description: Availability Impact (A) component which measures the impact to availability of a successfully exploited vulnerability.
+ - name: confidentiality_impact
+ type: keyword
+ description: Confidentiality Impact (C) component which measures the impact on confidentiality of a successfully exploited vulnerability.
+ - name: exploit_score
+ type: double
+ description: The CVSS exploit score.
+ - name: impact_score
+ type: double
+ description: The CVSS impact score.
+ - name: integrity_impact
+ type: keyword
+ description: Integrity Impact (I) component measures the impact to integrity of a successfully exploited vulnerability.
+ - name: score
+ type: double
+ description: The CVSS score, which ranges from 0-10.
+ - name: vector
+ type: keyword
+ description: The CVSS v2 vector.
+ - name: cvss_v3
+ type: group
+ fields:
+ - name: attack_complexity
+ type: keyword
+ description: Attack Complexity (AC) component with measures the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.
+ - name: attack_vector
+ type: keyword
+ description: Attack Vector (AV) component which measures context by which vulnerability exploitation is possible.
+ - name: availability_impact
+ type: keyword
+ description: Availability Impact (A) measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.
+ - name: confidentiality_impact
+ type: keyword
+ description: Confidentiality Impact (C) component which measures the impact on confidentiality of a successfully exploited vulnerability.
+ - name: exploit_score
+ type: double
+ description: The CVSS exploit score.
+ - name: impact_score
+ type: double
+ description: The CVSS impact score.
+ - name: integrity_impact
+ type: keyword
+ description: Integrity Impact (I) measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.
+ - name: privileges_required
+ type: keyword
+ description: Privileges Required (PR) measures the level of privileges an attacker must possess before successfully exploiting the vulnerability.
+ - name: scope
+ type: keyword
+ description: Scope (S) measures the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization.
+ - name: score
+ type: double
+ description: The CVSS score, which ranges from 0-10.
+ - name: user_interaction
+ type: keyword
+ description: User Interaction (UI) measures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.
+ - name: vector
+ type: keyword
+ description: The CVSS v3 vector.
+ - name: denial_of_service
+ type: boolean
+ description: Whether the vulnerability can lead to Denial of Service (DoS).
+ - name: description
+ type: keyword
+ description: A verbose description of the vulnerability.
+ - name: exploits
+ type: group
+ fields:
+ - name: description
+ type: keyword
+ description: A verbose description of the exploit.
+ - name: id
+ type: keyword
+ description: The identifier of the exploit.
+ - name: name
+ type: keyword
+ description: The name of the exploit.
+ - name: rank
+ type: keyword
+ description: How common the exploit is used.
+ - name: skill_level
+ type: keyword
+ description: The level of skill required to use the exploit.
+ - name: source
+ type: keyword
+ description: Details about where the exploit is defined.
+ - name: first_found
+ type: date
+ description: The first time the vulnerability was discovered.
+ - name: id
+ type: keyword
+ description: The identifier of the vulnerability.
+ - name: key
+ type: keyword
+ description: The identifier of the assessment key.
+ - name: last_found
+ type: date
+ description: The most recent time the vulnerability was discovered.
+ - name: links
+ type: group
+ fields:
+ - name: href
+ type: keyword
+ - name: id
+ type: keyword
+ - name: rel
+ type: keyword
+ - name: source
+ type: keyword
+ - name: malware_kits
+ type: group
+ fields:
+ - name: description
+ type: keyword
+ description: A known Malware Kit that can be used to compromise a vulnerability.
+ - name: name
+ type: keyword
+ description: The name of the malware kit.
+ - name: popularity
+ type: keyword
+ description: The popularity of the malware kit.
+ - name: modified
+ type: date
+ description: The last date the vulnerability was modified. The format is an ISO 8601 date, YYYY-MM-DD.
+ - name: pci
+ type: group
+ fields:
+ - name: cvss_score
+ type: double
+ description: The CVSS score of the vulnerability, adjusted for PCI rules and exceptions, on a scale of 0-10.
+ - name: fail
+ type: boolean
+ description: Whether if present on a host this vulnerability would cause a PCI failure. 
true if compliance status is "fail", false otherwise.
+ - name: severity_score
+ type: long
+ description: The severity score of the vulnerability, adjusted for PCI rules and exceptions, on a scale of 0-10.
+ - name: special_notes
+ type: keyword
+ description: Any special notes or remarks about the vulnerability that pertain to PCI compliance.
+ - name: status
+ type: keyword
+ description: The PCI compliance status.
+ - name: port
+ type: long
+ description: For services vulnerabilities, the port that is vulnerable.
+ - name: proof
+ type: keyword
+ description: The identifier of the vulnerability proof.
+ - name: protocol
+ type: keyword
+ description: For services vulnerabilities, the protocol that is vulnerable.
+ - name: published
+ type: date
+ description: The date the vulnerability was first published or announced. The format is an ISO 8601 date, YYYY-MM-DD.
+ - name: references
+ type: keyword
+ description: References to security standards this vulnerability is a part of, in condensed format (comma-separated).
+ - name: risk_score
+ type: double
+ description: The risk score of the vulnerability. If using the default Rapid7 Real Riskâ„¢ model, this value ranges from 0-1000.
+ - name: severity
+ type: keyword
+ description: The severity of the vulnerability.
+ - name: severity_score
+ type: long
+ description: The severity score of the vulnerability, on a scale of 0-10.
+ - name: solution
+ type: group
+ fields:
+ - name: fix
+ type: keyword
+ description: The solution fix for the vulnerability.
+ - name: id
+ type: keyword
+ description: The identifier of the solution for the vulnerability.
+ - name: summary
+ type: keyword
+ description: The summary for the solution for the vulnerability.
+ - name: type
+ type: keyword
+ description: The solution type for the vulnerability.
+ - name: status
+ type: keyword
+ description: The status of the vulnerability finding.
+ - name: title
+ type: keyword
+ description: The title (summary) of the vulnerability.
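Review bot: The `risk_score` description under `vuln` contains mojibake — `Rapid7 Real Riskâ„¢` is the UTF-8 encoding of the trademark sign re-decoded as Windows-1252 — and should read `description: The risk score of the vulnerability. If using the default Rapid7 Real Risk™ model, this value ranges from 0-1000.` (or drop the symbol entirely), since this text is rendered into the package README. The `links` group (`href`, `id`, `rel`, `source`) is the only set of leaves in the file with no `description`, while every other field carries one; a one-line description on each keeps the generated docs consistent. `references` is documented as a comma-separated string and the visible pipeline hunk renames it into place without splitting it, so the description could state that the value is stored as the raw joined string to set expectations for dashboards.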
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/package.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/package.yml
new file mode 100644
index 00000000000..dd2e5a96bb9
--- /dev/null
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/package.yml
@@ -0,0 +1,11 @@
+- name: package
+ type: group
+ fields:
+ - name: fixed_version
+ type: keyword
+ - name: name
+ type: keyword
+ external: ecs
+ - name: version
+ type: keyword
+ external: ecs
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/resource.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/resource.yml
new file mode 100644
index 00000000000..425eb9530e9
--- /dev/null
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/resource.yml
@@ -0,0 +1,7 @@
+- name: resource
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: name
+ type: keyword
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/vulnerability.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/vulnerability.yml
new file mode 100644
index 00000000000..c1e3f2fa6da
--- /dev/null
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/vulnerability.yml
@@ -0,0 +1,12 @@
+- name: vulnerability
+ type: group
+ fields:
+ - name: published_date
+ type: date
+ - name: scanner
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ - name: title
+ type: keyword
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/manifest.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/manifest.yml
new file mode 100644
index 00000000000..9d966f5d213
--- /dev/null
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/manifest.yml
@@ -0,0 +1,78 @@
+title: Asset Vulnerability Event
+type: logs
+streams:
+ - input: cel
+ title: Asset Vulnerability Event
+ description: Collecting asset vulnerability events via API.
+ template_path: cel.yml.hbs
+ enabled: false
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the Rapid7 InsightVM API. Supported units for this parameter are h/m/s.
+ default: 24h
+ multi: false
+ required: true
+ show_user: true
+ - name: batch_size
+ type: integer
+ title: Batch Size
+ description: Batch size for the response of the Rapid7 InsightVM API. The maximum supported batch size value is 500.
+ default: 500
+ multi: false
+ required: true
+ show_user: false
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.
+ multi: false
+ required: true
+ show_user: false
+ default: 120s
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ default: false
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ The request tracer logs requests and responses to the agent's local file-system for debugging configurations.
+ Enabling this request tracing compromises security and should only be used for debugging. Disabling the request
+ tracer will delete any stored traces.
+ See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable)
+ for details.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - rapid7_insightvm-asset_vulnerability
+ - name: preserve_original_event
+ required: false
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: false
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve rapid7_insightvm.asset_vulnerability fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json b/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json
new file mode 100644
index 00000000000..024a23e3e7e
--- /dev/null
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json
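Review bot: `preserve_duplicate_custom_fields` declares no `default`, while its sibling boolean `preserve_original_event` sets `default: false`; adding `default: false` under `multi: false` keeps the two toggles consistent and gives the template a defined value instead of an unset one. The pipeline's `remove_custom_duplicate_fields` processor removes the copies whenever the `preserve_duplicate_custom_fields` tag is absent, so the effective behaviour is presumably already "off", but the manifest should state that rather than rely on it. `batch_size` is described as capped at 500 yet nothing in the manifest bounds the integer; if the API rejects or truncates larger values, either the `cel.yml.hbs` template (outside this hunk) should clamp it or the description should say what happens above 500, so a misconfiguration does not surface only as request errors.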
@@ -0,0 +1,207 @@ +{ + "@timestamp": "2025-05-27T18:21:36.279Z", + "agent": { + "ephemeral_id": "5b01a91a-b9d6-4c5a-bfd8-3f150d4ff3e5", + "id": "cc4f0351-6981-4455-8056-febadebbf0f2", + "name": "elastic-agent-52350", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "rapid7_insightvm.asset_vulnerability", + "namespace": "60884", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "cc4f0351-6981-4455-8056-febadebbf0f2", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "vulnerability" + ], + "created": "2025-05-12T16:25:35.000Z", + "dataset": "rapid7_insightvm.asset_vulnerability", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6|unix-anonymous-root-logins|2025-05-27T18:21:36.279Z", + "ingested": "2025-05-29T09:30:27Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight 
agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vuln\":{\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,UNIX\",\"check_id\":null,\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":7.9520000338554375,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:S/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \\\"su\\\" to become root.\",\"exploits\":[],\"first_found\":\"2025-05-12T16:25:35Z\",\"id\":\"unix-anonymous-root-logins\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":6.5,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"published\":\"2004-11-30T00:00:00Z\",\"references\":\"\",\"reintroduced\":null,\"risk_score\":562,\"severity\":\"severe\",\"severity_score\":7,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"title\":\"Anonymous root login is allowed\",\"vulnerability_id\":\"unix-anonymous-root-logins\"},\"vulnerability\":[{\"check_id\":null,\"first_found\":\"2025-05-12T16:25:35Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-anonymous-root-logins\"},{\"check_id\":null,\"first_found\":\"2025-05-14T13:52:10Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eThe following world writable files were found.\\u003cul\\u003e\\u003cli\\u003e/var/.com.zerog.registry.xml (-rwxrwxrwx)\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eFor each world-writable file, determine whether there is a good reason for\\n it to be world writable. If not, remove world write permissions for the file.\\n The output here is limited to 50 files. In order to find all of these files without needing to\\n run another Nexpose scan run the following command:\\u003c/p\\u003e\\u003cpre\\u003e find / -type f -perm -02\\u003c/pre\\u003e\\u003cp\\u003ePlease note; it may be necessary exclude particular paths or file share types, run \\u0026#39;man find\\u0026#39; for information.\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-world-writable-files\",\"solution_summary\":\"Remove world write permissions\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-world-writable-files\"}]}", + "severity": 7, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "computer-test", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "ip": [ + "10.50.5.112" + ], + "mac": [ + "00-00-5E-00-53-02" + ], + "name": "computer-test", + "os": { + "family": "Linux", + "full": "Red Hat Enterprise Linux 7.9", + "name": "Enterprise Linux", + "platform": "linux", + "type": "linux", + "version": "7.9" + }, + "risk": { + "static_score": 18250 + }, + 
"type": "guest" + }, + "input": { + "type": "cel" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 3, + "exploits": 0, + "host_name": "computer-test", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "ip": "10.50.5.112", + "last_assessed_for_vulnerabilities": "2025-05-27T18:21:36.279Z", + "last_scan_end": "2025-05-27T18:21:36.279Z", + "last_scan_start": "2025-05-27T18:20:41.505Z", + "mac": "00-00-5E-00-53-02", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Red Hat Enterprise Linux 7.9", + "family": "Linux", + "name": "Enterprise Linux", + "system_name": "Red Hat Linux", + "vendor": "Red Hat", + "version": "7.9" + }, + "risk_score": 18250, + "severe_vulnerabilities": 48, + "total_vulnerabilities": 52, + "type": "guest", + "unique_identifiers": [ + { + "id": "CEF12345-ABCD-1234-ABCD-95ABCDEF1234", + "source": "dmidecode" + }, + { + "id": "e80644e940123456789abcdef66a8b16", + "source": "R7 Agent" + } + ], + "vuln": { + "added": "2004-11-30T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "UNIX" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "single", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 7.9520000338554375, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 6.5, + "vector": "(AV:N/AC:L/Au:S/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "local", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 2.515145325, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 8.4, + "user_interaction": 
"none", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. On other tty or vc's root user will not be allowed and user has to \"su\" to become root.", + "first_found": "2025-05-12T16:25:35.000Z", + "id": "unix-anonymous-root-logins", + "last_found": "2025-05-27T18:21:36.279Z", + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 6.5, + "fail": true, + "severity_score": 4, + "status": "fail" + }, + "proof": "

Following entries in /etc/securetty \n may allow anonymous root logins:

", + "published": "2004-11-30T00:00:00.000Z", + "risk_score": 562, + "severity": "severe", + "severity_score": 7, + "solution": { + "fix": "

Remove all the entries in /etc/securetty except console,\n tty[0-9]* and vc\\[0-9]*

Note: ssh does not use /etc/securetty. To disable root login\n through ssh, use the "PermitRootLogin" setting in /etc/ssh/sshd_config\n and restart the ssh daemon.

", + "id": "unix-anonymous-root-logins", + "summary": "Edit '/etc/securetty' entries", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", + "title": "Anonymous root login is allowed" + } + } + }, + "related": { + "hosts": [ + "computer-test", + "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6" + ], + "ip": [ + "10.50.5.112" + ] + }, + "resource": { + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "name": "computer-test" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "rapid7_insightvm-asset_vulnerability" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "UNIX" + ], + "classification": "CVSS", + "description": "Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. On other tty or vc's root user will not be allowed and user has to \"su\" to become root.", + "enumeration": "CVE", + "published_date": "2004-11-30T00:00:00.000Z", + "scanner": { + "name": "e80644e940123456789abcdef66a8b16", + "vendor": "Rapid7" + }, + "score": { + "base": 8.4, + "version": "3.0" + }, + "severity": "High", + "title": "Anonymous root login is allowed" + } +} diff --git a/packages/rapid7_insightvm/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json b/packages/rapid7_insightvm/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json index 43719aa976c..453b97d8582 100644 --- a/packages/rapid7_insightvm/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json +++ b/packages/rapid7_insightvm/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json @@ -325,4 +325,4 @@ }, null ] -} \ No newline at end of file +} 
diff --git a/packages/rapid7_insightvm/manifest.yml b/packages/rapid7_insightvm/manifest.yml index f86fc252ee3..be63258622e 100644 --- a/packages/rapid7_insightvm/manifest.yml +++ b/packages/rapid7_insightvm/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: rapid7_insightvm title: Rapid7 InsightVM -version: "1.16.0" +version: "2.0.0" source: license: "Elastic-2.0" description: Collect logs from Rapid7 InsightVM with Elastic Agent. @@ -11,7 +11,7 @@ categories: - vulnerability_management conditions: kibana: - version: "^8.13.0 || ^9.0.0" + version: "^8.18.0 || ^9.0.0" elastic: subscription: "basic" screenshots: @@ -34,8 +34,8 @@ policy_templates: description: Collect Rapid7 InsightVM logs. inputs: - type: httpjson - title: Collect Rapid7 InsightVM logs via API - description: Collecting Rapid7 InsightVM via API. + title: Collect Rapid7 InsightVM logs via HTTPJSON + description: Collecting Rapid7 InsightVM via HTTPJSON. vars: - name: hostname type: text 
@@ -95,6 +95,62 @@ policy_templates: # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk # sxSmbIUfc2SGJGCJD4I= # -----END CERTIFICATE----- + - type: cel + title: Collect Rapid7 InsightVM logs via CEL + description: Collecting Rapid7 InsightVM logs via CEL. + vars: + - name: url + type: url + title: URL + description: URL for the Rapid7 InsightVM API (Add https:// before the hostname). Add a region of the Insight Platform to the URL. + default: https://.api.insight.rapid7.com + multi: false + required: true + show_user: true + - name: api_key + type: password + title: API Key + description: API Key to access Insight platform. + multi: false + required: true + show_user: true + secret: true + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- owner: github: elastic/security-service-integrations type: elastic From 1a45072cc8fdd9c731ddf1874302056fad73f8bd Mon Sep 17 00:00:00 2001 From: brijesh-elastic Date: Fri, 30 May 2025 11:25:16 +0530 Subject: [PATCH 02/19] add package.* mappings --- .../pipeline/test-asset-vulnerability.log | 14 + ...test-asset-vulnerability.log-expected.json | 3556 ++++++++++++++++- .../elasticsearch/ingest_pipeline/default.yml | 91 +- 3 files changed, 3643 insertions(+), 18 deletions(-) 
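Review bot: `proxy_url` is declared `type: text` without `secret: true`, yet its description instructs the operator to embed a username and password in the URL, so any proxy credential is stored and displayed unmasked in the agent policy and in any exported policy. `api_key` in the same hunk shows the intended pattern; mirror it with `type: password` and `secret: true` on `proxy_url`, or remove the credential guidance from the description if plaintext storage is accepted. The same `proxy_url` definition may exist in the httpjson input above this hunk, which would then be worth aligning in the same commit.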
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log index aea9dcbd927..df2eda72c7f 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log @@ -5,3 +5,17 @@ {"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vuln":{"check_id":"WINDOWS-HOTFIX-MS13-098-x64","first_found":"2025-05-13T07:25:34Z","key":"","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows 11 22H2

  • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Wintrust\\Config - key does not exist
    • EnableCertPaddingCheck - value does not exist

","protocol":null,"reintroduced":null,"solution_fix":"

Download and apply the patch from: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

","solution_id":"windows-hotfix-ms13-098","solution_summary":"Enable Certificate Padding Check for Windows Systems","solution_type":"patch","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms13-098","added":"2013-12-10T00:00:00Z","categories":"CISA KEV,Exploited in the Wild,Microsoft,Microsoft Patch,Microsoft Windows,Remote Execution","cves":"CVE-2013-3900","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"local","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":3.392575981616974,"cvss_v2_impact_score":6.870600273013115,"cvss_v2_integrity_impact":"complete","cvss_v2_score":4.7,"cvss_v2_vector":"(AV:L/AC:M/Au:N/C:N/I:C/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":1.8345765900000002,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":5.5,"cvss_v3_user_interaction":"required","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","denial_of_service":false,"description":"This vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. Note that this vulnerability was originally published by Microsoft as MS13-098, but has now been republished as CVE-2013-3900. 
Microsoft provides current information on the CVE-2013-3900 advisory.","exploits":[],"id":"windows-hotfix-ms13-098","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2013-3900","id":"CVE-2013-3900","source":"cve"},{"href":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900","id":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900","source":"url"}],"malware_kits":[],"modified":"2025-04-22T00:00:00Z","pci_cvss_score":4.7,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"2013-12-10T00:00:00Z","references":"cve:CVE-2013-3900,url:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900","risk_score":450,"severity":"severe","severity_score":5,"title":"CVE-2013-3900: MS13-098: Vulnerability in Windows Could Allow Remote Code Execution"}} {"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":3,"exploits":0,"host_name":"computer-test","id":"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6","ip":"10.50.5.112","last_assessed_for_vulnerabilities":"2025-05-27T18:21:36.279Z","last_scan_end":"2025-05-27T18:21:36.279Z","last_scan_start":"2025-05-27T18:20:41.505Z","mac":"00:00:5E:00:53:02","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Red Hat Enterprise Linux 7.9","os_family":"Linux","os_name":"Enterprise Linux","os_system_name":"Red Hat Linux","os_type":"","os_vendor":"Red Hat","os_version":"7.9","risk_score":18250,"severe_vulnerabilities":48,"tags":[{"name":"Ahmedabad","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":52,"type":"guest","unique_identifiers":[{"id":"CEF12345-ABCD-1234-ABCD-95ABCDEF1234","source":"dmidecode"},{"id":"e80644e940123456789abcdef66a8b16","source":"R7 
Agent"}],"vuln":{"check_id":null,"first_found":"2025-05-12T16:25:35Z","key":"","last_found":"2025-05-27T18:21:36.279Z","nic":null,"port":null,"proof":"

Following entries in /etc/securetty \n may allow anonymous root logins:

  • ttyS0
  • ttysclp0
  • sclp_line0
  • 3270/tty1
  • hvc0
  • hvc1
  • hvc2
  • hvc3
  • hvc4
  • hvc5
  • hvc6
  • hvc7
  • hvsi0
  • hvsi1
  • hvsi2
  • xvc0

","protocol":null,"reintroduced":null,"solution_fix":"

Remove all the entries in /etc/securetty except console,\n tty[0-9]* and vc\\[0-9]*

Note: ssh does not use /etc/securetty. To disable root login\n through ssh, use the "PermitRootLogin" setting in /etc/ssh/sshd_config\n and restart the ssh daemon.

","solution_id":"unix-anonymous-root-logins","solution_summary":"Edit '/etc/securetty' entries","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"unix-anonymous-root-logins","added":"2004-11-30T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,UNIX","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"single","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":7.9520000338554375,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.5,"cvss_v2_vector":"(AV:N/AC:L/Au:S/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \"su\" to become root.","exploits":[],"id":"unix-anonymous-root-logins","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.5,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2004-11-30T00:00:00Z","references":"","risk_score":562,"severity":"severe","severity_score":7,"title":"Anonymous root login is allowed"}} {"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":3,"exploits":0,"host_name":"computer-test","id":"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6","ip":"10.50.5.112","last_assessed_for_vulnerabilities":"2025-05-27T18:21:36.279Z","last_scan_end":"2025-05-27T18:21:36.279Z","last_scan_start":"2025-05-27T18:20:41.505Z","mac":"00:00:5E:00:53:02","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Red Hat Enterprise Linux 7.9","os_family":"Linux","os_name":"Enterprise Linux","os_system_name":"Red Hat Linux","os_type":"","os_vendor":"Red Hat","os_version":"7.9","risk_score":18250,"severe_vulnerabilities":48,"tags":[{"name":"Ahmedabad","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":52,"type":"guest","unique_identifiers":[{"id":"CEF12345-ABCD-1234-ABCD-95ABCDEF1234","source":"dmidecode"},{"id":"e80644e940123456789abcdef66a8b16","source":"R7 Agent"}],"vuln":{"check_id":null,"first_found":"2025-05-14T13:52:10Z","key":"","last_found":"2025-05-27T18:21:36.279Z","nic":null,"port":null,"proof":"

The following world writable files were found.

  • /var/.com.zerog.registry.xml (-rwxrwxrwx)

","protocol":null,"reintroduced":null,"solution_fix":"

For each world-writable file, determine whether there is a good reason for\n it to be world writable. If not, remove world write permissions for the file.\n The output here is limited to 50 files. In order to find all of these files without needing to\n run another Nexpose scan run the following command:

 find / -type f -perm -02

Please note; it may be necessary exclude particular paths or file share types, run 'man find' for information.

","solution_id":"unix-world-writable-files","solution_summary":"Remove world write permissions","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"unix-world-writable-files","added":"2005-01-15T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,UNIX","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"local","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":3.948735978603363,"cvss_v2_impact_score":4.938243839970231,"cvss_v2_integrity_impact":"partial","cvss_v2_score":3.6,"cvss_v2_vector":"(AV:L/AC:L/Au:N/C:P/I:P/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"low","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":1.4123999999999999,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","denial_of_service":false,"description":"World writable files were found on the system. 
A file that can be written by any user on the system could be a serious security flaw.","exploits":[],"id":"unix-world-writable-files","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":3.6,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"","pci_status":"pass","published":"2005-01-15T00:00:00Z","references":"","risk_score":268,"severity":"severe","severity_score":4,"title":"World writable files exist"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2020-07-23T20:11:10Z","key":"Debian Linux 8.0","last_found":"2020-07-23T20:11:10.304Z","nic":null,"port":null,"proof":"

Vulnerable OS: Debian Linux 8.0

","protocol":null,"reintroduced":null,"solution_fix":"

\n See the Debian 9 release notes for instructions on upgrading to Debian GNU/Linux 9, alias "stretch".\n

","solution_id":"debian-upgrade-to-stretch","solution_summary":"Upgrade to Debian GNU/Linux 9 or later","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"debian-obsolete","added":"2013-01-29T00:00:00Z","categories":"Debian Linux,Obsolete OS,Obsolete Software","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":6.0477304915445185,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"changed","cvss_v3_score":10,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","denial_of_service":false,"description":"Debian terminated support for Debian GNU/Linux 9 \"stretch\" on Jun 30, 2022. All Debian versions prior to 10.0 \"buster\" may have unpatched security vulnerabilities.","exploits":[],"id":"debian-obsolete","links":[{"href":"https://wiki.debian.org/LTS","id":"https://wiki.debian.org/LTS","source":"url"}],"malware_kits":[],"modified":"2025-03-28T00:00:00Z","pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"This operating system version is no longer supported by the vendor, and results in an automatic failure. 
","pci_status":"fail","published":"2006-06-30T00:00:00Z","references":"url:https://wiki.debian.org/LTS","risk_score":911.42,"severity":"critical","severity_score":10,"title":"Obsolete Debian GNU/Linux Version"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2018-11-25T09:20:27Z","key":"","last_found":"2023-05-23T18:16:30.836Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows Server 2003 SP1

Server responded with vulnerable error code: 2 and class: 1

","protocol":null,"reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms06-035","solution_summary":"The solution is unknown for vuln windows-hotfix-ms06-035","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms06-035","added":"2006-07-12T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","cves":"CVE-2006-1314,CVE-2006-1315","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":7.5,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.83525473,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"low","cvss_v3_scope":"unchanged","cvss_v3_score":6.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","denial_of_service":false,"description":"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.","exploits":[{"description":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","id":"2057","name":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a kernel pool corruption bug in SRV.SYS. 
Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).","id":"auxiliary/dos/windows/smb/ms06_035_mailslot","name":"Microsoft SRV.SYS Mailslot Write Corruption","rank":"normal","skill_level":"intermediate","source":"metasploit"}],"id":"windows-hotfix-ms06-035","links":[{"href":"http://www.kb.cert.org/vuls/id/189140","id":"189140","source":"cert-vn"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818","id":"win-mailslot-bo(26818)","source":"xf"},{"href":"http://www.securityfocus.com/bid/18863","id":"18863","source":"bid"},{"href":"https://support.microsoft.com/en-us/kb/917159","id":"KB917159","source":"mskb"},{"href":"http://www.us-cert.gov/cas/techalerts/TA06-192A.html","id":"TA06-192A","source":"cert"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1314","id":"CVE-2006-1314","source":"cve"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1315","id":"CVE-2006-1315","source":"cve"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3","id":"3","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600","id":"600","source":"oval"},{"href":"http://www.osvdb.org/27155","id":"27155","source":"osvdb"},{"href":"http://www.osvdb.org/27154","id":"27154","source":"osvdb"},{"href":"http://technet.microsoft.com/security/bulletin/MS06-035","id":"MS06-035","source":"ms"},{"href":"http://www.securityfocus.com/bid/18891","id":"18891","source":"bid"},{"href":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","id":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","source":"url"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilit
ies/26820","id":"win-smb-information-disclosure(26820)","source":"xf"},{"href":"http://www.kb.cert.org/vuls/id/333636","id":"333636","source":"cert-vn"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":7.5,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2006-07-11T00:00:00Z","references":"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)","risk_score":756.57,"severity":"critical","severity_score":8,"title":"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2018-11-25T09:20:27Z","key":"","last_found":"2023-05-23T18:16:30.836Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows Server 2003 SP1

Based on the result of the "dcerpc-ms-netapi-netpathcanonicalize-dos" test, this node is applicable to this issue.

","protocol":null,"reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms06-035","solution_summary":"The solution is unknown for vuln windows-hotfix-ms06-035","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms06-035","added":"2006-07-12T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","cves":"CVE-2006-1314,CVE-2006-1315","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":7.5,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.83525473,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"low","cvss_v3_scope":"unchanged","cvss_v3_score":6.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","denial_of_service":false,"description":"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.","exploits":[{"description":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","id":"2057","name":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a kernel pool corruption bug in SRV.SYS. 
Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).","id":"auxiliary/dos/windows/smb/ms06_035_mailslot","name":"Microsoft SRV.SYS Mailslot Write Corruption","rank":"normal","skill_level":"intermediate","source":"metasploit"}],"id":"windows-hotfix-ms06-035","links":[{"href":"http://www.kb.cert.org/vuls/id/189140","id":"189140","source":"cert-vn"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818","id":"win-mailslot-bo(26818)","source":"xf"},{"href":"http://www.securityfocus.com/bid/18863","id":"18863","source":"bid"},{"href":"https://support.microsoft.com/en-us/kb/917159","id":"KB917159","source":"mskb"},{"href":"http://www.us-cert.gov/cas/techalerts/TA06-192A.html","id":"TA06-192A","source":"cert"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1314","id":"CVE-2006-1314","source":"cve"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1315","id":"CVE-2006-1315","source":"cve"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3","id":"3","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600","id":"600","source":"oval"},{"href":"http://www.osvdb.org/27155","id":"27155","source":"osvdb"},{"href":"http://www.osvdb.org/27154","id":"27154","source":"osvdb"},{"href":"http://technet.microsoft.com/security/bulletin/MS06-035","id":"MS06-035","source":"ms"},{"href":"http://www.securityfocus.com/bid/18891","id":"18891","source":"bid"},{"href":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","id":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","source":"url"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilit
ies/26820","id":"win-smb-information-disclosure(26820)","source":"xf"},{"href":"http://www.kb.cert.org/vuls/id/333636","id":"333636","source":"cert-vn"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":7.5,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2006-07-11T00:00:00Z","references":"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)","risk_score":756.57,"severity":"critical","severity_score":8,"title":"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 
Agent"}],"vuln":{"check_id":"msft-cve-2022-37967-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc","first_found":"2022-12-23T18:40:29Z","key":"","last_found":"2023-06-23T17:29:23.453Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1

Based on the following 2 results:

    • Found an applicable package: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages\\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.
      • HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\Winners\\amd64_Microsoft-Windows-Audio-DMusic_31bf3856ad364e35_none_6ddb350169ebdb56 - key exists
      • The above CBS component is currently version 6.1.7600.16385, expected version 6.1.7601.26262 or higher
      • 2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288) is applicable for this CBS component

    • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
      • UBR - contains 24443

","protocol":null,"reintroduced":null,"solution_fix":"

Download and apply the patch from: https://support.microsoft.com/kb/5021288

","solution_id":"msft-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc","solution_summary":"2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288)","solution_type":"patch","status":"VULNERABLE_EXPL","vulnerability_id":"msft-cve-2022-37967","added":"2022-11-08T00:00:00Z","categories":"Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation","cves":"CVE-2022-37967","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"multiple","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":6.389999830722808,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":8.3,"cvss_v2_vector":"(AV:N/AC:L/Au:M/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":1.2347077050000002,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"high","cvss_v3_scope":"unchanged","cvss_v3_score":7.2,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Windows Kerberos Elevation of Privilege 
Vulnerability.","exploits":[],"id":"msft-cve-2022-37967","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2022-37967","id":"CVE-2022-37967","source":"cve"},{"href":"https://support.microsoft.com/help/5031364","id":"https://support.microsoft.com/help/5031364","source":"url"},{"href":"https://support.microsoft.com/help/5031362","id":"https://support.microsoft.com/help/5031362","source":"url"},{"href":"https://support.microsoft.com/help/5031361","id":"https://support.microsoft.com/help/5031361","source":"url"},{"href":"https://support.microsoft.com/help/5031407","id":"https://support.microsoft.com/help/5031407","source":"url"},{"href":"https://support.microsoft.com/help/5031419","id":"https://support.microsoft.com/help/5031419","source":"url"},{"href":"https://support.microsoft.com/help/5031427","id":"https://support.microsoft.com/help/5031427","source":"url"}],"malware_kits":[],"modified":"2024-09-06T00:00:00Z","pci_cvss_score":8.3,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2022-11-08T00:00:00Z","references":"cve:CVE-2022-37967,url:https://support.microsoft.com/help/5031361,url:https://support.microsoft.com/help/5031362,url:https://support.microsoft.com/help/5031364,url:https://support.microsoft.com/help/5031407,url:https://support.microsoft.com/help/5031419,url:https://support.microsoft.com/help/5031427","risk_score":434.28,"severity":"critical","severity_score":8,"title":"Microsoft Windows: CVE-2022-37967: Windows Kerberos Elevation of Privilege Vulnerability"}} 
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vuln":{"check_id":null,"first_found":"2022-12-23T18:40:29Z","key":"","last_found":"2023-06-23T17:29:23.453Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1

Based on the following 4 results:

  1. Based on the following 2 results:

      • HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender - key does not exist

      • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender
        • DisableAntiSpyware - contains 0

    • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates
      • EngineVersion - contains 1.1.9203.0

    • HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SepMasterService - key does not exist
      • Start - value does not exist

    • HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\MsMpSvc - key does not exist
      • Start - value does not exist

","protocol":null,"reintroduced":null,"solution_fix":"

Verify that the latest version of the Microsoft Malware Protection Engine\nand definition updates are being actively downloaded and installed for their Microsoft antimalware products.\nFor more information on how to verify the version number for the Microsoft Malware Protection Engine that your\nsoftware is currently using, see the section Verifying Update Installation\nin Microsoft Knowledge Base Article 2510781 https://support.microsoft.com/kb/2510781

","solution_id":"windows-defender-upgrade-latest","solution_summary":"Upgrade Microsoft Defender to the latest version.","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-defender-cve-2022-24548","added":"2022-04-14T00:00:00Z","categories":"Denial of Service,Microsoft Windows Defender","cves":"CVE-2022-24548","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":2.862749751806259,"cvss_v2_integrity_impact":"none","cvss_v2_score":4.3,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:N/I:N/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":1.8345765900000002,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":5.5,"cvss_v3_user_interaction":"required","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","denial_of_service":true,"description":"Microsoft Defender Denial of Service Vulnerability","exploits":[],"id":"windows-defender-cve-2022-24548","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2022-24548","id":"CVE-2022-24548","source":"cve"},{"href":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548","id":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548","source":"url"}],"malware_kits":[],"modified":"2023-12-13T00:00:00Z","pci_cvss_score":4.3,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. 
","pci_status":"pass","published":"2022-04-14T00:00:00Z","references":"cve:CVE-2022-24548,url:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548","risk_score":124.28,"severity":"severe","severity_score":4,"title":"Microsoft Defender Denial of Service Vulnerability (CVE-2022-24548)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vuln":{"check_id":null,"first_found":"2018-11-25T09:10:10Z","key":"","last_found":"2019-02-14T21:39:25.312Z","nic":null,"port":445,"proof":"

Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition SP2

System replied with a malformed SMB packet

","protocol":"TCP","reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms09-050","solution_summary":"The solution is unknown for vuln windows-hotfix-ms09-050","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms09-050","added":"2009-10-13T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","cves":"CVE-2009-2526,CVE-2009-2532,CVE-2009-3103","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":9.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.","exploits":[{"description":"Microsoft Windows 7/2008 R2 - Remote Kernel Crash","id":"10005","name":"Microsoft Windows 7/2008 R2 - Remote Kernel Crash","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.","id":"auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff","name":"Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference","rank":"normal","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)","id":"40280","name":"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service","id":"12524","name":"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\n without SP1 does not seem affected by this flaw.","id":"exploit/windows/smb/ms09_050_smb2_negotiate_func_index","name":"MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference","rank":"good","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)","id":"14674","name":"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.","id":"auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh","name":"Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference","rank":"normal","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)","id":"9594","name":"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death 
(MS07-063)","rank":"average","skill_level":"expert","source":"exploitdb"}],"id":"windows-hotfix-ms09-050","links":[{"href":"http://www.us-cert.gov/cas/techalerts/TA09-286A.html","id":"TA09-286A","source":"cert"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489","id":"6489","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336","id":"6336","source":"oval"},{"href":"http://www.securityfocus.com/bid/36299","id":"36299","source":"bid"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595","id":"5595","source":"oval"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-2526","id":"CVE-2009-2526","source":"cve"},{"href":"http://technet.microsoft.com/security/bulletin/MS09-050","id":"MS09-050","source":"ms"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-3103","id":"CVE-2009-3103","source":"cve"},{"href":"http://www.kb.cert.org/vuls/id/135940","id":"135940","source":"cert-vn"},{"href":"https://support.microsoft.com/en-us/kb/975517","id":"KB975517","source":"mskb"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-2532","id":"CVE-2009-2532","source":"cve"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/53090","id":"53090","source":"xf"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2009-10-13T00:00:00Z","references":"cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A","risk_score":914.2,"severity":"critical","severity_score":10,"title":"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)"}} 
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2021-02-23T18:39:30Z","key":"","last_found":"2022-04-23T18:04:36.094Z","nic":null,"port":null,"proof":"

Vulnerable OS: CentOS Linux 7.6.1810

  • mariadb-libs - version 1:5.5.60-1.el7_5 is installed

","protocol":null,"reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-centos_linux-cve-2020-2574","solution_summary":"The solution is unknown for vuln centos_linux-cve-2020-2574","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"centos_linux-cve-2020-2574","added":"2020-09-15T00:00:00Z","categories":"CentOS","cves":"CVE-2020-2574","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":2.862749751806259,"cvss_v2_integrity_impact":"none","cvss_v2_score":4.3,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:N/I:N/A:P)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":5.9,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","denial_of_service":true,"description":"Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).","exploits":[],"id":"centos_linux-cve-2020-2574","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2020-2574","id":"CVE-2020-2574","source":"nvd"}],"malware_kits":[],"modified":"2023-05-25T00:00:00Z","pci_cvss_score":4.3,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. ","pci_status":"pass","published":"2020-01-15T00:00:00Z","references":"nvd:CVE-2020-2574","risk_score":150.88,"severity":"severe","severity_score":4,"title":"CentOS Linux: CVE-2020-2574: Important: mysql:8.0 security update (Multiple Advisories)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vuln":{"check_id":null,"first_found":"2021-03-23T21:18:51Z","key":"","last_found":"2023-06-23T19:16:12.895Z","nic":null,"port":445,"proof":"

Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition

\\BROWSER: WriteAndX succeeded with offset 77

","protocol":"TCP","reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms09-001","solution_summary":"The solution is unknown for vuln windows-hotfix-ms09-001","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms09-001","added":"2009-10-13T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","cves":"CVE-2009-2526,CVE-2009-2532,CVE-2009-3103","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":9.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.","exploits":[{"description":"Microsoft Windows 7/2008 R2 - Remote Kernel Crash","id":"10005","name":"Microsoft Windows 7/2008 R2 - Remote Kernel Crash","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.","id":"auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff","name":"Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference","rank":"normal","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)","id":"40280","name":"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service","id":"12524","name":"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\n without SP1 does not seem affected by this flaw.","id":"exploit/windows/smb/ms09_050_smb2_negotiate_func_index","name":"MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference","rank":"good","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)","id":"14674","name":"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.","id":"auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh","name":"Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference","rank":"normal","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)","id":"9594","name":"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death 
(MS07-063)","rank":"average","skill_level":"expert","source":"exploitdb"}],"id":"windows-hotfix-ms09-050","links":[{"href":"http://www.us-cert.gov/cas/techalerts/TA09-286A.html","id":"TA09-286A","source":"cert"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489","id":"6489","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336","id":"6336","source":"oval"},{"href":"http://www.securityfocus.com/bid/36299","id":"36299","source":"bid"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595","id":"5595","source":"oval"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-2526","id":"CVE-2009-2526","source":"cve"},{"href":"http://technet.microsoft.com/security/bulletin/MS09-050","id":"MS09-050","source":"ms"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-3103","id":"CVE-2009-3103","source":"cve"},{"href":"http://www.kb.cert.org/vuls/id/135940","id":"135940","source":"cert-vn"},{"href":"https://support.microsoft.com/en-us/kb/975517","id":"KB975517","source":"mskb"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-2532","id":"CVE-2009-2532","source":"cve"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/53090","id":"53090","source":"xf"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2009-10-13T00:00:00Z","references":"cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A","risk_score":914.2,"severity":"critical","severity_score":10,"title":"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)"}} 
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2018-11-25T09:16:57Z","key":"","last_found":"2022-02-23T20:10:02.535Z","nic":null,"port":53,"proof":"

Vulnerable OS: Debian Linux 6.0

  • Running DNS service
  • Product BIND exists -- ISC BIND 9.7.3
  • Vulnerable version of product BIND found -- ISC BIND 9.7.3

","protocol":"TCP","reintroduced":null,"solution_fix":"

\n More information about upgrading your version of ISC BIND is available on the ISC website.\n

","solution_id":"upgrade-isc-bind-latest","solution_summary":"Upgrade ISC BIND to latest version","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"dns-bind-cve-2015-4620","added":"2015-10-27T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,DNS,Denial of Service,ISC,ISC BIND","cves":"CVE-2015-4620","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.870600273013115,"cvss_v2_integrity_impact":"none","cvss_v2_score":7.8,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:N/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","denial_of_service":true,"description":"name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.","exploits":[],"id":"dns-bind-cve-2015-4620","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2015-4620","id":"CVE-2015-4620","source":"cve"},{"href":"https://kb.isc.org/article/AA-01267/0","id":"https://kb.isc.org/article/AA-01267/0","source":"url"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":7.8,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. 
","pci_status":"pass","published":"2015-07-08T00:00:00Z","references":"cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0","risk_score":334.11,"severity":"critical","severity_score":8,"title":"ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2023-03-23T19:23:01Z","key":"","last_found":"2023-06-23T19:36:17.715Z","nic":null,"port":445,"proof":"

  • Running CIFS service
  • Configuration item smb2-enabled set to 'true' matched
  • Configuration item smb2-signing set to 'enabled' matched

","protocol":"TCP","reintroduced":null,"solution_fix":"

\n Configure the system to enable or require SMB signing as appropriate.\n The method and effect of doing this is system specific so please see\n this Microsoft article for\n details. Note: ensure that SMB signing configuration is done for \n incoming connections (Server).\n

","solution_id":"cifs-smb-signing-windows","solution_summary":"Configure SMB signing for Windows","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"cifs-smb2-signing-not-required","added":"2015-10-27T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,DNS,Denial of Service,ISC,ISC BIND","cves":"CVE-2015-4620","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.870600273013115,"cvss_v2_integrity_impact":"none","cvss_v2_score":7.8,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:N/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","denial_of_service":true,"description":"name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.","exploits":[],"id":"dns-bind-cve-2015-4620","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2015-4620","id":"CVE-2015-4620","source":"cve"},{"href":"https://kb.isc.org/article/AA-01267/0","id":"https://kb.isc.org/article/AA-01267/0","source":"url"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":7.8,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. 
","pci_status":"pass","published":"2015-07-08T00:00:00Z","references":"cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0","risk_score":334.11,"severity":"critical","severity_score":8,"title":"ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2022-12-23T19:25:13Z","key":"VMware ESX Server 4.0.0 GA","last_found":"2023-06-23T18:08:29.154Z","nic":null,"port":null,"proof":"

Vulnerable OS: VMware ESX Server 4.0.0 GA

  • The property "build" contains: 164009.

","protocol":null,"reintroduced":null,"solution_fix":"

Download and apply the upgrade from: https://knowledge.broadcom.com/external/article?articleNumber=142814

","solution_id":"vmware-esx-upgrade-latest","solution_summary":"Upgrade VMware ESX to the latest version","solution_type":"rollup","status":"VULNERABLE_VERS","vulnerability_id":"vmsa-2012-0013-cve-2012-0815","added":"2012-09-17T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Denial of Service,IAVM,Remote Execution,VMware,VMware ESX/ESXi","cves":"CVE-2012-0815","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range 
comparison.","exploits":[],"id":"vmsa-2012-0013-cve-2012-0815","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2012-0815","id":"CVE-2012-0815","source":"cve"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"V0033884","source":"disa_vmskey"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"2012-A-0153","source":"iavm"},{"href":"http://www.vmware.com/security/advisories/VMSA-2012-0013.html","id":"http://www.vmware.com/security/advisories/VMSA-2012-0013.html","source":"url"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"Category I","source":"disa_severity"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"2012-A-0148","source":"iavm"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"V0033794","source":"disa_vmskey"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2012-06-04T00:00:00Z","references":"iavm:2012-A-0148,iavm:2012-A-0153,cve:CVE-2012-0815,disa_severity:Category I,disa_vmskey:V0033794,disa_vmskey:V0033884,url:http://www.vmware.com/security/advisories/VMSA-2012-0013.html","risk_score":716.99,"severity":"severe","severity_score":7,"title":"VMSA-2012-0013: Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS (CVE-2012-0815)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu 
Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2022-12-23T18:54:08Z","key":"","last_found":"2023-06-23T17:40:02.211Z","nic":null,"port":null,"proof":"

Vulnerable software installed: Wordpress 3.0

","protocol":null,"reintroduced":null,"solution_fix":"

\n Upgrade to the latest version of Wordpress from https://wordpress.org/download/release-archive/

","solution_id":"wordpress-upgrade-latest","solution_summary":"Upgrade to the latest version of Wordpress","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"wordpress-cve-2015-5731","added":"2017-05-16T00:00:00Z","categories":"CSRF,CVSS Score Predicted with Rapid7 AI,Denial of Service,WordPress","cves":"CVE-2015-5731","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":2.8352547300000004,"cvss_v3_impact_score":5.177088,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.1,"cvss_v3_user_interaction":"required","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H","denial_of_service":false,"description":"Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action.","exploits":[],"id":"wordpress-cve-2015-5731","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2015-5731","id":"CVE-2015-5731","source":"cve"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2015-11-09T00:00:00Z","references":"cve:CVE-2015-5731","risk_score":676.67,"severity":"severe","severity_score":7,"title":"Wordpress: CVE-2015-5731: Cross-Site Request Forgery (CSRF)"}} 
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2022-12-23T18:55:39Z","key":"","last_found":"2023-06-23T17:41:50.071Z","nic":null,"port":80,"proof":"

  • Running HTTP service
  • Vulnerable version of component PHP found -- PHP 5.4.16

","protocol":"TCP","reintroduced":null,"solution_fix":"

Download and apply the upgrade from: http://www.php.net/downloads.php

","solution_id":"php-upgrade-latest","solution_summary":"Upgrade to the latest version of PHP","solution_type":"rollup","status":"VULNERABLE_VERS","vulnerability_id":"php-cve-2016-3171","added":"2019-09-30T00:00:00Z","categories":"HTTP,PHP,Remote Execution","cves":"CVE-2016-3171","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.1,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.","exploits":[],"id":"php-cve-2016-3171","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2016-3171","id":"CVE-2016-3171","source":"cve"}],"malware_kits":[],"modified":"2024-11-27T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2016-04-12T00:00:00Z","references":"cve:CVE-2016-3171","risk_score":669.57,"severity":"severe","severity_score":7,"title":"PHP Vulnerability: CVE-2016-3171"}} 
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":161,"protocol":"UDP","status":"NO_CREDS_SUPPLIED"},{"port":161,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":9,"exploits":5,"host_name":"BIG-IP-16-1-0.dev.test.rapid7.com","id":"12123455-abcd-5678-1234-01234567890e-default-asset-4123","ip":"175.16.199.1","last_assessed_for_vulnerabilities":"2024-06-23T17:54:28.107Z","last_scan_end":"2024-06-23T17:54:28.107Z","last_scan_start":"2024-06-23T17:44:15.351Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":10,"new":[],"os_architecture":"","os_description":"F5 BIG-IP 16.1.0.0","os_family":"BIG-IP","os_name":"BIG-IP","os_system_name":"F5 BIG-IP","os_type":"Network management device","os_vendor":"F5","os_version":"16.1.0.0","remediated":[],"risk_score":35804.71185,"vuln":{"check_id":null,"first_found":"2022-05-23T19:03:38Z","key":"F5 BIG-IP 16.1.0.0","last_found":"2024-06-23T17:54:28.107Z","nic":null,"port":null,"proof":"

Vulnerable OS: F5 BIG-IP 16.1.0.0

  • The property "ltm" contains: true.

","protocol":null,"reintroduced":null,"solution_fix":"

\n Upgrade to the latest available version of F5 BIG-IP. Refer to BIG-IP Hotfix Matrix for the latest hotfix information.\n

","solution_id":"f5-big-ip-upgrade-latest","solution_summary":"Upgrade to the latest available version of F5 BIG-IP","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"f5-big-ip-cve-2017-7656","added":"2022-04-20T00:00:00Z","categories":"F5,F5 BIG-IP,Web","cves":"CVE-2017-7656","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":2.8627500620484354,"cvss_v2_integrity_impact":"partial","cvss_v2_score":5,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:P/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","denial_of_service":false,"description":"In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. 
This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.","exploits":[],"id":"f5-big-ip-cve-2017-7656","links":[{"href":"https://my.f5.com/manage/s/article/K21054458","id":"https://my.f5.com/manage/s/article/K21054458","source":"url"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2017-7656","id":"CVE-2017-7656","source":"cve"}],"malware_kits":[],"modified":"2024-12-06T00:00:00Z","pci_cvss_score":5,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"2018-06-26T00:00:00Z","references":"cve:CVE-2017-7656,url:https://my.f5.com/manage/s/article/K21054458","risk_score":229.89,"severity":"severe","severity_score":5,"title":"F5 Networks: CVE-2017-7656: K21054458: Eclipse Jetty vulnerability CVE-2017-7656"},"severe_vulnerabilities":94,"tags":[{"name":"snow_test","type":"CUSTOM"},{"name":"all_assets2","type":"CUSTOM"},{"name":"all_assets","type":"CUSTOM"},{"name":"my tag test","type":"CUSTOM"},{"name":"lab","type":"SITE"}],"total_vulnerabilities":113,"type":"guest","unique_identifiers":[]}
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json
index 620fc66f9c2..d2d1f2b9bd7 100644
--- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json
@@ -46,6 +46,11 @@
 "product": "Rapid7 InsightVM",
 "vendor": "Rapid7"
 },
+ "package": {
+ "fixed_version": "latest",
+ "name": "Ubuntu Linux 22.04",
+ "version": "Ubuntu Linux 22.04"
+ },
 "rapid7_insightvm": {
 "asset_vulnerability": {
 "assessed_for_policies": false,
@@ -150,14 +155,14 @@
 "severity_score": 3,
 "status": "fail"
 },
- "proof": "
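Review bot: The new `package` object in the `@@ -46` hunk fills `package.name` and `package.version` with the same OS string, `"Ubuntu Linux 22.04"`, so neither field names the vulnerable software; the same record's `proof` in the next hunk identifies it as `Azul Systems JRE 17.54.22`, which is what a consumer of `package.*` would expect to find there. `"fixed_version": "latest"` is a sentinel rather than a version and cannot be compared with `package.version`. This file is the pipeline test oracle, so the mapping itself presumably sits in the data stream's ingest pipeline, which this chunk does not show; I would revisit that mapping (or leave `package.*` unset when the source reports no package) and regenerate the expected output rather than lock the current values in here.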

Vulnerable OS: Ubuntu Linux 22.04

Vulnerable software installed: Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)

", + "proof": "Vulnerable OS: Ubuntu Linux 22.04\n\n\n\nVulnerable software installed: Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)", "published": "2025-01-21T00:00:00.000Z", "references": "cve:CVE-2025-21502,url:https://www.azul.com/downloads/", "risk_score": 321.0, "severity": "low", "severity_score": 4, "solution": { - "fix": "

\n Download and upgrade to the latest version of Azul Zulu from here.

", + "fix": "Download and upgrade to the latest version of Azul Zulu from here.", "id": "azul-zulu-upgrade-latest", "summary": "Upgrade Azul Zulu to the latest version", "type": "workaround" @@ -346,13 +351,13 @@ "severity_score": 3, "status": "fail" }, - "proof": "
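Review bot: The stripped `solution.fix` strings lose information the vendor text carried: here `from here.` is left with no target once the anchor is removed, and in the `@@ -346,13 +351,13 @@` hunk the GRUB instructions become `password \n` and `password --md5 \n` because the `<password>` and `<encryptedpassword>` placeholders were presumably treated as tags by the HTML stripping step. The URL in this hunk is still recoverable from `references`, but the GRUB placeholders are gone from the event entirely, so the stored remediation text no longer says where the value goes. The stripping happens in the ingest pipeline, outside this file; there it would be worth preserving `<...>` placeholders (for example by escaping them before stripping), collapsing the `\n\n\n\n` runs left where tags were, and trimming values such as `" Enable GRUB password "`. Until that changes, these expected values simply record the loss.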

Grub config with no password found.

  • Vulnerable file: /boot/grub/grub.cfg

", + "proof": "Grub config with no password found.\n\nVulnerable file: /boot/grub/grub.cfg", "published": "1999-01-01T00:00:00.000Z", "risk_score": 515.0, "severity": "critical", "severity_score": 5, "solution": { - "fix": "

Set a password in the GRUB configuration file. This\n is often located in one of several locations, but can really be\n anywhere:

\n          /etc/grub.conf\n          /boot/grub/grub.conf\n          /boot/grub/grub.cfg\n          /boot/grub/menu.lst\n        

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file\n and add the following line before the first uncommented line:

   password <password>

To set an encrypted password, run grub-md5-crypt and use its\n output when adding the following line before the first\n uncommented line:

   password --md5 <encryptedpassword>

For either approach, choose an appropriately strong password.

", + "fix": "Set a password in the GRUB configuration file. This\n is often located in one of several locations, but can really be\n anywhere:\n\n\n /etc/grub.conf\n /boot/grub/grub.conf\n /boot/grub/grub.cfg\n /boot/grub/menu.lst\n \n\nFor all files mentioned above ensure that a password is set or that the files do not exist.\n\nTo set a plain-text password, edit your GRUB configuration file\n and add the following line before the first uncommented line:\n\n password \n\nTo set an encrypted password, run grub-md5-crypt and use its\n output when adding the following line before the first\n uncommented line:\n\n password --md5 \n\nFor either approach, choose an appropriately strong password.", "id": "linux-grub-missing-passwd", "summary": " Enable GRUB password ", "type": "workaround" @@ -531,14 +536,14 @@ "status": "fail" }, "port": 3389, - "proof": "

The subject common name found in the X.509 certificate does not seem to match the scan target:

  • Subject CN Win11-50-13-52.testad.local does not match target name specified in the site.

", + "proof": "The subject common name found in the X.509 certificate does not seem to match the scan target:\n\nSubject CN Win11-50-13-52.testad.local does not match target name specified in the site.", "protocol": "TCP", "published": "2007-08-03T00:00:00.000Z", "risk_score": 495.0, "severity": "none", "severity_score": 6, "solution": { - "fix": "

\n The subject's common name (CN) field in the X.509 certificate should be fixed\nto reflect the name of the entity presenting the certificate (e.g., the\nhostname). This is done by generating a new certificate usually signed by a\nCertification Authority (CA) trusted by both the client and server.\n

", + "fix": "The subject's common name (CN) field in the X.509 certificate should be fixed\nto reflect the name of the entity presenting the certificate (e.g., the\nhostname). This is done by generating a new certificate usually signed by a\nCertification Authority (CA) trusted by both the client and server.", "id": "certificate-common-name-mismatch", "summary": "Fix the subject's Common Name (CN) field in the certificate", "type": "workaround" @@ -633,6 +638,10 @@ "product": "Rapid7 InsightVM", "vendor": "Rapid7" }, + "package": { + "name": "Microsoft Windows 11 22H2", + "version": "Microsoft Windows 11 22H2" + }, "rapid7_insightvm": { "asset_vulnerability": { "assessed_for_policies": false, @@ -779,14 +788,14 @@ "severity_score": 4, "status": "fail" }, - "proof": "

Vulnerable OS: Microsoft Windows 11 22H2

  • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
    • UBR - contains 4317

", + "proof": "Vulnerable OS: Microsoft Windows 11 22H2\n\n\n\n\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\n\nUBR - contains 4317", "published": "2025-04-08T00:00:00.000Z", "references": "cve:CVE-2025-21204,url:https://support.microsoft.com/help/5055518,url:https://support.microsoft.com/help/5055519,url:https://support.microsoft.com/help/5055521,url:https://support.microsoft.com/help/5055523,url:https://support.microsoft.com/help/5055526,url:https://support.microsoft.com/help/5055527,url:https://support.microsoft.com/help/5055528,url:https://support.microsoft.com/help/5055547,url:https://support.microsoft.com/help/5055557,url:https://support.microsoft.com/help/5055581", "risk_score": 522.0, "severity": "informational", "severity_score": 7, "solution": { - "fix": "

Download and apply the patch from: https://support.microsoft.com/help/5058405

", + "fix": "Download and apply the patch from: https://support.microsoft.com/help/5058405", "id": "microsoft-windows-windows_11-22h2-kb5058405", "summary": "2025-05 Cumulative Update for Microsoft Windows 11, version 22H2 (KB5058405)", "type": "patch" @@ -898,6 +907,10 @@ "product": "Rapid7 InsightVM", "vendor": "Rapid7" }, + "package": { + "name": "Microsoft Windows 11 22H2", + "version": "Microsoft Windows 11 22H2" + }, "rapid7_insightvm": { "asset_vulnerability": { "assessed_for_policies": false, @@ -1001,14 +1014,14 @@ "severity_score": 3, "status": "fail" }, - "proof": "

Vulnerable OS: Microsoft Windows 11 22H2

  • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Wintrust\\Config - key does not exist
    • EnableCertPaddingCheck - value does not exist

", + "proof": "Vulnerable OS: Microsoft Windows 11 22H2\n\n\n\n\n\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Wintrust\\Config - key does not exist\n\nEnableCertPaddingCheck - value does not exist", "published": "2013-12-10T00:00:00.000Z", "references": "cve:CVE-2013-3900,url:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900", "risk_score": 450.0, "severity": "severe", "severity_score": 5, "solution": { - "fix": "

Download and apply the patch from: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

", + "fix": "Download and apply the patch from: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900", "id": "windows-hotfix-ms13-098", "summary": "Enable Certificate Padding Check for Windows Systems", "type": "patch" @@ -1195,13 +1208,13 @@ "severity_score": 4, "status": "fail" }, - "proof": "

Following entries in /etc/securetty \n may allow anonymous root logins:

  • ttyS0
  • ttysclp0
  • sclp_line0
  • 3270/tty1
  • hvc0
  • hvc1
  • hvc2
  • hvc3
  • hvc4
  • hvc5
  • hvc6
  • hvc7
  • hvsi0
  • hvsi1
  • hvsi2
  • xvc0

", + "proof": "Following entries in /etc/securetty \n may allow anonymous root logins: \n\nttyS0\n\nttysclp0\n\nsclp_line0\n\n3270/tty1\n\nhvc0\n\nhvc1\n\nhvc2\n\nhvc3\n\nhvc4\n\nhvc5\n\nhvc6\n\nhvc7\n\nhvsi0\n\nhvsi1\n\nhvsi2\n\nxvc0", "published": "2004-11-30T00:00:00.000Z", "risk_score": 562.0, "severity": "severe", "severity_score": 7, "solution": { - "fix": "

Remove all the entries in /etc/securetty except console,\n tty[0-9]* and vc\\[0-9]*

Note: ssh does not use /etc/securetty. To disable root login\n through ssh, use the "PermitRootLogin" setting in /etc/ssh/sshd_config\n and restart the ssh daemon.

", + "fix": "Remove all the entries in /etc/securetty except console,\n tty[0-9]* and vc\\[0-9]* \n\nNote: ssh does not use /etc/securetty. To disable root login\n through ssh, use the \"PermitRootLogin\" setting in /etc/ssh/sshd_config\n and restart the ssh daemon.", "id": "unix-anonymous-root-logins", "summary": "Edit '/etc/securetty' entries", "type": "workaround" @@ -1377,13 +1390,13 @@ "severity_score": 2, "status": "pass" }, - "proof": "

The following world writable files were found.

  • /var/.com.zerog.registry.xml (-rwxrwxrwx)

", + "proof": "The following world writable files were found.\n\n/var/.com.zerog.registry.xml (-rwxrwxrwx)", "published": "2005-01-15T00:00:00.000Z", "risk_score": 268.0, "severity": "severe", "severity_score": 4, "solution": { - "fix": "

For each world-writable file, determine whether there is a good reason for\n it to be world writable. If not, remove world write permissions for the file.\n The output here is limited to 50 files. In order to find all of these files without needing to\n run another Nexpose scan run the following command:

 find / -type f -perm -02

Please note; it may be necessary exclude particular paths or file share types, run 'man find' for information.

", + "fix": "For each world-writable file, determine whether there is a good reason for\n it to be world writable. If not, remove world write permissions for the file.\n The output here is limited to 50 files. In order to find all of these files without needing to\n run another Nexpose scan run the following command:\n\n find / -type f -perm -02\n\nPlease note; it may be necessary exclude particular paths or file share types, run 'man find' for information.", "id": "unix-world-writable-files", "summary": "Remove world write permissions", "type": "workaround" 
@@ -1430,6 +1443,3521 @@ "severity": "High", "title": "World writable files exist" } + }, + { + "@timestamp": "2020-07-23T20:11:10.304Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2020-07-23T20:11:10.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|debian-obsolete|2020-07-23T20:11:10.304Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2020-07-23T20:11:10Z\",\"key\":\"Debian Linux 8.0\",\"last_found\":\"2020-07-23T20:11:10.304Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Debian Linux 8.0

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

\\n See the Debian 9 release notes for instructions on upgrading to Debian GNU/Linux 9, alias "stretch".\\n

\",\"solution_id\":\"debian-upgrade-to-stretch\",\"solution_summary\":\"Upgrade to Debian GNU/Linux 9 or later\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"debian-obsolete\",\"added\":\"2013-01-29T00:00:00Z\",\"categories\":\"Debian Linux,Obsolete OS,Obsolete Software\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":6.0477304915445185,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"changed\",\"cvss_v3_score\":10,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Debian terminated support for Debian GNU/Linux 9 \\\"stretch\\\" on Jun 30, 2022. All Debian versions prior to 10.0 \\\"buster\\\" may have unpatched security vulnerabilities.\",\"exploits\":[],\"id\":\"debian-obsolete\",\"links\":[{\"href\":\"https://wiki.debian.org/LTS\",\"id\":\"https://wiki.debian.org/LTS\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-03-28T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"This operating system version is no longer supported by the vendor, and results in an automatic failure. 
\",\"pci_status\":\"fail\",\"published\":\"2006-06-30T00:00:00Z\",\"references\":\"url:https://wiki.debian.org/LTS\",\"risk_score\":911.42,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"Obsolete Debian GNU/Linux Version\"}}", + "severity": 10, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "fixed_version": "Debian GNU/Linux 9 or later", + "name": "Debian Linux 8.0", + "version": "Debian Linux 8.0" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": 
"cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vuln": { + "added": "2013-01-29T00:00:00.000Z", + "categories": [ + "Debian Linux", + "Obsolete OS", + "Obsolete Software" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "complete", + "confidentiality_impact": "complete", + "exploit_score": 9.996799945831299, + "impact_score": 10.000845454680942, + "integrity_impact": "complete", + "score": 10.0, + "vector": "(AV:N/AC:L/Au:N/C:C/I:C/A:C)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 3.8870427750000003, + "impact_score": 6.0477304915445185, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "changed", + "score": 10.0, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "Debian terminated support for Debian GNU/Linux 9 \"stretch\" on Jun 30, 2022. All Debian versions prior to 10.0 \"buster\" may have unpatched security vulnerabilities.", + "first_found": "2020-07-23T20:11:10.000Z", + "id": "debian-obsolete", + "key": "Debian Linux 8.0", + "last_found": "2020-07-23T20:11:10.304Z", + "links": [ + { + "href": "https://wiki.debian.org/LTS", + "id": "https://wiki.debian.org/LTS", + "source": "url" + } + ], + "modified": "2025-03-28T00:00:00.000Z", + "pci": { + "cvss_score": 10.0, + "fail": true, + "severity_score": 5, + "special_notes": "This operating system version is no longer supported by the vendor, and results in an automatic failure. 
", + "status": "fail" + }, + "proof": "Vulnerable OS: Debian Linux 8.0", + "published": "2006-06-30T00:00:00.000Z", + "references": "url:https://wiki.debian.org/LTS", + "risk_score": 911.42, + "severity": "critical", + "severity_score": 10, + "solution": { + "fix": "See the Debian 9 release notes for instructions on upgrading to Debian GNU/Linux 9, alias \"stretch\".", + "id": "debian-upgrade-to-stretch", + "summary": "Upgrade to Debian GNU/Linux 9 or later", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "Obsolete Debian GNU/Linux Version" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "Debian Linux", + "Obsolete OS", + "Obsolete Software" + ], + "classification": "CVSS", + "description": "Debian terminated support for Debian GNU/Linux 9 \"stretch\" on Jun 30, 2022. 
All Debian versions prior to 10.0 \"buster\" may have unpatched security vulnerabilities.", + "enumeration": "CVE", + "published_date": "2006-06-30T00:00:00.000Z", + "reference": [ + "https://wiki.debian.org/LTS" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 10.0, + "version": "3.0" + }, + "severity": "Critical", + "title": "Obsolete Debian GNU/Linux Version" + } + }, + { + "@timestamp": "2023-05-23T18:16:30.836Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2018-11-25T09:20:27.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|windows-hotfix-ms06-035|2023-05-23T18:16:30.836Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint 
Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2018-11-25T09:20:27Z\",\"key\":\"\",\"last_found\":\"2023-05-23T18:16:30.836Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows Server 2003 SP1

Server responded with vulnerable error code: 2 and class: 1

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms06-035\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms06-035\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms06-035\",\"added\":\"2006-07-12T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution\",\"cves\":\"CVE-2006-1314,CVE-2006-1315\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":7.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.83525473,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"low\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":6.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"denial_of_service\":false,\"description\":\"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \\\"Vulnerability Details\\\" section of this bulletin. 
We recommend that customers apply the update immediately.\",\"exploits\":[{\"description\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"id\":\"2057\",\"name\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a kernel pool corruption bug in SRV.SYS. Each\\n call to the mailslot write function results in a two byte return value\\n being written into the response packet. The code which creates this packet\\n fails to consider these two bytes in the allocation routine, resulting in\\n a slow corruption of the kernel memory pool. These two bytes are almost\\n always set to \\\"\\\\xff\\\\xff\\\" (a short integer with value of -1).\",\"id\":\"auxiliary/dos/windows/smb/ms06_035_mailslot\",\"name\":\"Microsoft SRV.SYS Mailslot Write Corruption\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"}],\"id\":\"windows-hotfix-ms06-035\",\"links\":[{\"href\":\"http://www.kb.cert.org/vuls/id/189140\",\"id\":\"189140\",\"source\":\"cert-vn\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818\",\"id\":\"win-mailslot-bo(26818)\",\"source\":\"xf\"},{\"href\":\"http://www.securityfocus.com/bid/18863\",\"id\":\"18863\",\"source\":\"bid\"},{\"href\":\"https://support.microsoft.com/en-us/kb/917159\",\"id\":\"KB917159\",\"source\":\"mskb\"},{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA06-192A.html\",\"id\":\"TA06-192A\",\"source\":\"cert\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1314\",\"id\":\"CVE-2006-1314\",\"source\":\"cve\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1315\",\"id\":\"CVE-2006-1315\",\"source\":\"cve\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3\",\"id\":\"3\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600\",\"id\":
\"600\",\"source\":\"oval\"},{\"href\":\"http://www.osvdb.org/27155\",\"id\":\"27155\",\"source\":\"osvdb\"},{\"href\":\"http://www.osvdb.org/27154\",\"id\":\"27154\",\"source\":\"osvdb\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS06-035\",\"id\":\"MS06-035\",\"source\":\"ms\"},{\"href\":\"http://www.securityfocus.com/bid/18891\",\"id\":\"18891\",\"source\":\"bid\"},{\"href\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"id\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"source\":\"url\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26820\",\"id\":\"win-smb-information-disclosure(26820)\",\"source\":\"xf\"},{\"href\":\"http://www.kb.cert.org/vuls/id/333636\",\"id\":\"333636\",\"source\":\"cert-vn\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":7.5,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2006-07-11T00:00:00Z\",\"references\":\"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)\",\"risk_score\":756.57,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)\"}}", + "severity": 8, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + 
"observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "Microsoft Windows Server 2003 SP1", + "version": "Microsoft Windows Server 2003 SP1" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vuln": { + "added": "2006-07-12T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft Patch", + "Remote Execution" + ], + "cves": [ + "CVE-2006-1314", + "CVE-2006-1315" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 9.996799945831299, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 7.5, + "vector": "(AV:N/AC:L/Au:N/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "none", + 
"confidentiality_impact": "high", + "exploit_score": 2.83525473, + "impact_score": 3.5952, + "integrity_impact": "none", + "privileges_required": "low", + "scope": "unchanged", + "score": 6.5, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "denial_of_service": false, + "description": "This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.", + "exploits": [ + { + "description": "Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)", + "id": "2057", + "name": "Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module triggers a kernel pool corruption bug in SRV.SYS. Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. 
These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).",
+ "id": "auxiliary/dos/windows/smb/ms06_035_mailslot",
+ "name": "Microsoft SRV.SYS Mailslot Write Corruption",
+ "rank": "normal",
+ "skill_level": "intermediate",
+ "source": "metasploit"
+ }
+ ],
+ "first_found": "2018-11-25T09:20:27.000Z",
+ "id": "windows-hotfix-ms06-035",
+ "last_found": "2023-05-23T18:16:30.836Z",
+ "links": [
+ {
+ "href": "http://www.kb.cert.org/vuls/id/189140",
+ "id": "189140",
+ "source": "cert-vn"
+ },
+ {
+ "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26818",
+ "id": "win-mailslot-bo(26818)",
+ "source": "xf"
+ },
+ {
+ "href": "http://www.securityfocus.com/bid/18863",
+ "id": "18863",
+ "source": "bid"
+ },
+ {
+ "href": "https://support.microsoft.com/en-us/kb/917159",
+ "id": "KB917159",
+ "source": "mskb"
+ },
+ {
+ "href": "http://www.us-cert.gov/cas/techalerts/TA06-192A.html",
+ "id": "TA06-192A",
+ "source": "cert"
+ },
+ {
+ "href": "http://nvd.nist.gov/vuln/detail/CVE-2006-1314",
+ "id": "CVE-2006-1314",
+ "source": "cve"
+ },
+ {
+ "href": "http://nvd.nist.gov/vuln/detail/CVE-2006-1315",
+ "id": "CVE-2006-1315",
+ "source": "cve"
+ },
+ {
+ "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3",
+ "id": "3",
+ "source": "oval"
+ },
+ {
+ "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600",
+ "id": "600",
+ "source": "oval"
+ },
+ {
+ "href": "http://www.osvdb.org/27155",
+ "id": "27155",
+ "source": "osvdb"
+ },
+ {
+ "href": "http://www.osvdb.org/27154",
+ "id": "27154",
+ "source": "osvdb"
+ },
+ {
+ "href": "http://technet.microsoft.com/security/bulletin/MS06-035",
+ "id": "MS06-035",
+ "source": "ms"
+ },
+ {
+ "href": "http://www.securityfocus.com/bid/18891",
+ "id": "18891",
+ "source": "bid"
+ },
+ {
+ "href": "http://technet.microsoft.com/en-us/security/bulletin/MS06-035",
+ "id": 
"http://technet.microsoft.com/en-us/security/bulletin/MS06-035",
+ "source": "url"
+ },
+ {
+ "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26820",
+ "id": "win-smb-information-disclosure(26820)",
+ "source": "xf"
+ },
+ {
+ "href": "http://www.kb.cert.org/vuls/id/333636",
+ "id": "333636",
+ "source": "cert-vn"
+ }
+ ],
+ "modified": "2025-02-18T00:00:00.000Z",
+ "pci": {
+ "cvss_score": 7.5,
+ "fail": true,
+ "severity_score": 5,
+ "status": "fail"
+ },
+ "proof": "Vulnerable OS: Microsoft Windows Server 2003 SP1\n\n\n\nServer responded with vulnerable error code: 2 and class: 1",
+ "published": "2006-07-11T00:00:00.000Z",
+ "references": "bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)",
+ "risk_score": 756.57,
+ "severity": "critical",
+ "severity_score": 8,
+ "solution": {
+ "fix": "Take a look at all possible solutions for vulnerability",
+ "id": "unknown-windows-hotfix-ms06-035",
+ "summary": "The solution is unknown for vuln windows-hotfix-ms06-035",
+ "type": "workaround"
+ },
+ "status": "VULNERABLE_EXPL",
+ "title": "MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)"
+ }
+ }
+ },
+ "related": {
+ "hosts": [
+ "ub22-50-6-126",
+ "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7"
+ ],
+ "ip": [
+ "10.50.6.126"
+ ]
+ },
+ "resource": {
+ "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7",
+ "name": "ub22-50-6-126"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "vulnerability": {
+ "category": [
+ "CVSS Score Predicted with Rapid7 AI",
+ "Microsoft",
+ "Microsoft Patch",
+ "Remote Execution"
+ ],
+ "classification": "CVSS",
+ "description": "This update resolves several newly discovered, privately 
reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.",
+ "enumeration": "CVE",
+ "id": [
+ "CVE-2006-1314",
+ "CVE-2006-1315"
+ ],
+ "published_date": "2006-07-11T00:00:00.000Z",
+ "reference": [
+ "http://www.kb.cert.org/vuls/id/189140",
+ "https://exchange.xforce.ibmcloud.com/vulnerabilities/26818",
+ "http://www.securityfocus.com/bid/18863",
+ "https://support.microsoft.com/en-us/kb/917159",
+ "http://www.us-cert.gov/cas/techalerts/TA06-192A.html",
+ "http://nvd.nist.gov/vuln/detail/CVE-2006-1314",
+ "http://nvd.nist.gov/vuln/detail/CVE-2006-1315",
+ "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3",
+ "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600",
+ "http://www.osvdb.org/27155",
+ "http://www.osvdb.org/27154",
+ "http://technet.microsoft.com/security/bulletin/MS06-035",
+ "http://www.securityfocus.com/bid/18891",
+ "http://technet.microsoft.com/en-us/security/bulletin/MS06-035",
+ "https://exchange.xforce.ibmcloud.com/vulnerabilities/26820",
+ "http://www.kb.cert.org/vuls/id/333636"
+ ],
+ "scanner": {
+ "name": "cababcdefabcd0123456789f16d7061a",
+ "vendor": "Rapid7"
+ },
+ "score": {
+ "base": 6.5,
+ "version": "3.0"
+ },
+ "severity": "Critical",
+ "title": "Vulnerability in Server Service Could Allow Remote Code Execution (917159)"
+ }
+ },
+ {
+ "@timestamp": "2023-05-23T18:16:30.836Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "category": [
+ "vulnerability"
+ ],
+ "created": "2018-11-25T09:20:27.000Z",
+ "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|windows-hotfix-ms06-035|2023-05-23T18:16:30.836Z",
+ "kind": "event",
+ "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2018-11-25T09:20:27Z\",\"key\":\"\",\"last_found\":\"2023-05-23T18:16:30.836Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows Server 2003 SP1

Based on the result of the "dcerpc-ms-netapi-netpathcanonicalize-dos" test, this node is applicable to this issue.

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms06-035\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms06-035\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms06-035\",\"added\":\"2006-07-12T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution\",\"cves\":\"CVE-2006-1314,CVE-2006-1315\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":7.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.83525473,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"low\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":6.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"denial_of_service\":false,\"description\":\"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \\\"Vulnerability Details\\\" section of this bulletin. 
We recommend that customers apply the update immediately.\",\"exploits\":[{\"description\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"id\":\"2057\",\"name\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a kernel pool corruption bug in SRV.SYS. Each\\n call to the mailslot write function results in a two byte return value\\n being written into the response packet. The code which creates this packet\\n fails to consider these two bytes in the allocation routine, resulting in\\n a slow corruption of the kernel memory pool. These two bytes are almost\\n always set to \\\"\\\\xff\\\\xff\\\" (a short integer with value of -1).\",\"id\":\"auxiliary/dos/windows/smb/ms06_035_mailslot\",\"name\":\"Microsoft SRV.SYS Mailslot Write Corruption\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"}],\"id\":\"windows-hotfix-ms06-035\",\"links\":[{\"href\":\"http://www.kb.cert.org/vuls/id/189140\",\"id\":\"189140\",\"source\":\"cert-vn\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818\",\"id\":\"win-mailslot-bo(26818)\",\"source\":\"xf\"},{\"href\":\"http://www.securityfocus.com/bid/18863\",\"id\":\"18863\",\"source\":\"bid\"},{\"href\":\"https://support.microsoft.com/en-us/kb/917159\",\"id\":\"KB917159\",\"source\":\"mskb\"},{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA06-192A.html\",\"id\":\"TA06-192A\",\"source\":\"cert\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1314\",\"id\":\"CVE-2006-1314\",\"source\":\"cve\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1315\",\"id\":\"CVE-2006-1315\",\"source\":\"cve\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3\",\"id\":\"3\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600\",\"id\":
\"600\",\"source\":\"oval\"},{\"href\":\"http://www.osvdb.org/27155\",\"id\":\"27155\",\"source\":\"osvdb\"},{\"href\":\"http://www.osvdb.org/27154\",\"id\":\"27154\",\"source\":\"osvdb\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS06-035\",\"id\":\"MS06-035\",\"source\":\"ms\"},{\"href\":\"http://www.securityfocus.com/bid/18891\",\"id\":\"18891\",\"source\":\"bid\"},{\"href\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"id\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"source\":\"url\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26820\",\"id\":\"win-smb-information-disclosure(26820)\",\"source\":\"xf\"},{\"href\":\"http://www.kb.cert.org/vuls/id/333636\",\"id\":\"333636\",\"source\":\"cert-vn\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":7.5,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2006-07-11T00:00:00Z\",\"references\":\"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)\",\"risk_score\":756.57,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)\"}}", + "severity": 8, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + 
"observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "Microsoft Windows Server 2003 SP1", + "version": "Microsoft Windows Server 2003 SP1" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vuln": { + "added": "2006-07-12T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft Patch", + "Remote Execution" + ], + "cves": [ + "CVE-2006-1314", + "CVE-2006-1315" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 9.996799945831299, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 7.5, + "vector": "(AV:N/AC:L/Au:N/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "none", + 
"confidentiality_impact": "high", + "exploit_score": 2.83525473, + "impact_score": 3.5952, + "integrity_impact": "none", + "privileges_required": "low", + "scope": "unchanged", + "score": 6.5, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "denial_of_service": false, + "description": "This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.", + "exploits": [ + { + "description": "Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)", + "id": "2057", + "name": "Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module triggers a kernel pool corruption bug in SRV.SYS. Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. 
These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).", + "id": "auxiliary/dos/windows/smb/ms06_035_mailslot", + "name": "Microsoft SRV.SYS Mailslot Write Corruption", + "rank": "normal", + "skill_level": "intermediate", + "source": "metasploit" + } + ], + "first_found": "2018-11-25T09:20:27.000Z", + "id": "windows-hotfix-ms06-035", + "last_found": "2023-05-23T18:16:30.836Z", + "links": [ + { + "href": "http://www.kb.cert.org/vuls/id/189140", + "id": "189140", + "source": "cert-vn" + }, + { + "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26818", + "id": "win-mailslot-bo(26818)", + "source": "xf" + }, + { + "href": "http://www.securityfocus.com/bid/18863", + "id": "18863", + "source": "bid" + }, + { + "href": "https://support.microsoft.com/en-us/kb/917159", + "id": "KB917159", + "source": "mskb" + }, + { + "href": "http://www.us-cert.gov/cas/techalerts/TA06-192A.html", + "id": "TA06-192A", + "source": "cert" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2006-1314", + "id": "CVE-2006-1314", + "source": "cve" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2006-1315", + "id": "CVE-2006-1315", + "source": "cve" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3", + "id": "3", + "source": "oval" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600", + "id": "600", + "source": "oval" + }, + { + "href": "http://www.osvdb.org/27155", + "id": "27155", + "source": "osvdb" + }, + { + "href": "http://www.osvdb.org/27154", + "id": "27154", + "source": "osvdb" + }, + { + "href": "http://technet.microsoft.com/security/bulletin/MS06-035", + "id": "MS06-035", + "source": "ms" + }, + { + "href": "http://www.securityfocus.com/bid/18891", + "id": "18891", + "source": "bid" + }, + { + "href": "http://technet.microsoft.com/en-us/security/bulletin/MS06-035", + "id": 
"http://technet.microsoft.com/en-us/security/bulletin/MS06-035", + "source": "url" + }, + { + "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26820", + "id": "win-smb-information-disclosure(26820)", + "source": "xf" + }, + { + "href": "http://www.kb.cert.org/vuls/id/333636", + "id": "333636", + "source": "cert-vn" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 7.5, + "fail": true, + "severity_score": 5, + "status": "fail" + }, + "proof": "Vulnerable OS: Microsoft Windows Server 2003 SP1\n\n\n\nBased on the result of the \"dcerpc-ms-netapi-netpathcanonicalize-dos\" test, this node is applicable to this issue.", + "published": "2006-07-11T00:00:00.000Z", + "references": "bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)", + "risk_score": 756.57, + "severity": "critical", + "severity_score": 8, + "solution": { + "fix": "Take a look at all possible solutions for vulnerability", + "id": "unknown-windows-hotfix-ms06-035", + "summary": "The solution is unknown for vuln windows-hotfix-ms06-035", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", + "title": "MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft Patch", + "Remote Execution" + ], + "classification": "CVSS", + "description": "This 
update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.", + "enumeration": "CVE", + "id": [ + "CVE-2006-1314", + "CVE-2006-1315" + ], + "published_date": "2006-07-11T00:00:00.000Z", + "reference": [ + "http://www.kb.cert.org/vuls/id/189140", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/26818", + "http://www.securityfocus.com/bid/18863", + "https://support.microsoft.com/en-us/kb/917159", + "http://www.us-cert.gov/cas/techalerts/TA06-192A.html", + "http://nvd.nist.gov/vuln/detail/CVE-2006-1314", + "http://nvd.nist.gov/vuln/detail/CVE-2006-1315", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600", + "http://www.osvdb.org/27155", + "http://www.osvdb.org/27154", + "http://technet.microsoft.com/security/bulletin/MS06-035", + "http://www.securityfocus.com/bid/18891", + "http://technet.microsoft.com/en-us/security/bulletin/MS06-035", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/26820", + "http://www.kb.cert.org/vuls/id/333636" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 6.5, + "version": "3.0" + }, + "severity": "Critical", + "title": "Vulnerability in Server Service Could Allow Remote Code Execution (917159)" + } + }, + { + "@timestamp": "2023-06-23T17:29:23.453Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2022-12-23T18:40:29.000Z", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|msft-cve-2022-37967|2023-06-23T17:29:23.453Z", + "kind": "event", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":\"msft-cve-2022-37967-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc\",\"first_found\":\"2022-12-23T18:40:29Z\",\"key\":\"\",\"last_found\":\"2023-06-23T17:29:23.453Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1

Based on the following 2 results:

    • Found an applicable package: HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Component Based Servicing\\\\Packages\\\\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.
      • HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\SideBySide\\\\Winners\\\\amd64_Microsoft-Windows-Audio-DMusic_31bf3856ad364e35_none_6ddb350169ebdb56 - key exists
      • The above CBS component is currently version 6.1.7600.16385, expected version 6.1.7601.26262 or higher
      • 2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288) is applicable for this CBS component

    • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion
      • UBR - contains 24443

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Download and apply the patch from: https://support.microsoft.com/kb/5021288

\",\"solution_id\":\"msft-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc\",\"solution_summary\":\"2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288)\",\"solution_type\":\"patch\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"msft-cve-2022-37967\",\"added\":\"2022-11-08T00:00:00Z\",\"categories\":\"Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation\",\"cves\":\"CVE-2022-37967\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"multiple\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":6.389999830722808,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":8.3,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:M/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":1.2347077050000002,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"high\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.2,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Windows Kerberos Elevation of Privilege 
Vulnerability.\",\"exploits\":[],\"id\":\"msft-cve-2022-37967\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2022-37967\",\"id\":\"CVE-2022-37967\",\"source\":\"cve\"},{\"href\":\"https://support.microsoft.com/help/5031364\",\"id\":\"https://support.microsoft.com/help/5031364\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031362\",\"id\":\"https://support.microsoft.com/help/5031362\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031361\",\"id\":\"https://support.microsoft.com/help/5031361\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031407\",\"id\":\"https://support.microsoft.com/help/5031407\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031419\",\"id\":\"https://support.microsoft.com/help/5031419\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031427\",\"id\":\"https://support.microsoft.com/help/5031427\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2024-09-06T00:00:00Z\",\"pci_cvss_score\":8.3,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2022-11-08T00:00:00Z\",\"references\":\"cve:CVE-2022-37967,url:https://support.microsoft.com/help/5031361,url:https://support.microsoft.com/help/5031362,url:https://support.microsoft.com/help/5031364,url:https://support.microsoft.com/help/5031407,url:https://support.microsoft.com/help/5031419,url:https://support.microsoft.com/help/5031427\",\"risk_score\":434.28,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"Microsoft Windows: CVE-2022-37967: Windows Kerberos Elevation of Privilege Vulnerability\"}}",
+ "severity": 8,
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Win11-50-13-52",
+ "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1",
+ "ip": [
+ "10.50.13.52"
+ ],
+ "mac": [
+ "00-00-5E-00-53-00"
+ ],
+ "name": "Win11-50-13-52",
+ "os": {
+ "family": "Windows",
+ 
"full": "Microsoft Windows 11 22H2",
+ "name": "Windows 11",
+ "platform": "windows",
+ "type": "windows",
+ "version": "22H2"
+ },
+ "risk": {
+ "static_score": 181622.0
+ },
+ "type": "guest"
+ },
+ "observer": {
+ "product": "Rapid7 InsightVM",
+ "vendor": "Rapid7"
+ },
+ "package": {
+ "name": "Microsoft Windows 7 Enterprise Edition SP1",
+ "version": "Microsoft Windows 7 Enterprise Edition SP1"
+ },
+ "rapid7_insightvm": {
+ "asset_vulnerability": {
+ "assessed_for_policies": false,
+ "assessed_for_vulnerabilities": true,
+ "critical_vulnerabilities": 119,
+ "exploits": 4,
+ "host_name": "Win11-50-13-52",
+ "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1",
+ "ip": "10.50.13.52",
+ "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z",
+ "last_scan_end": "2025-05-27T19:54:43.777Z",
+ "last_scan_start": "2025-05-27T19:53:43.777Z",
+ "mac": "00-00-5E-00-53-00",
+ "malware_kits": 0,
+ "moderate_vulnerabilities": 8,
+ "os": {
+ "architecture": "x86_64",
+ "description": "Microsoft Windows 11 22H2",
+ "family": "Windows",
+ "name": "Windows 11",
+ "system_name": "Microsoft Windows",
+ "type": "Workstation",
+ "vendor": "Microsoft",
+ "version": "22H2"
+ },
+ "risk_score": 181622.0,
+ "severe_vulnerabilities": 241,
+ "total_vulnerabilities": 368,
+ "type": "guest",
+ "unique_identifiers": [
+ {
+ "id": "F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050",
+ "source": "CSPRODUCT"
+ },
+ {
+ "id": "c5cf46abcdef0123456789291c7d554a",
+ "source": "R7 Agent"
+ }
+ ],
+ "vuln": {
+ "added": "2022-11-08T00:00:00.000Z",
+ "categories": [
+ "Microsoft",
+ "Microsoft Patch",
+ "Microsoft Windows",
+ "Privilege Escalation"
+ ],
+ "check_id": "msft-cve-2022-37967-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc",
+ "cves": [
+ "CVE-2022-37967"
+ ],
+ "cvss_v2": {
+ "access_complexity": "low",
+ "access_vector": "network",
+ "authentication": "multiple",
+ "availability_impact": "complete",
+ "confidentiality_impact": "complete",
+ "exploit_score": 6.389999830722808,
+ 
"impact_score": 10.000845454680942,
+ "integrity_impact": "complete",
+ "score": 8.3,
+ "vector": "(AV:N/AC:L/Au:M/C:C/I:C/A:C)"
+ },
+ "cvss_v3": {
+ "attack_complexity": "low",
+ "attack_vector": "network",
+ "availability_impact": "high",
+ "confidentiality_impact": "high",
+ "exploit_score": 1.2347077050000002,
+ "impact_score": 5.873118720000001,
+ "integrity_impact": "high",
+ "privileges_required": "high",
+ "scope": "unchanged",
+ "score": 7.2,
+ "user_interaction": "none",
+ "vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ },
+ "denial_of_service": false,
+ "description": "Windows Kerberos Elevation of Privilege Vulnerability.",
+ "first_found": "2022-12-23T18:40:29.000Z",
+ "id": "msft-cve-2022-37967",
+ "last_found": "2023-06-23T17:29:23.453Z",
+ "links": [
+ {
+ "href": "http://nvd.nist.gov/vuln/detail/CVE-2022-37967",
+ "id": "CVE-2022-37967",
+ "source": "cve"
+ },
+ {
+ "href": "https://support.microsoft.com/help/5031364",
+ "id": "https://support.microsoft.com/help/5031364",
+ "source": "url"
+ },
+ {
+ "href": "https://support.microsoft.com/help/5031362",
+ "id": "https://support.microsoft.com/help/5031362",
+ "source": "url"
+ },
+ {
+ "href": "https://support.microsoft.com/help/5031361",
+ "id": "https://support.microsoft.com/help/5031361",
+ "source": "url"
+ },
+ {
+ "href": "https://support.microsoft.com/help/5031407",
+ "id": "https://support.microsoft.com/help/5031407",
+ "source": "url"
+ },
+ {
+ "href": "https://support.microsoft.com/help/5031419",
+ "id": "https://support.microsoft.com/help/5031419",
+ "source": "url"
+ },
+ {
+ "href": "https://support.microsoft.com/help/5031427",
+ "id": "https://support.microsoft.com/help/5031427",
+ "source": "url"
+ }
+ ],
+ "modified": "2024-09-06T00:00:00.000Z",
+ "pci": {
+ "cvss_score": 8.3,
+ "fail": true,
+ "severity_score": 5,
+ "status": "fail"
+ },
+ "proof": "Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1\n\n\n\nBased on the following 2 results:\n\n\n\n\nFound an 
applicable package: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages\\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.\n\n\n\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\Winners\\amd64_Microsoft-Windows-Audio-DMusic_31bf3856ad364e35_none_6ddb350169ebdb56 - key exists\n\nThe above CBS component is currently version 6.1.7600.16385, expected version 6.1.7601.26262 or higher\n\n2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288) is applicable for this CBS component\n\n\n\n\n\n\n\n\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\n\nUBR - contains 24443",
+ "published": "2022-11-08T00:00:00.000Z",
+ "references": "cve:CVE-2022-37967,url:https://support.microsoft.com/help/5031361,url:https://support.microsoft.com/help/5031362,url:https://support.microsoft.com/help/5031364,url:https://support.microsoft.com/help/5031407,url:https://support.microsoft.com/help/5031419,url:https://support.microsoft.com/help/5031427",
+ "risk_score": 434.28,
+ "severity": "critical",
+ "severity_score": 8,
+ "solution": {
+ "fix": "Download and apply the patch from: https://support.microsoft.com/kb/5021288",
+ "id": "msft-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc",
+ "summary": "2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288)",
+ "type": "patch"
+ },
+ "status": "VULNERABLE_EXPL",
+ "title": "Microsoft Windows: CVE-2022-37967: Windows Kerberos Elevation of Privilege Vulnerability"
+ }
+ }
+ },
+ "related": {
+ "hosts": [
+ "Win11-50-13-52",
+ "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1"
+ ],
+ "ip": [
+ "10.50.13.52"
+ ]
+ },
+ "resource": {
+ "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1",
+ "name": "Win11-50-13-52"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "vulnerability": {
+ "category": [
+ "Microsoft",
+ 
"Microsoft Patch",
+ "Microsoft Windows",
+ "Privilege Escalation"
+ ],
+ "classification": "CVSS",
+ "description": "Windows Kerberos Elevation of Privilege Vulnerability.",
+ "enumeration": "CVE",
+ "id": [
+ "CVE-2022-37967"
+ ],
+ "published_date": "2022-11-08T00:00:00.000Z",
+ "reference": [
+ "http://nvd.nist.gov/vuln/detail/CVE-2022-37967",
+ "https://support.microsoft.com/help/5031364",
+ "https://support.microsoft.com/help/5031362",
+ "https://support.microsoft.com/help/5031361",
+ "https://support.microsoft.com/help/5031407",
+ "https://support.microsoft.com/help/5031419",
+ "https://support.microsoft.com/help/5031427"
+ ],
+ "scanner": {
+ "name": "c5cf46abcdef0123456789291c7d554a",
+ "vendor": "Rapid7"
+ },
+ "score": {
+ "base": 7.2,
+ "version": "3.0"
+ },
+ "severity": "Critical",
+ "title": "Windows Kerberos Elevation of Privilege Vulnerability"
+ }
+ },
+ {
+ "@timestamp": "2023-06-23T17:29:23.453Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "category": [
+ "vulnerability"
+ ],
+ "created": "2022-12-23T18:40:29.000Z",
+ "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|windows-defender-cve-2022-24548|2023-06-23T17:29:23.453Z",
+ "kind": "event",
+ "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 
11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2022-12-23T18:40:29Z\",\"key\":\"\",\"last_found\":\"2023-06-23T17:29:23.453Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1

Based on the following 4 results:

  1. Based on the following 2 results:

      • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender - key does not exist

      • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender
        • DisableAntiSpyware - contains 0

    • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Signature Updates
      • EngineVersion - contains 1.1.9203.0

    • HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SepMasterService - key does not exist
      • Start - value does not exist

    • HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\MsMpSvc - key does not exist
      • Start - value does not exist

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Verify that the latest version of the Microsoft Malware Protection Engine\\nand definition updates are being actively downloaded and installed for their Microsoft antimalware products.\\nFor more information on how to verify the version number for the Microsoft Malware Protection Engine that your\\nsoftware is currently using, see the section Verifying Update Installation\\nin Microsoft Knowledge Base Article 2510781 https://support.microsoft.com/kb/2510781

\",\"solution_id\":\"windows-defender-upgrade-latest\",\"solution_summary\":\"Upgrade Microsoft Defender to the latest version.\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-defender-cve-2022-24548\",\"added\":\"2022-04-14T00:00:00Z\",\"categories\":\"Denial of Service,Microsoft Windows Defender\",\"cves\":\"CVE-2022-24548\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":2.862749751806259,\"cvss_v2_integrity_impact\":\"none\",\"cvss_v2_score\":4.3,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:N/I:N/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":1.8345765900000002,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":5.5,\"cvss_v3_user_interaction\":\"required\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"denial_of_service\":true,\"description\":\"Microsoft Defender Denial of Service Vulnerability\",\"exploits\":[],\"id\":\"windows-defender-cve-2022-24548\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2022-24548\",\"id\":\"CVE-2022-24548\",\"source\":\"cve\"},{\"href\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548\",\"id\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2023-12-13T00:00:00Z\",\"pci_cvss_score\":4.3,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"Denial-of-Service-only vulnerability marked as compliant. 
\",\"pci_status\":\"pass\",\"published\":\"2022-04-14T00:00:00Z\",\"references\":\"cve:CVE-2022-24548,url:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548\",\"risk_score\":124.28,\"severity\":\"severe\",\"severity_score\":4,\"title\":\"Microsoft Defender Denial of Service Vulnerability (CVE-2022-24548)\"}}", + "severity": 4, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": [ + "10.50.13.52" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "Win11-50-13-52", + "os": { + "family": "Windows", + "full": "Microsoft Windows 11 22H2", + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "22H2" + }, + "risk": { + "static_score": 181622.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "fixed_version": "latest", + "name": "Microsoft Windows 7 Enterprise Edition SP1", + "version": "Microsoft Windows 7 Enterprise Edition SP1" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 119, + "exploits": 4, + "host_name": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": "10.50.13.52", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-00", + "malware_kits": 0, + "moderate_vulnerabilities": 8, + "os": { + "architecture": "x86_64", + "description": "Microsoft Windows 11 22H2", + "family": "Windows", + "name": "Windows 11", + "system_name": "Microsoft Windows", + "type": "Workstation", + "vendor": "Microsoft", + "version": "22H2" + }, + "risk_score": 181622.0, + "severe_vulnerabilities": 241, + "total_vulnerabilities": 368, + "type": "guest", + 
"unique_identifiers": [ + { + "id": "F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050", + "source": "CSPRODUCT" + }, + { + "id": "c5cf46abcdef0123456789291c7d554a", + "source": "R7 Agent" + } + ], + "vuln": { + "added": "2022-04-14T00:00:00.000Z", + "categories": [ + "Denial of Service", + "Microsoft Windows Defender" + ], + "cves": [ + "CVE-2022-24548" + ], + "cvss_v2": { + "access_complexity": "medium", + "access_vector": "network", + "authentication": "none", + "availability_impact": "partial", + "confidentiality_impact": "none", + "exploit_score": 8.588799953460693, + "impact_score": 2.862749751806259, + "integrity_impact": "none", + "score": 4.3, + "vector": "(AV:N/AC:M/Au:N/C:N/I:N/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "local", + "availability_impact": "high", + "confidentiality_impact": "none", + "exploit_score": 1.8345765900000002, + "impact_score": 3.5952, + "integrity_impact": "none", + "privileges_required": "none", + "scope": "unchanged", + "score": 5.5, + "user_interaction": "required", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + "denial_of_service": true, + "description": "Microsoft Defender Denial of Service Vulnerability", + "first_found": "2022-12-23T18:40:29.000Z", + "id": "windows-defender-cve-2022-24548", + "last_found": "2023-06-23T17:29:23.453Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2022-24548", + "id": "CVE-2022-24548", + "source": "cve" + }, + { + "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548", + "id": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548", + "source": "url" + } + ], + "modified": "2023-12-13T00:00:00.000Z", + "pci": { + "cvss_score": 4.3, + "fail": false, + "severity_score": 2, + "special_notes": "Denial-of-Service-only vulnerability marked as compliant. 
", + "status": "pass" + }, + "proof": "Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1\n\n\n\nBased on the following 4 results:\n\n\n\nBased on the following 2 results:\n\n\n\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender - key does not exist\n\n\n\n\n\n\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\n\nDisableAntiSpyware - contains 0\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\n\nEngineVersion - contains 1.1.9203.0\n\n\n\n\n\n\n\n\n\n\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SepMasterService - key does not exist\n\nStart - value does not exist\n\n\n\n\n\n\n\n\n\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\MsMpSvc - key does not exist\n\nStart - value does not exist", + "published": "2022-04-14T00:00:00.000Z", + "references": "cve:CVE-2022-24548,url:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548", + "risk_score": 124.28, + "severity": "severe", + "severity_score": 4, + "solution": { + "fix": "Verify that the latest version of the Microsoft Malware Protection Engine\nand definition updates are being actively downloaded and installed for their Microsoft antimalware products.\nFor more information on how to verify the version number for the Microsoft Malware Protection Engine that your\nsoftware is currently using, see the section Verifying Update Installation\nin Microsoft Knowledge Base Article 2510781 https://support.microsoft.com/kb/2510781", + "id": "windows-defender-upgrade-latest", + "summary": "Upgrade Microsoft Defender to the latest version.", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", + "title": "Microsoft Defender Denial of Service Vulnerability (CVE-2022-24548)" + } + } + }, + "related": { + "hosts": [ + "Win11-50-13-52", + "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1" + ], + "ip": [ + "10.50.13.52" + ] + }, + "resource": { + "id": 
"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "name": "Win11-50-13-52" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "Denial of Service", + "Microsoft Windows Defender" + ], + "classification": "CVSS", + "description": "Microsoft Defender Denial of Service Vulnerability", + "enumeration": "CVE", + "id": [ + "CVE-2022-24548" + ], + "published_date": "2022-04-14T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2022-24548", + "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548" + ], + "scanner": { + "name": "c5cf46abcdef0123456789291c7d554a", + "vendor": "Rapid7" + }, + "score": { + "base": 5.5, + "version": "3.0" + }, + "severity": "High", + "title": "Microsoft Defender Denial of Service Vulnerability (CVE-2022-24548)" + } + }, + { + "@timestamp": "2019-02-14T21:39:25.312Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2018-11-25T09:10:10.000Z", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|windows-hotfix-ms09-050|2019-02-14T21:39:25.312Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 
11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2018-11-25T09:10:10Z\",\"key\":\"\",\"last_found\":\"2019-02-14T21:39:25.312Z\",\"nic\":null,\"port\":445,\"proof\":\"

Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition SP2

System replied with a malformed SMB packet

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms09-050\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms09-050\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms09-050\",\"added\":\"2009-10-13T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution\",\"cves\":\"CVE-2009-2526,CVE-2009-2532,CVE-2009-3103\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":9.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\",\"exploits\":[{\"description\":\"Microsoft Windows 7/2008 R2 - Remote Kernel Crash\",\"id\":\"10005\",\"name\":\"Microsoft Windows 7/2008 R2 - Remote Kernel Crash\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.\",\"id\":\"auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff\",\"name\":\"Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)\",\"id\":\"40280\",\"name\":\"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service\",\"id\":\"12524\",\"name\":\"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module exploits an out of bounds function table dereference in the SMB\\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\\n without SP1 does not seem affected by this flaw.\",\"id\":\"exploit/windows/smb/ms09_050_smb2_negotiate_func_index\",\"name\":\"MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference\",\"rank\":\"good\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)\",\"id\":\"14674\",\"name\":\"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module exploits an out of bounds function table dereference in the SMB\\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\\tVista\\n without SP1 does not seem affected by this flaw.\",\"id\":\"auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh\",\"name\":\"Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)\",\"id\":\"9594\",\"name\":\"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death 
(MS07-063)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"}],\"id\":\"windows-hotfix-ms09-050\",\"links\":[{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA09-286A.html\",\"id\":\"TA09-286A\",\"source\":\"cert\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489\",\"id\":\"6489\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336\",\"id\":\"6336\",\"source\":\"oval\"},{\"href\":\"http://www.securityfocus.com/bid/36299\",\"id\":\"36299\",\"source\":\"bid\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595\",\"id\":\"5595\",\"source\":\"oval\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-2526\",\"id\":\"CVE-2009-2526\",\"source\":\"cve\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS09-050\",\"id\":\"MS09-050\",\"source\":\"ms\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-3103\",\"id\":\"CVE-2009-3103\",\"source\":\"cve\"},{\"href\":\"http://www.kb.cert.org/vuls/id/135940\",\"id\":\"135940\",\"source\":\"cert-vn\"},{\"href\":\"https://support.microsoft.com/en-us/kb/975517\",\"id\":\"KB975517\",\"source\":\"mskb\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-2532\",\"id\":\"CVE-2009-2532\",\"source\":\"cve\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/53090\",\"id\":\"53090\",\"source\":\"xf\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2009-10-13T00:00:00Z\",\"references\":\"cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A\",\"risk_score\":914.2,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote 
Code Execution (975517)\"}}", + "severity": 10, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": [ + "10.50.13.52" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "Win11-50-13-52", + "os": { + "family": "Windows", + "full": "Microsoft Windows 11 22H2", + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "22H2" + }, + "risk": { + "static_score": 181622.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "Microsoft Windows Server 2008 Enterprise Edition SP2", + "version": "Microsoft Windows Server 2008 Enterprise Edition SP2" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 119, + "exploits": 4, + "host_name": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": "10.50.13.52", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-00", + "malware_kits": 0, + "moderate_vulnerabilities": 8, + "os": { + "architecture": "x86_64", + "description": "Microsoft Windows 11 22H2", + "family": "Windows", + "name": "Windows 11", + "system_name": "Microsoft Windows", + "type": "Workstation", + "vendor": "Microsoft", + "version": "22H2" + }, + "risk_score": 181622.0, + "severe_vulnerabilities": 241, + "total_vulnerabilities": 368, + "type": "guest", + "unique_identifiers": [ + { + "id": "F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050", + "source": "CSPRODUCT" + }, + { + "id": "c5cf46abcdef0123456789291c7d554a", + "source": "R7 Agent" + } + ], + "vuln": { + "added": "2009-10-13T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft 
Patch", + "Remote Execution" + ], + "cves": [ + "CVE-2009-2526", + "CVE-2009-2532", + "CVE-2009-3103" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "complete", + "confidentiality_impact": "complete", + "exploit_score": 9.996799945831299, + "impact_score": 10.000845454680942, + "integrity_impact": "complete", + "score": 10.0, + "vector": "(AV:N/AC:L/Au:N/C:C/I:C/A:C)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 3.8870427750000003, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 9.8, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.", + "exploits": [ + { + "description": "Microsoft Windows 7/2008 R2 - Remote Kernel Crash", + "id": "10005", + "name": "Microsoft Windows 7/2008 R2 - Remote Kernel Crash", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.", + "id": "auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff", + "name": "Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference", + "rank": "normal", + "skill_level": "intermediate", + "source": "metasploit" + }, + { + "description": "Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)", + "id": "40280", + "name": "Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service", + "id": "12524", + "name": "Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\n without SP1 does not seem affected by this flaw.", + "id": "exploit/windows/smb/ms09_050_smb2_negotiate_func_index", + "name": "MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", + "rank": "good", + "skill_level": "intermediate", + "source": "metasploit" + }, + { + "description": "Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)", + "id": "14674", + "name": "Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.", + "id": "auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh", + "name": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", + "rank": "normal", + "skill_level": "intermediate", + "source": "metasploit" + }, + { + "description": "Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)", + "id": "9594", + "name": "Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + } + ], + "first_found": "2018-11-25T09:10:10.000Z", + "id": "windows-hotfix-ms09-050", + "last_found": "2019-02-14T21:39:25.312Z", + "links": [ + { + "href": "http://www.us-cert.gov/cas/techalerts/TA09-286A.html", + "id": "TA09-286A", + "source": "cert" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489", + "id": "6489", + "source": "oval" + }, + { + "href": 
"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336", + "id": "6336", + "source": "oval" + }, + { + "href": "http://www.securityfocus.com/bid/36299", + "id": "36299", + "source": "bid" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595", + "id": "5595", + "source": "oval" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2009-2526", + "id": "CVE-2009-2526", + "source": "cve" + }, + { + "href": "http://technet.microsoft.com/security/bulletin/MS09-050", + "id": "MS09-050", + "source": "ms" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2009-3103", + "id": "CVE-2009-3103", + "source": "cve" + }, + { + "href": "http://www.kb.cert.org/vuls/id/135940", + "id": "135940", + "source": "cert-vn" + }, + { + "href": "https://support.microsoft.com/en-us/kb/975517", + "id": "KB975517", + "source": "mskb" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2009-2532", + "id": "CVE-2009-2532", + "source": "cve" + }, + { + "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53090", + "id": "53090", + "source": "xf" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 10.0, + "fail": true, + "severity_score": 5, + "status": "fail" + }, + "port": 445, + "proof": "Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition SP2\n\n\n\nSystem replied with a malformed SMB packet", + "protocol": "TCP", + "published": "2009-10-13T00:00:00.000Z", + "references": "cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A", + "risk_score": 914.2, + "severity": "critical", + "severity_score": 10, + "solution": { + "fix": "Take a look at all possible solutions for vulnerability", + "id": "unknown-windows-hotfix-ms09-050", + "summary": "The solution is unknown for vuln windows-hotfix-ms09-050", + "type": "workaround" + }, + "status": 
"VULNERABLE_EXPL", + "title": "MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)" + } + } + }, + "related": { + "hosts": [ + "Win11-50-13-52", + "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1" + ], + "ip": [ + "10.50.13.52" + ] + }, + "resource": { + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "name": "Win11-50-13-52" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft Patch", + "Remote Execution" + ], + "classification": "CVSS", + "description": "This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.", + "enumeration": "CVE", + "id": [ + "CVE-2009-2526", + "CVE-2009-2532", + "CVE-2009-3103" + ], + "published_date": "2009-10-13T00:00:00.000Z", + "reference": [ + "http://www.us-cert.gov/cas/techalerts/TA09-286A.html", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336", + "http://www.securityfocus.com/bid/36299", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595", + "http://nvd.nist.gov/vuln/detail/CVE-2009-2526", + "http://technet.microsoft.com/security/bulletin/MS09-050", + "http://nvd.nist.gov/vuln/detail/CVE-2009-3103", + "http://www.kb.cert.org/vuls/id/135940", + "https://support.microsoft.com/en-us/kb/975517", + "http://nvd.nist.gov/vuln/detail/CVE-2009-2532", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/53090" + ], + "scanner": { + "name": "c5cf46abcdef0123456789291c7d554a", + "vendor": "Rapid7" + }, + "score": { + "base": 9.8, + "version": "3.0" + }, + "severity": "Critical", + "title": "Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)" + } + }, + { + "@timestamp": "2022-04-23T18:04:36.094Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2021-02-23T18:39:30.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|centos_linux-cve-2020-2574|2022-04-23T18:04:36.094Z", + "kind": "event", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2021-02-23T18:39:30Z\",\"key\":\"\",\"last_found\":\"2022-04-23T18:04:36.094Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: CentOS Linux 7.6.1810

  • mariadb-libs - version 1:5.5.60-1.el7_5 is installed

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-centos_linux-cve-2020-2574\",\"solution_summary\":\"The solution is unknown for vuln centos_linux-cve-2020-2574\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"centos_linux-cve-2020-2574\",\"added\":\"2020-09-15T00:00:00Z\",\"categories\":\"CentOS\",\"cves\":\"CVE-2020-2574\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":2.862749751806259,\"cvss_v2_integrity_impact\":\"none\",\"cvss_v2_score\":4.3,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:N/I:N/A:P)\",\"cvss_v3_attack_complexity\":\"high\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":2.2211673,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":5.9,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"denial_of_service\":true,\"description\":\"Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).\",\"exploits\":[],\"id\":\"centos_linux-cve-2020-2574\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2020-2574\",\"id\":\"CVE-2020-2574\",\"source\":\"nvd\"}],\"malware_kits\":[],\"modified\":\"2023-05-25T00:00:00Z\",\"pci_cvss_score\":4.3,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"Denial-of-Service-only vulnerability marked as compliant. \",\"pci_status\":\"pass\",\"published\":\"2020-01-15T00:00:00Z\",\"references\":\"nvd:CVE-2020-2574\",\"risk_score\":150.88,\"severity\":\"severe\",\"severity_score\":4,\"title\":\"CentOS Linux: CVE-2020-2574: Important: mysql:8.0 security update (Multiple Advisories)\"}}", + "severity": 4, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "CentOS Linux 7.6.1810", + "version": "CentOS Linux 7.6.1810" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + 
"family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vuln": { + "added": "2020-09-15T00:00:00.000Z", + "categories": [ + "CentOS" + ], + "cves": [ + "CVE-2020-2574" + ], + "cvss_v2": { + "access_complexity": "medium", + "access_vector": "network", + "authentication": "none", + "availability_impact": "partial", + "confidentiality_impact": "none", + "exploit_score": 8.588799953460693, + "impact_score": 2.862749751806259, + "integrity_impact": "none", + "score": 4.3, + "vector": "(AV:N/AC:M/Au:N/C:N/I:N/A:P)" + }, + "cvss_v3": { + "attack_complexity": "high", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "none", + "exploit_score": 2.2211673, + "impact_score": 3.5952, + "integrity_impact": "none", + "privileges_required": "none", + "scope": "unchanged", + "score": 5.9, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "denial_of_service": true, + "description": "Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).", + "first_found": "2021-02-23T18:39:30.000Z", + "id": "centos_linux-cve-2020-2574", + "last_found": "2022-04-23T18:04:36.094Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2020-2574", + "id": "CVE-2020-2574", + "source": "nvd" + } + ], + "modified": "2023-05-25T00:00:00.000Z", + "pci": { + "cvss_score": 4.3, + "fail": false, + "severity_score": 2, + "special_notes": "Denial-of-Service-only vulnerability marked as compliant. ", + "status": "pass" + }, + "proof": "Vulnerable OS: CentOS Linux 7.6.1810\n\n\n\n\n\n\nmariadb-libs - version 1:5.5.60-1.el7_5 is installed", + "published": "2020-01-15T00:00:00.000Z", + "references": "nvd:CVE-2020-2574", + "risk_score": 150.88, + "severity": "severe", + "severity_score": 4, + "solution": { + "fix": "Take a look at all possible solutions for vulnerability", + "id": "unknown-centos_linux-cve-2020-2574", + "summary": "The solution is unknown for vuln centos_linux-cve-2020-2574", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "CentOS Linux: CVE-2020-2574: Important: mysql:8.0 security update (Multiple Advisories)" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CentOS" + ], + "classification": "CVSS", + "description": "Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).", + "enumeration": "CVE", + "id": [ + "CVE-2020-2574" + ], + "published_date": "2020-01-15T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2020-2574" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 5.9, + "version": "3.0" + }, + "severity": "High", + "title": "Important: mysql:8.0 security update (Multiple Advisories)" + } + }, + { + "@timestamp": "2023-06-23T19:16:12.895Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2021-03-23T21:18:51.000Z", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|windows-hotfix-ms09-050|2023-06-23T19:16:12.895Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft 
Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2021-03-23T21:18:51Z\",\"key\":\"\",\"last_found\":\"2023-06-23T19:16:12.895Z\",\"nic\":null,\"port\":445,\"proof\":\"

Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition

\\\\BROWSER: WriteAndX succeeded with offset 77

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms09-001\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms09-001\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms09-001\",\"added\":\"2009-10-13T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution\",\"cves\":\"CVE-2009-2526,CVE-2009-2532,CVE-2009-3103\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":9.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\",\"exploits\":[{\"description\":\"Microsoft Windows 7/2008 R2 - Remote Kernel Crash\",\"id\":\"10005\",\"name\":\"Microsoft Windows 7/2008 R2 - Remote Kernel Crash\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.\",\"id\":\"auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff\",\"name\":\"Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)\",\"id\":\"40280\",\"name\":\"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service\",\"id\":\"12524\",\"name\":\"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module exploits an out of bounds function table dereference in the SMB\\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\\n without SP1 does not seem affected by this flaw.\",\"id\":\"exploit/windows/smb/ms09_050_smb2_negotiate_func_index\",\"name\":\"MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference\",\"rank\":\"good\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)\",\"id\":\"14674\",\"name\":\"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module exploits an out of bounds function table dereference in the SMB\\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\\tVista\\n without SP1 does not seem affected by this flaw.\",\"id\":\"auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh\",\"name\":\"Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)\",\"id\":\"9594\",\"name\":\"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death 
(MS07-063)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"}],\"id\":\"windows-hotfix-ms09-050\",\"links\":[{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA09-286A.html\",\"id\":\"TA09-286A\",\"source\":\"cert\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489\",\"id\":\"6489\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336\",\"id\":\"6336\",\"source\":\"oval\"},{\"href\":\"http://www.securityfocus.com/bid/36299\",\"id\":\"36299\",\"source\":\"bid\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595\",\"id\":\"5595\",\"source\":\"oval\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-2526\",\"id\":\"CVE-2009-2526\",\"source\":\"cve\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS09-050\",\"id\":\"MS09-050\",\"source\":\"ms\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-3103\",\"id\":\"CVE-2009-3103\",\"source\":\"cve\"},{\"href\":\"http://www.kb.cert.org/vuls/id/135940\",\"id\":\"135940\",\"source\":\"cert-vn\"},{\"href\":\"https://support.microsoft.com/en-us/kb/975517\",\"id\":\"KB975517\",\"source\":\"mskb\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-2532\",\"id\":\"CVE-2009-2532\",\"source\":\"cve\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/53090\",\"id\":\"53090\",\"source\":\"xf\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2009-10-13T00:00:00Z\",\"references\":\"cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A\",\"risk_score\":914.2,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote 
Code Execution (975517)\"}}", + "severity": 10, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": [ + "10.50.13.52" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "Win11-50-13-52", + "os": { + "family": "Windows", + "full": "Microsoft Windows 11 22H2", + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "22H2" + }, + "risk": { + "static_score": 181622.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "Microsoft Windows Server 2008 Enterprise Edition", + "version": "Microsoft Windows Server 2008 Enterprise Edition" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 119, + "exploits": 4, + "host_name": "Win11-50-13-52", + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "ip": "10.50.13.52", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-00", + "malware_kits": 0, + "moderate_vulnerabilities": 8, + "os": { + "architecture": "x86_64", + "description": "Microsoft Windows 11 22H2", + "family": "Windows", + "name": "Windows 11", + "system_name": "Microsoft Windows", + "type": "Workstation", + "vendor": "Microsoft", + "version": "22H2" + }, + "risk_score": 181622.0, + "severe_vulnerabilities": 241, + "total_vulnerabilities": 368, + "type": "guest", + "unique_identifiers": [ + { + "id": "F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050", + "source": "CSPRODUCT" + }, + { + "id": "c5cf46abcdef0123456789291c7d554a", + "source": "R7 Agent" + } + ], + "vuln": { + "added": "2009-10-13T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft Patch", + 
"Remote Execution" + ], + "cves": [ + "CVE-2009-2526", + "CVE-2009-2532", + "CVE-2009-3103" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "complete", + "confidentiality_impact": "complete", + "exploit_score": 9.996799945831299, + "impact_score": 10.000845454680942, + "integrity_impact": "complete", + "score": 10.0, + "vector": "(AV:N/AC:L/Au:N/C:C/I:C/A:C)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 3.8870427750000003, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 9.8, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.", + "exploits": [ + { + "description": "Microsoft Windows 7/2008 R2 - Remote Kernel Crash", + "id": "10005", + "name": "Microsoft Windows 7/2008 R2 - Remote Kernel Crash", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.", + "id": "auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff", + "name": "Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference", + "rank": "normal", + "skill_level": "intermediate", + "source": "metasploit" + }, + { + "description": "Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)", + "id": "40280", + "name": "Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service", + "id": "12524", + "name": "Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\n without SP1 does not seem affected by this flaw.", + "id": "exploit/windows/smb/ms09_050_smb2_negotiate_func_index", + "name": "MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", + "rank": "good", + "skill_level": "intermediate", + "source": "metasploit" + }, + { + "description": "Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)", + "id": "14674", + "name": "Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.", + "id": "auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh", + "name": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", + "rank": "normal", + "skill_level": "intermediate", + "source": "metasploit" + }, + { + "description": "Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)", + "id": "9594", + "name": "Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + } + ], + "first_found": "2021-03-23T21:18:51.000Z", + "id": "windows-hotfix-ms09-050", + "last_found": "2023-06-23T19:16:12.895Z", + "links": [ + { + "href": "http://www.us-cert.gov/cas/techalerts/TA09-286A.html", + "id": "TA09-286A", + "source": "cert" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489", + "id": "6489", + "source": "oval" + }, + { + "href": 
"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336", + "id": "6336", + "source": "oval" + }, + { + "href": "http://www.securityfocus.com/bid/36299", + "id": "36299", + "source": "bid" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595", + "id": "5595", + "source": "oval" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2009-2526", + "id": "CVE-2009-2526", + "source": "cve" + }, + { + "href": "http://technet.microsoft.com/security/bulletin/MS09-050", + "id": "MS09-050", + "source": "ms" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2009-3103", + "id": "CVE-2009-3103", + "source": "cve" + }, + { + "href": "http://www.kb.cert.org/vuls/id/135940", + "id": "135940", + "source": "cert-vn" + }, + { + "href": "https://support.microsoft.com/en-us/kb/975517", + "id": "KB975517", + "source": "mskb" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2009-2532", + "id": "CVE-2009-2532", + "source": "cve" + }, + { + "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53090", + "id": "53090", + "source": "xf" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 10.0, + "fail": true, + "severity_score": 5, + "status": "fail" + }, + "port": 445, + "proof": "Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition\n\n\n\n\\BROWSER: WriteAndX succeeded with offset 77", + "protocol": "TCP", + "published": "2009-10-13T00:00:00.000Z", + "references": "cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A", + "risk_score": 914.2, + "severity": "critical", + "severity_score": 10, + "solution": { + "fix": "Take a look at all possible solutions for vulnerability", + "id": "unknown-windows-hotfix-ms09-001", + "summary": "The solution is unknown for vuln windows-hotfix-ms09-001", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", 
+ "title": "MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)" + } + } + }, + "related": { + "hosts": [ + "Win11-50-13-52", + "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1" + ], + "ip": [ + "10.50.13.52" + ] + }, + "resource": { + "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1", + "name": "Win11-50-13-52" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft Patch", + "Remote Execution" + ], + "classification": "CVSS", + "description": "This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.", + "enumeration": "CVE", + "id": [ + "CVE-2009-2526", + "CVE-2009-2532", + "CVE-2009-3103" + ], + "published_date": "2009-10-13T00:00:00.000Z", + "reference": [ + "http://www.us-cert.gov/cas/techalerts/TA09-286A.html", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336", + "http://www.securityfocus.com/bid/36299", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595", + "http://nvd.nist.gov/vuln/detail/CVE-2009-2526", + "http://technet.microsoft.com/security/bulletin/MS09-050", + "http://nvd.nist.gov/vuln/detail/CVE-2009-3103", + "http://www.kb.cert.org/vuls/id/135940", + "https://support.microsoft.com/en-us/kb/975517", + "http://nvd.nist.gov/vuln/detail/CVE-2009-2532", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/53090" + ], + "scanner": { + "name": "c5cf46abcdef0123456789291c7d554a", + "vendor": "Rapid7" + }, + "score": { + "base": 9.8, + "version": "3.0" + }, + "severity": "Critical", + "title": "Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)" + } + }, + { + "@timestamp": "2022-02-23T20:10:02.535Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2018-11-25T09:16:57.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|dns-bind-cve-2015-4620|2022-02-23T20:10:02.535Z", + "kind": "event", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2018-11-25T09:16:57Z\",\"key\":\"\",\"last_found\":\"2022-02-23T20:10:02.535Z\",\"nic\":null,\"port\":53,\"proof\":\"

Vulnerable OS: Debian Linux 6.0

  • Running DNS service
  • Product BIND exists -- ISC BIND 9.7.3
  • Vulnerable version of product BIND found -- ISC BIND 9.7.3

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"

\\n More information about upgrading your version of ISC BIND is available on the ISC website.\\n

\",\"solution_id\":\"upgrade-isc-bind-latest\",\"solution_summary\":\"Upgrade ISC BIND to latest version\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"dns-bind-cve-2015-4620\",\"added\":\"2015-10-27T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,DNS,Denial of Service,ISC,ISC BIND\",\"cves\":\"CVE-2015-4620\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.870600273013115,\"cvss_v2_integrity_impact\":\"none\",\"cvss_v2_score\":7.8,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:N/I:N/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"denial_of_service\":true,\"description\":\"name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that 
zone.\",\"exploits\":[],\"id\":\"dns-bind-cve-2015-4620\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2015-4620\",\"id\":\"CVE-2015-4620\",\"source\":\"cve\"},{\"href\":\"https://kb.isc.org/article/AA-01267/0\",\"id\":\"https://kb.isc.org/article/AA-01267/0\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":7.8,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"Denial-of-Service-only vulnerability marked as compliant. \",\"pci_status\":\"pass\",\"published\":\"2015-07-08T00:00:00Z\",\"references\":\"cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0\",\"risk_score\":334.11,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)\"}}", + "severity": 8, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "fixed_version": "latest", + "name": "Debian Linux 6.0", + "version": "Debian Linux 6.0" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": 
"00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vuln": { + "added": "2015-10-27T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "DNS", + "Denial of Service", + "ISC", + "ISC BIND" + ], + "cves": [ + "CVE-2015-4620" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "complete", + "confidentiality_impact": "none", + "exploit_score": 9.996799945831299, + "impact_score": 6.870600273013115, + "integrity_impact": "none", + "score": 7.8, + "vector": "(AV:N/AC:L/Au:N/C:N/I:N/A:C)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "none", + "exploit_score": 3.8870427750000003, + "impact_score": 3.5952, + "integrity_impact": "none", + "privileges_required": "none", + "scope": "unchanged", + "score": 7.5, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "denial_of_service": true, + "description": "name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.", + 
"first_found": "2018-11-25T09:16:57.000Z", + "id": "dns-bind-cve-2015-4620", + "last_found": "2022-02-23T20:10:02.535Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2015-4620", + "id": "CVE-2015-4620", + "source": "cve" + }, + { + "href": "https://kb.isc.org/article/AA-01267/0", + "id": "https://kb.isc.org/article/AA-01267/0", + "source": "url" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 7.8, + "fail": false, + "severity_score": 2, + "special_notes": "Denial-of-Service-only vulnerability marked as compliant. ", + "status": "pass" + }, + "port": 53, + "proof": "Vulnerable OS: Debian Linux 6.0\n\n\nRunning DNS service\n\nProduct BIND exists -- ISC BIND 9.7.3\n\nVulnerable version of product BIND found -- ISC BIND 9.7.3", + "protocol": "TCP", + "published": "2015-07-08T00:00:00.000Z", + "references": "cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0", + "risk_score": 334.11, + "severity": "critical", + "severity_score": 8, + "solution": { + "fix": "More information about upgrading your version of ISC BIND is available on the ISC website.", + "id": "upgrade-isc-bind-latest", + "summary": "Upgrade ISC BIND to latest version", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "DNS", + "Denial of Service", + "ISC", + "ISC BIND" + ], + "classification": "CVSS", + "description": "name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 
9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.", + "enumeration": "CVE", + "id": [ + "CVE-2015-4620" + ], + "published_date": "2015-07-08T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2015-4620", + "https://kb.isc.org/article/AA-01267/0" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 7.5, + "version": "3.0" + }, + "severity": "Critical", + "title": "Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)" + } + }, + { + "@timestamp": "2023-06-23T19:36:17.715Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2023-03-23T19:23:01.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|dns-bind-cve-2015-4620|2023-06-23T19:36:17.715Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight 
agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2023-03-23T19:23:01Z\",\"key\":\"\",\"last_found\":\"2023-06-23T19:36:17.715Z\",\"nic\":null,\"port\":445,\"proof\":\"

  • Running CIFS service
  • Configuration item smb2-enabled set to 'true' matched
  • Configuration item smb2-signing set to 'enabled' matched

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"

\\n Configure the system to enable or require SMB signing as appropriate.\\n The method and effect of doing this is system specific so please see\\n this Microsoft article for\\n details. Note: ensure that SMB signing configuration is done for \\n incoming connections (Server).\\n

\",\"solution_id\":\"cifs-smb-signing-windows\",\"solution_summary\":\"Configure SMB signing for Windows\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"cifs-smb2-signing-not-required\",\"added\":\"2015-10-27T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,DNS,Denial of Service,ISC,ISC BIND\",\"cves\":\"CVE-2015-4620\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.870600273013115,\"cvss_v2_integrity_impact\":\"none\",\"cvss_v2_score\":7.8,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:N/I:N/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"denial_of_service\":true,\"description\":\"name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that 
zone.\",\"exploits\":[],\"id\":\"dns-bind-cve-2015-4620\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2015-4620\",\"id\":\"CVE-2015-4620\",\"source\":\"cve\"},{\"href\":\"https://kb.isc.org/article/AA-01267/0\",\"id\":\"https://kb.isc.org/article/AA-01267/0\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":7.8,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"Denial-of-Service-only vulnerability marked as compliant. \",\"pci_status\":\"pass\",\"published\":\"2015-07-08T00:00:00Z\",\"references\":\"cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0\",\"risk_score\":334.11,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)\"}}", + "severity": 8, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + 
"description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vuln": { + "added": "2015-10-27T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "DNS", + "Denial of Service", + "ISC", + "ISC BIND" + ], + "cves": [ + "CVE-2015-4620" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "complete", + "confidentiality_impact": "none", + "exploit_score": 9.996799945831299, + "impact_score": 6.870600273013115, + "integrity_impact": "none", + "score": 7.8, + "vector": "(AV:N/AC:L/Au:N/C:N/I:N/A:C)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "none", + "exploit_score": 3.8870427750000003, + "impact_score": 3.5952, + "integrity_impact": "none", + "privileges_required": "none", + "scope": "unchanged", + "score": 7.5, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "denial_of_service": true, + "description": "name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.", + "first_found": "2023-03-23T19:23:01.000Z", + "id": "dns-bind-cve-2015-4620", + "last_found": "2023-06-23T19:36:17.715Z", + 
"links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2015-4620", + "id": "CVE-2015-4620", + "source": "cve" + }, + { + "href": "https://kb.isc.org/article/AA-01267/0", + "id": "https://kb.isc.org/article/AA-01267/0", + "source": "url" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 7.8, + "fail": false, + "severity_score": 2, + "special_notes": "Denial-of-Service-only vulnerability marked as compliant. ", + "status": "pass" + }, + "port": 445, + "proof": "Running CIFS service\n\nConfiguration item smb2-enabled set to 'true' matched\n\nConfiguration item smb2-signing set to 'enabled' matched", + "protocol": "TCP", + "published": "2015-07-08T00:00:00.000Z", + "references": "cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0", + "risk_score": 334.11, + "severity": "critical", + "severity_score": 8, + "solution": { + "fix": "Configure the system to enable or require SMB signing as appropriate.\n The method and effect of doing this is system specific so please see\n this Microsoft article for\n details. 
Note: ensure that SMB signing configuration is done for \n incoming connections (Server).", + "id": "cifs-smb-signing-windows", + "summary": "Configure SMB signing for Windows", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "DNS", + "Denial of Service", + "ISC", + "ISC BIND" + ], + "classification": "CVSS", + "description": "name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.", + "enumeration": "CVE", + "id": [ + "CVE-2015-4620" + ], + "published_date": "2015-07-08T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2015-4620", + "https://kb.isc.org/article/AA-01267/0" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 7.5, + "version": "3.0" + }, + "severity": "Critical", + "title": "Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)" + } + }, + { + "@timestamp": "2023-06-23T18:08:29.154Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2022-12-23T19:25:13.000Z", + "id": 
"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|vmsa-2012-0013-cve-2012-0815|2023-06-23T18:08:29.154Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2022-12-23T19:25:13Z\",\"key\":\"VMware ESX Server 4.0.0 GA\",\"last_found\":\"2023-06-23T18:08:29.154Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: VMware ESX Server 4.0.0 GA

  • The property "build" contains: 164009.

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Download and apply the upgrade from: https://knowledge.broadcom.com/external/article?articleNumber=142814

\",\"solution_id\":\"vmware-esx-upgrade-latest\",\"solution_summary\":\"Upgrade VMware ESX to the latest version\",\"solution_type\":\"rollup\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"vmsa-2012-0013-cve-2012-0815\",\"added\":\"2012-09-17T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Denial of Service,IAVM,Remote Execution,VMware,VMware ESX/ESXi\",\"cves\":\"CVE-2012-0815\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.8,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range 
comparison.\",\"exploits\":[],\"id\":\"vmsa-2012-0013-cve-2012-0815\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2012-0815\",\"id\":\"CVE-2012-0815\",\"source\":\"cve\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"V0033884\",\"source\":\"disa_vmskey\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"2012-A-0153\",\"source\":\"iavm\"},{\"href\":\"http://www.vmware.com/security/advisories/VMSA-2012-0013.html\",\"id\":\"http://www.vmware.com/security/advisories/VMSA-2012-0013.html\",\"source\":\"url\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"Category I\",\"source\":\"disa_severity\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"2012-A-0148\",\"source\":\"iavm\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"V0033794\",\"source\":\"disa_vmskey\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":6.8,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2012-06-04T00:00:00Z\",\"references\":\"iavm:2012-A-0148,iavm:2012-A-0153,cve:CVE-2012-0815,disa_severity:Category I,disa_vmskey:V0033794,disa_vmskey:V0033884,url:http://www.vmware.com/security/advisories/VMSA-2012-0013.html\",\"risk_score\":716.99,\"severity\":\"severe\",\"severity_score\":7,\"title\":\"VMSA-2012-0013: Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS (CVE-2012-0815)\"}}", + "severity": 7, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": 
"Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "fixed_version": "latest", + "name": "VMware ESX Server 4.0.0 GA", + "version": "VMware ESX Server 4.0.0 GA" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vuln": { + "added": "2012-09-17T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "Denial of Service", + "IAVM", + "Remote Execution", + "VMware", + "VMware ESX/ESXi" + ], + "cves": [ + "CVE-2012-0815" + ], + "cvss_v2": { + "access_complexity": "medium", + "access_vector": "network", + "authentication": "none", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 8.588799953460693, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 6.8, + "vector": "(AV:N/AC:M/Au:N/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "local", + "availability_impact": "high", + 
"confidentiality_impact": "high", + "exploit_score": 2.515145325, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 8.4, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range comparison.", + "first_found": "2022-12-23T19:25:13.000Z", + "id": "vmsa-2012-0013-cve-2012-0815", + "key": "VMware ESX Server 4.0.0 GA", + "last_found": "2023-06-23T18:08:29.154Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2012-0815", + "id": "CVE-2012-0815", + "source": "cve" + }, + { + "href": "http://iase.disa.mil/stigs/iavm-cve.html", + "id": "V0033884", + "source": "disa_vmskey" + }, + { + "href": "http://iase.disa.mil/stigs/iavm-cve.html", + "id": "2012-A-0153", + "source": "iavm" + }, + { + "href": "http://www.vmware.com/security/advisories/VMSA-2012-0013.html", + "id": "http://www.vmware.com/security/advisories/VMSA-2012-0013.html", + "source": "url" + }, + { + "href": "http://iase.disa.mil/stigs/iavm-cve.html", + "id": "Category I", + "source": "disa_severity" + }, + { + "href": "http://iase.disa.mil/stigs/iavm-cve.html", + "id": "2012-A-0148", + "source": "iavm" + }, + { + "href": "http://iase.disa.mil/stigs/iavm-cve.html", + "id": "V0033794", + "source": "disa_vmskey" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 6.8, + "fail": true, + "severity_score": 4, + "status": "fail" + }, + "proof": "Vulnerable OS: VMware ESX Server 4.0.0 GA\n\n\nThe property \"build\" contains: 164009.", + "published": "2012-06-04T00:00:00.000Z", + "references": 
"iavm:2012-A-0148,iavm:2012-A-0153,cve:CVE-2012-0815,disa_severity:Category I,disa_vmskey:V0033794,disa_vmskey:V0033884,url:http://www.vmware.com/security/advisories/VMSA-2012-0013.html", + "risk_score": 716.99, + "severity": "severe", + "severity_score": 7, + "solution": { + "fix": "Download and apply the upgrade from: https://knowledge.broadcom.com/external/article?articleNumber=142814", + "id": "vmware-esx-upgrade-latest", + "summary": "Upgrade VMware ESX to the latest version", + "type": "rollup" + }, + "status": "VULNERABLE_VERS", + "title": "VMSA-2012-0013: Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS (CVE-2012-0815)" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "Denial of Service", + "IAVM", + "Remote Execution", + "VMware", + "VMware ESX/ESXi" + ], + "classification": "CVSS", + "description": "The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range comparison.", + "enumeration": "CVE", + "id": [ + "CVE-2012-0815" + ], + "published_date": "2012-06-04T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2012-0815", + "http://iase.disa.mil/stigs/iavm-cve.html", + "http://www.vmware.com/security/advisories/VMSA-2012-0013.html" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 8.4, + "version": "3.0" + }, + "severity": "High", + "title": "Update to ESX service 
console popt, rpm, rpm-libs, and rpm-python RPMS (CVE-2012-0815)" + } + }, + { + "@timestamp": "2023-06-23T17:40:02.211Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2022-12-23T18:54:08.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|wordpress-cve-2015-5731|2023-06-23T17:40:02.211Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2022-12-23T18:54:08Z\",\"key\":\"\",\"last_found\":\"2023-06-23T17:40:02.211Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable software installed: Wordpress 3.0

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

\\n Upgrade to the latest version of Wordpress from https://wordpress.org/download/release-archive/

\",\"solution_id\":\"wordpress-upgrade-latest\",\"solution_summary\":\"Upgrade to the latest version of Wordpress\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"wordpress-cve-2015-5731\",\"added\":\"2017-05-16T00:00:00Z\",\"categories\":\"CSRF,CVSS Score Predicted with Rapid7 AI,Denial of Service,WordPress\",\"cves\":\"CVE-2015-5731\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.8,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":2.8352547300000004,\"cvss_v3_impact_score\":5.177088,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.1,\"cvss_v3_user_interaction\":\"required\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock 
action.\",\"exploits\":[],\"id\":\"wordpress-cve-2015-5731\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2015-5731\",\"id\":\"CVE-2015-5731\",\"source\":\"cve\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":6.8,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2015-11-09T00:00:00Z\",\"references\":\"cve:CVE-2015-5731\",\"risk_score\":676.67,\"severity\":\"severe\",\"severity_score\":7,\"title\":\"Wordpress: CVE-2015-5731: Cross-Site Request Forgery (CSRF)\"}}", + "severity": 7, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "fixed_version": "latest", + "name": "Wordpress 3.0", + "version": "Wordpress 3.0" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + 
"risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vuln": { + "added": "2017-05-16T00:00:00.000Z", + "categories": [ + "CSRF", + "CVSS Score Predicted with Rapid7 AI", + "Denial of Service", + "WordPress" + ], + "cves": [ + "CVE-2015-5731" + ], + "cvss_v2": { + "access_complexity": "medium", + "access_vector": "network", + "authentication": "none", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 8.588799953460693, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 6.8, + "vector": "(AV:N/AC:M/Au:N/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "none", + "exploit_score": 2.8352547300000004, + "impact_score": 5.177088, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 8.1, + "user_interaction": "required", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" + }, + "denial_of_service": false, + "description": "Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action.", + "first_found": "2022-12-23T18:54:08.000Z", + "id": "wordpress-cve-2015-5731", + "last_found": "2023-06-23T17:40:02.211Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2015-5731", + "id": "CVE-2015-5731", + "source": "cve" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 6.8, + 
"fail": true, + "severity_score": 4, + "status": "fail" + }, + "proof": "Vulnerable software installed: Wordpress 3.0", + "published": "2015-11-09T00:00:00.000Z", + "references": "cve:CVE-2015-5731", + "risk_score": 676.67, + "severity": "severe", + "severity_score": 7, + "solution": { + "fix": "Upgrade to the latest version of Wordpress from https://wordpress.org/download/release-archive/", + "id": "wordpress-upgrade-latest", + "summary": "Upgrade to the latest version of Wordpress", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "Wordpress: CVE-2015-5731: Cross-Site Request Forgery (CSRF)" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CSRF", + "CVSS Score Predicted with Rapid7 AI", + "Denial of Service", + "WordPress" + ], + "classification": "CVSS", + "description": "Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action.", + "enumeration": "CVE", + "id": [ + "CVE-2015-5731" + ], + "published_date": "2015-11-09T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2015-5731" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 8.1, + "version": "3.0" + }, + "severity": "High", + "title": "Cross-Site Request Forgery (CSRF)" + } + }, + { + "@timestamp": "2023-06-23T17:41:50.071Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": 
"2022-12-23T18:55:39.000Z", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|php-cve-2016-3171|2023-06-23T17:41:50.071Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2022-12-23T18:55:39Z\",\"key\":\"\",\"last_found\":\"2023-06-23T17:41:50.071Z\",\"nic\":null,\"port\":80,\"proof\":\"

  • Running HTTP service
  • Vulnerable version of component PHP found -- PHP 5.4.16

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"

Download and apply the upgrade from: http://www.php.net/downloads.php

\",\"solution_id\":\"php-upgrade-latest\",\"solution_summary\":\"Upgrade to the latest version of PHP\",\"solution_type\":\"rollup\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"php-cve-2016-3171\",\"added\":\"2019-09-30T00:00:00Z\",\"categories\":\"HTTP,PHP,Remote Execution\",\"cves\":\"CVE-2016-3171\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.8,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"high\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.2211673,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.1,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.\",\"exploits\":[],\"id\":\"php-cve-2016-3171\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2016-3171\",\"id\":\"CVE-2016-3171\",\"source\":\"cve\"}],\"malware_kits\":[],\"modified\":\"2024-11-27T00:00:00Z\",\"pci_cvss_score\":6.8,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2016-04-12T00:00:00Z\",\"references\":\"cve:CVE-2016-3171\",\"risk_score\":669.57,\"severity\":\"severe\",\"severity_score\":7,\"title\":\"PHP Vulnerability: CVE-2016-3171\"}}", + 
"severity": 7, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": [ + "10.50.6.126" + ], + "mac": [ + "00-00-5E-00-53-01" + ], + "name": "ub22-50-6-126", + "os": { + "family": "Linux", + "full": "Ubuntu Linux 22.04", + "name": "Linux", + "platform": "linux", + "type": "linux", + "version": "22.04" + }, + "risk": { + "static_score": 5656.0 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "fixed_version": "latest", + "name": "PHP" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 5, + "exploits": 0, + "host_name": "ub22-50-6-126", + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2025-05-27T19:54:43.777Z", + "last_scan_end": "2025-05-27T19:54:43.777Z", + "last_scan_start": "2025-05-27T19:53:43.777Z", + "mac": "00-00-5E-00-53-01", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Ubuntu Linux 22.04", + "family": "Linux", + "name": "Linux", + "system_name": "Ubuntu Linux", + "vendor": "Ubuntu", + "version": "22.04" + }, + "risk_score": 5656.0, + "severe_vulnerabilities": 6, + "total_vulnerabilities": 12, + "type": "guest", + "unique_identifiers": [ + { + "id": "B7123456-5678-1234-ABCD-6F6ABCDEFA91", + "source": "dmidecode" + }, + { + "id": "cababcdefabcd0123456789f16d7061a", + "source": "R7 Agent" + }, + { + "id": "cab682b411e200123456789ab6d7061a", + "source": "Endpoint Agent" + } + ], + "vuln": { + "added": "2019-09-30T00:00:00.000Z", + "categories": [ + "HTTP", + "PHP", + "Remote Execution" + ], + "cves": [ + "CVE-2016-3171" + ], + "cvss_v2": { + "access_complexity": "medium", + "access_vector": "network", + "authentication": "none", 
+ "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 8.588799953460693, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 6.8, + "vector": "(AV:N/AC:M/Au:N/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "high", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 2.2211673, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 8.1, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.", + "first_found": "2022-12-23T18:55:39.000Z", + "id": "php-cve-2016-3171", + "last_found": "2023-06-23T17:41:50.071Z", + "links": [ + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2016-3171", + "id": "CVE-2016-3171", + "source": "cve" + } + ], + "modified": "2024-11-27T00:00:00.000Z", + "pci": { + "cvss_score": 6.8, + "fail": true, + "severity_score": 4, + "status": "fail" + }, + "port": 80, + "proof": "Running HTTP service\n\nVulnerable version of component PHP found -- PHP 5.4.16", + "protocol": "TCP", + "published": "2016-04-12T00:00:00.000Z", + "references": "cve:CVE-2016-3171", + "risk_score": 669.57, + "severity": "severe", + "severity_score": 7, + "solution": { + "fix": "Download and apply the upgrade from: http://www.php.net/downloads.php", + "id": "php-upgrade-latest", + "summary": "Upgrade to the latest version of PHP", + "type": "rollup" + }, + "status": "VULNERABLE_VERS", + "title": "PHP Vulnerability: CVE-2016-3171" + } + } + }, + "related": { + "hosts": [ + "ub22-50-6-126", + "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7" + ], + "ip": [ + 
"10.50.6.126" + ] + }, + "resource": { + "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7", + "name": "ub22-50-6-126" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "HTTP", + "PHP", + "Remote Execution" + ], + "classification": "CVSS", + "description": "Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.", + "enumeration": "CVE", + "id": [ + "CVE-2016-3171" + ], + "published_date": "2016-04-12T00:00:00.000Z", + "reference": [ + "http://nvd.nist.gov/vuln/detail/CVE-2016-3171" + ], + "scanner": { + "name": "cababcdefabcd0123456789f16d7061a", + "vendor": "Rapid7" + }, + "score": { + "base": 8.1, + "version": "3.0" + }, + "severity": "High", + "title": "CVE-2016-3171" + } + }, + { + "@timestamp": "2024-06-23T17:54:28.107Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2022-05-23T19:03:38.000Z", + "id": "12123455-abcd-5678-1234-01234567890e-default-asset-4123|f5-big-ip-cve-2017-7656|2024-06-23T17:54:28.107Z", + "kind": "event", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":161,\"protocol\":\"UDP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":161,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":9,\"exploits\":5,\"host_name\":\"BIG-IP-16-1-0.dev.test.rapid7.com\",\"id\":\"12123455-abcd-5678-1234-01234567890e-default-asset-4123\",\"ip\":\"175.16.199.1\",\"last_assessed_for_vulnerabilities\":\"2024-06-23T17:54:28.107Z\",\"last_scan_end\":\"2024-06-23T17:54:28.107Z\",\"last_scan_start\":\"2024-06-23T17:44:15.351Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":10,\"new\":[],\"os_architecture\":\"\",\"os_description\":\"F5 BIG-IP 16.1.0.0\",\"os_family\":\"BIG-IP\",\"os_name\":\"BIG-IP\",\"os_system_name\":\"F5 BIG-IP\",\"os_type\":\"Network management device\",\"os_vendor\":\"F5\",\"os_version\":\"16.1.0.0\",\"remediated\":[],\"risk_score\":35804.71185,\"vuln\":{\"check_id\":null,\"first_found\":\"2022-05-23T19:03:38Z\",\"key\":\"F5 BIG-IP 16.1.0.0\",\"last_found\":\"2024-06-23T17:54:28.107Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: F5 BIG-IP 16.1.0.0

  • The property "ltm" contains: true.

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

\\n Upgrade to the latest available version of F5 BIG-IP. Refer to BIG-IP Hotfix Matrix for the latest hotfix information.\\n

\",\"solution_id\":\"f5-big-ip-upgrade-latest\",\"solution_summary\":\"Upgrade to the latest available version of F5 BIG-IP\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"f5-big-ip-cve-2017-7656\",\"added\":\"2022-04-20T00:00:00Z\",\"categories\":\"F5,F5 BIG-IP,Web\",\"cves\":\"CVE-2017-7656\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":2.8627500620484354,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:N/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"denial_of_service\":false,\"description\":\"In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. 
This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.\",\"exploits\":[],\"id\":\"f5-big-ip-cve-2017-7656\",\"links\":[{\"href\":\"https://my.f5.com/manage/s/article/K21054458\",\"id\":\"https://my.f5.com/manage/s/article/K21054458\",\"source\":\"url\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2017-7656\",\"id\":\"CVE-2017-7656\",\"source\":\"cve\"}],\"malware_kits\":[],\"modified\":\"2024-12-06T00:00:00Z\",\"pci_cvss_score\":5,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2018-06-26T00:00:00Z\",\"references\":\"cve:CVE-2017-7656,url:https://my.f5.com/manage/s/article/K21054458\",\"risk_score\":229.89,\"severity\":\"severe\",\"severity_score\":5,\"title\":\"F5 Networks: CVE-2017-7656: K21054458: Eclipse Jetty vulnerability CVE-2017-7656\"},\"severe_vulnerabilities\":94,\"tags\":[{\"name\":\"snow_test\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets2\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets\",\"type\":\"CUSTOM\"},{\"name\":\"my tag test\",\"type\":\"CUSTOM\"},{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":113,\"type\":\"guest\",\"unique_identifiers\":[]}", + "severity": 5, + "type": [ + "info" + ] + }, + "host": { + "hostname": "BIG-IP-16-1-0.dev.test.rapid7.com", + "id": "12123455-abcd-5678-1234-01234567890e-default-asset-4123", + "ip": [ + "175.16.199.1" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "BIG-IP-16-1-0.dev.test.rapid7.com", + "os": { + "family": "BIG-IP", + "full": "F5 BIG-IP 16.1.0.0", + "name": "BIG-IP", + "version": "16.1.0.0" + }, + "risk": { + "static_score": 35804.71185 + }, + "type": "guest" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "fixed_version": "latest", + "name": "F5 BIG-IP 16.1.0.0", + "version": "F5 BIG-IP 16.1.0.0" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + 
"assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 9, + "exploits": 5, + "host_name": "BIG-IP-16-1-0.dev.test.rapid7.com", + "id": "12123455-abcd-5678-1234-01234567890e-default-asset-4123", + "ip": "175.16.199.1", + "last_assessed_for_vulnerabilities": "2024-06-23T17:54:28.107Z", + "last_scan_end": "2024-06-23T17:54:28.107Z", + "last_scan_start": "2024-06-23T17:44:15.351Z", + "mac": "00-00-5E-00-53-00", + "malware_kits": 0, + "moderate_vulnerabilities": 10, + "os": { + "description": "F5 BIG-IP 16.1.0.0", + "family": "BIG-IP", + "name": "BIG-IP", + "system_name": "F5 BIG-IP", + "type": "Network management device", + "vendor": "F5", + "version": "16.1.0.0" + }, + "risk_score": 35804.71185, + "severe_vulnerabilities": 94, + "total_vulnerabilities": 113, + "type": "guest", + "vuln": { + "added": "2022-04-20T00:00:00.000Z", + "categories": [ + "F5", + "F5 BIG-IP", + "Web" + ], + "cves": [ + "CVE-2017-7656" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "none", + "confidentiality_impact": "none", + "exploit_score": 9.996799945831299, + "impact_score": 2.8627500620484354, + "integrity_impact": "partial", + "score": 5.0, + "vector": "(AV:N/AC:L/Au:N/C:N/I:P/A:N)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "none", + "confidentiality_impact": "none", + "exploit_score": 3.8870427750000003, + "impact_score": 3.5952, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 7.5, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + "denial_of_service": false, + "description": "In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. 
method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.", + "first_found": "2022-05-23T19:03:38.000Z", + "id": "f5-big-ip-cve-2017-7656", + "key": "F5 BIG-IP 16.1.0.0", + "last_found": "2024-06-23T17:54:28.107Z", + "links": [ + { + "href": "https://my.f5.com/manage/s/article/K21054458", + "id": "https://my.f5.com/manage/s/article/K21054458", + "source": "url" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2017-7656", + "id": "CVE-2017-7656", + "source": "cve" + } + ], + "modified": "2024-12-06T00:00:00.000Z", + "pci": { + "cvss_score": 5.0, + "fail": true, + "severity_score": 3, + "status": "fail" + }, + "proof": "Vulnerable OS: F5 BIG-IP 16.1.0.0\n\n\nThe property \"ltm\" contains: true.", + "published": "2018-06-26T00:00:00.000Z", + "references": "cve:CVE-2017-7656,url:https://my.f5.com/manage/s/article/K21054458", + "risk_score": 229.89, + "severity": "severe", + "severity_score": 5, + "solution": { + "fix": "Upgrade to the latest available version of F5 BIG-IP. 
Refer to BIG-IP Hotfix Matrix for the latest hotfix information.", + "id": "f5-big-ip-upgrade-latest", + "summary": "Upgrade to the latest available version of F5 BIG-IP", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "F5 Networks: CVE-2017-7656: K21054458: Eclipse Jetty vulnerability CVE-2017-7656" + } + } + }, + "related": { + "hosts": [ + "BIG-IP-16-1-0.dev.test.rapid7.com", + "12123455-abcd-5678-1234-01234567890e-default-asset-4123" + ], + "ip": [ + "175.16.199.1" + ] + }, + "resource": { + "id": "12123455-abcd-5678-1234-01234567890e-default-asset-4123", + "name": "BIG-IP-16-1-0.dev.test.rapid7.com" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "F5", + "F5 BIG-IP", + "Web" + ], + "classification": "CVSS", + "description": "In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.", + "enumeration": "CVE", + "id": [ + "CVE-2017-7656" + ], + "published_date": "2018-06-26T00:00:00.000Z", + "reference": [ + "https://my.f5.com/manage/s/article/K21054458", + "http://nvd.nist.gov/vuln/detail/CVE-2017-7656" + ], + "scanner": { + "vendor": "Rapid7" + }, + "score": { + "base": 7.5, + "version": "3.0" + }, + "severity": "High", + "title": "K21054458: Eclipse Jetty vulnerability CVE-2017-7656" + } } ] } 
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml index be28064c3d1..a74fc48af7e 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml @@ -808,11 +808,23 @@ processors: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - rename: + - html_strip: field: json.vuln.proof - tag: rename_vuln_proof + tag: html_strip_vuln_proof target_field: rapid7_insightvm.asset_vulnerability.vuln.proof ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - trim: + field: rapid7_insightvm.asset_vulnerability.vuln.proof + tag: trim_vuln_proof + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.vuln.protocol tag: rename_vuln_protocol 
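Review bot: The `html_strip` that replaces the `rename` writes into `rapid7_insightvm.asset_vulnerability.vuln.proof` but, unlike `rename`, leaves the original markup in `json.vuln.proof`; the tail of the pipeline is outside this hunk, so if it does not already `remove` the `json` object the unsanitised HTML copy is indexed alongside the cleaned one. Also note that `html_strip` turns tag boundaries into newlines and the following `trim` only strips the ends, so interior runs survive (this patch's expected output shows `Running HTTP service\n\nVulnerable version of component PHP found -- PHP 5.4.16`); if a single-line value is needed by later processors, add a `gsub` with `pattern: '\s+'` and `replacement: ' '` between `html_strip` and `trim`, or normalise into a scratch field rather than the stored proof.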
@@ -893,11 +905,23 @@ processors: tag: set_event_severity_from_asset_vulnerability_vuln_severity_score copy_from: rapid7_insightvm.asset_vulnerability.vuln.severity_score ignore_empty_value: true - - rename: + - html_strip: field: json.vuln.solution_fix - tag: rename_vuln_solution_fix + tag: html_strip_vuln_solution_fix target_field: rapid7_insightvm.asset_vulnerability.vuln.solution.fix ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - trim: + field: rapid7_insightvm.asset_vulnerability.vuln.solution.fix + tag: trim_vuln_solution_fix + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.vuln.solution_id tag: rename_vuln_solution_id 
@@ -913,6 +937,65 @@ processors: tag: rename_vuln_solution_type target_field: rapid7_insightvm.asset_vulnerability.vuln.solution.type ignore_missing: true + - grok: + field: rapid7_insightvm.asset_vulnerability.vuln.proof + tag: grok_parse_vuln_proof + patterns: + - '^Vulnerable OS: %{DATA:_temp.os} Vulnerable software installed: %{DATA:package.name} Required patch %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:_temp.os} Vulnerable software installed: %{DATA:package.name} Running HTTPS service %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:_temp.os} Vulnerable software installed: %{DATA:package.name}$' + - '^Vulnerable OS: %{DATA:_temp.os} Running %{DATA:_temp.service} service%{DATA}Vulnerable version of %{DATA} found -- %{DATA:package.name}$' + - '^Vulnerable OS: %{DATA:package.name} The property %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:package.name} Based on the result of the %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:package.name} succeeded with offset %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:package.name} is installed$' + - '^Vulnerable OS: %{DATA:package.name} System replied with a malformed SMB packet$' + - '^Vulnerable OS: %{DATA:package.name} Based on the following %{DATA} results: %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:package.name} Found an applicable package: %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:package.name} Server responded with vulnerable error code: %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:package.name}$' + - '^Vulnerable software installed: %{DATA:package.name} Vulnerable OS: %{DATA:_temp.os}$' + - '^Vulnerable software installed: %{DATA:package.name}$' + - '^Vulnerable: %{DATA:package.name}$' + - '^Running CIFS service Vulnerable OS: %{DATA:package.name} Based on the result of the %{GREEDYDATA}$' + - '^Running CIFS service Vulnerable OS: %{DATA:package.name} Received vulnerable status reply$' + - '^Running %{DATA:_temp.service} service%{DATA}Vulnerable version of %{DATA} found -- %{DATA:package.name}$' + - '^%{GREEDYDATA}$' + 
ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: package.version + tag: set_package_version_from_package_name + copy_from: package.name + ignore_empty_value: true + - grok: + field: rapid7_insightvm.asset_vulnerability.vuln.solution.summary + tag: grok_parse_vuln_solution_summary + patterns: + - '^Upgrade to the %{DATA:package.fixed_version}( available)? version of %{DATA:_temp.package_name}$' + - '^(Upgrade|Update) %{DATA:_temp.package_name} to (the )?%{DATA:package.fixed_version}( version)?(.)?$' + - '^(Upgrade|Update) to (a|an|the)?%{DATA:package.fixed_version}$' + - '^%{GREEDYDATA}$' + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: package.name + tag: set_package_name_from_temp_package_name + copy_from: _temp.package_name + ignore_empty_value: true + if: ctx.package?.name == null + - set: + field: package.version + tag: set_package_version_from_vuln_key + copy_from: rapid7_insightvm.asset_vulnerability.vuln.key + ignore_empty_value: true + if: ctx.package?.version == null - rename: field: json.vuln.status tag: rename_vuln_status From a908189a8d3b087bc84dd84074256fe0ebe7de37 Mon Sep 17 00:00:00 2001 
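Review bot: The `grok_parse_vuln_proof` patterns join their phrases with a single literal space (`… %{DATA:_temp.os} Vulnerable software installed: …`, `Running %{DATA:_temp.service} service%{DATA}Vulnerable version …`), but the field they read comes out of `html_strip` + `trim` with the tag boundaries left as newline runs, so a multi-segment proof never reaches its intended alternative and falls through to a single-segment or the `^%{GREEDYDATA}$` catch-all — consistent with this patch's expected output, where the PHP event gets `package.name` `PHP` only via the solution-summary grok and no `package.version`, and a proof of the form `Vulnerable OS: X … Vulnerable software installed: Y` would be read as the OS being the package. Normalising whitespace into a scratch field and pointing the grok at it (below) lets the patterns match as written without altering the stored `vuln.proof`. Separately, `set_package_version_from_package_name` copies the whole capture into `package.version`, so the WordPress event ends up with `package.version: "Wordpress 3.0"` identical to `package.name`; a version field holding the product name is worse than an absent one for anything that compares versions, so either split the capture (e.g. `%{DATA:package.name} %{NOTSPACE:package.version}$` where a trailing version token is present) or drop that `set`. The `_temp.os`, `_temp.service`, `_temp.package_name` captures must be removed before indexing; the end of the pipeline is outside this hunk, so I could not confirm that.
```yaml
  - gsub:
      field: rapid7_insightvm.asset_vulnerability.vuln.proof
      tag: gsub_normalize_vuln_proof_whitespace
      target_field: _temp.proof
      pattern: '\s+'
      replacement: ' '
      ignore_missing: true
  - grok:
      field: _temp.proof
      tag: grok_parse_vuln_proof
      # … unchanged: patterns, ignore_missing, on_failure …
```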
From: brijesh-elastic Date: Fri, 30 May 2025 15:58:00 +0530 Subject: [PATCH 03/19] add transform --- .../data_stream/asset/sample_event.json | 24 +- .../fields/base-fields.yml | 16 +- .../asset_vulnerability/sample_event.json | 16 +- .../vulnerability/sample_event.json | 20 +- packages/rapid7_insightvm/docs/README.md | 40 +-- .../fields/base-fields.yml | 17 + .../fields/beats.yml | 6 + .../latest_cdr_vulnerabilities/fields/ecs.yml | 102 ++++++ .../fields/fields.yml | 329 ++++++++++++++++++ .../fields/package.yml | 11 + .../fields/resource.yml | 7 + .../fields/vulnerability.yml | 12 + .../latest_cdr_vulnerabilities/transform.yml | 31 ++ 13 files changed, 571 insertions(+), 60 deletions(-) create mode 100644 packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml create mode 100644 packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml create mode 100644 packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml create mode 100644 packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml create mode 100644 packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml create mode 100644 packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml create mode 100644 packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml create mode 100644 packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml diff --git a/packages/rapid7_insightvm/data_stream/asset/sample_event.json b/packages/rapid7_insightvm/data_stream/asset/sample_event.json index ae8e306a6f3..d462f23d2cb 100644 --- a/packages/rapid7_insightvm/data_stream/asset/sample_event.json +++ b/packages/rapid7_insightvm/data_stream/asset/sample_event.json 
@@ -1,33 +1,33 @@ { - "@timestamp": "2023-05-23T16:17:06.996Z", + "@timestamp": "2025-05-30T08:45:28.249Z", "agent": { - "ephemeral_id": "163d2260-4499-492b-bbd5-4d90487865b9", - "id": "c157ef08-38bb-40dd-bae1-c6bc8c8f02fa", - "name": "docker-fleet-agent", + "ephemeral_id": "949db32c-9ca8-41ae-a908-2a8e8166cbac", + "id": "87221170-ce21-40cd-ae6a-780544239840", + "name": "elastic-agent-91445", "type": "filebeat", - "version": "8.9.0" + "version": "8.18.0" }, "data_stream": { "dataset": "rapid7_insightvm.asset", - "namespace": "ep", + "namespace": "87300", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "c157ef08-38bb-40dd-bae1-c6bc8c8f02fa", - "snapshot": true, - "version": "8.9.0" + "id": "87221170-ce21-40cd-ae6a-780544239840", + "snapshot": false, + "version": "8.18.0" }, "event": { "agent_id_status": "verified", "category": [ "host" ], - "created": "2023-05-23T16:17:06.996Z", + "created": "2025-05-30T08:45:28.249Z", "dataset": "rapid7_insightvm.asset", - "ingested": "2023-05-23T16:17:08Z", + "ingested": "2025-05-30T08:45:31Z", "kind": "state", "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"critical_vulnerabilities\":0,\"exploits\":0,\"id\":\"452534235-25a7-40a3-9321-28ce0b5cc90e-default-asset-199\",\"ip\":\"10.1.0.128\",\"last_assessed_for_vulnerabilities\":\"2020-03-20T19:19:42.611Z\",\"last_scan_end\":\"2020-03-20T19:19:42.611Z\",\"last_scan_start\":\"2020-03-20T19:18:13.611Z\",\"malware_kits\":0,\"moderate_vulnerabilities\":2,\"new\":[],\"os_architecture\":\"x86_64\",\"os_description\":\"CentOS Linux 2.6.18\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"CentOS Linux\",\"os_type\":\"General\",\"os_vendor\":\"CentOS\",\"os_version\":\"2.6.18\",\"remediated\":[],\"risk_score\":0,\"severe_vulnerabilities\":0,\"tags\":[{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":2}", "type": [ 
@@ -100,4 +100,4 @@ "forwarded", "rapid7_insightvm-asset" ] -} \ No newline at end of file +} diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/base-fields.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/base-fields.yml index f819023beac..56ffab0744f 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/base-fields.yml +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/base-fields.yml @@ -1,20 +1,16 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: event.module + external: ecs type: constant_keyword - description: Event module. value: rapid7_insightvm - name: event.dataset + external: ecs type: constant_keyword - description: Event dataset. value: rapid7_insightvm.asset_vulnerability - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json b/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json index 024a23e3e7e..7e72d7a8c71 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json 
@@ -1,22 +1,22 @@ { "@timestamp": "2025-05-27T18:21:36.279Z", "agent": { - "ephemeral_id": "5b01a91a-b9d6-4c5a-bfd8-3f150d4ff3e5", - "id": "cc4f0351-6981-4455-8056-febadebbf0f2", - "name": "elastic-agent-52350", + "ephemeral_id": "843312ee-1b90-4305-b2a4-ad903d21aad6", + "id": "e08b1df5-acc0-426e-8e25-090ccc2ed0ac", + "name": "elastic-agent-39481", "type": "filebeat", "version": "8.18.0" }, "data_stream": { "dataset": "rapid7_insightvm.asset_vulnerability", - "namespace": "60884", + "namespace": "63091", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "cc4f0351-6981-4455-8056-febadebbf0f2", + "id": "e08b1df5-acc0-426e-8e25-090ccc2ed0ac", "snapshot": false, "version": "8.18.0" }, 
@@ -28,7 +28,7 @@ "created": "2025-05-12T16:25:35.000Z", "dataset": "rapid7_insightvm.asset_vulnerability", "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6|unix-anonymous-root-logins|2025-05-27T18:21:36.279Z", - "ingested": "2025-05-29T09:30:27Z", + "ingested": "2025-05-30T08:46:29Z", "kind": "event", "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vuln\":{\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 
AI,UNIX\",\"check_id\":null,\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":7.9520000338554375,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:S/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \\\"su\\\" to become root.\",\"exploits\":[],\"first_found\":\"2025-05-12T16:25:35Z\",\"id\":\"unix-anonymous-root-logins\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":6.5,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"published\":\"2004-11-30T00:00:00Z\",\"references\":\"\",\"reintroduced\":null,\"risk_score\":562,\"severity\":\"severe\",\"severity_score\":7,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"title\":\"Anonymous root login is allowed\",\"vulnerability_id\":\"unix-anonymous-root-logins\"},\"vulnerability\":[{\"check_id\":null,\"first_found\":\"2025-05-12T16:25:35Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-anonymous-root-logins\"},{\"check_id\":null,\"first_found\":\"2025-05-14T13:52:10Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eThe following world writable files were found.\\u003cul\\u003e\\u003cli\\u003e/var/.com.zerog.registry.xml (-rwxrwxrwx)\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eFor each world-writable file, determine whether there is a good reason for\\n it to be world writable. If not, remove world write permissions for the file.\\n The output here is limited to 50 files. In order to find all of these files without needing to\\n run another Nexpose scan run the following command:\\u003c/p\\u003e\\u003cpre\\u003e find / -type f -perm -02\\u003c/pre\\u003e\\u003cp\\u003ePlease note; it may be necessary exclude particular paths or file share types, run \\u0026#39;man find\\u0026#39; for information.\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-world-writable-files\",\"solution_summary\":\"Remove world write permissions\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-world-writable-files\"}]}", "severity": 7, @@ -149,13 +149,13 @@ "severity_score": 4, "status": "fail" }, - "proof": "

Following entries in /etc/securetty \n may allow anonymous root logins:

  • ttyS0
  • ttysclp0
  • sclp_line0
  • 3270/tty1
  • hvc0
  • hvc1
  • hvc2
  • hvc3
  • hvc4
  • hvc5
  • hvc6
  • hvc7
  • hvsi0
  • hvsi1
  • hvsi2
  • xvc0

", + "proof": "Following entries in /etc/securetty \n may allow anonymous root logins: \n\nttyS0\n\nttysclp0\n\nsclp_line0\n\n3270/tty1\n\nhvc0\n\nhvc1\n\nhvc2\n\nhvc3\n\nhvc4\n\nhvc5\n\nhvc6\n\nhvc7\n\nhvsi0\n\nhvsi1\n\nhvsi2\n\nxvc0", "published": "2004-11-30T00:00:00.000Z", "risk_score": 562, "severity": "severe", "severity_score": 7, "solution": { - "fix": "

Remove all the entries in /etc/securetty except console,\n tty[0-9]* and vc\\[0-9]*

Note: ssh does not use /etc/securetty. To disable root login\n through ssh, use the "PermitRootLogin" setting in /etc/ssh/sshd_config\n and restart the ssh daemon.

", + "fix": "Remove all the entries in /etc/securetty except console,\n tty[0-9]* and vc\\[0-9]* \n\nNote: ssh does not use /etc/securetty. To disable root login\n through ssh, use the \"PermitRootLogin\" setting in /etc/ssh/sshd_config\n and restart the ssh daemon.", "id": "unix-anonymous-root-logins", "summary": "Edit '/etc/securetty' entries", "type": "workaround" diff --git a/packages/rapid7_insightvm/data_stream/vulnerability/sample_event.json b/packages/rapid7_insightvm/data_stream/vulnerability/sample_event.json index 3fa547df0e5..3eada690a25 100644 --- a/packages/rapid7_insightvm/data_stream/vulnerability/sample_event.json +++ b/packages/rapid7_insightvm/data_stream/vulnerability/sample_event.json 
@@ -1,34 +1,34 @@ { "@timestamp": "2018-06-08T00:00:00.000Z", "agent": { - "ephemeral_id": "9844171e-82cf-4571-bba2-2256a2464500", - "id": "e4354c0c-ca75-448a-b886-ec73a12bce07", - "name": "docker-fleet-agent", + "ephemeral_id": "30ed4ebf-b82c-4ad8-b690-2ed0455d3454", + "id": "3b4ebced-1156-411e-9160-ed235c2109b8", + "name": "elastic-agent-78422", "type": "filebeat", - "version": "8.11.0" + "version": "8.18.0" }, "data_stream": { "dataset": "rapid7_insightvm.vulnerability", - "namespace": "ep", + "namespace": "46101", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "e4354c0c-ca75-448a-b886-ec73a12bce07", + "id": "3b4ebced-1156-411e-9160-ed235c2109b8", "snapshot": false, - "version": "8.11.0" + "version": "8.18.0" }, "event": { "agent_id_status": "verified", "category": [ "vulnerability" ], - "created": "2023-12-20T15:51:20.233Z", + "created": "2025-05-30T08:47:25.492Z", "dataset": "rapid7_insightvm.vulnerability", "id": "7-zip-cve-2008-6536", - "ingested": "2023-12-20T15:51:23Z", + "ingested": "2025-05-30T08:47:27Z", "kind": "event", "original": "{\"added\":\"2018-05-16T00:00:00Z\",\"categories\":\"7-Zip\",\"cves\":\"CVE-2008-6536\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799,\"cvss_v2_impact_score\":10.000845,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"cvss_v3_attack_complexity\":null,\"cvss_v3_attack_vector\":null,\"cvss_v3_availability_impact\":null,\"cvss_v3_confidentiality_impact\":null,\"cvss_v3_exploit_score\":0,\"cvss_v3_impact_score\":0,\"cvss_v3_integrity_impact\":null,\"cvss_v3_privileges_required\":null,\"cvss_v3_scope\":null,\"cvss_v3_score\":0,\"cvss_v3_user_interaction\":null,\"cvss_v3_vector\":null,\"denial_of_service\":false,\"description\":\"Unspecified 
vulnerability in 7-zip before 4.5.7 has unknown impact and remote attack vectors, as demonstrated by the PROTOS GENOME test suite for Archive Formats (c10).\",\"exploits\":[],\"id\":\"7-zip-cve-2008-6536\",\"links\":[{\"href\":\"http://www.securityfocus.com/bid/28285\",\"id\":\"28285\",\"rel\":\"advisory\",\"source\":\"bid\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"id\":\"41247\",\"rel\":\"advisory\",\"source\":\"xf\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2008-6536\",\"id\":\"CVE-2008-6536\",\"rel\":\"advisory\",\"source\":\"cve\"},{\"href\":\"http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html\",\"id\":\"http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/\",\"id\":\"http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.securityfocus.com/bid/28285\",\"id\":\"http://www.securityfocus.com/bid/28285\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.vupen.com/english/advisories/2008/0914/references\",\"id\":\"http://www.vupen.com/english/advisories/2008/0914/references\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf\",\"id\":\"http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"id\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"rel\":\"advisory\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2018-06-08T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2009-03-29T00:00:00Z\",\"references\"
:\"bid:28285,xf:41247,cve:CVE-2008-6536,url:http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html,url:http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/,url:http://www.securityfocus.com/bid/28285,url:http://www.vupen.com/english/advisories/2008/0914/references,url:http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf,url:https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"risk_score\":885.16,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"7-Zip: CVE-2008-6536: Unspecified vulnerability in 7-zip before 4.5.7\"}", "risk_score": 885.16, @@ -173,4 +173,4 @@ }, "severity": "critical" } -} \ No newline at end of file +} diff --git a/packages/rapid7_insightvm/docs/README.md b/packages/rapid7_insightvm/docs/README.md index 3d8cc0ce549..5c7a64434fb 100644 --- a/packages/rapid7_insightvm/docs/README.md +++ b/packages/rapid7_insightvm/docs/README.md 
@@ -38,35 +38,35 @@ An example event for `asset` looks as following: ```json { - "@timestamp": "2023-05-23T16:17:06.996Z", + "@timestamp": "2025-05-30T08:45:28.249Z", "agent": { - "ephemeral_id": "163d2260-4499-492b-bbd5-4d90487865b9", - "id": "c157ef08-38bb-40dd-bae1-c6bc8c8f02fa", - "name": "docker-fleet-agent", + "ephemeral_id": "949db32c-9ca8-41ae-a908-2a8e8166cbac", + "id": "87221170-ce21-40cd-ae6a-780544239840", + "name": "elastic-agent-91445", "type": "filebeat", - "version": "8.9.0" + "version": "8.18.0" }, "data_stream": { "dataset": "rapid7_insightvm.asset", - "namespace": "ep", + "namespace": "87300", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "c157ef08-38bb-40dd-bae1-c6bc8c8f02fa", - "snapshot": true, - "version": "8.9.0" + "id": "87221170-ce21-40cd-ae6a-780544239840", + "snapshot": false, + "version": "8.18.0" }, "event": { "agent_id_status": "verified", "category": [ "host" ], - "created": "2023-05-23T16:17:06.996Z", + "created": "2025-05-30T08:45:28.249Z", "dataset": "rapid7_insightvm.asset", - "ingested": "2023-05-23T16:17:08Z", + "ingested": "2025-05-30T08:45:31Z", "kind": "state", "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"critical_vulnerabilities\":0,\"exploits\":0,\"id\":\"452534235-25a7-40a3-9321-28ce0b5cc90e-default-asset-199\",\"ip\":\"10.1.0.128\",\"last_assessed_for_vulnerabilities\":\"2020-03-20T19:19:42.611Z\",\"last_scan_end\":\"2020-03-20T19:19:42.611Z\",\"last_scan_start\":\"2020-03-20T19:18:13.611Z\",\"malware_kits\":0,\"moderate_vulnerabilities\":2,\"new\":[],\"os_architecture\":\"x86_64\",\"os_description\":\"CentOS Linux 2.6.18\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"CentOS Linux\",\"os_type\":\"General\",\"os_vendor\":\"CentOS\",\"os_version\":\"2.6.18\",\"remediated\":[],\"risk_score\":0,\"severe_vulnerabilities\":0,\"tags\":[{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":2}", "type": [ 
@@ -239,34 +239,34 @@ An example event for `vulnerability` looks as following: { "@timestamp": "2018-06-08T00:00:00.000Z", "agent": { - "ephemeral_id": "9844171e-82cf-4571-bba2-2256a2464500", - "id": "e4354c0c-ca75-448a-b886-ec73a12bce07", - "name": "docker-fleet-agent", + "ephemeral_id": "30ed4ebf-b82c-4ad8-b690-2ed0455d3454", + "id": "3b4ebced-1156-411e-9160-ed235c2109b8", + "name": "elastic-agent-78422", "type": "filebeat", - "version": "8.11.0" + "version": "8.18.0" }, "data_stream": { "dataset": "rapid7_insightvm.vulnerability", - "namespace": "ep", + "namespace": "46101", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "e4354c0c-ca75-448a-b886-ec73a12bce07", + "id": "3b4ebced-1156-411e-9160-ed235c2109b8", "snapshot": false, - "version": "8.11.0" + "version": "8.18.0" }, "event": { "agent_id_status": "verified", "category": [ "vulnerability" ], - "created": "2023-12-20T15:51:20.233Z", + "created": "2025-05-30T08:47:25.492Z", "dataset": "rapid7_insightvm.vulnerability", "id": "7-zip-cve-2008-6536", - "ingested": "2023-12-20T15:51:23Z", + "ingested": "2025-05-30T08:47:27Z", "kind": "event", "original": 
"{\"added\":\"2018-05-16T00:00:00Z\",\"categories\":\"7-Zip\",\"cves\":\"CVE-2008-6536\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799,\"cvss_v2_impact_score\":10.000845,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"cvss_v3_attack_complexity\":null,\"cvss_v3_attack_vector\":null,\"cvss_v3_availability_impact\":null,\"cvss_v3_confidentiality_impact\":null,\"cvss_v3_exploit_score\":0,\"cvss_v3_impact_score\":0,\"cvss_v3_integrity_impact\":null,\"cvss_v3_privileges_required\":null,\"cvss_v3_scope\":null,\"cvss_v3_score\":0,\"cvss_v3_user_interaction\":null,\"cvss_v3_vector\":null,\"denial_of_service\":false,\"description\":\"Unspecified vulnerability in 7-zip before 4.5.7 has unknown impact and remote attack vectors, as demonstrated by the PROTOS GENOME test suite for Archive Formats 
(c10).\",\"exploits\":[],\"id\":\"7-zip-cve-2008-6536\",\"links\":[{\"href\":\"http://www.securityfocus.com/bid/28285\",\"id\":\"28285\",\"rel\":\"advisory\",\"source\":\"bid\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"id\":\"41247\",\"rel\":\"advisory\",\"source\":\"xf\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2008-6536\",\"id\":\"CVE-2008-6536\",\"rel\":\"advisory\",\"source\":\"cve\"},{\"href\":\"http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html\",\"id\":\"http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/\",\"id\":\"http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.securityfocus.com/bid/28285\",\"id\":\"http://www.securityfocus.com/bid/28285\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.vupen.com/english/advisories/2008/0914/references\",\"id\":\"http://www.vupen.com/english/advisories/2008/0914/references\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf\",\"id\":\"http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"id\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"rel\":\"advisory\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2018-06-08T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2009-03-29T00:00:00Z\",\"references\":\"bid:28285,xf:41247,cve:CVE-2008-6536,url:http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html,url:http://www.ee.oulu.fi/research/
ouspg/protos/testing/c10/archive/,url:http://www.securityfocus.com/bid/28285,url:http://www.vupen.com/english/advisories/2008/0914/references,url:http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf,url:https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"risk_score\":885.16,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"7-Zip: CVE-2008-6536: Unspecified vulnerability in 7-zip before 4.5.7\"}",
 "risk_score": 885.16,
diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml
new file mode 100644
index 00000000000..32066c5865d
--- /dev/null
+++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml
@@ -0,0 +1,17 @@
+- name: data_stream.type
+ external: ecs
+- name: data_stream.dataset
+ external: ecs
+- name: data_stream.namespace
+ external: ecs
+ type: keyword
+- name: event.module
+ external: ecs
+ type: constant_keyword
+ value: rapid7_insightvm
+- name: event.dataset
+ external: ecs
+ type: constant_keyword
+ value: rapid7_insightvm.asset_vulnerability
+- name: '@timestamp'
+ external: ecs
diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml
new file mode 100644
index 00000000000..4084f1dc7f5
--- /dev/null
+++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ type: keyword
+ description: Type of filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml
new file mode 100644
index 00000000000..436631adbbd
--- /dev/null
+++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml
@@ -0,0 +1,102 @@
+# Define ECS constant fields as constant_keyword
+- name: observer.vendor
+ type: constant_keyword
+ external: ecs
+- name: vulnerability.scanner.vendor
+ type: constant_keyword
+ external: ecs
+# Other ECS fields
+- name: agent.ephemeral_id
+ external: ecs
+- name: agent.id
+ external: ecs
+- name: agent.name
+ external: ecs
+- name: agent.type
+ external: ecs
+- name: agent.version
+ external: ecs
+- name: ecs.version
+ external: ecs
+- name: error.code
+ external: ecs
+- name: error.id
+ external: ecs
+- name: error.message
+ external: ecs
+- name: event.agent_id_status
+ external: ecs
+- name: event.category
+ external: ecs
+- name: event.created
+ external: ecs
+- name: event.id
+ external: ecs
+- name: event.ingested
+ external: ecs
+- name: event.kind
+ external: ecs
+- name: event.original
+ external: ecs
+- name: event.severity
+ external: ecs
+- name: event.type
+ external: ecs
+- name: host.architecture
+ external: ecs
+- name: host.hostname
+ external: ecs
+- name: host.id
+ external: ecs
+- name: host.ip
+ external: ecs
+- name: host.mac
+ external: ecs
+- name: host.name
+ external: ecs
+- name: host.os.family
+ external: ecs
+- name: host.os.full
+ external: ecs
+- name: host.os.name
+ external: ecs
+- name: host.os.platform
+ external: ecs
+- name: host.os.type
+ external: ecs
+- name: host.os.version
+ external: ecs
+- name: host.type
+ external: ecs
+- name: host.risk.static_score
+ external: ecs
+- name: observer.product
+ external: ecs
+- name: package.name
+ external: ecs
+- name: package.version
+ external: ecs
+- name: related.hosts
+ external: ecs
+- name: related.ip
+ external: ecs
+- name: tags
+ external: ecs
+- name: vulnerability.category
+ external: ecs
+- name: vulnerability.classification
+ external: ecs
+- name: vulnerability.description
+ external: ecs
+- name: vulnerability.enumeration
+ external: ecs
+- name: vulnerability.id
+ external: ecs
+- name: vulnerability.reference
+ external: ecs
+- name: vulnerability.score.base
+ external: ecs
+- name: vulnerability.score.version
+ external: ecs
+- name: vulnerability.severity
+ external: ecs
diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml
new file mode 100644
index 00000000000..495cff8ac6a
--- /dev/null
+++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml
@@ -0,0 +1,329 @@ +- name: rapid7_insightvm + type: group + fields: + - name: asset_vulnerability + type: group + fields: + - name: assessed_for_policies + type: boolean + description: Whether an asset was assessed for policies. + - name: assessed_for_vulnerabilities + type: boolean + description: Whether an asset was assessed for vulnerabilities. + - name: credential_assessments + type: group + fields: + - name: port + type: long + description: The port the authentication was used on. + - name: protocol + type: keyword + description: The protocol the authentication was used on. + - name: status + type: keyword + description: The authentication of the last scan performed. + - name: critical_vulnerabilities + type: long + description: The count of critical vulnerability findings. + - name: exploits + type: long + description: The count of known unique exploits that can be used to exploit vulnerabilities on the asset. + - name: host_name + type: keyword + description: The host name (local or FQDN). + - name: id + type: keyword + description: The identifier of the asset. + - name: ip + type: ip + description: The IPv4 or IPv6 address. + - name: last_assessed_for_vulnerabilities + type: date + description: The time at which an asset was assessed for vulnerabilities. + - name: last_scan_end + type: date + description: The time at which the last scan of the asset ended. + - name: last_scan_start + type: date + description: The time at which the last scan of the asset started. + - name: mac + type: keyword + description: The Media Access Control (MAC) address. The format is six groups of two hexadecimal digits separated by colons. + - name: malware_kits + type: long + description: The count of known unique malware kits that can be used to attack vulnerabilities on the asset. + - name: moderate_vulnerabilities + type: long + description: The count of moderate vulnerability findings. 
+ - name: os + type: group + fields: + - name: architecture + type: keyword + description: The architecture of the operating system. + - name: description + type: keyword + description: The description of the operating system (containing vendor, family, product, version and architecture in a single string). + - name: family + type: keyword + description: The family of the operating system. + - name: name + type: keyword + description: The name of the operating system. + - name: system_name + type: keyword + description: A combination of vendor and family (with redundancies removed), suitable for grouping. + - name: type + type: keyword + description: The type of operating system. + - name: vendor + type: keyword + description: The vendor of the operating system. + - name: version + type: keyword + description: The version of the operating system. + - name: risk_score + type: double + description: The risk score (with criticality adjustments) of the asset. + - name: severe_vulnerabilities + type: long + description: The count of severe vulnerability findings. + - name: tags + type: group + fields: + - name: name + type: keyword + description: The stored value. + - name: type + type: keyword + description: The type of information stored and displayed. For sites, the value is "SITE". + - name: total_vulnerabilities + type: long + description: The total count of vulnerability findings. + - name: type + type: keyword + description: The type of asset. + - name: unique_identifiers + type: group + fields: + - name: id + type: keyword + description: The unique identifier. + - name: source + type: keyword + description: The source of the unique identifier. + - name: vuln + type: group + fields: + - name: added + type: date + description: The date the vulnerability coverage was added. The format is an ISO 8601 date, YYYY-MM-DD. + - name: categories + type: keyword + description: Comma-separated list of categories the vulnerability is classified under. 
+ - name: check_id + type: keyword + description: The identifier of the vulnerability check. + - name: cves + type: keyword + description: All CVEs assigned to this vulnerability. + - name: cvss_v2 + type: group + fields: + - name: access_complexity + type: keyword + description: Access Complexity (AC) component which measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system. + - name: access_vector + type: keyword + description: Access Vector (Av) component which reflects how the vulnerability is exploited. + - name: authentication + type: keyword + description: Authentication (Au) component which measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. + - name: availability_impact + type: keyword + description: Availability Impact (A) component which measures the impact to availability of a successfully exploited vulnerability. + - name: confidentiality_impact + type: keyword + description: Confidentiality Impact (C) component which measures the impact on confidentiality of a successfully exploited vulnerability. + - name: exploit_score + type: double + description: The CVSS exploit score. + - name: impact_score + type: double + description: The CVSS impact score. + - name: integrity_impact + type: keyword + description: Integrity Impact (I) component measures the impact to integrity of a successfully exploited vulnerability. + - name: score + type: double + description: The CVSS score, which ranges from 0-10. + - name: vector + type: keyword + description: The CVSS v2 vector. + - name: cvss_v3 + type: group + fields: + - name: attack_complexity + type: keyword + description: Attack Complexity (AC) component with measures the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. 
+ - name: attack_vector + type: keyword + description: Attack Vector (AV) component which measures context by which vulnerability exploitation is possible. + - name: availability_impact + type: keyword + description: Availability Impact (A) measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. + - name: confidentiality_impact + type: keyword + description: Confidentiality Impact (C) component which measures the impact on confidentiality of a successfully exploited vulnerability. + - name: exploit_score + type: double + description: The CVSS exploit score. + - name: impact_score + type: double + description: The CVSS impact score. + - name: integrity_impact + type: keyword + description: Integrity Impact (I) measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. + - name: privileges_required + type: keyword + description: Privileges Required (PR) measures the level of privileges an attacker must possess before successfully exploiting the vulnerability. + - name: scope + type: keyword + description: Scope (S) measures the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. + - name: score + type: double + description: The CVSS score, which ranges from 0-10. + - name: user_interaction + type: keyword + description: User Interaction (UI) measures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. + - name: vector + type: keyword + description: The CVSS v3 vector. + - name: denial_of_service + type: boolean + description: Whether the vulnerability can lead to Denial of Service (DoS). 
+ - name: description + type: keyword + description: A verbose description of the vulnerability. + - name: exploits + type: group + fields: + - name: description + type: keyword + description: A verbose description of the exploit. + - name: id + type: keyword + description: The identifier of the exploit. + - name: name + type: keyword + description: The name of the exploit. + - name: rank + type: keyword + description: How common the exploit is used. + - name: skill_level + type: keyword + description: The level of skill required to use the exploit. + - name: source + type: keyword + description: Details about where the exploit is defined. + - name: first_found + type: date + description: The first time the vulnerability was discovered. + - name: id + type: keyword + description: The identifier of the vulnerability. + - name: key + type: keyword + description: The identifier of the assessment key. + - name: last_found + type: date + description: The most recent time the vulnerability was discovered. + - name: links + type: group + fields: + - name: href + type: keyword + - name: id + type: keyword + - name: rel + type: keyword + - name: source + type: keyword + - name: malware_kits + type: group + fields: + - name: description + type: keyword + description: A known Malware Kit that can be used to compromise a vulnerability. + - name: name + type: keyword + description: The name of the malware kit. + - name: popularity + type: keyword + description: The popularity of the malware kit. + - name: modified + type: date + description: The last date the vulnerability was modified. The format is an ISO 8601 date, YYYY-MM-DD. + - name: pci + type: group + fields: + - name: cvss_score + type: double + description: The CVSS score of the vulnerability, adjusted for PCI rules and exceptions, on a scale of 0-10. + - name: fail + type: boolean + description: Whether if present on a host this vulnerability would cause a PCI failure. 
true if compliance status is "fail", false otherwise. + - name: severity_score + type: long + description: The severity score of the vulnerability, adjusted for PCI rules and exceptions, on a scale of 0-10. + - name: special_notes + type: keyword + description: Any special notes or remarks about the vulnerability that pertain to PCI compliance. + - name: status + type: keyword + description: The PCI compliance status. + - name: port + type: long + description: For services vulnerabilities, the port that is vulnerable. + - name: proof + type: keyword + description: The identifier of the vulnerability proof. + - name: protocol + type: keyword + description: For services vulnerabilities, the protocol that is vulnerable. + - name: published + type: date + description: The date the vulnerability was first published or announced. The format is an ISO 8601 date, YYYY-MM-DD. + - name: references + type: keyword + description: References to security standards this vulnerability is a part of, in condensed format (comma-separated). + - name: risk_score + type: double + description: The risk score of the vulnerability. If using the default Rapid7 Real Riskâ„¢ model, this value ranges from 0-1000. + - name: severity + type: keyword + description: The severity of the vulnerability. + - name: severity_score + type: long + description: The severity score of the vulnerability, on a scale of 0-10. + - name: solution + type: group + fields: + - name: fix + type: keyword + description: The solution fix for the vulnerability. + - name: id + type: keyword + description: The identifier of the solution for the vulnerability. + - name: summary + type: keyword + description: The summary for the solution for the vulnerability. + - name: type + type: keyword + description: The solution type for the vulnerability. + - name: status + type: keyword + description: The status of the vulnerability finding. + - name: title + type: keyword + description: The title (summary) of the vulnerability. 
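Review bot: The `vuln.risk_score` description in this hunk contains mis-encoded characters ("Real Riskâ„¢"), which looks like a UTF-8 trademark sign re-decoded as Latin-1 and will be rendered verbatim in the generated field table; it should read `description: The risk score of the vulnerability. If using the default Rapid7 Real Risk™ model, this value ranges from 0-1000.` (or simply drop the symbol). Two smaller wording points in the same file: the `cvss_v3.attack_complexity` description says "component with measures" where "which measures" is meant, and the four `vuln.links` subfields (`href`, `id`, `rel`, `source`) are the only fields in this hunk without a `description`, so they will show up blank in the docs. If this file is meant to mirror the `asset_vulnerability` data stream's own fields.yml (the diffstat shows a file of the same length there), the same fixes presumably apply to that copy as well.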
diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml
new file mode 100644
index 00000000000..dd2e5a96bb9
--- /dev/null
+++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml
@@ -0,0 +1,11 @@
+- name: package
+ type: group
+ fields:
+ - name: fixed_version
+ type: keyword
+ - name: name
+ type: keyword
+ external: ecs
+ - name: version
+ type: keyword
+ external: ecs
diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml
new file mode 100644
index 00000000000..425eb9530e9
--- /dev/null
+++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml
@@ -0,0 +1,7 @@
+- name: resource
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: name
+ type: keyword
diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml
new file mode 100644
index 00000000000..c1e3f2fa6da
--- /dev/null
+++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml
@@ -0,0 +1,12 @@
+- name: vulnerability
+ type: group
+ fields:
+ - name: published_date
+ type: date
+ - name: scanner
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ - name: title
+ type: keyword
diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml
new file mode 100644
index 00000000000..61949fca15a
--- /dev/null
+++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml @@ -0,0 +1,31 @@ +source: + index: + - "logs-rapid7_insightvm.asset_vulnerability-*" +dest: + index: "security_solution-rapid7_insightvm.vulnerability_latest-v1" + aliases: + - alias: "security_solution-rapid7_insightvm.vulnerability_latest" + move_on_creation: true +latest: + unique_key: + - event.id + - resource.id + - data_stream.namespace + sort: "@timestamp" +description: Latest Vulnerabilities Findings from Rapid7 InsightVM. +settings: + unattended: true +frequency: 5m +sync: + time: + field: event.ingested +retention_policy: + time: + field: "@timestamp" + max_age: 90d +_meta: + managed: true + # Bump this version to delete, reinstall, and restart the transform during package. + # Version bump is needed if there is any code change in transform. + fleet_transform_version: 0.2.0 + run_as_kibana_system: false From 697f7e1f28a970963c6aee60040faa7fcdda3478 Mon Sep 17 00:00:00 2001 From: brijesh-elastic Date: Fri, 30 May 2025 16:08:40 +0530 Subject: [PATCH 04/19] add agentless deployment option --- .../_dev/build/docs/README.md | 22 +- .../elasticsearch/ingest_pipeline/default.yml | 8 + .../elasticsearch/ingest_pipeline/default.yml | 8 + packages/rapid7_insightvm/docs/README.md | 351 +++++++++++++++++- packages/rapid7_insightvm/manifest.yml | 10 +- 5 files changed, 396 insertions(+), 3 deletions(-) diff --git a/packages/rapid7_insightvm/_dev/build/docs/README.md b/packages/rapid7_insightvm/_dev/build/docs/README.md index e6bc33a7dfb..53079cfddf3 100644 --- a/packages/rapid7_insightvm/_dev/build/docs/README.md +++ b/packages/rapid7_insightvm/_dev/build/docs/README.md 
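Review bot: `latest.unique_key` in transform.yml keys on `event.id`, and the `asset_vulnerability` sample event later in this series shows that id as `<asset id>|<vulnerability id>|<last-assessed timestamp>`; if the timestamp really is part of the id, every new scan yields a new key and the latest transform will keep one document per scan per finding rather than only the newest state of each asset/vulnerability pair, with the 90d `retention_policy` as the only pruning. Please confirm the intended dedup key; if it should be per asset and vulnerability, either emit `event.id` without the timestamp in the pipeline or key the transform on `resource.id` plus the vulnerability id instead. Separately, the `_meta` comment is cut off mid-sentence, `# Bump this version to delete, reinstall, and restart the transform during package.`, presumably meant to end in `during package upgrade.`.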
@@ -14,9 +14,19 @@ The Rapid7 InsightVM integration collects two type of events: Asset and Vulnerab **Vulnerability** is used to retrieve all vulnerabilities that can be assessed. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationVulnerabilities). +**Asset Vulnerability** is used to gather and aggregate data on assets and vulnerabilities to support Native CDR Workflows. + ## Requirements -Elasticsearch is needed to store and search data, and Kibana is needed for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your hardware. +### Agent-based installation + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). + +### Agentless-enabled integration + +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. This module uses **InsightVM Cloud Integrations API v4**. 
@@ -38,6 +48,16 @@ This is the `asset` dataset. {{fields "asset"}} +### asset_vulnerability + +This is the `asset_vulnerability` dataset. + +#### Example + +{{event "asset_vulnerability"}} + +{{fields "asset_vulnerability"}} + ### vulnerability This is the `vulnerability` dataset. diff --git a/packages/rapid7_insightvm/data_stream/asset/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7_insightvm/data_stream/asset/elasticsearch/ingest_pipeline/default.yml index 3facf5cda33..0570e8ac01e 100644 --- a/packages/rapid7_insightvm/data_stream/asset/elasticsearch/ingest_pipeline/default.yml +++ b/packages/rapid7_insightvm/data_stream/asset/elasticsearch/ingest_pipeline/default.yml @@ -15,9 +15,17 @@ processors: value: [info] - rename: field: message + tag: rename_message_to_event_original target_field: event.original ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null - json: field: event.original tag: 'json_decoding' diff --git a/packages/rapid7_insightvm/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7_insightvm/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml index c81d19bd9b3..8db4753f6b2 100644 --- a/packages/rapid7_insightvm/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml +++ b/packages/rapid7_insightvm/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml 
@@ -15,9 +15,17 @@ processors: value: [info] - rename: field: message + tag: rename_message_to_event_original target_field: event.original ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null - json: field: event.original tag: 'json_decoding' diff --git a/packages/rapid7_insightvm/docs/README.md b/packages/rapid7_insightvm/docs/README.md index 5c7a64434fb..187f7d3c4e5 100644 --- a/packages/rapid7_insightvm/docs/README.md +++ b/packages/rapid7_insightvm/docs/README.md 
@@ -14,9 +14,19 @@ The Rapid7 InsightVM integration collects two type of events: Asset and Vulnerab **Vulnerability** is used to retrieve all vulnerabilities that can be assessed. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationVulnerabilities). +**Asset Vulnerability** is used to gather and aggregate data on assets and vulnerabilities to support Native CDR Workflows. + ## Requirements -Elasticsearch is needed to store and search data, and Kibana is needed for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your hardware. +### Agent-based installation + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). + +### Agentless-enabled integration + +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. This module uses **InsightVM Cloud Integrations API v4**. 
@@ -227,6 +237,345 @@ An example event for `asset` looks as following: | rapid7.insightvm.asset.unique_identifiers.source | The source of the unique identifier. | keyword | +### asset_vulnerability + +This is the `asset_vulnerability` dataset. + +#### Example + +An example event for `asset_vulnerability` looks as following: + +```json +{ + "@timestamp": "2025-05-27T18:21:36.279Z", + "agent": { + "ephemeral_id": "843312ee-1b90-4305-b2a4-ad903d21aad6", + "id": "e08b1df5-acc0-426e-8e25-090ccc2ed0ac", + "name": "elastic-agent-39481", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "rapid7_insightvm.asset_vulnerability", + "namespace": "63091", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "e08b1df5-acc0-426e-8e25-090ccc2ed0ac", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "vulnerability" + ], + "created": "2025-05-12T16:25:35.000Z", + "dataset": "rapid7_insightvm.asset_vulnerability", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6|unix-anonymous-root-logins|2025-05-27T18:21:36.279Z", + "ingested": "2025-05-30T08:46:29Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat 
Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vuln\":{\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,UNIX\",\"check_id\":null,\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":7.9520000338554375,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:S/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \\\"su\\\" to become root.\",\"exploits\":[],\"first_found\":\"2025-05-12T16:25:35Z\",\"id\":\"unix-anonymous-root-logins\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":6.5,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"published\":\"2004-11-30T00:00:00Z\",\"references\":\"\",\"reintroduced\":null,\"risk_score\":562,\"severity\":\"severe\",\"severity_score\":7,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"title\":\"Anonymous root login is allowed\",\"vulnerability_id\":\"unix-anonymous-root-logins\"},\"vulnerability\":[{\"check_id\":null,\"first_found\":\"2025-05-12T16:25:35Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-anonymous-root-logins\"},{\"check_id\":null,\"first_found\":\"2025-05-14T13:52:10Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eThe following world writable files were found.\\u003cul\\u003e\\u003cli\\u003e/var/.com.zerog.registry.xml (-rwxrwxrwx)\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eFor each world-writable file, determine whether there is a good reason for\\n it to be world writable. If not, remove world write permissions for the file.\\n The output here is limited to 50 files. In order to find all of these files without needing to\\n run another Nexpose scan run the following command:\\u003c/p\\u003e\\u003cpre\\u003e find / -type f -perm -02\\u003c/pre\\u003e\\u003cp\\u003ePlease note; it may be necessary exclude particular paths or file share types, run \\u0026#39;man find\\u0026#39; for information.\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-world-writable-files\",\"solution_summary\":\"Remove world write permissions\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-world-writable-files\"}]}", + "severity": 7, + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "computer-test", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "ip": [ + "10.50.5.112" + ], + "mac": [ + "00-00-5E-00-53-02" + ], + "name": "computer-test", + "os": { + "family": "Linux", + "full": "Red Hat Enterprise Linux 7.9", + "name": "Enterprise Linux", + "platform": "linux", + "type": "linux", + "version": "7.9" + }, + "risk": { + "static_score": 18250 + }, + 
"type": "guest" + }, + "input": { + "type": "cel" + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 3, + "exploits": 0, + "host_name": "computer-test", + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "ip": "10.50.5.112", + "last_assessed_for_vulnerabilities": "2025-05-27T18:21:36.279Z", + "last_scan_end": "2025-05-27T18:21:36.279Z", + "last_scan_start": "2025-05-27T18:20:41.505Z", + "mac": "00-00-5E-00-53-02", + "malware_kits": 0, + "moderate_vulnerabilities": 1, + "os": { + "architecture": "x86_64", + "description": "Red Hat Enterprise Linux 7.9", + "family": "Linux", + "name": "Enterprise Linux", + "system_name": "Red Hat Linux", + "vendor": "Red Hat", + "version": "7.9" + }, + "risk_score": 18250, + "severe_vulnerabilities": 48, + "total_vulnerabilities": 52, + "type": "guest", + "unique_identifiers": [ + { + "id": "CEF12345-ABCD-1234-ABCD-95ABCDEF1234", + "source": "dmidecode" + }, + { + "id": "e80644e940123456789abcdef66a8b16", + "source": "R7 Agent" + } + ], + "vuln": { + "added": "2004-11-30T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "UNIX" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "single", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 7.9520000338554375, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 6.5, + "vector": "(AV:N/AC:L/Au:S/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "local", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 2.515145325, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 8.4, + "user_interaction": 
"none", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. On other tty or vc's root user will not be allowed and user has to \"su\" to become root.", + "first_found": "2025-05-12T16:25:35.000Z", + "id": "unix-anonymous-root-logins", + "last_found": "2025-05-27T18:21:36.279Z", + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 6.5, + "fail": true, + "severity_score": 4, + "status": "fail" + }, + "proof": "Following entries in /etc/securetty \n may allow anonymous root logins: \n\nttyS0\n\nttysclp0\n\nsclp_line0\n\n3270/tty1\n\nhvc0\n\nhvc1\n\nhvc2\n\nhvc3\n\nhvc4\n\nhvc5\n\nhvc6\n\nhvc7\n\nhvsi0\n\nhvsi1\n\nhvsi2\n\nxvc0", + "published": "2004-11-30T00:00:00.000Z", + "risk_score": 562, + "severity": "severe", + "severity_score": 7, + "solution": { + "fix": "Remove all the entries in /etc/securetty except console,\n tty[0-9]* and vc\\[0-9]* \n\nNote: ssh does not use /etc/securetty. 
To disable root login\n through ssh, use the \"PermitRootLogin\" setting in /etc/ssh/sshd_config\n and restart the ssh daemon.", + "id": "unix-anonymous-root-logins", + "summary": "Edit '/etc/securetty' entries", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", + "title": "Anonymous root login is allowed" + } + } + }, + "related": { + "hosts": [ + "computer-test", + "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6" + ], + "ip": [ + "10.50.5.112" + ] + }, + "resource": { + "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6", + "name": "computer-test" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "rapid7_insightvm-asset_vulnerability" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "UNIX" + ], + "classification": "CVSS", + "description": "Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. On other tty or vc's root user will not be allowed and user has to \"su\" to become root.", + "enumeration": "CVE", + "published_date": "2004-11-30T00:00:00.000Z", + "scanner": { + "name": "e80644e940123456789abcdef66a8b16", + "vendor": "Rapid7" + }, + "score": { + "base": 8.4, + "version": "3.0" + }, + "severity": "High", + "title": "Anonymous root login is allowed" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. 
| date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. 
| long | +| observer.vendor | Vendor name of the observer. | constant_keyword | +| package.fixed_version | | keyword | +| package.name | Package name | keyword | +| package.version | Package version | keyword | +| rapid7_insightvm.asset_vulnerability.assessed_for_policies | Whether an asset was assessed for policies. | boolean | +| rapid7_insightvm.asset_vulnerability.assessed_for_vulnerabilities | Whether an asset was assessed for vulnerabilities. | boolean | +| rapid7_insightvm.asset_vulnerability.credential_assessments.port | The port the authentication was used on. | long | +| rapid7_insightvm.asset_vulnerability.credential_assessments.protocol | The protocol the authentication was used on. | keyword | +| rapid7_insightvm.asset_vulnerability.credential_assessments.status | The authentication of the last scan performed. | keyword | +| rapid7_insightvm.asset_vulnerability.critical_vulnerabilities | The count of critical vulnerability findings. | long | +| rapid7_insightvm.asset_vulnerability.exploits | The count of known unique exploits that can be used to exploit vulnerabilities on the asset. | long | +| rapid7_insightvm.asset_vulnerability.host_name | The host name (local or FQDN). | keyword | +| rapid7_insightvm.asset_vulnerability.id | The identifier of the asset. | keyword | +| rapid7_insightvm.asset_vulnerability.ip | The IPv4 or IPv6 address. | ip | +| rapid7_insightvm.asset_vulnerability.last_assessed_for_vulnerabilities | The time at which an asset was assessed for vulnerabilities. | date | +| rapid7_insightvm.asset_vulnerability.last_scan_end | The time at which the last scan of the asset ended. | date | +| rapid7_insightvm.asset_vulnerability.last_scan_start | The time at which the last scan of the asset started. | date | +| rapid7_insightvm.asset_vulnerability.mac | The Media Access Control (MAC) address. The format is six groups of two hexadecimal digits separated by colons. 
| keyword | +| rapid7_insightvm.asset_vulnerability.malware_kits | The count of known unique malware kits that can be used to attack vulnerabilities on the asset. | long | +| rapid7_insightvm.asset_vulnerability.moderate_vulnerabilities | The count of moderate vulnerability findings. | long | +| rapid7_insightvm.asset_vulnerability.os.architecture | The architecture of the operating system. | keyword | +| rapid7_insightvm.asset_vulnerability.os.description | The description of the operating system (containing vendor, family, product, version and architecture in a single string). | keyword | +| rapid7_insightvm.asset_vulnerability.os.family | The family of the operating system. | keyword | +| rapid7_insightvm.asset_vulnerability.os.name | The name of the operating system. | keyword | +| rapid7_insightvm.asset_vulnerability.os.system_name | A combination of vendor and family (with redundancies removed), suitable for grouping. | keyword | +| rapid7_insightvm.asset_vulnerability.os.type | The type of operating system. | keyword | +| rapid7_insightvm.asset_vulnerability.os.vendor | The vendor of the operating system. | keyword | +| rapid7_insightvm.asset_vulnerability.os.version | The version of the operating system. | keyword | +| rapid7_insightvm.asset_vulnerability.risk_score | The risk score (with criticality adjustments) of the asset. | double | +| rapid7_insightvm.asset_vulnerability.severe_vulnerabilities | The count of severe vulnerability findings. | long | +| rapid7_insightvm.asset_vulnerability.tags.name | The stored value. | keyword | +| rapid7_insightvm.asset_vulnerability.tags.type | The type of information stored and displayed. For sites, the value is "SITE". | keyword | +| rapid7_insightvm.asset_vulnerability.total_vulnerabilities | The total count of vulnerability findings. | long | +| rapid7_insightvm.asset_vulnerability.type | The type of asset. | keyword | +| rapid7_insightvm.asset_vulnerability.unique_identifiers.id | The unique identifier. 
| keyword | +| rapid7_insightvm.asset_vulnerability.unique_identifiers.source | The source of the unique identifier. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.added | The date the vulnerability coverage was added. The format is an ISO 8601 date, YYYY-MM-DD. | date | +| rapid7_insightvm.asset_vulnerability.vuln.categories | Comma-separated list of categories the vulnerability is classified under. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.check_id | The identifier of the vulnerability check. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.cves | All CVEs assigned to this vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.access_complexity | Access Complexity (AC) component which measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.access_vector | Access Vector (Av) component which reflects how the vulnerability is exploited. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.authentication | Authentication (Au) component which measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.availability_impact | Availability Impact (A) component which measures the impact to availability of a successfully exploited vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.confidentiality_impact | Confidentiality Impact (C) component which measures the impact on confidentiality of a successfully exploited vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.exploit_score | The CVSS exploit score. | double | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.impact_score | The CVSS impact score. 
| double | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.integrity_impact | Integrity Impact (I) component measures the impact to integrity of a successfully exploited vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.score | The CVSS score, which ranges from 0-10. | double | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.vector | The CVSS v2 vector. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.attack_complexity | Attack Complexity (AC) component with measures the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.attack_vector | Attack Vector (AV) component which measures context by which vulnerability exploitation is possible. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.availability_impact | Availability Impact (A) measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.confidentiality_impact | Confidentiality Impact (C) component which measures the impact on confidentiality of a successfully exploited vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.exploit_score | The CVSS exploit score. | double | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.impact_score | The CVSS impact score. | double | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.integrity_impact | Integrity Impact (I) measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.privileges_required | Privileges Required (PR) measures the level of privileges an attacker must possess before successfully exploiting the vulnerability. 
| keyword | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.scope | Scope (S) measures the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.score | The CVSS score, which ranges from 0-10. | double | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.user_interaction | User Interaction (UI) measures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.vector | The CVSS v3 vector. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.denial_of_service | Whether the vulnerability can lead to Denial of Service (DoS). | boolean | +| rapid7_insightvm.asset_vulnerability.vuln.description | A verbose description of the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.exploits.description | A verbose description of the exploit. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.exploits.id | The identifier of the exploit. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.exploits.name | The name of the exploit. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.exploits.rank | How common the exploit is used. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.exploits.skill_level | The level of skill required to use the exploit. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.exploits.source | Details about where the exploit is defined. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.first_found | The first time the vulnerability was discovered. | date | +| rapid7_insightvm.asset_vulnerability.vuln.id | The identifier of the vulnerability. 
| keyword | +| rapid7_insightvm.asset_vulnerability.vuln.key | The identifier of the assessment key. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.last_found | The most recent time the vulnerability was discovered. | date | +| rapid7_insightvm.asset_vulnerability.vuln.links.href | | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.links.id | | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.links.rel | | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.links.source | | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.malware_kits.description | A known Malware Kit that can be used to compromise a vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.malware_kits.name | The name of the malware kit. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.malware_kits.popularity | The popularity of the malware kit. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.modified | The last date the vulnerability was modified. The format is an ISO 8601 date, YYYY-MM-DD. | date | +| rapid7_insightvm.asset_vulnerability.vuln.pci.cvss_score | The CVSS score of the vulnerability, adjusted for PCI rules and exceptions, on a scale of 0-10. | double | +| rapid7_insightvm.asset_vulnerability.vuln.pci.fail | Whether if present on a host this vulnerability would cause a PCI failure. true if compliance status is "fail", false otherwise. | boolean | +| rapid7_insightvm.asset_vulnerability.vuln.pci.severity_score | The severity score of the vulnerability, adjusted for PCI rules and exceptions, on a scale of 0-10. | long | +| rapid7_insightvm.asset_vulnerability.vuln.pci.special_notes | Any special notes or remarks about the vulnerability that pertain to PCI compliance. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.pci.status | The PCI compliance status. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.port | For services vulnerabilities, the port that is vulnerable. 
| long | +| rapid7_insightvm.asset_vulnerability.vuln.proof | The identifier of the vulnerability proof. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.protocol | For services vulnerabilities, the protocol that is vulnerable. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.published | The date the vulnerability was first published or announced. The format is an ISO 8601 date, YYYY-MM-DD. | date | +| rapid7_insightvm.asset_vulnerability.vuln.references | References to security standards this vulnerability is a part of, in condensed format (comma-separated). | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.risk_score | The risk score of the vulnerability. If using the default Rapid7 Real Riskâ„¢ model, this value ranges from 0-1000. | double | +| rapid7_insightvm.asset_vulnerability.vuln.severity | The severity of the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.severity_score | The severity score of the vulnerability, on a scale of 0-10. | long | +| rapid7_insightvm.asset_vulnerability.vuln.solution.fix | The solution fix for the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.solution.id | The identifier of the solution for the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.solution.summary | The summary for the solution for the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.solution.type | The solution type for the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.status | The status of the vulnerability finding. | keyword | +| rapid7_insightvm.asset_vulnerability.vuln.title | The title (summary) of the vulnerability. | keyword | +| resource.id | | keyword | +| resource.name | | keyword | +| vulnerability.published_date | | date | +| vulnerability.scanner.name | | keyword | +| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. 
| constant_keyword |
+| vulnerability.title | | keyword |
+
+
 ### vulnerability
 This is the `vulnerability` dataset.
diff --git a/packages/rapid7_insightvm/manifest.yml b/packages/rapid7_insightvm/manifest.yml
index be63258622e..cd15f06aaab 100644
--- a/packages/rapid7_insightvm/manifest.yml
+++ b/packages/rapid7_insightvm/manifest.yml
@@ -1,4 +1,4 @@
-format_version: "3.0.2"
+format_version: "3.2.3"
 name: rapid7_insightvm
 title: Rapid7 InsightVM
 version: "2.0.0"
@@ -32,6 +32,14 @@ policy_templates:
 - name: rapid7_insightvm
 title: Rapid7 InsightVM logs
 description: Collect Rapid7 InsightVM logs.
+ deployment_modes:
+ default:
+ enabled: true
+ agentless:
+ enabled: true
+ organization: security
+ division: engineering
+ team: security-service-integrations
 inputs:
 - type: httpjson
 title: Collect Rapid7 InsightVM logs via HTTPJSON
From 4d6902aa2dc9bf34a0a8e43417f95630e1b46a97 Mon Sep 17 00:00:00 2001
From: brijesh-elastic
Date: Fri, 30 May 2025 16:45:10 +0530
Subject: [PATCH 05/19] Remove unwanted code and update changelog entry
---
 packages/rapid7_insightvm/changelog.yml | 2 +-
 .../data_stream/asset/sample_event.json | 16 +++----
 .../agent/stream/cel.yml.hbs | 7 +---
 .../elasticsearch/ingest_pipeline/default.yml | 11 ++---
 .../asset_vulnerability/sample_event.json | 12 +++---
 .../vulnerability/sample_event.json | 14 +++----
 packages/rapid7_insightvm/docs/README.md | 42 +++++++++----------
 7 files changed, 49 insertions(+), 55 deletions(-)
diff --git a/packages/rapid7_insightvm/changelog.yml b/packages/rapid7_insightvm/changelog.yml
index 243f3fd966f..3838e4ff926 100644
--- a/packages/rapid7_insightvm/changelog.yml
+++ b/packages/rapid7_insightvm/changelog.yml
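Review bot: `agentless.enabled: true` is declared for the entire `rapid7_insightvm` policy template, while the trailing context shows the template's input list still opens with the pre-existing `httpjson` input, and nothing in the hunk restricts which inputs may run agentless. If only the new CEL-based `asset_vulnerability` stream is intended for agentless deployment, package-spec 3.2 accepts a per-input `deployment_modes` list, so the `httpjson` entry could be pinned with `deployment_modes: [default]`; I am inferring the intent from the context lines, as the rest of the inputs list is outside the hunk. Because the InsightVM API key then lives only in the cloud-side policy, a short comment above `agentless:` noting that a dedicated, rotatable InsightVM API key should be used for agentless deployments would help operators scope that credential.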
@@ -3,7 +3,7 @@ changes: - description: Add asset_vulnerability datastream support for Cloud Detection and Response (CDR) vulnerability workflow. type: enhancement - link: https://github.com/elastic/integrations/pull/1 + link: https://github.com/elastic/integrations/pull/14079 - version: "1.16.0" changes: - description: Update Kibana constraint to support 9.0.0. diff --git a/packages/rapid7_insightvm/data_stream/asset/sample_event.json b/packages/rapid7_insightvm/data_stream/asset/sample_event.json index d462f23d2cb..7ef0024c98a 100644 --- a/packages/rapid7_insightvm/data_stream/asset/sample_event.json +++ b/packages/rapid7_insightvm/data_stream/asset/sample_event.json @@ -1,22 +1,22 @@ { - "@timestamp": "2025-05-30T08:45:28.249Z", + "@timestamp": "2025-05-30T11:10:37.869Z", "agent": { - "ephemeral_id": "949db32c-9ca8-41ae-a908-2a8e8166cbac", - "id": "87221170-ce21-40cd-ae6a-780544239840", - "name": "elastic-agent-91445", + "ephemeral_id": "6545769f-e426-4e1c-9549-44bd7f788ee4", + "id": "afb159d9-5bc3-429a-b8a7-3cda969112a5", + "name": "elastic-agent-88629", "type": "filebeat", "version": "8.18.0" }, "data_stream": { "dataset": "rapid7_insightvm.asset", - "namespace": "87300", + "namespace": "81787", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "87221170-ce21-40cd-ae6a-780544239840", + "id": "afb159d9-5bc3-429a-b8a7-3cda969112a5", "snapshot": false, "version": "8.18.0" }, 
@@ -25,9 +25,9 @@ "category": [ "host" ], - "created": "2025-05-30T08:45:28.249Z", + "created": "2025-05-30T11:10:37.869Z", "dataset": "rapid7_insightvm.asset", - "ingested": "2025-05-30T08:45:31Z", + "ingested": "2025-05-30T11:10:40Z", "kind": "state", "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"critical_vulnerabilities\":0,\"exploits\":0,\"id\":\"452534235-25a7-40a3-9321-28ce0b5cc90e-default-asset-199\",\"ip\":\"10.1.0.128\",\"last_assessed_for_vulnerabilities\":\"2020-03-20T19:19:42.611Z\",\"last_scan_end\":\"2020-03-20T19:19:42.611Z\",\"last_scan_start\":\"2020-03-20T19:18:13.611Z\",\"malware_kits\":0,\"moderate_vulnerabilities\":2,\"new\":[],\"os_architecture\":\"x86_64\",\"os_description\":\"CentOS Linux 2.6.18\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"CentOS Linux\",\"os_type\":\"General\",\"os_vendor\":\"CentOS\",\"os_version\":\"2.6.18\",\"remediated\":[],\"risk_score\":0,\"severe_vulnerabilities\":0,\"tags\":[{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":2}", "type": [ diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs index 5346f790048..94ed5e17782 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs @@ -91,10 +91,7 @@ program: | state.url.trim_right("/") + "/vm/v4/integration/vulnerabilities?" + { "size": ["500"], ?"cursor": state.?next_cursor.optMap(v, [v]), - }.format_query(), - { - "vulnerability": "modified >= 2025-05-01T00:00:00Z" - }.encode_json() + }.format_query() ).with({ "Header": { "X-Api-Key": [state.api_key], 
@@ -154,7 +151,7 @@ program: | work.?vulnerabilities[v.vulnerability_id].orValue("not present") != "not present" ? work.vulnerabilities[v.vulnerability_id] : - {"key": "not present"} + {"is_present": "no"} )}).encode_json() })).flatten(), "cursor": { diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml index a74fc48af7e..96f2fd051e3 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml @@ -68,11 +68,6 @@ processors: field: cloud ignore_missing: true description: Remove ECS cloud fields that are populated from EA metadata. - - rename: - field: json.key - tag: rename_key - target_field: rapid7_insightvm.asset_vulnerability.key - ignore_missing: true - convert: field: json.assessed_for_policies tag: convert_assessed_for_policies_to_boolean @@ -1020,6 +1015,8 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - remove: field: + - rapid7_insightvm.asset_vulnerability.host_name + - rapid7_insightvm.asset_vulnerability.id - rapid7_insightvm.asset_vulnerability.ip - rapid7_insightvm.asset_vulnerability.mac - rapid7_insightvm.asset_vulnerability.os.architecture 
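Review bot: The placeholder `{"is_present": "no"}` encodes a boolean as a string, and with the `json.key` rename dropped in the pipeline hunk below nothing visible in this commit consumes `vuln.is_present`, so it presumably lands in the document unmapped while the finding itself is emitted with no severity or CVSS data from the catalog. A CDR workflow that filters on severity would silently skip such records, so the sentinel should at least be a real boolean, and the membership test reads more clearly as a key check than a string sentinel: `v.vulnerability_id in work.?vulnerabilities.orValue({}) ?` / `  work.vulnerabilities[v.vulnerability_id]` / `: {"is_present": false}`. The enclosing map-comprehension expression begins and ends outside this hunk.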
@@ -1030,11 +1027,11 @@ processors: - rapid7_insightvm.asset_vulnerability.risk_score - rapid7_insightvm.asset_vulnerability.type - rapid7_insightvm.asset_vulnerability.vuln.categories + - rapid7_insightvm.asset_vulnerability.vuln.first_found + - rapid7_insightvm.asset_vulnerability.vuln.published - rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.score - rapid7_insightvm.asset_vulnerability.vuln.description - rapid7_insightvm.asset_vulnerability.vuln.id - - rapid7_insightvm.asset_vulnerability.vuln.links.rel - - rapid7_insightvm.asset_vulnerability.vuln.severity - rapid7_insightvm.asset_vulnerability.vuln.severity_score tag: remove_custom_duplicate_fields ignore_missing: true diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json b/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json index 7e72d7a8c71..56dc613d705 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json @@ -1,22 +1,22 @@ { "@timestamp": "2025-05-27T18:21:36.279Z", "agent": { - "ephemeral_id": "843312ee-1b90-4305-b2a4-ad903d21aad6", - "id": "e08b1df5-acc0-426e-8e25-090ccc2ed0ac", - "name": "elastic-agent-39481", + "ephemeral_id": "1f134173-6086-4111-ab6c-78895b63908d", + "id": "d16b29fe-9b2e-43cf-b0e1-82325680132b", + "name": "elastic-agent-34771", "type": "filebeat", "version": "8.18.0" }, "data_stream": { "dataset": "rapid7_insightvm.asset_vulnerability", - "namespace": "63091", + "namespace": "27649", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "e08b1df5-acc0-426e-8e25-090ccc2ed0ac", + "id": "d16b29fe-9b2e-43cf-b0e1-82325680132b", "snapshot": false, "version": "8.18.0" }, 
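Review bot: `rapid7_insightvm.asset_vulnerability.vuln.first_found` is added to the duplicate-removal list, but the only ECS field carrying that value in the sample event is `event.created` (`2025-05-12T16:25:35.000Z` against `first_found` `2025-05-12T16:25:35Z`), and ECS defines `event.created` as the time the agent or pipeline first read the event, not when the finding was first observed. If that is the mapping (the copy processor is outside this hunk), the first-seen date is effectively lost for anyone not preserving duplicate custom fields, which matters for ageing open findings; consider leaving `vuln.first_found` out of this list or mapping it to a dedicated date field. It is also worth confirming this `remove` processor still carries the usual `preserve_duplicate_custom_fields` tag condition, which is not visible here.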
@@ -28,7 +28,7 @@ "created": "2025-05-12T16:25:35.000Z", "dataset": "rapid7_insightvm.asset_vulnerability", "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6|unix-anonymous-root-logins|2025-05-27T18:21:36.279Z", - "ingested": "2025-05-30T08:46:29Z", + "ingested": "2025-05-30T11:11:51Z", "kind": "event", "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vuln\":{\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 
AI,UNIX\",\"check_id\":null,\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":7.9520000338554375,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:S/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \\\"su\\\" to become root.\",\"exploits\":[],\"first_found\":\"2025-05-12T16:25:35Z\",\"id\":\"unix-anonymous-root-logins\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":6.5,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"published\":\"2004-11-30T00:00:00Z\",\"references\":\"\",\"reintroduced\":null,\"risk_score\":562,\"severity\":\"severe\",\"severity_score\":7,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"title\":\"Anonymous root login is allowed\",\"vulnerability_id\":\"unix-anonymous-root-logins\"},\"vulnerability\":[{\"check_id\":null,\"first_found\":\"2025-05-12T16:25:35Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-anonymous-root-logins\"},{\"check_id\":null,\"first_found\":\"2025-05-14T13:52:10Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eThe following world writable files were found.\\u003cul\\u003e\\u003cli\\u003e/var/.com.zerog.registry.xml (-rwxrwxrwx)\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eFor each world-writable file, determine whether there is a good reason for\\n it to be world writable. If not, remove world write permissions for the file.\\n The output here is limited to 50 files. In order to find all of these files without needing to\\n run another Nexpose scan run the following command:\\u003c/p\\u003e\\u003cpre\\u003e find / -type f -perm -02\\u003c/pre\\u003e\\u003cp\\u003ePlease note; it may be necessary exclude particular paths or file share types, run \\u0026#39;man find\\u0026#39; for information.\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-world-writable-files\",\"solution_summary\":\"Remove world write permissions\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-world-writable-files\"}]}", "severity": 7, diff --git a/packages/rapid7_insightvm/data_stream/vulnerability/sample_event.json b/packages/rapid7_insightvm/data_stream/vulnerability/sample_event.json index 3eada690a25..2334f389ffe 100644 --- a/packages/rapid7_insightvm/data_stream/vulnerability/sample_event.json +++ b/packages/rapid7_insightvm/data_stream/vulnerability/sample_event.json 
@@ -1,22 +1,22 @@ { "@timestamp": "2018-06-08T00:00:00.000Z", "agent": { - "ephemeral_id": "30ed4ebf-b82c-4ad8-b690-2ed0455d3454", - "id": "3b4ebced-1156-411e-9160-ed235c2109b8", - "name": "elastic-agent-78422", + "ephemeral_id": "dbee2821-362a-4d7a-9e8e-0fcd816d4696", + "id": "6a264171-bdc2-47a0-a131-9a515aa1c01f", + "name": "elastic-agent-42291", "type": "filebeat", "version": "8.18.0" }, "data_stream": { "dataset": "rapid7_insightvm.vulnerability", - "namespace": "46101", + "namespace": "75615", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "3b4ebced-1156-411e-9160-ed235c2109b8", + "id": "6a264171-bdc2-47a0-a131-9a515aa1c01f", "snapshot": false, "version": "8.18.0" }, 
@@ -25,10 +25,10 @@ "category": [ "vulnerability" ], - "created": "2025-05-30T08:47:25.492Z", + "created": "2025-05-30T11:12:58.134Z", "dataset": "rapid7_insightvm.vulnerability", "id": "7-zip-cve-2008-6536", - "ingested": "2025-05-30T08:47:27Z", + "ingested": "2025-05-30T11:13:00Z", "kind": "event", "original": "{\"added\":\"2018-05-16T00:00:00Z\",\"categories\":\"7-Zip\",\"cves\":\"CVE-2008-6536\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799,\"cvss_v2_impact_score\":10.000845,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"cvss_v3_attack_complexity\":null,\"cvss_v3_attack_vector\":null,\"cvss_v3_availability_impact\":null,\"cvss_v3_confidentiality_impact\":null,\"cvss_v3_exploit_score\":0,\"cvss_v3_impact_score\":0,\"cvss_v3_integrity_impact\":null,\"cvss_v3_privileges_required\":null,\"cvss_v3_scope\":null,\"cvss_v3_score\":0,\"cvss_v3_user_interaction\":null,\"cvss_v3_vector\":null,\"denial_of_service\":false,\"description\":\"Unspecified vulnerability in 7-zip before 4.5.7 has unknown impact and remote attack vectors, as demonstrated by the PROTOS GENOME test suite for Archive Formats 
(c10).\",\"exploits\":[],\"id\":\"7-zip-cve-2008-6536\",\"links\":[{\"href\":\"http://www.securityfocus.com/bid/28285\",\"id\":\"28285\",\"rel\":\"advisory\",\"source\":\"bid\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"id\":\"41247\",\"rel\":\"advisory\",\"source\":\"xf\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2008-6536\",\"id\":\"CVE-2008-6536\",\"rel\":\"advisory\",\"source\":\"cve\"},{\"href\":\"http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html\",\"id\":\"http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/\",\"id\":\"http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.securityfocus.com/bid/28285\",\"id\":\"http://www.securityfocus.com/bid/28285\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.vupen.com/english/advisories/2008/0914/references\",\"id\":\"http://www.vupen.com/english/advisories/2008/0914/references\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf\",\"id\":\"http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"id\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"rel\":\"advisory\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2018-06-08T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2009-03-29T00:00:00Z\",\"references\":\"bid:28285,xf:41247,cve:CVE-2008-6536,url:http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html,url:http://www.ee.oulu.fi/research/
ouspg/protos/testing/c10/archive/,url:http://www.securityfocus.com/bid/28285,url:http://www.vupen.com/english/advisories/2008/0914/references,url:http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf,url:https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"risk_score\":885.16,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"7-Zip: CVE-2008-6536: Unspecified vulnerability in 7-zip before 4.5.7\"}", "risk_score": 885.16, diff --git a/packages/rapid7_insightvm/docs/README.md b/packages/rapid7_insightvm/docs/README.md index 187f7d3c4e5..6a88ecd394d 100644 --- a/packages/rapid7_insightvm/docs/README.md +++ b/packages/rapid7_insightvm/docs/README.md @@ -48,24 +48,24 @@ An example event for `asset` looks as following: ```json { - "@timestamp": "2025-05-30T08:45:28.249Z", + "@timestamp": "2025-05-30T11:10:37.869Z", "agent": { - "ephemeral_id": "949db32c-9ca8-41ae-a908-2a8e8166cbac", - "id": "87221170-ce21-40cd-ae6a-780544239840", - "name": "elastic-agent-91445", + "ephemeral_id": "6545769f-e426-4e1c-9549-44bd7f788ee4", + "id": "afb159d9-5bc3-429a-b8a7-3cda969112a5", + "name": "elastic-agent-88629", "type": "filebeat", "version": "8.18.0" }, "data_stream": { "dataset": "rapid7_insightvm.asset", - "namespace": "87300", + "namespace": "81787", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "87221170-ce21-40cd-ae6a-780544239840", + "id": "afb159d9-5bc3-429a-b8a7-3cda969112a5", "snapshot": false, "version": "8.18.0" }, 
@@ -74,9 +74,9 @@ An example event for `asset` looks as following: "category": [ "host" ], - "created": "2025-05-30T08:45:28.249Z", + "created": "2025-05-30T11:10:37.869Z", "dataset": "rapid7_insightvm.asset", - "ingested": "2025-05-30T08:45:31Z", + "ingested": "2025-05-30T11:10:40Z", "kind": "state", "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"critical_vulnerabilities\":0,\"exploits\":0,\"id\":\"452534235-25a7-40a3-9321-28ce0b5cc90e-default-asset-199\",\"ip\":\"10.1.0.128\",\"last_assessed_for_vulnerabilities\":\"2020-03-20T19:19:42.611Z\",\"last_scan_end\":\"2020-03-20T19:19:42.611Z\",\"last_scan_start\":\"2020-03-20T19:18:13.611Z\",\"malware_kits\":0,\"moderate_vulnerabilities\":2,\"new\":[],\"os_architecture\":\"x86_64\",\"os_description\":\"CentOS Linux 2.6.18\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"CentOS Linux\",\"os_type\":\"General\",\"os_vendor\":\"CentOS\",\"os_version\":\"2.6.18\",\"remediated\":[],\"risk_score\":0,\"severe_vulnerabilities\":0,\"tags\":[{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":2}", "type": [ @@ -249,22 +249,22 @@ An example event for `asset_vulnerability` looks as following: { "@timestamp": "2025-05-27T18:21:36.279Z", "agent": { - "ephemeral_id": "843312ee-1b90-4305-b2a4-ad903d21aad6", - "id": "e08b1df5-acc0-426e-8e25-090ccc2ed0ac", - "name": "elastic-agent-39481", + "ephemeral_id": "1f134173-6086-4111-ab6c-78895b63908d", + "id": "d16b29fe-9b2e-43cf-b0e1-82325680132b", + "name": "elastic-agent-34771", "type": "filebeat", "version": "8.18.0" }, "data_stream": { "dataset": "rapid7_insightvm.asset_vulnerability", - "namespace": "63091", + "namespace": "27649", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "e08b1df5-acc0-426e-8e25-090ccc2ed0ac", + "id": "d16b29fe-9b2e-43cf-b0e1-82325680132b", "snapshot": false, "version": "8.18.0" }, 
@@ -276,7 +276,7 @@ An example event for `asset_vulnerability` looks as following: "created": "2025-05-12T16:25:35.000Z", "dataset": "rapid7_insightvm.asset_vulnerability", "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6|unix-anonymous-root-logins|2025-05-27T18:21:36.279Z", - "ingested": "2025-05-30T08:46:29Z", + "ingested": "2025-05-30T11:11:51Z", "kind": "event", "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vuln\":{\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 
AI,UNIX\",\"check_id\":null,\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":7.9520000338554375,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:S/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \\\"su\\\" to become root.\",\"exploits\":[],\"first_found\":\"2025-05-12T16:25:35Z\",\"id\":\"unix-anonymous-root-logins\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":6.5,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"published\":\"2004-11-30T00:00:00Z\",\"references\":\"\",\"reintroduced\":null,\"risk_score\":562,\"severity\":\"severe\",\"severity_score\":7,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"title\":\"Anonymous root login is allowed\",\"vulnerability_id\":\"unix-anonymous-root-logins\"},\"vulnerability\":[{\"check_id\":null,\"first_found\":\"2025-05-12T16:25:35Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-anonymous-root-logins\"},{\"check_id\":null,\"first_found\":\"2025-05-14T13:52:10Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eThe following world writable files were found.\\u003cul\\u003e\\u003cli\\u003e/var/.com.zerog.registry.xml (-rwxrwxrwx)\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eFor each world-writable file, determine whether there is a good reason for\\n it to be world writable. If not, remove world write permissions for the file.\\n The output here is limited to 50 files. In order to find all of these files without needing to\\n run another Nexpose scan run the following command:\\u003c/p\\u003e\\u003cpre\\u003e find / -type f -perm -02\\u003c/pre\\u003e\\u003cp\\u003ePlease note; it may be necessary exclude particular paths or file share types, run \\u0026#39;man find\\u0026#39; for information.\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-world-writable-files\",\"solution_summary\":\"Remove world write permissions\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-world-writable-files\"}]}", "severity": 7, 
@@ -588,22 +588,22 @@ An example event for `vulnerability` looks as following: { "@timestamp": "2018-06-08T00:00:00.000Z", "agent": { - "ephemeral_id": "30ed4ebf-b82c-4ad8-b690-2ed0455d3454", - "id": "3b4ebced-1156-411e-9160-ed235c2109b8", - "name": "elastic-agent-78422", + "ephemeral_id": "dbee2821-362a-4d7a-9e8e-0fcd816d4696", + "id": "6a264171-bdc2-47a0-a131-9a515aa1c01f", + "name": "elastic-agent-42291", "type": "filebeat", "version": "8.18.0" }, "data_stream": { "dataset": "rapid7_insightvm.vulnerability", - "namespace": "46101", + "namespace": "75615", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "3b4ebced-1156-411e-9160-ed235c2109b8", + "id": "6a264171-bdc2-47a0-a131-9a515aa1c01f", "snapshot": false, "version": "8.18.0" }, 
@@ -612,10 +612,10 @@ An example event for `vulnerability` looks as following: "category": [ "vulnerability" ], - "created": "2025-05-30T08:47:25.492Z", + "created": "2025-05-30T11:12:58.134Z", "dataset": "rapid7_insightvm.vulnerability", "id": "7-zip-cve-2008-6536", - "ingested": "2025-05-30T08:47:27Z", + "ingested": "2025-05-30T11:13:00Z", "kind": "event", "original": "{\"added\":\"2018-05-16T00:00:00Z\",\"categories\":\"7-Zip\",\"cves\":\"CVE-2008-6536\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799,\"cvss_v2_impact_score\":10.000845,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"cvss_v3_attack_complexity\":null,\"cvss_v3_attack_vector\":null,\"cvss_v3_availability_impact\":null,\"cvss_v3_confidentiality_impact\":null,\"cvss_v3_exploit_score\":0,\"cvss_v3_impact_score\":0,\"cvss_v3_integrity_impact\":null,\"cvss_v3_privileges_required\":null,\"cvss_v3_scope\":null,\"cvss_v3_score\":0,\"cvss_v3_user_interaction\":null,\"cvss_v3_vector\":null,\"denial_of_service\":false,\"description\":\"Unspecified vulnerability in 7-zip before 4.5.7 has unknown impact and remote attack vectors, as demonstrated by the PROTOS GENOME test suite for Archive Formats 
(c10).\",\"exploits\":[],\"id\":\"7-zip-cve-2008-6536\",\"links\":[{\"href\":\"http://www.securityfocus.com/bid/28285\",\"id\":\"28285\",\"rel\":\"advisory\",\"source\":\"bid\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"id\":\"41247\",\"rel\":\"advisory\",\"source\":\"xf\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2008-6536\",\"id\":\"CVE-2008-6536\",\"rel\":\"advisory\",\"source\":\"cve\"},{\"href\":\"http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html\",\"id\":\"http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/\",\"id\":\"http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.securityfocus.com/bid/28285\",\"id\":\"http://www.securityfocus.com/bid/28285\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.vupen.com/english/advisories/2008/0914/references\",\"id\":\"http://www.vupen.com/english/advisories/2008/0914/references\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf\",\"id\":\"http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf\",\"rel\":\"advisory\",\"source\":\"url\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"id\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"rel\":\"advisory\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2018-06-08T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2009-03-29T00:00:00Z\",\"references\":\"bid:28285,xf:41247,cve:CVE-2008-6536,url:http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html,url:http://www.ee.oulu.fi/research/
ouspg/protos/testing/c10/archive/,url:http://www.securityfocus.com/bid/28285,url:http://www.vupen.com/english/advisories/2008/0914/references,url:http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf,url:https://exchange.xforce.ibmcloud.com/vulnerabilities/41247\",\"risk_score\":885.16,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"7-Zip: CVE-2008-6536: Unspecified vulnerability in 7-zip before 4.5.7\"}", "risk_score": 885.16, From 68e3b42320f24717a4fd30b18cb4be737008e294 Mon Sep 17 00:00:00 2001 From: kcreddy Date: Mon, 2 Jun 2025 13:26:44 +0530 Subject: [PATCH 06/19] Add grok description --- .../elasticsearch/ingest_pipeline/default.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml index 96f2fd051e3..b26a02123d1 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml @@ -934,6 +934,7 @@ processors: ignore_missing: true - grok: field: rapid7_insightvm.asset_vulnerability.vuln.proof + description: Extract package fields from proof. tag: grok_parse_vuln_proof patterns: - '^Vulnerable OS: %{DATA:_temp.os} Vulnerable software installed: %{DATA:package.name} Required patch %{GREEDYDATA}$' From 46a452bd4b99ba332389afbb6af3b52d5abf0847 Mon Sep 17 00:00:00 2001 From: kcreddy Date: Thu, 5 Jun 2025 10:43:51 +0530 Subject: [PATCH 07/19] Add vuln_id filters --- .../agent/stream/cel.yml.hbs | 17 +++++++++++++---- .../asset_vulnerability/sample_event.json | 18 +++++++++--------- packages/rapid7_insightvm/manifest.yml | 2 +- 3 files changed, 23 insertions(+), 14 deletions(-) 
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs index 94ed5e17782..2c12fd7a0a2 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs @@ -26,7 +26,7 @@ program: | state.interval_time : now - ).as(interval_time, + ).as(interval_time, debug("DEBUG_work", has(state.assets) && state.is_all_assets_fetched ? { "assets": state.assets, @@ -55,6 +55,11 @@ program: | ?"next_cursor": has(body.?metadata.cursor) && body.metadata.cursor != null ? optional.of(body.metadata.cursor) : optional.none(), "is_all_assets_fetched": has(body.metadata.cursor) && body.metadata.cursor != null ? false : true, "assets": (state.?assets.orValue([]) + body.data).flatten(), + "asset_vuln_ids": debug("DEBUG_asset_vuln_ids", debug("DEBUG_vuln_ids", (state.?assets.orValue([]) + body.data).flatten().map(a, + a.?same.orValue([]).map(s, s.vulnerability_id) + a.?new.orValue([]).map(n, n.vulnerability_id) + a.?remediated.orValue([]).map(r, r.vulnerability_id) + ).flatten()).as(vuln_ids, + vuln_ids.map(vuln_id, string(vuln_id)).as(str_vuln_ids, zip(str_vuln_ids, vuln_ids)) + ).keys()), "interval_time": interval_time, "want_more": true }) @@ -77,7 +82,7 @@ program: | "batch_size": state.batch_size } ) - ).as(work, + )).as(work, has(work.events) ? work : // Exit early ( has(state.vulnerabilities) && state.is_all_vulnerabilities_fetched ? 
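Review bot: The `debug("DEBUG_work", …)` wrapper added in the `@@ -26,7 +26,7 @@` hunk and the nested `debug("DEBUG_asset_vuln_ids", debug("DEBUG_vuln_ids", …))` calls in the `@@ -55,6 +55,11 @@` hunk read as development instrumentation left in the shipped program, and the `)).as(work,` change in the `@@ -77,7 +82,7 @@` hunk exists only to close the outer debug(). Each call presumably emits the full accumulated asset list (host names, IPs) and the id list into agent logs on every page whenever CEL debug logging is enabled, which is noisy and leaks inventory into log files; suggest removing the three calls and restoring `).as(interval_time,` and `).as(work,`, or if they are deliberate, saying so with `# debug() calls are intentional; output only appears with CEL debug logging enabled`. The de-duplication via `zip(str_vuln_ids, vuln_ids)).keys()` is correct but non-obvious and deserves `# dedupe ids across same/new/remediated by building a map and taking its keys`. The `program:` block these hunks belong to starts before and ends after them.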
@@ -96,8 +101,12 @@ program: | "Header": { "X-Api-Key": [state.api_key], "Content-Type": ["application/json"] - } - }).do_request().as(resp, resp.StatusCode == 200 ? + }, + }).as(req, !has(work.asset_vuln_ids) ? req : req.with({ + "Body": { + "vulnerability": work.asset_vuln_ids.as(x, sprintf("id IN ['%s']", [x.join("','")])), + }.encode_json(), + })).do_request().as(resp, resp.StatusCode == 200 ? resp.Body.decode_json().as(body, { "events": [{"message": "retry"}], "batch_size": state.batch_size, diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json b/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json index 56dc613d705..e5934891166 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json @@ -1,24 +1,24 @@ { "@timestamp": "2025-05-27T18:21:36.279Z", "agent": { - "ephemeral_id": "1f134173-6086-4111-ab6c-78895b63908d", - "id": "d16b29fe-9b2e-43cf-b0e1-82325680132b", - "name": "elastic-agent-34771", + "ephemeral_id": "73ea1f6b-6078-4924-89a9-b450335edc95", + "id": "b012c8e8-a961-4eb0-aacd-93b21a297b5e", + "name": "elastic-agent-36163", "type": "filebeat", - "version": "8.18.0" + "version": "8.19.0" }, "data_stream": { "dataset": "rapid7_insightvm.asset_vulnerability", - "namespace": "27649", + "namespace": "78624", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "d16b29fe-9b2e-43cf-b0e1-82325680132b", - "snapshot": false, - "version": "8.18.0" + "id": "b012c8e8-a961-4eb0-aacd-93b21a297b5e", + "snapshot": true, + "version": "8.19.0" }, "event": { "agent_id_status": "verified", 
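Review bot: The request body added in this hunk builds the vulnerability filter by string interpolation, `sprintf("id IN ['%s']", [x.join("','")])`, so an id containing a single quote would break or alter the filter; the ids come from the InsightVM API rather than from end users, but that assumption should be recorded, e.g. `# ids are InsightVM slugs without quotes, so no escaping is applied when building the IN filter`. When `work.asset_vuln_ids` is present but empty the expression yields `id IN ['']`, which presumably matches nothing, whereas before this change the unfiltered request fetched every vulnerability; whichever is intended should be made explicit, for instance `!has(work.asset_vuln_ids) || work.asset_vuln_ids.size() == 0 ? req : req.with({…})` if an empty list should fall back to the unfiltered request. The id list is also unbounded, so a large asset page could produce an oversized request body; a comment noting the expected size or a cap would help. The enclosing `program:` block continues outside the hunk.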
@@ -28,7 +28,7 @@ "created": "2025-05-12T16:25:35.000Z", "dataset": "rapid7_insightvm.asset_vulnerability", "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6|unix-anonymous-root-logins|2025-05-27T18:21:36.279Z", - "ingested": "2025-05-30T11:11:51Z", + "ingested": "2025-06-05T04:34:26Z", "kind": "event", "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vuln\":{\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 
AI,UNIX\",\"check_id\":null,\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":7.9520000338554375,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:S/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \\\"su\\\" to become root.\",\"exploits\":[],\"first_found\":\"2025-05-12T16:25:35Z\",\"id\":\"unix-anonymous-root-logins\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":6.5,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"published\":\"2004-11-30T00:00:00Z\",\"references\":\"\",\"reintroduced\":null,\"risk_score\":562,\"severity\":\"severe\",\"severity_score\":7,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"title\":\"Anonymous root login is allowed\",\"vulnerability_id\":\"unix-anonymous-root-logins\"},\"vulnerability\":[{\"check_id\":null,\"first_found\":\"2025-05-12T16:25:35Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-anonymous-root-logins\"},{\"check_id\":null,\"first_found\":\"2025-05-14T13:52:10Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eThe following world writable files were found.\\u003cul\\u003e\\u003cli\\u003e/var/.com.zerog.registry.xml (-rwxrwxrwx)\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eFor each world-writable file, determine whether there is a good reason for\\n it to be world writable. If not, remove world write permissions for the file.\\n The output here is limited to 50 files. In order to find all of these files without needing to\\n run another Nexpose scan run the following command:\\u003c/p\\u003e\\u003cpre\\u003e find / -type f -perm -02\\u003c/pre\\u003e\\u003cp\\u003ePlease note; it may be necessary exclude particular paths or file share types, run \\u0026#39;man find\\u0026#39; for information.\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-world-writable-files\",\"solution_summary\":\"Remove world write permissions\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-world-writable-files\"}]}", "severity": 7, diff --git a/packages/rapid7_insightvm/manifest.yml b/packages/rapid7_insightvm/manifest.yml index cd15f06aaab..1437788ca49 100644 --- a/packages/rapid7_insightvm/manifest.yml +++ b/packages/rapid7_insightvm/manifest.yml @@ -11,7 +11,7 @@ categories: - vulnerability_management conditions: kibana: - version: "^8.18.0 || ^9.0.0" + version: "^8.19.0 || ^9.0.0" elastic: subscription: "basic" screenshots: From 13fff4473b6c32ed90da89142afc9aa2784ecd7d Mon Sep 17 00:00:00 2001 
From: kcreddy Date: Sat, 7 Jun 2025 17:57:03 +0530 Subject: [PATCH 08/19] Update CEL program to publish events as they become available --- .../_dev/deploy/docker/files/config.yml | 17 + .../pipeline/test-asset-vulnerability.log | 42 +- ...test-asset-vulnerability.log-expected.json | 84 ++-- .../_dev/test/system/test-default-config.yml | 5 +- .../agent/stream/cel.yml.hbs | 106 +++-- .../elasticsearch/ingest_pipeline/default.yml | 441 +++++++++--------- .../asset_vulnerability/fields/fields.yml | 5 +- .../asset_vulnerability/sample_event.json | 16 +- packages/rapid7_insightvm/docs/README.md | 153 +++--- .../fields/fields.yml | 5 +- 10 files changed, 469 insertions(+), 405 deletions(-) diff --git a/packages/rapid7_insightvm/_dev/deploy/docker/files/config.yml b/packages/rapid7_insightvm/_dev/deploy/docker/files/config.yml index 70c75fb4aa2..c0afda0e742 100644 --- a/packages/rapid7_insightvm/_dev/deploy/docker/files/config.yml +++ b/packages/rapid7_insightvm/_dev/deploy/docker/files/config.yml @@ -100,6 +100,23 @@ rules: "solution_type": "workaround", "status": "VULNERABLE_EXPL", "vulnerability_id": "linux-grub-missing-passwd" + }, + { + "check_id": null, + "first_found": "2025-05-13T13:25:40Z", + "key": "", + "last_found": "2025-05-27T19:54:43.777Z", + "nic": null, + "port": null, + "proof": "

Grub config with no password found.

  • Vulnerable file: /boot/grub/grub.cfg

", + "protocol": null, + "reintroduced": null, + "solution_fix": "

Set a password in the GRUB configuration file. This\n is often located in one of several locations, but can really be\n anywhere:

\n          /etc/grub.conf\n          /boot/grub/grub.conf\n          /boot/grub/grub.cfg\n          /boot/grub/menu.lst\n        

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file\n and add the following line before the first uncommented line:

   password <password>

To set an encrypted password, run grub-md5-crypt and use its\n output when adding the following line before the first\n uncommented line:

   password --md5 <encryptedpassword>

For either approach, choose an appropriately strong password.

", + "solution_id": "linux-grub-missing-passwd", + "solution_summary": " Enable GRUB password ", + "solution_type": "workaround", + "status": "VULNERABLE_EXPL", + "vulnerability_id": "id-not-enriched" } ] }, diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log index df2eda72c7f..612af355d3f 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log @@ -1,21 +1,21 @@ -{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2025-05-14T13:52:10Z","key":"/root/infaagent/jdk/lib/jrt-fs.jar","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":null,"proof":"

Vulnerable OS: Ubuntu Linux 22.04

Vulnerable software installed: Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)

","protocol":null,"reintroduced":null,"solution_fix":"

\n Download and upgrade to the latest version of Azul Zulu from here.

","solution_id":"azul-zulu-upgrade-latest","solution_summary":"Upgrade Azul Zulu to the latest version","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"azul-zulu-cve-2025-21502","added":"2025-02-05T00:00:00Z","categories":"Azul Systems,Azul Zulu,Java,Web","cves":"CVE-2025-21502","cvss_v2_access_complexity":"high","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":4.927999973297119,"cvss_v2_impact_score":4.938243839970231,"cvss_v2_integrity_impact":"partial","cvss_v2_score":4,"cvss_v2_vector":"(AV:N/AC:H/Au:N/C:P/I:P/A:N)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"low","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":2.5140719999999996,"cvss_v3_integrity_impact":"low","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":4.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","denial_of_service":false,"description":"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).","exploits":[],"id":"azul-zulu-cve-2025-21502","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2025-21502","id":"CVE-2025-21502","source":"cve"},{"href":"https://www.azul.com/downloads/","id":"https://www.azul.com/downloads/","source":"url"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":4,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"2025-01-21T00:00:00Z","references":"cve:CVE-2025-21502,url:https://www.azul.com/downloads/","risk_score":321,"severity":"low","severity_score":4,"title":"Azul Zulu: CVE-2025-21502: Vulnerability in the Azul Zulu OpenJDK component"}} 
-{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2025-05-13T13:25:40Z","key":"","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":null,"proof":"

Grub config with no password found.

  • Vulnerable file: /boot/grub/grub.cfg

","protocol":null,"reintroduced":null,"solution_fix":"

Set a password in the GRUB configuration file. This\n is often located in one of several locations, but can really be\n anywhere:

\n          /etc/grub.conf\n          /boot/grub/grub.conf\n          /boot/grub/grub.cfg\n          /boot/grub/menu.lst\n        

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file\n and add the following line before the first uncommented line:

   password <password>

To set an encrypted password, run grub-md5-crypt and use its\n output when adding the following line before the first\n uncommented line:

   password --md5 <encryptedpassword>

For either approach, choose an appropriately strong password.

","solution_id":"linux-grub-missing-passwd","solution_summary":" Enable GRUB password ","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"linux-grub-missing-passwd","added":"2004-11-30T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,UNIX","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"local","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":3.948735978603363,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":4.6,"cvss_v2_vector":"(AV:L/AC:L/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":5.177088,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.7,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","denial_of_service":false,"description":"GRUB bootloader is not password protected. An attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command. 
It can also be exploited to boot into single user mode as root or boot into an insecure operating system.","exploits":[],"id":"linux-grub-missing-passwd","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":4.6,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"1999-01-01T00:00:00Z","references":"","risk_score":515,"severity":"critical","severity_score":5,"title":"No password for Grub"}} -{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vuln":{"check_id":null,"first_found":"2025-04-30T06:21:05Z","key":"","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":3389,"proof":"

The subject common name found in the X.509 certificate does not seem to match the scan target:

  • Subject CN Win11-50-13-52.testad.local does not match target name specified in the site.

","protocol":"TCP","reintroduced":"2025-05-27T13:34:19Z","solution_fix":"

\n The subject's common name (CN) field in the X.509 certificate should be fixed\nto reflect the name of the entity presenting the certificate (e.g., the\nhostname). This is done by generating a new certificate usually signed by a\nCertification Authority (CA) trusted by both the client and server.\n

","solution_id":"certificate-common-name-mismatch","solution_summary":"Fix the subject's Common Name (CN) field in the certificate","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"certificate-common-name-mismatch","added":"2007-08-03T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,HTTP,Web","cves":"","cvss_v2_access_complexity":"high","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":4.927999973297119,"cvss_v2_impact_score":7.843935219030975,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.1,"cvss_v2_vector":"(AV:N/AC:H/Au:N/C:C/I:P/A:N)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":5.177088,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","denial_of_service":false,"description":"The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.\n\nBefore issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by \"https://www.example.com/\", the CN should be \"www.example.com\". \n\nIn order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then launch a man-in-the-middle attack and gain full control of the data stream. 
Of particular importance is the validity of the subject's CN, that should match the name of the entity (hostname).\n\nA CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.","exploits":[],"id":"certificate-common-name-mismatch","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.1,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2007-08-03T00:00:00Z","references":"","risk_score":495,"severity":"none","severity_score":6,"title":"X.509 Certificate Subject CN Does Not Match the Entity Name"}} -{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 
Agent"}],"vuln":{"check_id":"microsoft-windows-cve-2025-21204-windows_11-22h2-kb5055528","first_found":"2025-05-13T07:25:34Z","key":"","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows 11 22H2

  • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
    • UBR - contains 4317

","protocol":null,"reintroduced":null,"solution_fix":"

Download and apply the patch from: https://support.microsoft.com/help/5058405

","solution_id":"microsoft-windows-windows_11-22h2-kb5058405","solution_summary":"2025-05 Cumulative Update for Microsoft Windows 11, version 22H2 (KB5058405)","solution_type":"patch","status":"VULNERABLE_EXPL","vulnerability_id":"microsoft-windows-cve-2025-21204","added":"2025-04-08T00:00:00Z","categories":"Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation","cves":"CVE-2025-21204","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"local","cvss_v2_authentication":"single","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":3.141040013372898,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:L/AC:L/Au:S/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":1.8345765900000002,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"low","cvss_v3_scope":"unchanged","cvss_v3_score":7.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege 
Vulnerability","exploits":[],"id":"microsoft-windows-cve-2025-21204","links":[{"href":"https://support.microsoft.com/help/5055557","id":"https://support.microsoft.com/help/5055557","source":"url"},{"href":"https://support.microsoft.com/help/5055547","id":"https://support.microsoft.com/help/5055547","source":"url"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2025-21204","id":"CVE-2025-21204","source":"cve"},{"href":"https://support.microsoft.com/help/5055526","id":"https://support.microsoft.com/help/5055526","source":"url"},{"href":"https://support.microsoft.com/help/5055527","id":"https://support.microsoft.com/help/5055527","source":"url"},{"href":"https://support.microsoft.com/help/5055521","id":"https://support.microsoft.com/help/5055521","source":"url"},{"href":"https://support.microsoft.com/help/5055523","id":"https://support.microsoft.com/help/5055523","source":"url"},{"href":"https://support.microsoft.com/help/5055528","id":"https://support.microsoft.com/help/5055528","source":"url"},{"href":"https://support.microsoft.com/help/5055518","id":"https://support.microsoft.com/help/5055518","source":"url"},{"href":"https://support.microsoft.com/help/5055519","id":"https://support.microsoft.com/help/5055519","source":"url"},{"href":"https://support.microsoft.com/help/5055581","id":"https://support.microsoft.com/help/5055581","source":"url"}],"malware_kits":[],"modified":"2025-04-14T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2025-04-08T00:00:00Z","references":"cve:CVE-2025-21204,url:https://support.microsoft.com/help/5055518,url:https://support.microsoft.com/help/5055519,url:https://support.microsoft.com/help/5055521,url:https://support.microsoft.com/help/5055523,url:https://support.microsoft.com/help/5055526,url:https://support.microsoft.com/help/5055527,url:https://support.microsoft.com/help/5055528,url:https://support.microsoft.com/help/5055547,url:https://support.microsoft.com/hel
p/5055557,url:https://support.microsoft.com/help/5055581","risk_score":522,"severity":"informational","severity_score":7,"title":"Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability"}} -{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vuln":{"check_id":"WINDOWS-HOTFIX-MS13-098-x64","first_found":"2025-05-13T07:25:34Z","key":"","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows 11 22H2

  • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Wintrust\\Config - key does not exist
    • EnableCertPaddingCheck - value does not exist

","protocol":null,"reintroduced":null,"solution_fix":"

Download and apply the patch from: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

","solution_id":"windows-hotfix-ms13-098","solution_summary":"Enable Certificate Padding Check for Windows Systems","solution_type":"patch","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms13-098","added":"2013-12-10T00:00:00Z","categories":"CISA KEV,Exploited in the Wild,Microsoft,Microsoft Patch,Microsoft Windows,Remote Execution","cves":"CVE-2013-3900","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"local","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":3.392575981616974,"cvss_v2_impact_score":6.870600273013115,"cvss_v2_integrity_impact":"complete","cvss_v2_score":4.7,"cvss_v2_vector":"(AV:L/AC:M/Au:N/C:N/I:C/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":1.8345765900000002,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":5.5,"cvss_v3_user_interaction":"required","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","denial_of_service":false,"description":"This vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. Note that this vulnerability was originally published by Microsoft as MS13-098, but has now been republished as CVE-2013-3900. 
Microsoft provides current information on the CVE-2013-3900 advisory.","exploits":[],"id":"windows-hotfix-ms13-098","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2013-3900","id":"CVE-2013-3900","source":"cve"},{"href":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900","id":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900","source":"url"}],"malware_kits":[],"modified":"2025-04-22T00:00:00Z","pci_cvss_score":4.7,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"2013-12-10T00:00:00Z","references":"cve:CVE-2013-3900,url:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900","risk_score":450,"severity":"severe","severity_score":5,"title":"CVE-2013-3900: MS13-098: Vulnerability in Windows Could Allow Remote Code Execution"}} -{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":3,"exploits":0,"host_name":"computer-test","id":"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6","ip":"10.50.5.112","last_assessed_for_vulnerabilities":"2025-05-27T18:21:36.279Z","last_scan_end":"2025-05-27T18:21:36.279Z","last_scan_start":"2025-05-27T18:20:41.505Z","mac":"00:00:5E:00:53:02","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Red Hat Enterprise Linux 7.9","os_family":"Linux","os_name":"Enterprise Linux","os_system_name":"Red Hat Linux","os_type":"","os_vendor":"Red Hat","os_version":"7.9","risk_score":18250,"severe_vulnerabilities":48,"tags":[{"name":"Ahmedabad","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":52,"type":"guest","unique_identifiers":[{"id":"CEF12345-ABCD-1234-ABCD-95ABCDEF1234","source":"dmidecode"},{"id":"e80644e940123456789abcdef66a8b16","source":"R7 
Agent"}],"vuln":{"check_id":null,"first_found":"2025-05-12T16:25:35Z","key":"","last_found":"2025-05-27T18:21:36.279Z","nic":null,"port":null,"proof":"

Following entries in /etc/securetty \n may allow anonymous root logins:

  • ttyS0
  • ttysclp0
  • sclp_line0
  • 3270/tty1
  • hvc0
  • hvc1
  • hvc2
  • hvc3
  • hvc4
  • hvc5
  • hvc6
  • hvc7
  • hvsi0
  • hvsi1
  • hvsi2
  • xvc0

","protocol":null,"reintroduced":null,"solution_fix":"

Remove all the entries in /etc/securetty except console,\n tty[0-9]* and vc\\[0-9]*

Note: ssh does not use /etc/securetty. To disable root login\n through ssh, use the "PermitRootLogin" setting in /etc/ssh/sshd_config\n and restart the ssh daemon.

","solution_id":"unix-anonymous-root-logins","solution_summary":"Edit '/etc/securetty' entries","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"unix-anonymous-root-logins","added":"2004-11-30T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,UNIX","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"single","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":7.9520000338554375,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.5,"cvss_v2_vector":"(AV:N/AC:L/Au:S/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \"su\" to become root.","exploits":[],"id":"unix-anonymous-root-logins","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.5,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2004-11-30T00:00:00Z","references":"","risk_score":562,"severity":"severe","severity_score":7,"title":"Anonymous root login is allowed"}} -{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":3,"exploits":0,"host_name":"computer-test","id":"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6","ip":"10.50.5.112","last_assessed_for_vulnerabilities":"2025-05-27T18:21:36.279Z","last_scan_end":"2025-05-27T18:21:36.279Z","last_scan_start":"2025-05-27T18:20:41.505Z","mac":"00:00:5E:00:53:02","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Red Hat Enterprise Linux 7.9","os_family":"Linux","os_name":"Enterprise Linux","os_system_name":"Red Hat Linux","os_type":"","os_vendor":"Red Hat","os_version":"7.9","risk_score":18250,"severe_vulnerabilities":48,"tags":[{"name":"Ahmedabad","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":52,"type":"guest","unique_identifiers":[{"id":"CEF12345-ABCD-1234-ABCD-95ABCDEF1234","source":"dmidecode"},{"id":"e80644e940123456789abcdef66a8b16","source":"R7 Agent"}],"vuln":{"check_id":null,"first_found":"2025-05-14T13:52:10Z","key":"","last_found":"2025-05-27T18:21:36.279Z","nic":null,"port":null,"proof":"

The following world writable files were found.

  • /var/.com.zerog.registry.xml (-rwxrwxrwx)

","protocol":null,"reintroduced":null,"solution_fix":"

For each world-writable file, determine whether there is a good reason for\n it to be world writable. If not, remove world write permissions for the file.\n The output here is limited to 50 files. In order to find all of these files without needing to\n run another Nexpose scan run the following command:

 find / -type f -perm -02

Please note; it may be necessary exclude particular paths or file share types, run 'man find' for information.

","solution_id":"unix-world-writable-files","solution_summary":"Remove world write permissions","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"unix-world-writable-files","added":"2005-01-15T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,UNIX","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"local","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":3.948735978603363,"cvss_v2_impact_score":4.938243839970231,"cvss_v2_integrity_impact":"partial","cvss_v2_score":3.6,"cvss_v2_vector":"(AV:L/AC:L/Au:N/C:P/I:P/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"low","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":1.4123999999999999,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","denial_of_service":false,"description":"World writable files were found on the system. 
A file that can be written by any user on the system could be a serious security flaw.","exploits":[],"id":"unix-world-writable-files","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":3.6,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"","pci_status":"pass","published":"2005-01-15T00:00:00Z","references":"","risk_score":268,"severity":"severe","severity_score":4,"title":"World writable files exist"}} -{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2020-07-23T20:11:10Z","key":"Debian Linux 8.0","last_found":"2020-07-23T20:11:10.304Z","nic":null,"port":null,"proof":"

Vulnerable OS: Debian Linux 8.0

","protocol":null,"reintroduced":null,"solution_fix":"

\n See the Debian 9 release notes for instructions on upgrading to Debian GNU/Linux 9, alias "stretch".\n

","solution_id":"debian-upgrade-to-stretch","solution_summary":"Upgrade to Debian GNU/Linux 9 or later","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"debian-obsolete","added":"2013-01-29T00:00:00Z","categories":"Debian Linux,Obsolete OS,Obsolete Software","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":6.0477304915445185,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"changed","cvss_v3_score":10,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","denial_of_service":false,"description":"Debian terminated support for Debian GNU/Linux 9 \"stretch\" on Jun 30, 2022. All Debian versions prior to 10.0 \"buster\" may have unpatched security vulnerabilities.","exploits":[],"id":"debian-obsolete","links":[{"href":"https://wiki.debian.org/LTS","id":"https://wiki.debian.org/LTS","source":"url"}],"malware_kits":[],"modified":"2025-03-28T00:00:00Z","pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"This operating system version is no longer supported by the vendor, and results in an automatic failure. 
","pci_status":"fail","published":"2006-06-30T00:00:00Z","references":"url:https://wiki.debian.org/LTS","risk_score":911.42,"severity":"critical","severity_score":10,"title":"Obsolete Debian GNU/Linux Version"}} -{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2018-11-25T09:20:27Z","key":"","last_found":"2023-05-23T18:16:30.836Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows Server 2003 SP1

Server responded with vulnerable error code: 2 and class: 1

","protocol":null,"reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms06-035","solution_summary":"The solution is unknown for vuln windows-hotfix-ms06-035","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms06-035","added":"2006-07-12T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","cves":"CVE-2006-1314,CVE-2006-1315","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":7.5,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.83525473,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"low","cvss_v3_scope":"unchanged","cvss_v3_score":6.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","denial_of_service":false,"description":"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.","exploits":[{"description":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","id":"2057","name":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a kernel pool corruption bug in SRV.SYS. 
Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).","id":"auxiliary/dos/windows/smb/ms06_035_mailslot","name":"Microsoft SRV.SYS Mailslot Write Corruption","rank":"normal","skill_level":"intermediate","source":"metasploit"}],"id":"windows-hotfix-ms06-035","links":[{"href":"http://www.kb.cert.org/vuls/id/189140","id":"189140","source":"cert-vn"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818","id":"win-mailslot-bo(26818)","source":"xf"},{"href":"http://www.securityfocus.com/bid/18863","id":"18863","source":"bid"},{"href":"https://support.microsoft.com/en-us/kb/917159","id":"KB917159","source":"mskb"},{"href":"http://www.us-cert.gov/cas/techalerts/TA06-192A.html","id":"TA06-192A","source":"cert"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1314","id":"CVE-2006-1314","source":"cve"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1315","id":"CVE-2006-1315","source":"cve"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3","id":"3","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600","id":"600","source":"oval"},{"href":"http://www.osvdb.org/27155","id":"27155","source":"osvdb"},{"href":"http://www.osvdb.org/27154","id":"27154","source":"osvdb"},{"href":"http://technet.microsoft.com/security/bulletin/MS06-035","id":"MS06-035","source":"ms"},{"href":"http://www.securityfocus.com/bid/18891","id":"18891","source":"bid"},{"href":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","id":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","source":"url"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilit
ies/26820","id":"win-smb-information-disclosure(26820)","source":"xf"},{"href":"http://www.kb.cert.org/vuls/id/333636","id":"333636","source":"cert-vn"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":7.5,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2006-07-11T00:00:00Z","references":"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)","risk_score":756.57,"severity":"critical","severity_score":8,"title":"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)"}} -{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2018-11-25T09:20:27Z","key":"","last_found":"2023-05-23T18:16:30.836Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows Server 2003 SP1

Based on the result of the "dcerpc-ms-netapi-netpathcanonicalize-dos" test, this node is applicable to this issue.

","protocol":null,"reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms06-035","solution_summary":"The solution is unknown for vuln windows-hotfix-ms06-035","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms06-035","added":"2006-07-12T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","cves":"CVE-2006-1314,CVE-2006-1315","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":7.5,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.83525473,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"low","cvss_v3_scope":"unchanged","cvss_v3_score":6.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","denial_of_service":false,"description":"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.","exploits":[{"description":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","id":"2057","name":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a kernel pool corruption bug in SRV.SYS. 
Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).","id":"auxiliary/dos/windows/smb/ms06_035_mailslot","name":"Microsoft SRV.SYS Mailslot Write Corruption","rank":"normal","skill_level":"intermediate","source":"metasploit"}],"id":"windows-hotfix-ms06-035","links":[{"href":"http://www.kb.cert.org/vuls/id/189140","id":"189140","source":"cert-vn"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818","id":"win-mailslot-bo(26818)","source":"xf"},{"href":"http://www.securityfocus.com/bid/18863","id":"18863","source":"bid"},{"href":"https://support.microsoft.com/en-us/kb/917159","id":"KB917159","source":"mskb"},{"href":"http://www.us-cert.gov/cas/techalerts/TA06-192A.html","id":"TA06-192A","source":"cert"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1314","id":"CVE-2006-1314","source":"cve"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1315","id":"CVE-2006-1315","source":"cve"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3","id":"3","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600","id":"600","source":"oval"},{"href":"http://www.osvdb.org/27155","id":"27155","source":"osvdb"},{"href":"http://www.osvdb.org/27154","id":"27154","source":"osvdb"},{"href":"http://technet.microsoft.com/security/bulletin/MS06-035","id":"MS06-035","source":"ms"},{"href":"http://www.securityfocus.com/bid/18891","id":"18891","source":"bid"},{"href":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","id":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","source":"url"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilit
ies/26820","id":"win-smb-information-disclosure(26820)","source":"xf"},{"href":"http://www.kb.cert.org/vuls/id/333636","id":"333636","source":"cert-vn"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":7.5,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2006-07-11T00:00:00Z","references":"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)","risk_score":756.57,"severity":"critical","severity_score":8,"title":"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)"}} -{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 
Agent"}],"vuln":{"check_id":"msft-cve-2022-37967-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc","first_found":"2022-12-23T18:40:29Z","key":"","last_found":"2023-06-23T17:29:23.453Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1

Based on the following 2 results:

    • Found an applicable package: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages\\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.
      • HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\Winners\\amd64_Microsoft-Windows-Audio-DMusic_31bf3856ad364e35_none_6ddb350169ebdb56 - key exists
      • The above CBS component is currently version 6.1.7600.16385, expected version 6.1.7601.26262 or higher
      • 2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288) is applicable for this CBS component

    • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
      • UBR - contains 24443

","protocol":null,"reintroduced":null,"solution_fix":"

Download and apply the patch from: https://support.microsoft.com/kb/5021288

","solution_id":"msft-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc","solution_summary":"2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288)","solution_type":"patch","status":"VULNERABLE_EXPL","vulnerability_id":"msft-cve-2022-37967","added":"2022-11-08T00:00:00Z","categories":"Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation","cves":"CVE-2022-37967","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"multiple","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":6.389999830722808,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":8.3,"cvss_v2_vector":"(AV:N/AC:L/Au:M/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":1.2347077050000002,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"high","cvss_v3_scope":"unchanged","cvss_v3_score":7.2,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Windows Kerberos Elevation of Privilege 
Vulnerability.","exploits":[],"id":"msft-cve-2022-37967","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2022-37967","id":"CVE-2022-37967","source":"cve"},{"href":"https://support.microsoft.com/help/5031364","id":"https://support.microsoft.com/help/5031364","source":"url"},{"href":"https://support.microsoft.com/help/5031362","id":"https://support.microsoft.com/help/5031362","source":"url"},{"href":"https://support.microsoft.com/help/5031361","id":"https://support.microsoft.com/help/5031361","source":"url"},{"href":"https://support.microsoft.com/help/5031407","id":"https://support.microsoft.com/help/5031407","source":"url"},{"href":"https://support.microsoft.com/help/5031419","id":"https://support.microsoft.com/help/5031419","source":"url"},{"href":"https://support.microsoft.com/help/5031427","id":"https://support.microsoft.com/help/5031427","source":"url"}],"malware_kits":[],"modified":"2024-09-06T00:00:00Z","pci_cvss_score":8.3,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2022-11-08T00:00:00Z","references":"cve:CVE-2022-37967,url:https://support.microsoft.com/help/5031361,url:https://support.microsoft.com/help/5031362,url:https://support.microsoft.com/help/5031364,url:https://support.microsoft.com/help/5031407,url:https://support.microsoft.com/help/5031419,url:https://support.microsoft.com/help/5031427","risk_score":434.28,"severity":"critical","severity_score":8,"title":"Microsoft Windows: CVE-2022-37967: Windows Kerberos Elevation of Privilege Vulnerability"}} 
-{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vuln":{"check_id":null,"first_found":"2022-12-23T18:40:29Z","key":"","last_found":"2023-06-23T17:29:23.453Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1

Based on the following 4 results:

  1. Based on the following 2 results:

      • HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender - key does not exist

      • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender
        • DisableAntiSpyware - contains 0

    • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates
      • EngineVersion - contains 1.1.9203.0

    • HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SepMasterService - key does not exist
      • Start - value does not exist

    • HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\MsMpSvc - key does not exist
      • Start - value does not exist

","protocol":null,"reintroduced":null,"solution_fix":"

Verify that the latest version of the Microsoft Malware Protection Engine\nand definition updates are being actively downloaded and installed for their Microsoft antimalware products.\nFor more information on how to verify the version number for the Microsoft Malware Protection Engine that your\nsoftware is currently using, see the section Verifying Update Installation\nin Microsoft Knowledge Base Article 2510781 https://support.microsoft.com/kb/2510781

","solution_id":"windows-defender-upgrade-latest","solution_summary":"Upgrade Microsoft Defender to the latest version.","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-defender-cve-2022-24548","added":"2022-04-14T00:00:00Z","categories":"Denial of Service,Microsoft Windows Defender","cves":"CVE-2022-24548","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":2.862749751806259,"cvss_v2_integrity_impact":"none","cvss_v2_score":4.3,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:N/I:N/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":1.8345765900000002,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":5.5,"cvss_v3_user_interaction":"required","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","denial_of_service":true,"description":"Microsoft Defender Denial of Service Vulnerability","exploits":[],"id":"windows-defender-cve-2022-24548","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2022-24548","id":"CVE-2022-24548","source":"cve"},{"href":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548","id":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548","source":"url"}],"malware_kits":[],"modified":"2023-12-13T00:00:00Z","pci_cvss_score":4.3,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. 
","pci_status":"pass","published":"2022-04-14T00:00:00Z","references":"cve:CVE-2022-24548,url:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548","risk_score":124.28,"severity":"severe","severity_score":4,"title":"Microsoft Defender Denial of Service Vulnerability (CVE-2022-24548)"}} -{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vuln":{"check_id":null,"first_found":"2018-11-25T09:10:10Z","key":"","last_found":"2019-02-14T21:39:25.312Z","nic":null,"port":445,"proof":"

Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition SP2

System replied with a malformed SMB packet

","protocol":"TCP","reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms09-050","solution_summary":"The solution is unknown for vuln windows-hotfix-ms09-050","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms09-050","added":"2009-10-13T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","cves":"CVE-2009-2526,CVE-2009-2532,CVE-2009-3103","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":9.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.","exploits":[{"description":"Microsoft Windows 7/2008 R2 - Remote Kernel Crash","id":"10005","name":"Microsoft Windows 7/2008 R2 - Remote Kernel Crash","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.","id":"auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff","name":"Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference","rank":"normal","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)","id":"40280","name":"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service","id":"12524","name":"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\n without SP1 does not seem affected by this flaw.","id":"exploit/windows/smb/ms09_050_smb2_negotiate_func_index","name":"MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference","rank":"good","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)","id":"14674","name":"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.","id":"auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh","name":"Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference","rank":"normal","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)","id":"9594","name":"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death 
(MS07-063)","rank":"average","skill_level":"expert","source":"exploitdb"}],"id":"windows-hotfix-ms09-050","links":[{"href":"http://www.us-cert.gov/cas/techalerts/TA09-286A.html","id":"TA09-286A","source":"cert"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489","id":"6489","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336","id":"6336","source":"oval"},{"href":"http://www.securityfocus.com/bid/36299","id":"36299","source":"bid"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595","id":"5595","source":"oval"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-2526","id":"CVE-2009-2526","source":"cve"},{"href":"http://technet.microsoft.com/security/bulletin/MS09-050","id":"MS09-050","source":"ms"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-3103","id":"CVE-2009-3103","source":"cve"},{"href":"http://www.kb.cert.org/vuls/id/135940","id":"135940","source":"cert-vn"},{"href":"https://support.microsoft.com/en-us/kb/975517","id":"KB975517","source":"mskb"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-2532","id":"CVE-2009-2532","source":"cve"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/53090","id":"53090","source":"xf"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2009-10-13T00:00:00Z","references":"cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A","risk_score":914.2,"severity":"critical","severity_score":10,"title":"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)"}} 
-{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2021-02-23T18:39:30Z","key":"","last_found":"2022-04-23T18:04:36.094Z","nic":null,"port":null,"proof":"

Vulnerable OS: CentOS Linux 7.6.1810

  • mariadb-libs - version 1:5.5.60-1.el7_5 is installed

","protocol":null,"reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-centos_linux-cve-2020-2574","solution_summary":"The solution is unknown for vuln centos_linux-cve-2020-2574","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"centos_linux-cve-2020-2574","added":"2020-09-15T00:00:00Z","categories":"CentOS","cves":"CVE-2020-2574","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":2.862749751806259,"cvss_v2_integrity_impact":"none","cvss_v2_score":4.3,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:N/I:N/A:P)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":5.9,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","denial_of_service":true,"description":"Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).","exploits":[],"id":"centos_linux-cve-2020-2574","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2020-2574","id":"CVE-2020-2574","source":"nvd"}],"malware_kits":[],"modified":"2023-05-25T00:00:00Z","pci_cvss_score":4.3,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. ","pci_status":"pass","published":"2020-01-15T00:00:00Z","references":"nvd:CVE-2020-2574","risk_score":150.88,"severity":"severe","severity_score":4,"title":"CentOS Linux: CVE-2020-2574: Important: mysql:8.0 security update (Multiple Advisories)"}} -{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vuln":{"check_id":null,"first_found":"2021-03-23T21:18:51Z","key":"","last_found":"2023-06-23T19:16:12.895Z","nic":null,"port":445,"proof":"

Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition

\\BROWSER: WriteAndX succeeded with offset 77

","protocol":"TCP","reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms09-001","solution_summary":"The solution is unknown for vuln windows-hotfix-ms09-001","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms09-001","added":"2009-10-13T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","cves":"CVE-2009-2526,CVE-2009-2532,CVE-2009-3103","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":9.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.","exploits":[{"description":"Microsoft Windows 7/2008 R2 - Remote Kernel Crash","id":"10005","name":"Microsoft Windows 7/2008 R2 - Remote Kernel Crash","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.","id":"auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff","name":"Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference","rank":"normal","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)","id":"40280","name":"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service","id":"12524","name":"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\n without SP1 does not seem affected by this flaw.","id":"exploit/windows/smb/ms09_050_smb2_negotiate_func_index","name":"MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference","rank":"good","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)","id":"14674","name":"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.","id":"auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh","name":"Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference","rank":"normal","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)","id":"9594","name":"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death 
(MS07-063)","rank":"average","skill_level":"expert","source":"exploitdb"}],"id":"windows-hotfix-ms09-050","links":[{"href":"http://www.us-cert.gov/cas/techalerts/TA09-286A.html","id":"TA09-286A","source":"cert"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489","id":"6489","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336","id":"6336","source":"oval"},{"href":"http://www.securityfocus.com/bid/36299","id":"36299","source":"bid"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595","id":"5595","source":"oval"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-2526","id":"CVE-2009-2526","source":"cve"},{"href":"http://technet.microsoft.com/security/bulletin/MS09-050","id":"MS09-050","source":"ms"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-3103","id":"CVE-2009-3103","source":"cve"},{"href":"http://www.kb.cert.org/vuls/id/135940","id":"135940","source":"cert-vn"},{"href":"https://support.microsoft.com/en-us/kb/975517","id":"KB975517","source":"mskb"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-2532","id":"CVE-2009-2532","source":"cve"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/53090","id":"53090","source":"xf"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2009-10-13T00:00:00Z","references":"cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A","risk_score":914.2,"severity":"critical","severity_score":10,"title":"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)"}} 
-{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2018-11-25T09:16:57Z","key":"","last_found":"2022-02-23T20:10:02.535Z","nic":null,"port":53,"proof":"

Vulnerable OS: Debian Linux 6.0

  • Running DNS service
  • Product BIND exists -- ISC BIND 9.7.3
  • Vulnerable version of product BIND found -- ISC BIND 9.7.3

","protocol":"TCP","reintroduced":null,"solution_fix":"

\n More information about upgrading your version of ISC BIND is available on the ISC website.\n

","solution_id":"upgrade-isc-bind-latest","solution_summary":"Upgrade ISC BIND to latest version","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"dns-bind-cve-2015-4620","added":"2015-10-27T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,DNS,Denial of Service,ISC,ISC BIND","cves":"CVE-2015-4620","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.870600273013115,"cvss_v2_integrity_impact":"none","cvss_v2_score":7.8,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:N/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","denial_of_service":true,"description":"name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.","exploits":[],"id":"dns-bind-cve-2015-4620","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2015-4620","id":"CVE-2015-4620","source":"cve"},{"href":"https://kb.isc.org/article/AA-01267/0","id":"https://kb.isc.org/article/AA-01267/0","source":"url"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":7.8,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. 
","pci_status":"pass","published":"2015-07-08T00:00:00Z","references":"cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0","risk_score":334.11,"severity":"critical","severity_score":8,"title":"ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)"}} -{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2023-03-23T19:23:01Z","key":"","last_found":"2023-06-23T19:36:17.715Z","nic":null,"port":445,"proof":"

  • Running CIFS service
  • Configuration item smb2-enabled set to 'true' matched
  • Configuration item smb2-signing set to 'enabled' matched

","protocol":"TCP","reintroduced":null,"solution_fix":"

\n Configure the system to enable or require SMB signing as appropriate.\n The method and effect of doing this is system specific so please see\n this Microsoft article for\n details. Note: ensure that SMB signing configuration is done for \n incoming connections (Server).\n

","solution_id":"cifs-smb-signing-windows","solution_summary":"Configure SMB signing for Windows","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"cifs-smb2-signing-not-required","added":"2015-10-27T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,DNS,Denial of Service,ISC,ISC BIND","cves":"CVE-2015-4620","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.870600273013115,"cvss_v2_integrity_impact":"none","cvss_v2_score":7.8,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:N/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","denial_of_service":true,"description":"name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.","exploits":[],"id":"dns-bind-cve-2015-4620","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2015-4620","id":"CVE-2015-4620","source":"cve"},{"href":"https://kb.isc.org/article/AA-01267/0","id":"https://kb.isc.org/article/AA-01267/0","source":"url"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":7.8,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. 
","pci_status":"pass","published":"2015-07-08T00:00:00Z","references":"cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0","risk_score":334.11,"severity":"critical","severity_score":8,"title":"ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)"}} -{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2022-12-23T19:25:13Z","key":"VMware ESX Server 4.0.0 GA","last_found":"2023-06-23T18:08:29.154Z","nic":null,"port":null,"proof":"

Vulnerable OS: VMware ESX Server 4.0.0 GA

  • The property "build" contains: 164009.

","protocol":null,"reintroduced":null,"solution_fix":"

Download and apply the upgrade from: https://knowledge.broadcom.com/external/article?articleNumber=142814

","solution_id":"vmware-esx-upgrade-latest","solution_summary":"Upgrade VMware ESX to the latest version","solution_type":"rollup","status":"VULNERABLE_VERS","vulnerability_id":"vmsa-2012-0013-cve-2012-0815","added":"2012-09-17T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Denial of Service,IAVM,Remote Execution,VMware,VMware ESX/ESXi","cves":"CVE-2012-0815","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range 
comparison.","exploits":[],"id":"vmsa-2012-0013-cve-2012-0815","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2012-0815","id":"CVE-2012-0815","source":"cve"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"V0033884","source":"disa_vmskey"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"2012-A-0153","source":"iavm"},{"href":"http://www.vmware.com/security/advisories/VMSA-2012-0013.html","id":"http://www.vmware.com/security/advisories/VMSA-2012-0013.html","source":"url"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"Category I","source":"disa_severity"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"2012-A-0148","source":"iavm"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"V0033794","source":"disa_vmskey"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2012-06-04T00:00:00Z","references":"iavm:2012-A-0148,iavm:2012-A-0153,cve:CVE-2012-0815,disa_severity:Category I,disa_vmskey:V0033794,disa_vmskey:V0033884,url:http://www.vmware.com/security/advisories/VMSA-2012-0013.html","risk_score":716.99,"severity":"severe","severity_score":7,"title":"VMSA-2012-0013: Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS (CVE-2012-0815)"}} -{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu 
Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2022-12-23T18:54:08Z","key":"","last_found":"2023-06-23T17:40:02.211Z","nic":null,"port":null,"proof":"

Vulnerable software installed: Wordpress 3.0

","protocol":null,"reintroduced":null,"solution_fix":"

\n Upgrade to the latest version of Wordpress from https://wordpress.org/download/release-archive/

","solution_id":"wordpress-upgrade-latest","solution_summary":"Upgrade to the latest version of Wordpress","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"wordpress-cve-2015-5731","added":"2017-05-16T00:00:00Z","categories":"CSRF,CVSS Score Predicted with Rapid7 AI,Denial of Service,WordPress","cves":"CVE-2015-5731","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":2.8352547300000004,"cvss_v3_impact_score":5.177088,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.1,"cvss_v3_user_interaction":"required","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H","denial_of_service":false,"description":"Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action.","exploits":[],"id":"wordpress-cve-2015-5731","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2015-5731","id":"CVE-2015-5731","source":"cve"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2015-11-09T00:00:00Z","references":"cve:CVE-2015-5731","risk_score":676.67,"severity":"severe","severity_score":7,"title":"Wordpress: CVE-2015-5731: Cross-Site Request Forgery (CSRF)"}} 
-{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vuln":{"check_id":null,"first_found":"2022-12-23T18:55:39Z","key":"","last_found":"2023-06-23T17:41:50.071Z","nic":null,"port":80,"proof":"

  • Running HTTP service
  • Vulnerable version of component PHP found -- PHP 5.4.16

","protocol":"TCP","reintroduced":null,"solution_fix":"

Download and apply the upgrade from: http://www.php.net/downloads.php

","solution_id":"php-upgrade-latest","solution_summary":"Upgrade to the latest version of PHP","solution_type":"rollup","status":"VULNERABLE_VERS","vulnerability_id":"php-cve-2016-3171","added":"2019-09-30T00:00:00Z","categories":"HTTP,PHP,Remote Execution","cves":"CVE-2016-3171","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.1,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.","exploits":[],"id":"php-cve-2016-3171","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2016-3171","id":"CVE-2016-3171","source":"cve"}],"malware_kits":[],"modified":"2024-11-27T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2016-04-12T00:00:00Z","references":"cve:CVE-2016-3171","risk_score":669.57,"severity":"severe","severity_score":7,"title":"PHP Vulnerability: CVE-2016-3171"}} 
-{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":161,"protocol":"UDP","status":"NO_CREDS_SUPPLIED"},{"port":161,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":9,"exploits":5,"host_name":"BIG-IP-16-1-0.dev.test.rapid7.com","id":"12123455-abcd-5678-1234-01234567890e-default-asset-4123","ip":"175.16.199.1","last_assessed_for_vulnerabilities":"2024-06-23T17:54:28.107Z","last_scan_end":"2024-06-23T17:54:28.107Z","last_scan_start":"2024-06-23T17:44:15.351Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":10,"new":[],"os_architecture":"","os_description":"F5 BIG-IP 16.1.0.0","os_family":"BIG-IP","os_name":"BIG-IP","os_system_name":"F5 BIG-IP","os_type":"Network management device","os_vendor":"F5","os_version":"16.1.0.0","remediated":[],"risk_score":35804.71185,"vuln":{"check_id":null,"first_found":"2022-05-23T19:03:38Z","key":"F5 BIG-IP 16.1.0.0","last_found":"2024-06-23T17:54:28.107Z","nic":null,"port":null,"proof":"

Vulnerable OS: F5 BIG-IP 16.1.0.0

  • The property "ltm" contains: true.

","protocol":null,"reintroduced":null,"solution_fix":"

\n Upgrade to the latest available version of F5 BIG-IP. Refer to BIG-IP Hotfix Matrix for the latest hotfix information.\n

","solution_id":"f5-big-ip-upgrade-latest","solution_summary":"Upgrade to the latest available version of F5 BIG-IP","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"f5-big-ip-cve-2017-7656","added":"2022-04-20T00:00:00Z","categories":"F5,F5 BIG-IP,Web","cves":"CVE-2017-7656","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":2.8627500620484354,"cvss_v2_integrity_impact":"partial","cvss_v2_score":5,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:P/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","denial_of_service":false,"description":"In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. 
This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.","exploits":[],"id":"f5-big-ip-cve-2017-7656","links":[{"href":"https://my.f5.com/manage/s/article/K21054458","id":"https://my.f5.com/manage/s/article/K21054458","source":"url"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2017-7656","id":"CVE-2017-7656","source":"cve"}],"malware_kits":[],"modified":"2024-12-06T00:00:00Z","pci_cvss_score":5,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"2018-06-26T00:00:00Z","references":"cve:CVE-2017-7656,url:https://my.f5.com/manage/s/article/K21054458","risk_score":229.89,"severity":"severe","severity_score":5,"title":"F5 Networks: CVE-2017-7656: K21054458: Eclipse Jetty vulnerability CVE-2017-7656"},"severe_vulnerabilities":94,"tags":[{"name":"snow_test","type":"CUSTOM"},{"name":"all_assets2","type":"CUSTOM"},{"name":"all_assets","type":"CUSTOM"},{"name":"my tag test","type":"CUSTOM"},{"name":"lab","type":"SITE"}],"total_vulnerabilities":113,"type":"guest","unique_identifiers":[]} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight 
agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2025-05-14T13:52:10Z","key":"/root/infaagent/jdk/lib/jrt-fs.jar","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":null,"proof":"

Vulnerable OS: Ubuntu Linux 22.04

Vulnerable software installed: Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)

","protocol":null,"reintroduced":null,"solution_fix":"

\n Download and upgrade to the latest version of Azul Zulu from here.

","solution_id":"azul-zulu-upgrade-latest","solution_summary":"Upgrade Azul Zulu to the latest version","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"azul-zulu-cve-2025-21502","added":"2025-02-05T00:00:00Z","categories":"Azul Systems,Azul Zulu,Java,Web","cves":"CVE-2025-21502","cvss_v2_access_complexity":"high","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":4.927999973297119,"cvss_v2_impact_score":4.938243839970231,"cvss_v2_integrity_impact":"partial","cvss_v2_score":4,"cvss_v2_vector":"(AV:N/AC:H/Au:N/C:P/I:P/A:N)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"low","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":2.5140719999999996,"cvss_v3_integrity_impact":"low","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":4.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","denial_of_service":false,"description":"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).","exploits":[],"id":"azul-zulu-cve-2025-21502","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2025-21502","id":"CVE-2025-21502","source":"cve"},{"href":"https://www.azul.com/downloads/","id":"https://www.azul.com/downloads/","source":"url"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":4,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"2025-01-21T00:00:00Z","references":"cve:CVE-2025-21502,url:https://www.azul.com/downloads/","risk_score":321,"severity":"low","severity_score":4,"title":"Azul Zulu: CVE-2025-21502: Vulnerability in the Azul Zulu OpenJDK component"}} 
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2025-05-13T13:25:40Z","key":"","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":null,"proof":"

Grub config with no password found.

  • Vulnerable file: /boot/grub/grub.cfg

","protocol":null,"reintroduced":null,"solution_fix":"

Set a password in the GRUB configuration file. This\n is often located in one of several locations, but can really be\n anywhere:

\n          /etc/grub.conf\n          /boot/grub/grub.conf\n          /boot/grub/grub.cfg\n          /boot/grub/menu.lst\n        

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file\n and add the following line before the first uncommented line:

   password <password>

To set an encrypted password, run grub-md5-crypt and use its\n output when adding the following line before the first\n uncommented line:

   password --md5 <encryptedpassword>

For either approach, choose an appropriately strong password.

","solution_id":"linux-grub-missing-passwd","solution_summary":" Enable GRUB password ","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"linux-grub-missing-passwd","added":"2004-11-30T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,UNIX","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"local","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":3.948735978603363,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":4.6,"cvss_v2_vector":"(AV:L/AC:L/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":5.177088,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.7,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","denial_of_service":false,"description":"GRUB bootloader is not password protected. An attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command. 
It can also be exploited to boot into single user mode as root or boot into an insecure operating system.","exploits":[],"id":"linux-grub-missing-passwd","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":4.6,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"1999-01-01T00:00:00Z","references":"","risk_score":515,"severity":"critical","severity_score":5,"title":"No password for Grub"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vulnerability":{"check_id":null,"first_found":"2025-04-30T06:21:05Z","key":"","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":3389,"proof":"

The subject common name found in the X.509 certificate does not seem to match the scan target:

  • Subject CN Win11-50-13-52.testad.local does not match target name specified in the site.

","protocol":"TCP","reintroduced":"2025-05-27T13:34:19Z","solution_fix":"

\n The subject's common name (CN) field in the X.509 certificate should be fixed\nto reflect the name of the entity presenting the certificate (e.g., the\nhostname). This is done by generating a new certificate usually signed by a\nCertification Authority (CA) trusted by both the client and server.\n

","solution_id":"certificate-common-name-mismatch","solution_summary":"Fix the subject's Common Name (CN) field in the certificate","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"certificate-common-name-mismatch","added":"2007-08-03T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,HTTP,Web","cves":"","cvss_v2_access_complexity":"high","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":4.927999973297119,"cvss_v2_impact_score":7.843935219030975,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.1,"cvss_v2_vector":"(AV:N/AC:H/Au:N/C:C/I:P/A:N)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":5.177088,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","denial_of_service":false,"description":"The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.\n\nBefore issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by \"https://www.example.com/\", the CN should be \"www.example.com\". \n\nIn order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then launch a man-in-the-middle attack and gain full control of the data stream. 
Of particular importance is the validity of the subject's CN, that should match the name of the entity (hostname).\n\nA CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.","exploits":[],"id":"certificate-common-name-mismatch","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.1,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2007-08-03T00:00:00Z","references":"","risk_score":495,"severity":"none","severity_score":6,"title":"X.509 Certificate Subject CN Does Not Match the Entity Name"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 
Agent"}],"vulnerability":{"check_id":"microsoft-windows-cve-2025-21204-windows_11-22h2-kb5055528","first_found":"2025-05-13T07:25:34Z","key":"","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows 11 22H2

  • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
    • UBR - contains 4317

","protocol":null,"reintroduced":null,"solution_fix":"

Download and apply the patch from: https://support.microsoft.com/help/5058405

","solution_id":"microsoft-windows-windows_11-22h2-kb5058405","solution_summary":"2025-05 Cumulative Update for Microsoft Windows 11, version 22H2 (KB5058405)","solution_type":"patch","status":"VULNERABLE_EXPL","vulnerability_id":"microsoft-windows-cve-2025-21204","added":"2025-04-08T00:00:00Z","categories":"Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation","cves":"CVE-2025-21204","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"local","cvss_v2_authentication":"single","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":3.141040013372898,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:L/AC:L/Au:S/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":1.8345765900000002,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"low","cvss_v3_scope":"unchanged","cvss_v3_score":7.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege 
Vulnerability","exploits":[],"id":"microsoft-windows-cve-2025-21204","links":[{"href":"https://support.microsoft.com/help/5055557","id":"https://support.microsoft.com/help/5055557","source":"url"},{"href":"https://support.microsoft.com/help/5055547","id":"https://support.microsoft.com/help/5055547","source":"url"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2025-21204","id":"CVE-2025-21204","source":"cve"},{"href":"https://support.microsoft.com/help/5055526","id":"https://support.microsoft.com/help/5055526","source":"url"},{"href":"https://support.microsoft.com/help/5055527","id":"https://support.microsoft.com/help/5055527","source":"url"},{"href":"https://support.microsoft.com/help/5055521","id":"https://support.microsoft.com/help/5055521","source":"url"},{"href":"https://support.microsoft.com/help/5055523","id":"https://support.microsoft.com/help/5055523","source":"url"},{"href":"https://support.microsoft.com/help/5055528","id":"https://support.microsoft.com/help/5055528","source":"url"},{"href":"https://support.microsoft.com/help/5055518","id":"https://support.microsoft.com/help/5055518","source":"url"},{"href":"https://support.microsoft.com/help/5055519","id":"https://support.microsoft.com/help/5055519","source":"url"},{"href":"https://support.microsoft.com/help/5055581","id":"https://support.microsoft.com/help/5055581","source":"url"}],"malware_kits":[],"modified":"2025-04-14T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2025-04-08T00:00:00Z","references":"cve:CVE-2025-21204,url:https://support.microsoft.com/help/5055518,url:https://support.microsoft.com/help/5055519,url:https://support.microsoft.com/help/5055521,url:https://support.microsoft.com/help/5055523,url:https://support.microsoft.com/help/5055526,url:https://support.microsoft.com/help/5055527,url:https://support.microsoft.com/help/5055528,url:https://support.microsoft.com/help/5055547,url:https://support.microsoft.com/hel
p/5055557,url:https://support.microsoft.com/help/5055581","risk_score":522,"severity":"informational","severity_score":7,"title":"Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability"}}
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vulnerability":{"check_id":"WINDOWS-HOTFIX-MS13-098-x64","first_found":"2025-05-13T07:25:34Z","key":"","last_found":"2025-05-27T19:54:43.777Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows 11 22H2

  • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Wintrust\\Config - key does not exist
    • EnableCertPaddingCheck - value does not exist

","protocol":null,"reintroduced":null,"solution_fix":"

Download and apply the patch from: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

","solution_id":"windows-hotfix-ms13-098","solution_summary":"Enable Certificate Padding Check for Windows Systems","solution_type":"patch","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms13-098","added":"2013-12-10T00:00:00Z","categories":"CISA KEV,Exploited in the Wild,Microsoft,Microsoft Patch,Microsoft Windows,Remote Execution","cves":"CVE-2013-3900","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"local","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":3.392575981616974,"cvss_v2_impact_score":6.870600273013115,"cvss_v2_integrity_impact":"complete","cvss_v2_score":4.7,"cvss_v2_vector":"(AV:L/AC:M/Au:N/C:N/I:C/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":1.8345765900000002,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":5.5,"cvss_v3_user_interaction":"required","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","denial_of_service":false,"description":"This vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. Note that this vulnerability was originally published by Microsoft as MS13-098, but has now been republished as CVE-2013-3900. 
Microsoft provides current information on the CVE-2013-3900 advisory.","exploits":[],"id":"windows-hotfix-ms13-098","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2013-3900","id":"CVE-2013-3900","source":"cve"},{"href":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900","id":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900","source":"url"}],"malware_kits":[],"modified":"2025-04-22T00:00:00Z","pci_cvss_score":4.7,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"2013-12-10T00:00:00Z","references":"cve:CVE-2013-3900,url:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900","risk_score":450,"severity":"severe","severity_score":5,"title":"CVE-2013-3900: MS13-098: Vulnerability in Windows Could Allow Remote Code Execution"}}
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":3,"exploits":0,"host_name":"computer-test","id":"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6","ip":"10.50.5.112","last_assessed_for_vulnerabilities":"2025-05-27T18:21:36.279Z","last_scan_end":"2025-05-27T18:21:36.279Z","last_scan_start":"2025-05-27T18:20:41.505Z","mac":"00:00:5E:00:53:02","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Red Hat Enterprise Linux 7.9","os_family":"Linux","os_name":"Enterprise Linux","os_system_name":"Red Hat Linux","os_type":"","os_vendor":"Red Hat","os_version":"7.9","risk_score":18250,"severe_vulnerabilities":48,"tags":[{"name":"Ahmedabad","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":52,"type":"guest","unique_identifiers":[{"id":"CEF12345-ABCD-1234-ABCD-95ABCDEF1234","source":"dmidecode"},{"id":"e80644e940123456789abcdef66a8b16","source":"R7 
Agent"}],"vulnerability":{"check_id":null,"first_found":"2025-05-12T16:25:35Z","key":"","last_found":"2025-05-27T18:21:36.279Z","nic":null,"port":null,"proof":"

Following entries in /etc/securetty \n may allow anonymous root logins:

  • ttyS0
  • ttysclp0
  • sclp_line0
  • 3270/tty1
  • hvc0
  • hvc1
  • hvc2
  • hvc3
  • hvc4
  • hvc5
  • hvc6
  • hvc7
  • hvsi0
  • hvsi1
  • hvsi2
  • xvc0

","protocol":null,"reintroduced":null,"solution_fix":"

Remove all the entries in /etc/securetty except console,\n tty[0-9]* and vc\\[0-9]*

Note: ssh does not use /etc/securetty. To disable root login\n through ssh, use the "PermitRootLogin" setting in /etc/ssh/sshd_config\n and restart the ssh daemon.

","solution_id":"unix-anonymous-root-logins","solution_summary":"Edit '/etc/securetty' entries","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"unix-anonymous-root-logins","added":"2004-11-30T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,UNIX","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"single","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":7.9520000338554375,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.5,"cvss_v2_vector":"(AV:N/AC:L/Au:S/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \"su\" to become root.","exploits":[],"id":"unix-anonymous-root-logins","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.5,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2004-11-30T00:00:00Z","references":"","risk_score":562,"severity":"severe","severity_score":7,"title":"Anonymous root login is allowed"}}
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":3,"exploits":0,"host_name":"computer-test","id":"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6","ip":"10.50.5.112","last_assessed_for_vulnerabilities":"2025-05-27T18:21:36.279Z","last_scan_end":"2025-05-27T18:21:36.279Z","last_scan_start":"2025-05-27T18:20:41.505Z","mac":"00:00:5E:00:53:02","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Red Hat Enterprise Linux 7.9","os_family":"Linux","os_name":"Enterprise Linux","os_system_name":"Red Hat Linux","os_type":"","os_vendor":"Red Hat","os_version":"7.9","risk_score":18250,"severe_vulnerabilities":48,"tags":[{"name":"Ahmedabad","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":52,"type":"guest","unique_identifiers":[{"id":"CEF12345-ABCD-1234-ABCD-95ABCDEF1234","source":"dmidecode"},{"id":"e80644e940123456789abcdef66a8b16","source":"R7 Agent"}],"vulnerability":{"check_id":null,"first_found":"2025-05-14T13:52:10Z","key":"","last_found":"2025-05-27T18:21:36.279Z","nic":null,"port":null,"proof":"

The following world writable files were found.

  • /var/.com.zerog.registry.xml (-rwxrwxrwx)

","protocol":null,"reintroduced":null,"solution_fix":"

For each world-writable file, determine whether there is a good reason for\n it to be world writable. If not, remove world write permissions for the file.\n The output here is limited to 50 files. In order to find all of these files without needing to\n run another Nexpose scan run the following command:

 find / -type f -perm -02

Please note; it may be necessary exclude particular paths or file share types, run 'man find' for information.

","solution_id":"unix-world-writable-files","solution_summary":"Remove world write permissions","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"unix-world-writable-files","added":"2005-01-15T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,UNIX","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"local","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":3.948735978603363,"cvss_v2_impact_score":4.938243839970231,"cvss_v2_integrity_impact":"partial","cvss_v2_score":3.6,"cvss_v2_vector":"(AV:L/AC:L/Au:N/C:P/I:P/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"low","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":1.4123999999999999,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","denial_of_service":false,"description":"World writable files were found on the system. 
A file that can be written by any user on the system could be a serious security flaw.","exploits":[],"id":"unix-world-writable-files","links":[],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":3.6,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"","pci_status":"pass","published":"2005-01-15T00:00:00Z","references":"","risk_score":268,"severity":"severe","severity_score":4,"title":"World writable files exist"}}
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2020-07-23T20:11:10Z","key":"Debian Linux 8.0","last_found":"2020-07-23T20:11:10.304Z","nic":null,"port":null,"proof":"

Vulnerable OS: Debian Linux 8.0

","protocol":null,"reintroduced":null,"solution_fix":"

\n See the Debian 9 release notes for instructions on upgrading to Debian GNU/Linux 9, alias "stretch".\n

","solution_id":"debian-upgrade-to-stretch","solution_summary":"Upgrade to Debian GNU/Linux 9 or later","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"debian-obsolete","added":"2013-01-29T00:00:00Z","categories":"Debian Linux,Obsolete OS,Obsolete Software","cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":6.0477304915445185,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"changed","cvss_v3_score":10,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","denial_of_service":false,"description":"Debian terminated support for Debian GNU/Linux 9 \"stretch\" on Jun 30, 2022. All Debian versions prior to 10.0 \"buster\" may have unpatched security vulnerabilities.","exploits":[],"id":"debian-obsolete","links":[{"href":"https://wiki.debian.org/LTS","id":"https://wiki.debian.org/LTS","source":"url"}],"malware_kits":[],"modified":"2025-03-28T00:00:00Z","pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"This operating system version is no longer supported by the vendor, and results in an automatic failure. 
","pci_status":"fail","published":"2006-06-30T00:00:00Z","references":"url:https://wiki.debian.org/LTS","risk_score":911.42,"severity":"critical","severity_score":10,"title":"Obsolete Debian GNU/Linux Version"}}
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2018-11-25T09:20:27Z","key":"","last_found":"2023-05-23T18:16:30.836Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows Server 2003 SP1

Server responded with vulnerable error code: 2 and class: 1

","protocol":null,"reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms06-035","solution_summary":"The solution is unknown for vuln windows-hotfix-ms06-035","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms06-035","added":"2006-07-12T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","cves":"CVE-2006-1314,CVE-2006-1315","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":7.5,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.83525473,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"low","cvss_v3_scope":"unchanged","cvss_v3_score":6.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","denial_of_service":false,"description":"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.","exploits":[{"description":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","id":"2057","name":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a kernel pool corruption bug in SRV.SYS. 
Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).","id":"auxiliary/dos/windows/smb/ms06_035_mailslot","name":"Microsoft SRV.SYS Mailslot Write Corruption","rank":"normal","skill_level":"intermediate","source":"metasploit"}],"id":"windows-hotfix-ms06-035","links":[{"href":"http://www.kb.cert.org/vuls/id/189140","id":"189140","source":"cert-vn"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818","id":"win-mailslot-bo(26818)","source":"xf"},{"href":"http://www.securityfocus.com/bid/18863","id":"18863","source":"bid"},{"href":"https://support.microsoft.com/en-us/kb/917159","id":"KB917159","source":"mskb"},{"href":"http://www.us-cert.gov/cas/techalerts/TA06-192A.html","id":"TA06-192A","source":"cert"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1314","id":"CVE-2006-1314","source":"cve"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1315","id":"CVE-2006-1315","source":"cve"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3","id":"3","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600","id":"600","source":"oval"},{"href":"http://www.osvdb.org/27155","id":"27155","source":"osvdb"},{"href":"http://www.osvdb.org/27154","id":"27154","source":"osvdb"},{"href":"http://technet.microsoft.com/security/bulletin/MS06-035","id":"MS06-035","source":"ms"},{"href":"http://www.securityfocus.com/bid/18891","id":"18891","source":"bid"},{"href":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","id":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","source":"url"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilit
ies/26820","id":"win-smb-information-disclosure(26820)","source":"xf"},{"href":"http://www.kb.cert.org/vuls/id/333636","id":"333636","source":"cert-vn"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":7.5,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2006-07-11T00:00:00Z","references":"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)","risk_score":756.57,"severity":"critical","severity_score":8,"title":"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)"}}
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2018-11-25T09:20:27Z","key":"","last_found":"2023-05-23T18:16:30.836Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows Server 2003 SP1

Based on the result of the "dcerpc-ms-netapi-netpathcanonicalize-dos" test, this node is applicable to this issue.

","protocol":null,"reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms06-035","solution_summary":"The solution is unknown for vuln windows-hotfix-ms06-035","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms06-035","added":"2006-07-12T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","cves":"CVE-2006-1314,CVE-2006-1315","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":7.5,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.83525473,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"low","cvss_v3_scope":"unchanged","cvss_v3_score":6.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","denial_of_service":false,"description":"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.","exploits":[{"description":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","id":"2057","name":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a kernel pool corruption bug in SRV.SYS. 
Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).","id":"auxiliary/dos/windows/smb/ms06_035_mailslot","name":"Microsoft SRV.SYS Mailslot Write Corruption","rank":"normal","skill_level":"intermediate","source":"metasploit"}],"id":"windows-hotfix-ms06-035","links":[{"href":"http://www.kb.cert.org/vuls/id/189140","id":"189140","source":"cert-vn"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818","id":"win-mailslot-bo(26818)","source":"xf"},{"href":"http://www.securityfocus.com/bid/18863","id":"18863","source":"bid"},{"href":"https://support.microsoft.com/en-us/kb/917159","id":"KB917159","source":"mskb"},{"href":"http://www.us-cert.gov/cas/techalerts/TA06-192A.html","id":"TA06-192A","source":"cert"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1314","id":"CVE-2006-1314","source":"cve"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1315","id":"CVE-2006-1315","source":"cve"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3","id":"3","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600","id":"600","source":"oval"},{"href":"http://www.osvdb.org/27155","id":"27155","source":"osvdb"},{"href":"http://www.osvdb.org/27154","id":"27154","source":"osvdb"},{"href":"http://technet.microsoft.com/security/bulletin/MS06-035","id":"MS06-035","source":"ms"},{"href":"http://www.securityfocus.com/bid/18891","id":"18891","source":"bid"},{"href":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","id":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","source":"url"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilit
ies/26820","id":"win-smb-information-disclosure(26820)","source":"xf"},{"href":"http://www.kb.cert.org/vuls/id/333636","id":"333636","source":"cert-vn"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":7.5,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2006-07-11T00:00:00Z","references":"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)","risk_score":756.57,"severity":"critical","severity_score":8,"title":"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)"}}
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 
Agent"}],"vulnerability":{"check_id":"msft-cve-2022-37967-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc","first_found":"2022-12-23T18:40:29Z","key":"","last_found":"2023-06-23T17:29:23.453Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1

Based on the following 2 results:

    • Found an applicable package: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages\\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.
      • HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\Winners\\amd64_Microsoft-Windows-Audio-DMusic_31bf3856ad364e35_none_6ddb350169ebdb56 - key exists
      • The above CBS component is currently version 6.1.7600.16385, expected version 6.1.7601.26262 or higher
      • 2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288) is applicable for this CBS component

    • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
      • UBR - contains 24443

","protocol":null,"reintroduced":null,"solution_fix":"

Download and apply the patch from: https://support.microsoft.com/kb/5021288

","solution_id":"msft-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc","solution_summary":"2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288)","solution_type":"patch","status":"VULNERABLE_EXPL","vulnerability_id":"msft-cve-2022-37967","added":"2022-11-08T00:00:00Z","categories":"Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation","cves":"CVE-2022-37967","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"multiple","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":6.389999830722808,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":8.3,"cvss_v2_vector":"(AV:N/AC:L/Au:M/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":1.2347077050000002,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"high","cvss_v3_scope":"unchanged","cvss_v3_score":7.2,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Windows Kerberos Elevation of Privilege 
Vulnerability.","exploits":[],"id":"msft-cve-2022-37967","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2022-37967","id":"CVE-2022-37967","source":"cve"},{"href":"https://support.microsoft.com/help/5031364","id":"https://support.microsoft.com/help/5031364","source":"url"},{"href":"https://support.microsoft.com/help/5031362","id":"https://support.microsoft.com/help/5031362","source":"url"},{"href":"https://support.microsoft.com/help/5031361","id":"https://support.microsoft.com/help/5031361","source":"url"},{"href":"https://support.microsoft.com/help/5031407","id":"https://support.microsoft.com/help/5031407","source":"url"},{"href":"https://support.microsoft.com/help/5031419","id":"https://support.microsoft.com/help/5031419","source":"url"},{"href":"https://support.microsoft.com/help/5031427","id":"https://support.microsoft.com/help/5031427","source":"url"}],"malware_kits":[],"modified":"2024-09-06T00:00:00Z","pci_cvss_score":8.3,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2022-11-08T00:00:00Z","references":"cve:CVE-2022-37967,url:https://support.microsoft.com/help/5031361,url:https://support.microsoft.com/help/5031362,url:https://support.microsoft.com/help/5031364,url:https://support.microsoft.com/help/5031407,url:https://support.microsoft.com/help/5031419,url:https://support.microsoft.com/help/5031427","risk_score":434.28,"severity":"critical","severity_score":8,"title":"Microsoft Windows: CVE-2022-37967: Windows Kerberos Elevation of Privilege Vulnerability"}} 
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vulnerability":{"check_id":null,"first_found":"2022-12-23T18:40:29Z","key":"","last_found":"2023-06-23T17:29:23.453Z","nic":null,"port":null,"proof":"

Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1

Based on the following 4 results:

  1. Based on the following 2 results:

      • HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender - key does not exist

      • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender
        • DisableAntiSpyware - contains 0

    • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates
      • EngineVersion - contains 1.1.9203.0

    • HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SepMasterService - key does not exist
      • Start - value does not exist

    • HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\MsMpSvc - key does not exist
      • Start - value does not exist

","protocol":null,"reintroduced":null,"solution_fix":"

Verify that the latest version of the Microsoft Malware Protection Engine\nand definition updates are being actively downloaded and installed for their Microsoft antimalware products.\nFor more information on how to verify the version number for the Microsoft Malware Protection Engine that your\nsoftware is currently using, see the section Verifying Update Installation\nin Microsoft Knowledge Base Article 2510781 https://support.microsoft.com/kb/2510781

","solution_id":"windows-defender-upgrade-latest","solution_summary":"Upgrade Microsoft Defender to the latest version.","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-defender-cve-2022-24548","added":"2022-04-14T00:00:00Z","categories":"Denial of Service,Microsoft Windows Defender","cves":"CVE-2022-24548","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":2.862749751806259,"cvss_v2_integrity_impact":"none","cvss_v2_score":4.3,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:N/I:N/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":1.8345765900000002,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":5.5,"cvss_v3_user_interaction":"required","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","denial_of_service":true,"description":"Microsoft Defender Denial of Service Vulnerability","exploits":[],"id":"windows-defender-cve-2022-24548","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2022-24548","id":"CVE-2022-24548","source":"cve"},{"href":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548","id":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548","source":"url"}],"malware_kits":[],"modified":"2023-12-13T00:00:00Z","pci_cvss_score":4.3,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. 
","pci_status":"pass","published":"2022-04-14T00:00:00Z","references":"cve:CVE-2022-24548,url:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548","risk_score":124.28,"severity":"severe","severity_score":4,"title":"Microsoft Defender Denial of Service Vulnerability (CVE-2022-24548)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vulnerability":{"check_id":null,"first_found":"2018-11-25T09:10:10Z","key":"","last_found":"2019-02-14T21:39:25.312Z","nic":null,"port":445,"proof":"

Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition SP2

System replied with a malformed SMB packet

","protocol":"TCP","reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms09-050","solution_summary":"The solution is unknown for vuln windows-hotfix-ms09-050","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms09-050","added":"2009-10-13T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","cves":"CVE-2009-2526,CVE-2009-2532,CVE-2009-3103","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":9.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.","exploits":[{"description":"Microsoft Windows 7/2008 R2 - Remote Kernel Crash","id":"10005","name":"Microsoft Windows 7/2008 R2 - Remote Kernel Crash","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.","id":"auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff","name":"Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference","rank":"normal","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)","id":"40280","name":"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service","id":"12524","name":"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\n without SP1 does not seem affected by this flaw.","id":"exploit/windows/smb/ms09_050_smb2_negotiate_func_index","name":"MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference","rank":"good","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)","id":"14674","name":"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.","id":"auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh","name":"Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference","rank":"normal","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)","id":"9594","name":"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death 
(MS07-063)","rank":"average","skill_level":"expert","source":"exploitdb"}],"id":"windows-hotfix-ms09-050","links":[{"href":"http://www.us-cert.gov/cas/techalerts/TA09-286A.html","id":"TA09-286A","source":"cert"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489","id":"6489","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336","id":"6336","source":"oval"},{"href":"http://www.securityfocus.com/bid/36299","id":"36299","source":"bid"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595","id":"5595","source":"oval"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-2526","id":"CVE-2009-2526","source":"cve"},{"href":"http://technet.microsoft.com/security/bulletin/MS09-050","id":"MS09-050","source":"ms"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-3103","id":"CVE-2009-3103","source":"cve"},{"href":"http://www.kb.cert.org/vuls/id/135940","id":"135940","source":"cert-vn"},{"href":"https://support.microsoft.com/en-us/kb/975517","id":"KB975517","source":"mskb"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-2532","id":"CVE-2009-2532","source":"cve"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/53090","id":"53090","source":"xf"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2009-10-13T00:00:00Z","references":"cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A","risk_score":914.2,"severity":"critical","severity_score":10,"title":"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)"}} 
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2021-02-23T18:39:30Z","key":"","last_found":"2022-04-23T18:04:36.094Z","nic":null,"port":null,"proof":"

Vulnerable OS: CentOS Linux 7.6.1810

  • mariadb-libs - version 1:5.5.60-1.el7_5 is installed

","protocol":null,"reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-centos_linux-cve-2020-2574","solution_summary":"The solution is unknown for vuln centos_linux-cve-2020-2574","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"centos_linux-cve-2020-2574","added":"2020-09-15T00:00:00Z","categories":"CentOS","cves":"CVE-2020-2574","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":2.862749751806259,"cvss_v2_integrity_impact":"none","cvss_v2_score":4.3,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:N/I:N/A:P)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":5.9,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","denial_of_service":true,"description":"Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).","exploits":[],"id":"centos_linux-cve-2020-2574","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2020-2574","id":"CVE-2020-2574","source":"nvd"}],"malware_kits":[],"modified":"2023-05-25T00:00:00Z","pci_cvss_score":4.3,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. ","pci_status":"pass","published":"2020-01-15T00:00:00Z","references":"nvd:CVE-2020-2574","risk_score":150.88,"severity":"severe","severity_score":4,"title":"CentOS Linux: CVE-2020-2574: Important: mysql:8.0 security update (Multiple Advisories)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":119,"exploits":4,"host_name":"Win11-50-13-52","id":"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1","ip":"10.50.13.52","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":8,"os_architecture":"x86_64","os_description":"Microsoft Windows 11 22H2","os_family":"Windows","os_name":"Windows 11","os_system_name":"Microsoft Windows","os_type":"Workstation","os_vendor":"Microsoft","os_version":"22H2","risk_score":181622,"severe_vulnerabilities":241,"tags":[{"name":"USA","type":"LOCATION"},{"name":"test","type":"SITE"},{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":368,"type":"guest","unique_identifiers":[{"id":"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050","source":"CSPRODUCT"},{"id":"c5cf46abcdef0123456789291c7d554a","source":"R7 Agent"}],"vulnerability":{"check_id":null,"first_found":"2021-03-23T21:18:51Z","key":"","last_found":"2023-06-23T19:16:12.895Z","nic":null,"port":445,"proof":"

Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition

\\BROWSER: WriteAndX succeeded with offset 77

","protocol":"TCP","reintroduced":null,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms09-001","solution_summary":"The solution is unknown for vuln windows-hotfix-ms09-001","solution_type":"workaround","status":"VULNERABLE_EXPL","vulnerability_id":"windows-hotfix-ms09-001","added":"2009-10-13T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","cves":"CVE-2009-2526,CVE-2009-2532,CVE-2009-3103","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":9.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.","exploits":[{"description":"Microsoft Windows 7/2008 R2 - Remote Kernel Crash","id":"10005","name":"Microsoft Windows 7/2008 R2 - Remote Kernel Crash","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.","id":"auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff","name":"Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference","rank":"normal","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)","id":"40280","name":"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service","id":"12524","name":"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\n without SP1 does not seem affected by this flaw.","id":"exploit/windows/smb/ms09_050_smb2_negotiate_func_index","name":"MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference","rank":"good","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)","id":"14674","name":"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.","id":"auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh","name":"Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference","rank":"normal","skill_level":"intermediate","source":"metasploit"},{"description":"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)","id":"9594","name":"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death 
(MS07-063)","rank":"average","skill_level":"expert","source":"exploitdb"}],"id":"windows-hotfix-ms09-050","links":[{"href":"http://www.us-cert.gov/cas/techalerts/TA09-286A.html","id":"TA09-286A","source":"cert"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489","id":"6489","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336","id":"6336","source":"oval"},{"href":"http://www.securityfocus.com/bid/36299","id":"36299","source":"bid"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595","id":"5595","source":"oval"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-2526","id":"CVE-2009-2526","source":"cve"},{"href":"http://technet.microsoft.com/security/bulletin/MS09-050","id":"MS09-050","source":"ms"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-3103","id":"CVE-2009-3103","source":"cve"},{"href":"http://www.kb.cert.org/vuls/id/135940","id":"135940","source":"cert-vn"},{"href":"https://support.microsoft.com/en-us/kb/975517","id":"KB975517","source":"mskb"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2009-2532","id":"CVE-2009-2532","source":"cve"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/53090","id":"53090","source":"xf"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","published":"2009-10-13T00:00:00Z","references":"cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A","risk_score":914.2,"severity":"critical","severity_score":10,"title":"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)"}} 
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2018-11-25T09:16:57Z","key":"","last_found":"2022-02-23T20:10:02.535Z","nic":null,"port":53,"proof":"

Vulnerable OS: Debian Linux 6.0

  • Running DNS service
  • Product BIND exists -- ISC BIND 9.7.3
  • Vulnerable version of product BIND found -- ISC BIND 9.7.3

","protocol":"TCP","reintroduced":null,"solution_fix":"

\n More information about upgrading your version of ISC BIND is available on the ISC website.\n

","solution_id":"upgrade-isc-bind-latest","solution_summary":"Upgrade ISC BIND to latest version","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"dns-bind-cve-2015-4620","added":"2015-10-27T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,DNS,Denial of Service,ISC,ISC BIND","cves":"CVE-2015-4620","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.870600273013115,"cvss_v2_integrity_impact":"none","cvss_v2_score":7.8,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:N/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","denial_of_service":true,"description":"name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.","exploits":[],"id":"dns-bind-cve-2015-4620","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2015-4620","id":"CVE-2015-4620","source":"cve"},{"href":"https://kb.isc.org/article/AA-01267/0","id":"https://kb.isc.org/article/AA-01267/0","source":"url"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":7.8,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. 
","pci_status":"pass","published":"2015-07-08T00:00:00Z","references":"cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0","risk_score":334.11,"severity":"critical","severity_score":8,"title":"ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2023-03-23T19:23:01Z","key":"","last_found":"2023-06-23T19:36:17.715Z","nic":null,"port":445,"proof":"

  • Running CIFS service
  • Configuration item smb2-enabled set to 'true' matched
  • Configuration item smb2-signing set to 'enabled' matched

","protocol":"TCP","reintroduced":null,"solution_fix":"

\n Configure the system to enable or require SMB signing as appropriate.\n The method and effect of doing this is system specific so please see\n this Microsoft article for\n details. Note: ensure that SMB signing configuration is done for \n incoming connections (Server).\n

","solution_id":"cifs-smb-signing-windows","solution_summary":"Configure SMB signing for Windows","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"cifs-smb2-signing-not-required","added":"2015-10-27T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,DNS,Denial of Service,ISC,ISC BIND","cves":"CVE-2015-4620","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.870600273013115,"cvss_v2_integrity_impact":"none","cvss_v2_score":7.8,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:N/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","denial_of_service":true,"description":"name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.","exploits":[],"id":"dns-bind-cve-2015-4620","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2015-4620","id":"CVE-2015-4620","source":"cve"},{"href":"https://kb.isc.org/article/AA-01267/0","id":"https://kb.isc.org/article/AA-01267/0","source":"url"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":7.8,"pci_fail":false,"pci_severity_score":2,"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. 
","pci_status":"pass","published":"2015-07-08T00:00:00Z","references":"cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0","risk_score":334.11,"severity":"critical","severity_score":8,"title":"ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2022-12-23T19:25:13Z","key":"VMware ESX Server 4.0.0 GA","last_found":"2023-06-23T18:08:29.154Z","nic":null,"port":null,"proof":"

Vulnerable OS: VMware ESX Server 4.0.0 GA

  • The property "build" contains: 164009.

","protocol":null,"reintroduced":null,"solution_fix":"

Download and apply the upgrade from: https://knowledge.broadcom.com/external/article?articleNumber=142814

","solution_id":"vmware-esx-upgrade-latest","solution_summary":"Upgrade VMware ESX to the latest version","solution_type":"rollup","status":"VULNERABLE_VERS","vulnerability_id":"vmsa-2012-0013-cve-2012-0815","added":"2012-09-17T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Denial of Service,IAVM,Remote Execution,VMware,VMware ESX/ESXi","cves":"CVE-2012-0815","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"local","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.515145325,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.4,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range 
comparison.","exploits":[],"id":"vmsa-2012-0013-cve-2012-0815","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2012-0815","id":"CVE-2012-0815","source":"cve"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"V0033884","source":"disa_vmskey"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"2012-A-0153","source":"iavm"},{"href":"http://www.vmware.com/security/advisories/VMSA-2012-0013.html","id":"http://www.vmware.com/security/advisories/VMSA-2012-0013.html","source":"url"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"Category I","source":"disa_severity"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"2012-A-0148","source":"iavm"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"V0033794","source":"disa_vmskey"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2012-06-04T00:00:00Z","references":"iavm:2012-A-0148,iavm:2012-A-0153,cve:CVE-2012-0815,disa_severity:Category I,disa_vmskey:V0033794,disa_vmskey:V0033884,url:http://www.vmware.com/security/advisories/VMSA-2012-0013.html","risk_score":716.99,"severity":"severe","severity_score":7,"title":"VMSA-2012-0013: Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS (CVE-2012-0815)"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu 
Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2022-12-23T18:54:08Z","key":"","last_found":"2023-06-23T17:40:02.211Z","nic":null,"port":null,"proof":"

Vulnerable software installed: Wordpress 3.0

","protocol":null,"reintroduced":null,"solution_fix":"

\n Upgrade to the latest version of Wordpress from https://wordpress.org/download/release-archive/

","solution_id":"wordpress-upgrade-latest","solution_summary":"Upgrade to the latest version of Wordpress","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"wordpress-cve-2015-5731","added":"2017-05-16T00:00:00Z","categories":"CSRF,CVSS Score Predicted with Rapid7 AI,Denial of Service,WordPress","cves":"CVE-2015-5731","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":2.8352547300000004,"cvss_v3_impact_score":5.177088,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.1,"cvss_v3_user_interaction":"required","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H","denial_of_service":false,"description":"Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action.","exploits":[],"id":"wordpress-cve-2015-5731","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2015-5731","id":"CVE-2015-5731","source":"cve"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2015-11-09T00:00:00Z","references":"cve:CVE-2015-5731","risk_score":676.67,"severity":"severe","severity_score":7,"title":"Wordpress: CVE-2015-5731: Cross-Site Request Forgery (CSRF)"}} 
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2022-12-23T18:55:39Z","key":"","last_found":"2023-06-23T17:41:50.071Z","nic":null,"port":80,"proof":"

  • Running HTTP service
  • Vulnerable version of component PHP found -- PHP 5.4.16

","protocol":"TCP","reintroduced":null,"solution_fix":"

Download and apply the upgrade from: http://www.php.net/downloads.php

","solution_id":"php-upgrade-latest","solution_summary":"Upgrade to the latest version of PHP","solution_type":"rollup","status":"VULNERABLE_VERS","vulnerability_id":"php-cve-2016-3171","added":"2019-09-30T00:00:00Z","categories":"HTTP,PHP,Remote Execution","cves":"CVE-2016-3171","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.1,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.","exploits":[],"id":"php-cve-2016-3171","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2016-3171","id":"CVE-2016-3171","source":"cve"}],"malware_kits":[],"modified":"2024-11-27T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2016-04-12T00:00:00Z","references":"cve:CVE-2016-3171","risk_score":669.57,"severity":"severe","severity_score":7,"title":"PHP Vulnerability: CVE-2016-3171"}} 
+{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":161,"protocol":"UDP","status":"NO_CREDS_SUPPLIED"},{"port":161,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":9,"exploits":5,"host_name":"BIG-IP-16-1-0.dev.test.rapid7.com","id":"12123455-abcd-5678-1234-01234567890e-default-asset-4123","ip":"175.16.199.1","last_assessed_for_vulnerabilities":"2024-06-23T17:54:28.107Z","last_scan_end":"2024-06-23T17:54:28.107Z","last_scan_start":"2024-06-23T17:44:15.351Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":10,"new":[],"os_architecture":"","os_description":"F5 BIG-IP 16.1.0.0","os_family":"BIG-IP","os_name":"BIG-IP","os_system_name":"F5 BIG-IP","os_type":"Network management device","os_vendor":"F5","os_version":"16.1.0.0","remediated":[],"risk_score":35804.71185,"vulnerability":{"check_id":null,"first_found":"2022-05-23T19:03:38Z","key":"F5 BIG-IP 16.1.0.0","last_found":"2024-06-23T17:54:28.107Z","nic":null,"port":null,"proof":"

Vulnerable OS: F5 BIG-IP 16.1.0.0

  • The property "ltm" contains: true.

","protocol":null,"reintroduced":null,"solution_fix":"

\n Upgrade to the latest available version of F5 BIG-IP. Refer to BIG-IP Hotfix Matrix for the latest hotfix information.\n

","solution_id":"f5-big-ip-upgrade-latest","solution_summary":"Upgrade to the latest available version of F5 BIG-IP","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"f5-big-ip-cve-2017-7656","added":"2022-04-20T00:00:00Z","categories":"F5,F5 BIG-IP,Web","cves":"CVE-2017-7656","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":2.8627500620484354,"cvss_v2_integrity_impact":"partial","cvss_v2_score":5,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:P/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","denial_of_service":false,"description":"In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. 
This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.","exploits":[],"id":"f5-big-ip-cve-2017-7656","links":[{"href":"https://my.f5.com/manage/s/article/K21054458","id":"https://my.f5.com/manage/s/article/K21054458","source":"url"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2017-7656","id":"CVE-2017-7656","source":"cve"}],"malware_kits":[],"modified":"2024-12-06T00:00:00Z","pci_cvss_score":5,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"2018-06-26T00:00:00Z","references":"cve:CVE-2017-7656,url:https://my.f5.com/manage/s/article/K21054458","risk_score":229.89,"severity":"severe","severity_score":5,"title":"F5 Networks: CVE-2017-7656: K21054458: Eclipse Jetty vulnerability CVE-2017-7656"},"severe_vulnerabilities":94,"tags":[{"name":"snow_test","type":"CUSTOM"},{"name":"all_assets2","type":"CUSTOM"},{"name":"all_assets","type":"CUSTOM"},{"name":"my tag test","type":"CUSTOM"},{"name":"lab","type":"SITE"}],"total_vulnerabilities":113,"type":"guest","unique_identifiers":[]}
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json
index d2d1f2b9bd7..e69bc57ef48 100644
--- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json
@@ -12,7 +12,7 @@
 "created": "2025-05-14T13:52:10.000Z",
 "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|azul-zulu-cve-2025-21502|2025-05-27T19:54:43.777Z",
 "kind": "event",
- "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2025-05-14T13:52:10Z\",\"key\":\"/root/infaagent/jdk/lib/jrt-fs.jar\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Ubuntu Linux 22.04

Vulnerable software installed: Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

\\n Download and upgrade to the latest version of Azul Zulu from here.

\",\"solution_id\":\"azul-zulu-upgrade-latest\",\"solution_summary\":\"Upgrade Azul Zulu to the latest version\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"azul-zulu-cve-2025-21502\",\"added\":\"2025-02-05T00:00:00Z\",\"categories\":\"Azul Systems,Azul Zulu,Java,Web\",\"cves\":\"CVE-2025-21502\",\"cvss_v2_access_complexity\":\"high\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":4.927999973297119,\"cvss_v2_impact_score\":4.938243839970231,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":4,\"cvss_v2_vector\":\"(AV:N/AC:H/Au:N/C:P/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"high\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"low\",\"cvss_v3_exploit_score\":2.2211673,\"cvss_v3_impact_score\":2.5140719999999996,\"cvss_v3_integrity_impact\":\"low\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":4.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"denial_of_service\":false,\"description\":\"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).\",\"exploits\":[],\"id\":\"azul-zulu-cve-2025-21502\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2025-21502\",\"id\":\"CVE-2025-21502\",\"source\":\"cve\"},{\"href\":\"https://www.azul.com/downloads/\",\"id\":\"https://www.azul.com/downloads/\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":4,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2025-01-21T00:00:00Z\",\"references\":\"cve:CVE-2025-21502,url:https://www.azul.com/downloads/\",\"risk_score\":321,\"severity\":\"low\",\"severity_score\":4,\"title\":\"Azul Zulu: CVE-2025-21502: Vulnerability in the Azul Zulu OpenJDK component\"}}",
+ "original":
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2025-05-14T13:52:10Z\",\"key\":\"/root/infaagent/jdk/lib/jrt-fs.jar\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Ubuntu Linux 22.04

Vulnerable software installed: Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

\\n Download and upgrade to the latest version of Azul Zulu from here.

\",\"solution_id\":\"azul-zulu-upgrade-latest\",\"solution_summary\":\"Upgrade Azul Zulu to the latest version\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"azul-zulu-cve-2025-21502\",\"added\":\"2025-02-05T00:00:00Z\",\"categories\":\"Azul Systems,Azul Zulu,Java,Web\",\"cves\":\"CVE-2025-21502\",\"cvss_v2_access_complexity\":\"high\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":4.927999973297119,\"cvss_v2_impact_score\":4.938243839970231,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":4,\"cvss_v2_vector\":\"(AV:N/AC:H/Au:N/C:P/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"high\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"low\",\"cvss_v3_exploit_score\":2.2211673,\"cvss_v3_impact_score\":2.5140719999999996,\"cvss_v3_integrity_impact\":\"low\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":4.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"denial_of_service\":false,\"description\":\"Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).\",\"exploits\":[],\"id\":\"azul-zulu-cve-2025-21502\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2025-21502\",\"id\":\"CVE-2025-21502\",\"source\":\"cve\"},{\"href\":\"https://www.azul.com/downloads/\",\"id\":\"https://www.azul.com/downloads/\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":4,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2025-01-21T00:00:00Z\",\"references\":\"cve:CVE-2025-21502,url:https://www.azul.com/downloads/\",\"risk_score\":321,\"severity\":\"low\",\"severity_score\":4,\"title\":\"Azul Zulu: CVE-2025-21502: Vulnerability in the Azul Zulu OpenJDK component\"}}",
 "severity": 4,
 "type": [
 "info"
@@ -93,7 +93,7 @@
 "source": "Endpoint Agent"
 }
 ],
- "vuln": {
+ "vulnerability": {
 "added": "2025-02-05T00:00:00.000Z",
 "categories": [
 "Azul Systems",
@@ -231,7 +231,7 @@
 "created": "2025-05-13T13:25:40.000Z",
 "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|linux-grub-missing-passwd|2025-05-27T19:54:43.777Z",
 "kind": "event",
- "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2025-05-13T13:25:40Z\",\"key\":\"\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":null,\"proof\":\"

Grub config with no password found.

  • Vulnerable file: /boot/grub/grub.cfg

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Set a password in the GRUB configuration file. This\\n is often located in one of several locations, but can really be\\n anywhere:

\\n          /etc/grub.conf\\n          /boot/grub/grub.conf\\n          /boot/grub/grub.cfg\\n          /boot/grub/menu.lst\\n        

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file\\n and add the following line before the first uncommented line:

   password <password>

To set an encrypted password, run grub-md5-crypt and use its\\n output when adding the following line before the first\\n uncommented line:

   password --md5 <encryptedpassword>

For either approach, choose an appropriately strong password.

\",\"solution_id\":\"linux-grub-missing-passwd\",\"solution_summary\":\" Enable GRUB password \",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"linux-grub-missing-passwd\",\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,UNIX\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"local\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":3.948735978603363,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":4.6,\"cvss_v2_vector\":\"(AV:L/AC:L/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.177088,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.7,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"denial_of_service\":false,\"description\":\"GRUB bootloader is not password protected. An attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command. 
It can also be exploited to boot into single user mode as root or boot into an insecure operating system.\",\"exploits\":[],\"id\":\"linux-grub-missing-passwd\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":4.6,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"1999-01-01T00:00:00Z\",\"references\":\"\",\"risk_score\":515,\"severity\":\"critical\",\"severity_score\":5,\"title\":\"No password for Grub\"}}",
+ "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2025-05-13T13:25:40Z\",\"key\":\"\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":null,\"proof\":\"

Grub config with no password found.

  • Vulnerable file: /boot/grub/grub.cfg

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Set a password in the GRUB configuration file. This\\n is often located in one of several locations, but can really be\\n anywhere:

\\n          /etc/grub.conf\\n          /boot/grub/grub.conf\\n          /boot/grub/grub.cfg\\n          /boot/grub/menu.lst\\n        

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file\\n and add the following line before the first uncommented line:

   password <password>

To set an encrypted password, run grub-md5-crypt and use its\\n output when adding the following line before the first\\n uncommented line:

   password --md5 <encryptedpassword>

For either approach, choose an appropriately strong password.

\",\"solution_id\":\"linux-grub-missing-passwd\",\"solution_summary\":\" Enable GRUB password \",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"linux-grub-missing-passwd\",\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,UNIX\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"local\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":3.948735978603363,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":4.6,\"cvss_v2_vector\":\"(AV:L/AC:L/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.177088,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.7,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"denial_of_service\":false,\"description\":\"GRUB bootloader is not password protected. An attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command. It can also be exploited to boot into single user mode as root or boot into an insecure operating system.\",\"exploits\":[],\"id\":\"linux-grub-missing-passwd\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":4.6,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"1999-01-01T00:00:00Z\",\"references\":\"\",\"risk_score\":515,\"severity\":\"critical\",\"severity_score\":5,\"title\":\"No password for Grub\"}}",
 "severity": 5,
 "type": [
 "info"
@@ -307,7 +307,7 @@
 "source": "Endpoint Agent"
 }
 ],
- "vuln": {
+ "vulnerability": {
 "added": "2004-11-30T00:00:00.000Z",
 "categories": [
 "CVSS Score Predicted with Rapid7 AI",
@@ -417,7 +417,7 @@
 "created": "2025-04-30T06:21:05.000Z",
 "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|certificate-common-name-mismatch|2025-05-27T19:54:43.777Z",
 "kind": "event",
- "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2025-04-30T06:21:05Z\",\"key\":\"\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":3389,\"proof\":\"

The subject common name found in the X.509 certificate does not seem to match the scan target:

  • Subject CN Win11-50-13-52.testad.local does not match target name specified in the site.

\",\"protocol\":\"TCP\",\"reintroduced\":\"2025-05-27T13:34:19Z\",\"solution_fix\":\"

\\n The subject's common name (CN) field in the X.509 certificate should be fixed\\nto reflect the name of the entity presenting the certificate (e.g., the\\nhostname). This is done by generating a new certificate usually signed by a\\nCertification Authority (CA) trusted by both the client and server.\\n

\",\"solution_id\":\"certificate-common-name-mismatch\",\"solution_summary\":\"Fix the subject's Common Name (CN) field in the certificate\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"certificate-common-name-mismatch\",\"added\":\"2007-08-03T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,HTTP,Web\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"high\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":4.927999973297119,\"cvss_v2_impact_score\":7.843935219030975,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.1,\"cvss_v2_vector\":\"(AV:N/AC:H/Au:N/C:C/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"high\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.2211673,\"cvss_v3_impact_score\":5.177088,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"denial_of_service\":false,\"description\":\"The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.\\n\\nBefore issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by \\\"https://www.example.com/\\\", the CN should be \\\"www.example.com\\\". 
\\n\\nIn order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then launch a man-in-the-middle attack and gain full control of the data stream. Of particular importance is the validity of the subject's CN, that should match the name of the entity (hostname).\\n\\nA CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.\",\"exploits\":[],\"id\":\"certificate-common-name-mismatch\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":6.1,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2007-08-03T00:00:00Z\",\"references\":\"\",\"risk_score\":495,\"severity\":\"none\",\"severity_score\":6,\"title\":\"X.509 Certificate Subject CN Does Not Match the Entity Name\"}}",
+ "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft 
Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2025-04-30T06:21:05Z\",\"key\":\"\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":3389,\"proof\":\"

The subject common name found in the X.509 certificate does not seem to match the scan target:

  • Subject CN Win11-50-13-52.testad.local does not match target name specified in the site.

\",\"protocol\":\"TCP\",\"reintroduced\":\"2025-05-27T13:34:19Z\",\"solution_fix\":\"

\\n The subject's common name (CN) field in the X.509 certificate should be fixed\\nto reflect the name of the entity presenting the certificate (e.g., the\\nhostname). This is done by generating a new certificate usually signed by a\\nCertification Authority (CA) trusted by both the client and server.\\n

\",\"solution_id\":\"certificate-common-name-mismatch\",\"solution_summary\":\"Fix the subject's Common Name (CN) field in the certificate\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"certificate-common-name-mismatch\",\"added\":\"2007-08-03T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,HTTP,Web\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"high\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":4.927999973297119,\"cvss_v2_impact_score\":7.843935219030975,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.1,\"cvss_v2_vector\":\"(AV:N/AC:H/Au:N/C:C/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"high\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.2211673,\"cvss_v3_impact_score\":5.177088,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"denial_of_service\":false,\"description\":\"The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.\\n\\nBefore issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by \\\"https://www.example.com/\\\", the CN should be \\\"www.example.com\\\". 
\\n\\nIn order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then launch a man-in-the-middle attack and gain full control of the data stream. Of particular importance is the validity of the subject's CN, that should match the name of the entity (hostname).\\n\\nA CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.\",\"exploits\":[],\"id\":\"certificate-common-name-mismatch\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":6.1,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2007-08-03T00:00:00Z\",\"references\":\"\",\"risk_score\":495,\"severity\":\"none\",\"severity_score\":6,\"title\":\"X.509 Certificate Subject CN Does Not Match the Entity Name\"}}",
 "severity": 6,
 "type": [
 "info"
@@ -490,7 +490,7 @@
 "source": "R7 Agent"
 }
 ],
- "vuln": {
+ "vulnerability": {
 "added": "2007-08-03T00:00:00.000Z",
 "categories": [
 "CVSS Score Predicted with Rapid7 AI",
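Review bot: Renaming `\"vuln\"` to `\"vulnerability\"` inside the `event.original` string changes the fixture's raw payload, not only the pipeline's parsed output, so the expected document now asserts that the input itself emits `vulnerability`. That is correct only if the CEL program that assembles each per-vulnerability event was changed to emit that key (not visible in this hunk); if the rename is instead done by a `rename` processor in the ingest pipeline, `original` must keep `vuln` and the file should be regenerated with `elastic-package test pipeline --generate` rather than edited by hand, otherwise the test stops exercising the shape seen in production. The same applies to the `-604` hunk and to the one-line `vuln`/`vulnerability` hunks at `-307`, `-490` and `-681`. The hunk header counts seven lines, so the line breaks shown inside `proof` and `solution_fix` are a rendering artifact of this page, not newlines in the file.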
@@ -604,7 +604,7 @@
 "created": "2025-05-13T07:25:34.000Z",
 "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|microsoft-windows-cve-2025-21204|2025-05-27T19:54:43.777Z",
 "kind": "event",
- "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":\"microsoft-windows-cve-2025-21204-windows_11-22h2-kb5055528\",\"first_found\":\"2025-05-13T07:25:34Z\",\"key\":\"\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows 11 22H2

  • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion
    • UBR - contains 4317

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Download and apply the patch from: https://support.microsoft.com/help/5058405

\",\"solution_id\":\"microsoft-windows-windows_11-22h2-kb5058405\",\"solution_summary\":\"2025-05 Cumulative Update for Microsoft Windows 11, version 22H2 (KB5058405)\",\"solution_type\":\"patch\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"microsoft-windows-cve-2025-21204\",\"added\":\"2025-04-08T00:00:00Z\",\"categories\":\"Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation\",\"cves\":\"CVE-2025-21204\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"local\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":3.141040013372898,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":6.8,\"cvss_v2_vector\":\"(AV:L/AC:L/Au:S/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":1.8345765900000002,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"low\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege 
Vulnerability\",\"exploits\":[],\"id\":\"microsoft-windows-cve-2025-21204\",\"links\":[{\"href\":\"https://support.microsoft.com/help/5055557\",\"id\":\"https://support.microsoft.com/help/5055557\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055547\",\"id\":\"https://support.microsoft.com/help/5055547\",\"source\":\"url\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2025-21204\",\"id\":\"CVE-2025-21204\",\"source\":\"cve\"},{\"href\":\"https://support.microsoft.com/help/5055526\",\"id\":\"https://support.microsoft.com/help/5055526\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055527\",\"id\":\"https://support.microsoft.com/help/5055527\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055521\",\"id\":\"https://support.microsoft.com/help/5055521\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055523\",\"id\":\"https://support.microsoft.com/help/5055523\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055528\",\"id\":\"https://support.microsoft.com/help/5055528\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055518\",\"id\":\"https://support.microsoft.com/help/5055518\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055519\",\"id\":\"https://support.microsoft.com/help/5055519\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055581\",\"id\":\"https://support.microsoft.com/help/5055581\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-04-14T00:00:00Z\",\"pci_cvss_score\":6.8,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2025-04-08T00:00:00Z\",\"references\":\"cve:CVE-2025-21204,url:https://support.microsoft.com/help/5055518,url:https://support.microsoft.com/help/5055519,url:https://support.microsoft.com/help/5055521,url:https://support.microsoft.com/help/5055523,url:https://support.microsoft.com/help/5055526,url:https:
//support.microsoft.com/help/5055527,url:https://support.microsoft.com/help/5055528,url:https://support.microsoft.com/help/5055547,url:https://support.microsoft.com/help/5055557,url:https://support.microsoft.com/help/5055581\",\"risk_score\":522,\"severity\":\"informational\",\"severity_score\":7,\"title\":\"Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability\"}}",
+ "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"check_id\":\"microsoft-windows-cve-2025-21204-windows_11-22h2-kb5055528\",\"first_found\":\"2025-05-13T07:25:34Z\",\"key\":\"\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows 11 22H2

  • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion
    • UBR - contains 4317

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Download and apply the patch from: https://support.microsoft.com/help/5058405

\",\"solution_id\":\"microsoft-windows-windows_11-22h2-kb5058405\",\"solution_summary\":\"2025-05 Cumulative Update for Microsoft Windows 11, version 22H2 (KB5058405)\",\"solution_type\":\"patch\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"microsoft-windows-cve-2025-21204\",\"added\":\"2025-04-08T00:00:00Z\",\"categories\":\"Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation\",\"cves\":\"CVE-2025-21204\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"local\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":3.141040013372898,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":6.8,\"cvss_v2_vector\":\"(AV:L/AC:L/Au:S/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":1.8345765900000002,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"low\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege 
Vulnerability\",\"exploits\":[],\"id\":\"microsoft-windows-cve-2025-21204\",\"links\":[{\"href\":\"https://support.microsoft.com/help/5055557\",\"id\":\"https://support.microsoft.com/help/5055557\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055547\",\"id\":\"https://support.microsoft.com/help/5055547\",\"source\":\"url\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2025-21204\",\"id\":\"CVE-2025-21204\",\"source\":\"cve\"},{\"href\":\"https://support.microsoft.com/help/5055526\",\"id\":\"https://support.microsoft.com/help/5055526\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055527\",\"id\":\"https://support.microsoft.com/help/5055527\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055521\",\"id\":\"https://support.microsoft.com/help/5055521\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055523\",\"id\":\"https://support.microsoft.com/help/5055523\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055528\",\"id\":\"https://support.microsoft.com/help/5055528\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055518\",\"id\":\"https://support.microsoft.com/help/5055518\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055519\",\"id\":\"https://support.microsoft.com/help/5055519\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5055581\",\"id\":\"https://support.microsoft.com/help/5055581\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-04-14T00:00:00Z\",\"pci_cvss_score\":6.8,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2025-04-08T00:00:00Z\",\"references\":\"cve:CVE-2025-21204,url:https://support.microsoft.com/help/5055518,url:https://support.microsoft.com/help/5055519,url:https://support.microsoft.com/help/5055521,url:https://support.microsoft.com/help/5055523,url:https://support.microsoft.com/help/5055526,url:https:
//support.microsoft.com/help/5055527,url:https://support.microsoft.com/help/5055528,url:https://support.microsoft.com/help/5055547,url:https://support.microsoft.com/help/5055557,url:https://support.microsoft.com/help/5055581\",\"risk_score\":522,\"severity\":\"informational\",\"severity_score\":7,\"title\":\"Microsoft Windows: CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability\"}}",
 "severity": 7,
 "type": [
 "info"
@@ -681,7 +681,7 @@
 "source": "R7 Agent"
 }
 ],
- "vuln": {
+ "vulnerability": {
 "added": "2025-04-08T00:00:00.000Z",
 "categories": [
 "Microsoft",
@@ -873,7 +873,7 @@
 "created": "2025-05-13T07:25:34.000Z",
 "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|windows-hotfix-ms13-098|2025-05-27T19:54:43.777Z",
 "kind": "event",
- "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":\"WINDOWS-HOTFIX-MS13-098-x64\",\"first_found\":\"2025-05-13T07:25:34Z\",\"key\":\"\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows 11 22H2

  • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Wintrust\\\\Config - key does not exist
    • EnableCertPaddingCheck - value does not exist

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Download and apply the patch from: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

\",\"solution_id\":\"windows-hotfix-ms13-098\",\"solution_summary\":\"Enable Certificate Padding Check for Windows Systems\",\"solution_type\":\"patch\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms13-098\",\"added\":\"2013-12-10T00:00:00Z\",\"categories\":\"CISA KEV,Exploited in the Wild,Microsoft,Microsoft Patch,Microsoft Windows,Remote Execution\",\"cves\":\"CVE-2013-3900\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"local\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":3.392575981616974,\"cvss_v2_impact_score\":6.870600273013115,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":4.7,\"cvss_v2_vector\":\"(AV:L/AC:M/Au:N/C:N/I:C/A:N)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":1.8345765900000002,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":5.5,\"cvss_v3_user_interaction\":\"required\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"denial_of_service\":false,\"description\":\"This vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. Note that this vulnerability was originally published by Microsoft as MS13-098, but has now been republished as CVE-2013-3900. 
Microsoft provides current information on the CVE-2013-3900 advisory.\",\"exploits\":[],\"id\":\"windows-hotfix-ms13-098\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2013-3900\",\"id\":\"CVE-2013-3900\",\"source\":\"cve\"},{\"href\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900\",\"id\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-04-22T00:00:00Z\",\"pci_cvss_score\":4.7,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2013-12-10T00:00:00Z\",\"references\":\"cve:CVE-2013-3900,url:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900\",\"risk_score\":450,\"severity\":\"severe\",\"severity_score\":5,\"title\":\"CVE-2013-3900: MS13-098: Vulnerability in Windows Could Allow Remote Code Execution\"}}",
+ "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight 
agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"check_id\":\"WINDOWS-HOTFIX-MS13-098-x64\",\"first_found\":\"2025-05-13T07:25:34Z\",\"key\":\"\",\"last_found\":\"2025-05-27T19:54:43.777Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows 11 22H2

  • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Wintrust\\\\Config - key does not exist
    • EnableCertPaddingCheck - value does not exist

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Download and apply the patch from: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

\",\"solution_id\":\"windows-hotfix-ms13-098\",\"solution_summary\":\"Enable Certificate Padding Check for Windows Systems\",\"solution_type\":\"patch\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms13-098\",\"added\":\"2013-12-10T00:00:00Z\",\"categories\":\"CISA KEV,Exploited in the Wild,Microsoft,Microsoft Patch,Microsoft Windows,Remote Execution\",\"cves\":\"CVE-2013-3900\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"local\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":3.392575981616974,\"cvss_v2_impact_score\":6.870600273013115,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":4.7,\"cvss_v2_vector\":\"(AV:L/AC:M/Au:N/C:N/I:C/A:N)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":1.8345765900000002,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":5.5,\"cvss_v3_user_interaction\":\"required\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"denial_of_service\":false,\"description\":\"This vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. Note that this vulnerability was originally published by Microsoft as MS13-098, but has now been republished as CVE-2013-3900. 
Microsoft provides current information on the CVE-2013-3900 advisory.\",\"exploits\":[],\"id\":\"windows-hotfix-ms13-098\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2013-3900\",\"id\":\"CVE-2013-3900\",\"source\":\"cve\"},{\"href\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900\",\"id\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-04-22T00:00:00Z\",\"pci_cvss_score\":4.7,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2013-12-10T00:00:00Z\",\"references\":\"cve:CVE-2013-3900,url:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900\",\"risk_score\":450,\"severity\":\"severe\",\"severity_score\":5,\"title\":\"CVE-2013-3900: MS13-098: Vulnerability in Windows Could Allow Remote Code Execution\"}}", "severity": 5, "type": [ "info" @@ -950,7 +950,7 @@ "source": "R7 Agent" } ], - "vuln": { + "vulnerability": { "added": "2013-12-10T00:00:00.000Z", "categories": [ "CISA KEV", 
@@ -1092,7 +1092,7 @@ "created": "2025-05-12T16:25:35.000Z", "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6|unix-anonymous-root-logins|2025-05-27T18:21:36.279Z", "kind": "event", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2025-05-12T16:25:35Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"

Following entries in /etc/securetty \\n may allow anonymous root logins:

  • ttyS0
  • ttysclp0
  • sclp_line0
  • 3270/tty1
  • hvc0
  • hvc1
  • hvc2
  • hvc3
  • hvc4
  • hvc5
  • hvc6
  • hvc7
  • hvsi0
  • hvsi1
  • hvsi2
  • xvc0

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Remove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]*

Note: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the "PermitRootLogin" setting in /etc/ssh/sshd_config\\n and restart the ssh daemon.

\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-anonymous-root-logins\",\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,UNIX\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":7.9520000338554375,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:S/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \\\"su\\\" to become root.\",\"exploits\":[],\"id\":\"unix-anonymous-root-logins\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":6.5,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2004-11-30T00:00:00Z\",\"references\":\"\",\"risk_score\":562,\"severity\":\"severe\",\"severity_score\":7,\"title\":\"Anonymous root login is allowed\"}}", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2025-05-12T16:25:35Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"

Following entries in /etc/securetty \\n may allow anonymous root logins:

  • ttyS0
  • ttysclp0
  • sclp_line0
  • 3270/tty1
  • hvc0
  • hvc1
  • hvc2
  • hvc3
  • hvc4
  • hvc5
  • hvc6
  • hvc7
  • hvsi0
  • hvsi1
  • hvsi2
  • xvc0

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Remove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]*

Note: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the "PermitRootLogin" setting in /etc/ssh/sshd_config\\n and restart the ssh daemon.

\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-anonymous-root-logins\",\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,UNIX\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":7.9520000338554375,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:S/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \\\"su\\\" to become root.\",\"exploits\":[],\"id\":\"unix-anonymous-root-logins\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":6.5,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2004-11-30T00:00:00Z\",\"references\":\"\",\"risk_score\":562,\"severity\":\"severe\",\"severity_score\":7,\"title\":\"Anonymous root login is allowed\"}}", "severity": 7, "type": [ "info" @@ -1164,7 +1164,7 @@ "source": "R7 Agent" } ], - "vuln": { + "vulnerability": { "added": "2004-11-30T00:00:00.000Z", "categories": [ "CVSS Score Predicted with Rapid7 AI", 
@@ -1274,7 +1274,7 @@ "created": "2025-05-14T13:52:10.000Z", "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6|unix-world-writable-files|2025-05-27T18:21:36.279Z", "kind": "event", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2025-05-14T13:52:10Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"

The following world writable files were found.

  • /var/.com.zerog.registry.xml (-rwxrwxrwx)

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

For each world-writable file, determine whether there is a good reason for\\n it to be world writable. If not, remove world write permissions for the file.\\n The output here is limited to 50 files. In order to find all of these files without needing to\\n run another Nexpose scan run the following command:

 find / -type f -perm -02

Please note; it may be necessary exclude particular paths or file share types, run 'man find' for information.

\",\"solution_id\":\"unix-world-writable-files\",\"solution_summary\":\"Remove world write permissions\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-world-writable-files\",\"added\":\"2005-01-15T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,UNIX\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"local\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":3.948735978603363,\"cvss_v2_impact_score\":4.938243839970231,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":3.6,\"cvss_v2_vector\":\"(AV:L/AC:L/Au:N/C:P/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"low\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":1.4123999999999999,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"denial_of_service\":false,\"description\":\"World writable files were found on the system. 
A file that can be written by any user on the system could be a serious security flaw.\",\"exploits\":[],\"id\":\"unix-world-writable-files\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":3.6,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"\",\"pci_status\":\"pass\",\"published\":\"2005-01-15T00:00:00Z\",\"references\":\"\",\"risk_score\":268,\"severity\":\"severe\",\"severity_score\":4,\"title\":\"World writable files exist\"}}", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2025-05-14T13:52:10Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"

The following world writable files were found.

  • /var/.com.zerog.registry.xml (-rwxrwxrwx)

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

For each world-writable file, determine whether there is a good reason for\\n it to be world writable. If not, remove world write permissions for the file.\\n The output here is limited to 50 files. In order to find all of these files without needing to\\n run another Nexpose scan run the following command:

 find / -type f -perm -02

Please note; it may be necessary exclude particular paths or file share types, run 'man find' for information.

\",\"solution_id\":\"unix-world-writable-files\",\"solution_summary\":\"Remove world write permissions\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-world-writable-files\",\"added\":\"2005-01-15T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,UNIX\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"local\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":3.948735978603363,\"cvss_v2_impact_score\":4.938243839970231,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":3.6,\"cvss_v2_vector\":\"(AV:L/AC:L/Au:N/C:P/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"low\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":1.4123999999999999,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"denial_of_service\":false,\"description\":\"World writable files were found on the system. A file that can be written by any user on the system could be a serious security flaw.\",\"exploits\":[],\"id\":\"unix-world-writable-files\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":3.6,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"\",\"pci_status\":\"pass\",\"published\":\"2005-01-15T00:00:00Z\",\"references\":\"\",\"risk_score\":268,\"severity\":\"severe\",\"severity_score\":4,\"title\":\"World writable files exist\"}}", "severity": 4, "type": [ "info" 
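Review bot: The added `original` line in this hunk changes more than the `vuln` → `vulnerability` key rename: the removed line's description breaks after `World writable files were found on the system. ` while the added line carries `World writable files were found on the system. A file that can be written by any user on the system could be a serious security flaw.` as one run. `event.original` has to match the test input byte-for-byte, so either the corresponding `.log` input changed in the same way or this expected file was edited by hand and will drift from the generated output. The other `original` hunks in this file (`@@ -1092` and `@@ -1456`) keep the break on both the old and new side, so only this one needs checking. Regenerating the expected file with `elastic-package test pipeline -g` rather than hand-editing it is the safer way to keep the fixture in sync with the pipeline.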
@@ -1346,7 +1346,7 @@ "source": "R7 Agent" } ], - "vuln": { + "vulnerability": { "added": "2005-01-15T00:00:00.000Z", "categories": [ "CVSS Score Predicted with Rapid7 AI", @@ -1456,7 +1456,7 @@ "created": "2020-07-23T20:11:10.000Z", "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|debian-obsolete|2020-07-23T20:11:10.304Z", "kind": "event", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2020-07-23T20:11:10Z\",\"key\":\"Debian Linux 8.0\",\"last_found\":\"2020-07-23T20:11:10.304Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Debian Linux 8.0

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

\\n See the Debian 9 release notes for instructions on upgrading to Debian GNU/Linux 9, alias "stretch".\\n

\",\"solution_id\":\"debian-upgrade-to-stretch\",\"solution_summary\":\"Upgrade to Debian GNU/Linux 9 or later\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"debian-obsolete\",\"added\":\"2013-01-29T00:00:00Z\",\"categories\":\"Debian Linux,Obsolete OS,Obsolete Software\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":6.0477304915445185,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"changed\",\"cvss_v3_score\":10,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Debian terminated support for Debian GNU/Linux 9 \\\"stretch\\\" on Jun 30, 2022. All Debian versions prior to 10.0 \\\"buster\\\" may have unpatched security vulnerabilities.\",\"exploits\":[],\"id\":\"debian-obsolete\",\"links\":[{\"href\":\"https://wiki.debian.org/LTS\",\"id\":\"https://wiki.debian.org/LTS\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-03-28T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"This operating system version is no longer supported by the vendor, and results in an automatic failure. 
\",\"pci_status\":\"fail\",\"published\":\"2006-06-30T00:00:00Z\",\"references\":\"url:https://wiki.debian.org/LTS\",\"risk_score\":911.42,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"Obsolete Debian GNU/Linux Version\"}}", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2020-07-23T20:11:10Z\",\"key\":\"Debian Linux 8.0\",\"last_found\":\"2020-07-23T20:11:10.304Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Debian Linux 8.0

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

\\n See the Debian 9 release notes for instructions on upgrading to Debian GNU/Linux 9, alias "stretch".\\n

\",\"solution_id\":\"debian-upgrade-to-stretch\",\"solution_summary\":\"Upgrade to Debian GNU/Linux 9 or later\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"debian-obsolete\",\"added\":\"2013-01-29T00:00:00Z\",\"categories\":\"Debian Linux,Obsolete OS,Obsolete Software\",\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":6.0477304915445185,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"changed\",\"cvss_v3_score\":10,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Debian terminated support for Debian GNU/Linux 9 \\\"stretch\\\" on Jun 30, 2022. All Debian versions prior to 10.0 \\\"buster\\\" may have unpatched security vulnerabilities.\",\"exploits\":[],\"id\":\"debian-obsolete\",\"links\":[{\"href\":\"https://wiki.debian.org/LTS\",\"id\":\"https://wiki.debian.org/LTS\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-03-28T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"This operating system version is no longer supported by the vendor, and results in an automatic failure. 
\",\"pci_status\":\"fail\",\"published\":\"2006-06-30T00:00:00Z\",\"references\":\"url:https://wiki.debian.org/LTS\",\"risk_score\":911.42,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"Obsolete Debian GNU/Linux Version\"}}", "severity": 10, "type": [ "info" @@ -1537,7 +1537,7 @@ "source": "Endpoint Agent" } ], - "vuln": { + "vulnerability": { "added": "2013-01-29T00:00:00.000Z", "categories": [ "Debian Linux", @@ -1662,7 +1662,7 @@ "created": "2018-11-25T09:20:27.000Z", "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|windows-hotfix-ms06-035|2023-05-23T18:16:30.836Z", "kind": "event", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2018-11-25T09:20:27Z\",\"key\":\"\",\"last_found\":\"2023-05-23T18:16:30.836Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows Server 2003 SP1

Server responded with vulnerable error code: 2 and class: 1

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms06-035\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms06-035\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms06-035\",\"added\":\"2006-07-12T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution\",\"cves\":\"CVE-2006-1314,CVE-2006-1315\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":7.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.83525473,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"low\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":6.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"denial_of_service\":false,\"description\":\"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \\\"Vulnerability Details\\\" section of this bulletin. 
We recommend that customers apply the update immediately.\",\"exploits\":[{\"description\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"id\":\"2057\",\"name\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a kernel pool corruption bug in SRV.SYS. Each\\n call to the mailslot write function results in a two byte return value\\n being written into the response packet. The code which creates this packet\\n fails to consider these two bytes in the allocation routine, resulting in\\n a slow corruption of the kernel memory pool. These two bytes are almost\\n always set to \\\"\\\\xff\\\\xff\\\" (a short integer with value of -1).\",\"id\":\"auxiliary/dos/windows/smb/ms06_035_mailslot\",\"name\":\"Microsoft SRV.SYS Mailslot Write Corruption\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"}],\"id\":\"windows-hotfix-ms06-035\",\"links\":[{\"href\":\"http://www.kb.cert.org/vuls/id/189140\",\"id\":\"189140\",\"source\":\"cert-vn\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818\",\"id\":\"win-mailslot-bo(26818)\",\"source\":\"xf\"},{\"href\":\"http://www.securityfocus.com/bid/18863\",\"id\":\"18863\",\"source\":\"bid\"},{\"href\":\"https://support.microsoft.com/en-us/kb/917159\",\"id\":\"KB917159\",\"source\":\"mskb\"},{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA06-192A.html\",\"id\":\"TA06-192A\",\"source\":\"cert\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1314\",\"id\":\"CVE-2006-1314\",\"source\":\"cve\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1315\",\"id\":\"CVE-2006-1315\",\"source\":\"cve\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3\",\"id\":\"3\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600\",\"id\":
\"600\",\"source\":\"oval\"},{\"href\":\"http://www.osvdb.org/27155\",\"id\":\"27155\",\"source\":\"osvdb\"},{\"href\":\"http://www.osvdb.org/27154\",\"id\":\"27154\",\"source\":\"osvdb\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS06-035\",\"id\":\"MS06-035\",\"source\":\"ms\"},{\"href\":\"http://www.securityfocus.com/bid/18891\",\"id\":\"18891\",\"source\":\"bid\"},{\"href\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"id\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"source\":\"url\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26820\",\"id\":\"win-smb-information-disclosure(26820)\",\"source\":\"xf\"},{\"href\":\"http://www.kb.cert.org/vuls/id/333636\",\"id\":\"333636\",\"source\":\"cert-vn\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":7.5,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2006-07-11T00:00:00Z\",\"references\":\"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)\",\"risk_score\":756.57,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)\"}}", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2018-11-25T09:20:27Z\",\"key\":\"\",\"last_found\":\"2023-05-23T18:16:30.836Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows Server 2003 SP1

Server responded with vulnerable error code: 2 and class: 1

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms06-035\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms06-035\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms06-035\",\"added\":\"2006-07-12T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution\",\"cves\":\"CVE-2006-1314,CVE-2006-1315\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":7.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.83525473,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"low\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":6.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"denial_of_service\":false,\"description\":\"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \\\"Vulnerability Details\\\" section of this bulletin. 
We recommend that customers apply the update immediately.\",\"exploits\":[{\"description\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"id\":\"2057\",\"name\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a kernel pool corruption bug in SRV.SYS. Each\\n call to the mailslot write function results in a two byte return value\\n being written into the response packet. The code which creates this packet\\n fails to consider these two bytes in the allocation routine, resulting in\\n a slow corruption of the kernel memory pool. These two bytes are almost\\n always set to \\\"\\\\xff\\\\xff\\\" (a short integer with value of -1).\",\"id\":\"auxiliary/dos/windows/smb/ms06_035_mailslot\",\"name\":\"Microsoft SRV.SYS Mailslot Write Corruption\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"}],\"id\":\"windows-hotfix-ms06-035\",\"links\":[{\"href\":\"http://www.kb.cert.org/vuls/id/189140\",\"id\":\"189140\",\"source\":\"cert-vn\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818\",\"id\":\"win-mailslot-bo(26818)\",\"source\":\"xf\"},{\"href\":\"http://www.securityfocus.com/bid/18863\",\"id\":\"18863\",\"source\":\"bid\"},{\"href\":\"https://support.microsoft.com/en-us/kb/917159\",\"id\":\"KB917159\",\"source\":\"mskb\"},{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA06-192A.html\",\"id\":\"TA06-192A\",\"source\":\"cert\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1314\",\"id\":\"CVE-2006-1314\",\"source\":\"cve\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1315\",\"id\":\"CVE-2006-1315\",\"source\":\"cve\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3\",\"id\":\"3\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600\",\"id\":
\"600\",\"source\":\"oval\"},{\"href\":\"http://www.osvdb.org/27155\",\"id\":\"27155\",\"source\":\"osvdb\"},{\"href\":\"http://www.osvdb.org/27154\",\"id\":\"27154\",\"source\":\"osvdb\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS06-035\",\"id\":\"MS06-035\",\"source\":\"ms\"},{\"href\":\"http://www.securityfocus.com/bid/18891\",\"id\":\"18891\",\"source\":\"bid\"},{\"href\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"id\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"source\":\"url\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26820\",\"id\":\"win-smb-information-disclosure(26820)\",\"source\":\"xf\"},{\"href\":\"http://www.kb.cert.org/vuls/id/333636\",\"id\":\"333636\",\"source\":\"cert-vn\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":7.5,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2006-07-11T00:00:00Z\",\"references\":\"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)\",\"risk_score\":756.57,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)\"}}", "severity": 8, "type": [ "info" @@ -1742,7 +1742,7 @@ "source": "Endpoint Agent" } ], - "vuln": { + "vulnerability": { "added": "2006-07-12T00:00:00.000Z", "categories": [ "CVSS Score Predicted with Rapid7 AI", 
@@ -1983,7 +1983,7 @@ "created": "2018-11-25T09:20:27.000Z", "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|windows-hotfix-ms06-035|2023-05-23T18:16:30.836Z", "kind": "event", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2018-11-25T09:20:27Z\",\"key\":\"\",\"last_found\":\"2023-05-23T18:16:30.836Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows Server 2003 SP1

Based on the result of the "dcerpc-ms-netapi-netpathcanonicalize-dos" test, this node is applicable to this issue.

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms06-035\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms06-035\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms06-035\",\"added\":\"2006-07-12T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution\",\"cves\":\"CVE-2006-1314,CVE-2006-1315\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":7.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.83525473,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"low\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":6.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"denial_of_service\":false,\"description\":\"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \\\"Vulnerability Details\\\" section of this bulletin. 
We recommend that customers apply the update immediately.\",\"exploits\":[{\"description\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"id\":\"2057\",\"name\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a kernel pool corruption bug in SRV.SYS. Each\\n call to the mailslot write function results in a two byte return value\\n being written into the response packet. The code which creates this packet\\n fails to consider these two bytes in the allocation routine, resulting in\\n a slow corruption of the kernel memory pool. These two bytes are almost\\n always set to \\\"\\\\xff\\\\xff\\\" (a short integer with value of -1).\",\"id\":\"auxiliary/dos/windows/smb/ms06_035_mailslot\",\"name\":\"Microsoft SRV.SYS Mailslot Write Corruption\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"}],\"id\":\"windows-hotfix-ms06-035\",\"links\":[{\"href\":\"http://www.kb.cert.org/vuls/id/189140\",\"id\":\"189140\",\"source\":\"cert-vn\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818\",\"id\":\"win-mailslot-bo(26818)\",\"source\":\"xf\"},{\"href\":\"http://www.securityfocus.com/bid/18863\",\"id\":\"18863\",\"source\":\"bid\"},{\"href\":\"https://support.microsoft.com/en-us/kb/917159\",\"id\":\"KB917159\",\"source\":\"mskb\"},{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA06-192A.html\",\"id\":\"TA06-192A\",\"source\":\"cert\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1314\",\"id\":\"CVE-2006-1314\",\"source\":\"cve\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1315\",\"id\":\"CVE-2006-1315\",\"source\":\"cve\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3\",\"id\":\"3\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600\",\"id\":
\"600\",\"source\":\"oval\"},{\"href\":\"http://www.osvdb.org/27155\",\"id\":\"27155\",\"source\":\"osvdb\"},{\"href\":\"http://www.osvdb.org/27154\",\"id\":\"27154\",\"source\":\"osvdb\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS06-035\",\"id\":\"MS06-035\",\"source\":\"ms\"},{\"href\":\"http://www.securityfocus.com/bid/18891\",\"id\":\"18891\",\"source\":\"bid\"},{\"href\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"id\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"source\":\"url\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26820\",\"id\":\"win-smb-information-disclosure(26820)\",\"source\":\"xf\"},{\"href\":\"http://www.kb.cert.org/vuls/id/333636\",\"id\":\"333636\",\"source\":\"cert-vn\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":7.5,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2006-07-11T00:00:00Z\",\"references\":\"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)\",\"risk_score\":756.57,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)\"}}", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2018-11-25T09:20:27Z\",\"key\":\"\",\"last_found\":\"2023-05-23T18:16:30.836Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows Server 2003 SP1

Based on the result of the "dcerpc-ms-netapi-netpathcanonicalize-dos" test, this node is applicable to this issue.

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms06-035\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms06-035\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms06-035\",\"added\":\"2006-07-12T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution\",\"cves\":\"CVE-2006-1314,CVE-2006-1315\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":7.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.83525473,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"low\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":6.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"denial_of_service\":false,\"description\":\"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \\\"Vulnerability Details\\\" section of this bulletin. 
We recommend that customers apply the update immediately.\",\"exploits\":[{\"description\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"id\":\"2057\",\"name\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a kernel pool corruption bug in SRV.SYS. Each\\n call to the mailslot write function results in a two byte return value\\n being written into the response packet. The code which creates this packet\\n fails to consider these two bytes in the allocation routine, resulting in\\n a slow corruption of the kernel memory pool. These two bytes are almost\\n always set to \\\"\\\\xff\\\\xff\\\" (a short integer with value of -1).\",\"id\":\"auxiliary/dos/windows/smb/ms06_035_mailslot\",\"name\":\"Microsoft SRV.SYS Mailslot Write Corruption\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"}],\"id\":\"windows-hotfix-ms06-035\",\"links\":[{\"href\":\"http://www.kb.cert.org/vuls/id/189140\",\"id\":\"189140\",\"source\":\"cert-vn\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818\",\"id\":\"win-mailslot-bo(26818)\",\"source\":\"xf\"},{\"href\":\"http://www.securityfocus.com/bid/18863\",\"id\":\"18863\",\"source\":\"bid\"},{\"href\":\"https://support.microsoft.com/en-us/kb/917159\",\"id\":\"KB917159\",\"source\":\"mskb\"},{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA06-192A.html\",\"id\":\"TA06-192A\",\"source\":\"cert\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1314\",\"id\":\"CVE-2006-1314\",\"source\":\"cve\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1315\",\"id\":\"CVE-2006-1315\",\"source\":\"cve\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3\",\"id\":\"3\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600\",\"id\":
\"600\",\"source\":\"oval\"},{\"href\":\"http://www.osvdb.org/27155\",\"id\":\"27155\",\"source\":\"osvdb\"},{\"href\":\"http://www.osvdb.org/27154\",\"id\":\"27154\",\"source\":\"osvdb\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS06-035\",\"id\":\"MS06-035\",\"source\":\"ms\"},{\"href\":\"http://www.securityfocus.com/bid/18891\",\"id\":\"18891\",\"source\":\"bid\"},{\"href\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"id\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"source\":\"url\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26820\",\"id\":\"win-smb-information-disclosure(26820)\",\"source\":\"xf\"},{\"href\":\"http://www.kb.cert.org/vuls/id/333636\",\"id\":\"333636\",\"source\":\"cert-vn\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":7.5,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2006-07-11T00:00:00Z\",\"references\":\"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)\",\"risk_score\":756.57,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)\"}}", "severity": 8, "type": [ "info" @@ -2063,7 +2063,7 @@ "source": "Endpoint Agent" } ], - "vuln": { + "vulnerability": { "added": "2006-07-12T00:00:00.000Z", "categories": [ "CVSS Score Predicted with Rapid7 AI", 
@@ -2304,7 +2304,7 @@ "created": "2022-12-23T18:40:29.000Z", "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|msft-cve-2022-37967|2023-06-23T17:29:23.453Z", "kind": "event", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":\"msft-cve-2022-37967-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc\",\"first_found\":\"2022-12-23T18:40:29Z\",\"key\":\"\",\"last_found\":\"2023-06-23T17:29:23.453Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1

Based on the following 2 results:

    • Found an applicable package: HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Component Based Servicing\\\\Packages\\\\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.
      • HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\SideBySide\\\\Winners\\\\amd64_Microsoft-Windows-Audio-DMusic_31bf3856ad364e35_none_6ddb350169ebdb56 - key exists
      • The above CBS component is currently version 6.1.7600.16385, expected version 6.1.7601.26262 or higher
      • 2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288) is applicable for this CBS component

    • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion
      • UBR - contains 24443

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Download and apply the patch from: https://support.microsoft.com/kb/5021288

\",\"solution_id\":\"msft-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc\",\"solution_summary\":\"2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288)\",\"solution_type\":\"patch\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"msft-cve-2022-37967\",\"added\":\"2022-11-08T00:00:00Z\",\"categories\":\"Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation\",\"cves\":\"CVE-2022-37967\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"multiple\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":6.389999830722808,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":8.3,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:M/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":1.2347077050000002,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"high\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.2,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Windows Kerberos Elevation of Privilege 
Vulnerability.\",\"exploits\":[],\"id\":\"msft-cve-2022-37967\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2022-37967\",\"id\":\"CVE-2022-37967\",\"source\":\"cve\"},{\"href\":\"https://support.microsoft.com/help/5031364\",\"id\":\"https://support.microsoft.com/help/5031364\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031362\",\"id\":\"https://support.microsoft.com/help/5031362\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031361\",\"id\":\"https://support.microsoft.com/help/5031361\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031407\",\"id\":\"https://support.microsoft.com/help/5031407\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031419\",\"id\":\"https://support.microsoft.com/help/5031419\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031427\",\"id\":\"https://support.microsoft.com/help/5031427\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2024-09-06T00:00:00Z\",\"pci_cvss_score\":8.3,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2022-11-08T00:00:00Z\",\"references\":\"cve:CVE-2022-37967,url:https://support.microsoft.com/help/5031361,url:https://support.microsoft.com/help/5031362,url:https://support.microsoft.com/help/5031364,url:https://support.microsoft.com/help/5031407,url:https://support.microsoft.com/help/5031419,url:https://support.microsoft.com/help/5031427\",\"risk_score\":434.28,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"Microsoft Windows: CVE-2022-37967: Windows Kerberos Elevation of Privilege Vulnerability\"}}", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"check_id\":\"msft-cve-2022-37967-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc\",\"first_found\":\"2022-12-23T18:40:29Z\",\"key\":\"\",\"last_found\":\"2023-06-23T17:29:23.453Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1

Based on the following 2 results:

    • Found an applicable package: HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Component Based Servicing\\\\Packages\\\\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.
      • HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\SideBySide\\\\Winners\\\\amd64_Microsoft-Windows-Audio-DMusic_31bf3856ad364e35_none_6ddb350169ebdb56 - key exists
      • The above CBS component is currently version 6.1.7600.16385, expected version 6.1.7601.26262 or higher
      • 2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288) is applicable for this CBS component

    • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion
      • UBR - contains 24443

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Download and apply the patch from: https://support.microsoft.com/kb/5021288

\",\"solution_id\":\"msft-kb5021288-c2d89794-10f9-459d-a1a9-79847eac03fc\",\"solution_summary\":\"2022-12 Security Only Quality Update for Windows 7 for x64-based Systems (KB5021288)\",\"solution_type\":\"patch\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"msft-cve-2022-37967\",\"added\":\"2022-11-08T00:00:00Z\",\"categories\":\"Microsoft,Microsoft Patch,Microsoft Windows,Privilege Escalation\",\"cves\":\"CVE-2022-37967\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"multiple\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":6.389999830722808,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":8.3,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:M/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":1.2347077050000002,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"high\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.2,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Windows Kerberos Elevation of Privilege 
Vulnerability.\",\"exploits\":[],\"id\":\"msft-cve-2022-37967\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2022-37967\",\"id\":\"CVE-2022-37967\",\"source\":\"cve\"},{\"href\":\"https://support.microsoft.com/help/5031364\",\"id\":\"https://support.microsoft.com/help/5031364\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031362\",\"id\":\"https://support.microsoft.com/help/5031362\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031361\",\"id\":\"https://support.microsoft.com/help/5031361\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031407\",\"id\":\"https://support.microsoft.com/help/5031407\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031419\",\"id\":\"https://support.microsoft.com/help/5031419\",\"source\":\"url\"},{\"href\":\"https://support.microsoft.com/help/5031427\",\"id\":\"https://support.microsoft.com/help/5031427\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2024-09-06T00:00:00Z\",\"pci_cvss_score\":8.3,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2022-11-08T00:00:00Z\",\"references\":\"cve:CVE-2022-37967,url:https://support.microsoft.com/help/5031361,url:https://support.microsoft.com/help/5031362,url:https://support.microsoft.com/help/5031364,url:https://support.microsoft.com/help/5031407,url:https://support.microsoft.com/help/5031419,url:https://support.microsoft.com/help/5031427\",\"risk_score\":434.28,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"Microsoft Windows: CVE-2022-37967: Windows Kerberos Elevation of Privilege Vulnerability\"}}", "severity": 8, "type": [ "info" @@ -2381,7 +2381,7 @@ "source": "R7 Agent" } ], - "vuln": { + "vulnerability": { "added": "2022-11-08T00:00:00.000Z", "categories": [ "Microsoft", 
@@ -2549,7 +2549,7 @@ "created": "2022-12-23T18:40:29.000Z", "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|windows-defender-cve-2022-24548|2023-06-23T17:29:23.453Z", "kind": "event", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2022-12-23T18:40:29Z\",\"key\":\"\",\"last_found\":\"2023-06-23T17:29:23.453Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1

Based on the following 4 results:

  1. Based on the following 2 results:

      • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender - key does not exist

      • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender
        • DisableAntiSpyware - contains 0

    • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Signature Updates
      • EngineVersion - contains 1.1.9203.0

    • HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SepMasterService - key does not exist
      • Start - value does not exist

    • HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\MsMpSvc - key does not exist
      • Start - value does not exist

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Verify that the latest version of the Microsoft Malware Protection Engine\\nand definition updates are being actively downloaded and installed for their Microsoft antimalware products.\\nFor more information on how to verify the version number for the Microsoft Malware Protection Engine that your\\nsoftware is currently using, see the section Verifying Update Installation\\nin Microsoft Knowledge Base Article 2510781 https://support.microsoft.com/kb/2510781

\",\"solution_id\":\"windows-defender-upgrade-latest\",\"solution_summary\":\"Upgrade Microsoft Defender to the latest version.\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-defender-cve-2022-24548\",\"added\":\"2022-04-14T00:00:00Z\",\"categories\":\"Denial of Service,Microsoft Windows Defender\",\"cves\":\"CVE-2022-24548\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":2.862749751806259,\"cvss_v2_integrity_impact\":\"none\",\"cvss_v2_score\":4.3,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:N/I:N/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":1.8345765900000002,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":5.5,\"cvss_v3_user_interaction\":\"required\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"denial_of_service\":true,\"description\":\"Microsoft Defender Denial of Service Vulnerability\",\"exploits\":[],\"id\":\"windows-defender-cve-2022-24548\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2022-24548\",\"id\":\"CVE-2022-24548\",\"source\":\"cve\"},{\"href\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548\",\"id\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2023-12-13T00:00:00Z\",\"pci_cvss_score\":4.3,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"Denial-of-Service-only vulnerability marked as compliant. 
\",\"pci_status\":\"pass\",\"published\":\"2022-04-14T00:00:00Z\",\"references\":\"cve:CVE-2022-24548,url:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548\",\"risk_score\":124.28,\"severity\":\"severe\",\"severity_score\":4,\"title\":\"Microsoft Defender Denial of Service Vulnerability (CVE-2022-24548)\"}}", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2022-12-23T18:40:29Z\",\"key\":\"\",\"last_found\":\"2023-06-23T17:29:23.453Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows 7 Enterprise Edition SP1

Based on the following 4 results:

  1. Based on the following 2 results:

      • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender - key does not exist

      • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender
        • DisableAntiSpyware - contains 0

    • HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Signature Updates
      • EngineVersion - contains 1.1.9203.0

    • HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SepMasterService - key does not exist
      • Start - value does not exist

    • HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\MsMpSvc - key does not exist
      • Start - value does not exist

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Verify that the latest version of the Microsoft Malware Protection Engine\\nand definition updates are being actively downloaded and installed for their Microsoft antimalware products.\\nFor more information on how to verify the version number for the Microsoft Malware Protection Engine that your\\nsoftware is currently using, see the section Verifying Update Installation\\nin Microsoft Knowledge Base Article 2510781 https://support.microsoft.com/kb/2510781

\",\"solution_id\":\"windows-defender-upgrade-latest\",\"solution_summary\":\"Upgrade Microsoft Defender to the latest version.\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-defender-cve-2022-24548\",\"added\":\"2022-04-14T00:00:00Z\",\"categories\":\"Denial of Service,Microsoft Windows Defender\",\"cves\":\"CVE-2022-24548\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":2.862749751806259,\"cvss_v2_integrity_impact\":\"none\",\"cvss_v2_score\":4.3,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:N/I:N/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":1.8345765900000002,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":5.5,\"cvss_v3_user_interaction\":\"required\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"denial_of_service\":true,\"description\":\"Microsoft Defender Denial of Service Vulnerability\",\"exploits\":[],\"id\":\"windows-defender-cve-2022-24548\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2022-24548\",\"id\":\"CVE-2022-24548\",\"source\":\"cve\"},{\"href\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548\",\"id\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2023-12-13T00:00:00Z\",\"pci_cvss_score\":4.3,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"Denial-of-Service-only vulnerability marked as compliant. 
\",\"pci_status\":\"pass\",\"published\":\"2022-04-14T00:00:00Z\",\"references\":\"cve:CVE-2022-24548,url:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24548\",\"risk_score\":124.28,\"severity\":\"severe\",\"severity_score\":4,\"title\":\"Microsoft Defender Denial of Service Vulnerability (CVE-2022-24548)\"}}", "severity": 4, "type": [ "info" @@ -2627,7 +2627,7 @@ "source": "R7 Agent" } ], - "vuln": { + "vulnerability": { "added": "2022-04-14T00:00:00.000Z", "categories": [ "Denial of Service", 
@@ -2761,7 +2761,7 @@ "created": "2018-11-25T09:10:10.000Z", "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|windows-hotfix-ms09-050|2019-02-14T21:39:25.312Z", "kind": "event", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2018-11-25T09:10:10Z\",\"key\":\"\",\"last_found\":\"2019-02-14T21:39:25.312Z\",\"nic\":null,\"port\":445,\"proof\":\"

Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition SP2

System replied with a malformed SMB packet

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms09-050\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms09-050\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms09-050\",\"added\":\"2009-10-13T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution\",\"cves\":\"CVE-2009-2526,CVE-2009-2532,CVE-2009-3103\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":9.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\",\"exploits\":[{\"description\":\"Microsoft Windows 7/2008 R2 - Remote Kernel Crash\",\"id\":\"10005\",\"name\":\"Microsoft Windows 7/2008 R2 - Remote Kernel Crash\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.\",\"id\":\"auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff\",\"name\":\"Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)\",\"id\":\"40280\",\"name\":\"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service\",\"id\":\"12524\",\"name\":\"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module exploits an out of bounds function table dereference in the SMB\\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\\n without SP1 does not seem affected by this flaw.\",\"id\":\"exploit/windows/smb/ms09_050_smb2_negotiate_func_index\",\"name\":\"MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference\",\"rank\":\"good\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)\",\"id\":\"14674\",\"name\":\"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module exploits an out of bounds function table dereference in the SMB\\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\\tVista\\n without SP1 does not seem affected by this flaw.\",\"id\":\"auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh\",\"name\":\"Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)\",\"id\":\"9594\",\"name\":\"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death 
(MS07-063)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"}],\"id\":\"windows-hotfix-ms09-050\",\"links\":[{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA09-286A.html\",\"id\":\"TA09-286A\",\"source\":\"cert\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489\",\"id\":\"6489\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336\",\"id\":\"6336\",\"source\":\"oval\"},{\"href\":\"http://www.securityfocus.com/bid/36299\",\"id\":\"36299\",\"source\":\"bid\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595\",\"id\":\"5595\",\"source\":\"oval\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-2526\",\"id\":\"CVE-2009-2526\",\"source\":\"cve\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS09-050\",\"id\":\"MS09-050\",\"source\":\"ms\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-3103\",\"id\":\"CVE-2009-3103\",\"source\":\"cve\"},{\"href\":\"http://www.kb.cert.org/vuls/id/135940\",\"id\":\"135940\",\"source\":\"cert-vn\"},{\"href\":\"https://support.microsoft.com/en-us/kb/975517\",\"id\":\"KB975517\",\"source\":\"mskb\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-2532\",\"id\":\"CVE-2009-2532\",\"source\":\"cve\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/53090\",\"id\":\"53090\",\"source\":\"xf\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2009-10-13T00:00:00Z\",\"references\":\"cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A\",\"risk_score\":914.2,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote 
Code Execution (975517)\"}}", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2018-11-25T09:10:10Z\",\"key\":\"\",\"last_found\":\"2019-02-14T21:39:25.312Z\",\"nic\":null,\"port\":445,\"proof\":\"

Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition SP2

System replied with a malformed SMB packet

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms09-050\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms09-050\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms09-050\",\"added\":\"2009-10-13T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution\",\"cves\":\"CVE-2009-2526,CVE-2009-2532,CVE-2009-3103\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":9.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\",\"exploits\":[{\"description\":\"Microsoft Windows 7/2008 R2 - Remote Kernel Crash\",\"id\":\"10005\",\"name\":\"Microsoft Windows 7/2008 R2 - Remote Kernel Crash\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.\",\"id\":\"auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff\",\"name\":\"Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)\",\"id\":\"40280\",\"name\":\"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service\",\"id\":\"12524\",\"name\":\"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module exploits an out of bounds function table dereference in the SMB\\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\\n without SP1 does not seem affected by this flaw.\",\"id\":\"exploit/windows/smb/ms09_050_smb2_negotiate_func_index\",\"name\":\"MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference\",\"rank\":\"good\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)\",\"id\":\"14674\",\"name\":\"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module exploits an out of bounds function table dereference in the SMB\\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\\tVista\\n without SP1 does not seem affected by this flaw.\",\"id\":\"auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh\",\"name\":\"Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)\",\"id\":\"9594\",\"name\":\"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death 
(MS07-063)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"}],\"id\":\"windows-hotfix-ms09-050\",\"links\":[{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA09-286A.html\",\"id\":\"TA09-286A\",\"source\":\"cert\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489\",\"id\":\"6489\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336\",\"id\":\"6336\",\"source\":\"oval\"},{\"href\":\"http://www.securityfocus.com/bid/36299\",\"id\":\"36299\",\"source\":\"bid\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595\",\"id\":\"5595\",\"source\":\"oval\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-2526\",\"id\":\"CVE-2009-2526\",\"source\":\"cve\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS09-050\",\"id\":\"MS09-050\",\"source\":\"ms\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-3103\",\"id\":\"CVE-2009-3103\",\"source\":\"cve\"},{\"href\":\"http://www.kb.cert.org/vuls/id/135940\",\"id\":\"135940\",\"source\":\"cert-vn\"},{\"href\":\"https://support.microsoft.com/en-us/kb/975517\",\"id\":\"KB975517\",\"source\":\"mskb\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-2532\",\"id\":\"CVE-2009-2532\",\"source\":\"cve\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/53090\",\"id\":\"53090\",\"source\":\"xf\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2009-10-13T00:00:00Z\",\"references\":\"cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A\",\"risk_score\":914.2,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote 
Code Execution (975517)\"}}", "severity": 10, "type": [ "info" @@ -2838,7 +2838,7 @@ "source": "R7 Agent" } ], - "vuln": { + "vulnerability": { "added": "2009-10-13T00:00:00.000Z", "categories": [ "CVSS Score Predicted with Rapid7 AI", @@ -3107,7 +3107,7 @@ "created": "2021-02-23T18:39:30.000Z", "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|centos_linux-cve-2020-2574|2022-04-23T18:04:36.094Z", "kind": "event", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2021-02-23T18:39:30Z\",\"key\":\"\",\"last_found\":\"2022-04-23T18:04:36.094Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: CentOS Linux 7.6.1810

  • mariadb-libs - version 1:5.5.60-1.el7_5 is installed

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-centos_linux-cve-2020-2574\",\"solution_summary\":\"The solution is unknown for vuln centos_linux-cve-2020-2574\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"centos_linux-cve-2020-2574\",\"added\":\"2020-09-15T00:00:00Z\",\"categories\":\"CentOS\",\"cves\":\"CVE-2020-2574\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":2.862749751806259,\"cvss_v2_integrity_impact\":\"none\",\"cvss_v2_score\":4.3,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:N/I:N/A:P)\",\"cvss_v3_attack_complexity\":\"high\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":2.2211673,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":5.9,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"denial_of_service\":true,\"description\":\"Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).\",\"exploits\":[],\"id\":\"centos_linux-cve-2020-2574\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2020-2574\",\"id\":\"CVE-2020-2574\",\"source\":\"nvd\"}],\"malware_kits\":[],\"modified\":\"2023-05-25T00:00:00Z\",\"pci_cvss_score\":4.3,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"Denial-of-Service-only vulnerability marked as compliant. \",\"pci_status\":\"pass\",\"published\":\"2020-01-15T00:00:00Z\",\"references\":\"nvd:CVE-2020-2574\",\"risk_score\":150.88,\"severity\":\"severe\",\"severity_score\":4,\"title\":\"CentOS Linux: CVE-2020-2574: Important: mysql:8.0 security update (Multiple Advisories)\"}}", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint 
Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2021-02-23T18:39:30Z\",\"key\":\"\",\"last_found\":\"2022-04-23T18:04:36.094Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: CentOS Linux 7.6.1810

  • mariadb-libs - version 1:5.5.60-1.el7_5 is installed

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-centos_linux-cve-2020-2574\",\"solution_summary\":\"The solution is unknown for vuln centos_linux-cve-2020-2574\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"centos_linux-cve-2020-2574\",\"added\":\"2020-09-15T00:00:00Z\",\"categories\":\"CentOS\",\"cves\":\"CVE-2020-2574\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":2.862749751806259,\"cvss_v2_integrity_impact\":\"none\",\"cvss_v2_score\":4.3,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:N/I:N/A:P)\",\"cvss_v3_attack_complexity\":\"high\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":2.2211673,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":5.9,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"denial_of_service\":true,\"description\":\"Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).\",\"exploits\":[],\"id\":\"centos_linux-cve-2020-2574\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2020-2574\",\"id\":\"CVE-2020-2574\",\"source\":\"nvd\"}],\"malware_kits\":[],\"modified\":\"2023-05-25T00:00:00Z\",\"pci_cvss_score\":4.3,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"Denial-of-Service-only vulnerability marked as compliant. \",\"pci_status\":\"pass\",\"published\":\"2020-01-15T00:00:00Z\",\"references\":\"nvd:CVE-2020-2574\",\"risk_score\":150.88,\"severity\":\"severe\",\"severity_score\":4,\"title\":\"CentOS Linux: CVE-2020-2574: Important: mysql:8.0 security update (Multiple Advisories)\"}}", "severity": 4, "type": [ "info" @@ -3187,7 +3187,7 @@ "source": "Endpoint Agent" } ], - "vuln": { + "vulnerability": { "added": "2020-09-15T00:00:00.000Z", "categories": [ "CentOS" 
@@ -3313,7 +3313,7 @@ "created": "2021-03-23T21:18:51.000Z", "id": "81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1|windows-hotfix-ms09-050|2023-06-23T19:16:12.895Z", "kind": "event", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2021-03-23T21:18:51Z\",\"key\":\"\",\"last_found\":\"2023-06-23T19:16:12.895Z\",\"nic\":null,\"port\":445,\"proof\":\"

Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition

\\\\BROWSER: WriteAndX succeeded with offset 77

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms09-001\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms09-001\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms09-001\",\"added\":\"2009-10-13T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution\",\"cves\":\"CVE-2009-2526,CVE-2009-2532,CVE-2009-3103\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":9.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\",\"exploits\":[{\"description\":\"Microsoft Windows 7/2008 R2 - Remote Kernel Crash\",\"id\":\"10005\",\"name\":\"Microsoft Windows 7/2008 R2 - Remote Kernel Crash\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.\",\"id\":\"auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff\",\"name\":\"Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)\",\"id\":\"40280\",\"name\":\"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service\",\"id\":\"12524\",\"name\":\"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module exploits an out of bounds function table dereference in the SMB\\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\\n without SP1 does not seem affected by this flaw.\",\"id\":\"exploit/windows/smb/ms09_050_smb2_negotiate_func_index\",\"name\":\"MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference\",\"rank\":\"good\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)\",\"id\":\"14674\",\"name\":\"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module exploits an out of bounds function table dereference in the SMB\\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\\tVista\\n without SP1 does not seem affected by this flaw.\",\"id\":\"auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh\",\"name\":\"Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)\",\"id\":\"9594\",\"name\":\"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death 
(MS07-063)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"}],\"id\":\"windows-hotfix-ms09-050\",\"links\":[{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA09-286A.html\",\"id\":\"TA09-286A\",\"source\":\"cert\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489\",\"id\":\"6489\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336\",\"id\":\"6336\",\"source\":\"oval\"},{\"href\":\"http://www.securityfocus.com/bid/36299\",\"id\":\"36299\",\"source\":\"bid\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595\",\"id\":\"5595\",\"source\":\"oval\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-2526\",\"id\":\"CVE-2009-2526\",\"source\":\"cve\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS09-050\",\"id\":\"MS09-050\",\"source\":\"ms\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-3103\",\"id\":\"CVE-2009-3103\",\"source\":\"cve\"},{\"href\":\"http://www.kb.cert.org/vuls/id/135940\",\"id\":\"135940\",\"source\":\"cert-vn\"},{\"href\":\"https://support.microsoft.com/en-us/kb/975517\",\"id\":\"KB975517\",\"source\":\"mskb\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-2532\",\"id\":\"CVE-2009-2532\",\"source\":\"cve\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/53090\",\"id\":\"53090\",\"source\":\"xf\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2009-10-13T00:00:00Z\",\"references\":\"cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A\",\"risk_score\":914.2,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote 
Code Execution (975517)\"}}", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":119,\"exploits\":4,\"host_name\":\"Win11-50-13-52\",\"id\":\"81234561-1234-5678-abcd-c4aabcdef84e-default-asset-1\",\"ip\":\"10.50.13.52\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":8,\"os_architecture\":\"x86_64\",\"os_description\":\"Microsoft Windows 11 22H2\",\"os_family\":\"Windows\",\"os_name\":\"Windows 11\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"Workstation\",\"os_vendor\":\"Microsoft\",\"os_version\":\"22H2\",\"risk_score\":181622,\"severe_vulnerabilities\":241,\"tags\":[{\"name\":\"USA\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":368,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"F0ABCDE2-ABCD-EFAB-1234-1BABCDEFE050\",\"source\":\"CSPRODUCT\"},{\"id\":\"c5cf46abcdef0123456789291c7d554a\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2021-03-23T21:18:51Z\",\"key\":\"\",\"last_found\":\"2023-06-23T19:16:12.895Z\",\"nic\":null,\"port\":445,\"proof\":\"

Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition

\\\\BROWSER: WriteAndX succeeded with offset 77

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms09-001\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms09-001\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"windows-hotfix-ms09-001\",\"added\":\"2009-10-13T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution\",\"cves\":\"CVE-2009-2526,CVE-2009-2532,CVE-2009-3103\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":9.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\",\"exploits\":[{\"description\":\"Microsoft Windows 7/2008 R2 - Remote Kernel Crash\",\"id\":\"10005\",\"name\":\"Microsoft Windows 7/2008 R2 - Remote Kernel Crash\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.\",\"id\":\"auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff\",\"name\":\"Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)\",\"id\":\"40280\",\"name\":\"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service\",\"id\":\"12524\",\"name\":\"Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module exploits an out of bounds function table dereference in the SMB\\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\\n release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista\\n without SP1 does not seem affected by this flaw.\",\"id\":\"exploit/windows/smb/ms09_050_smb2_negotiate_func_index\",\"name\":\"MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference\",\"rank\":\"good\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)\",\"id\":\"14674\",\"name\":\"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module exploits an out of bounds function table dereference in the SMB\\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\\tVista\\n without SP1 does not seem affected by this flaw.\",\"id\":\"auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh\",\"name\":\"Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"},{\"description\":\"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)\",\"id\":\"9594\",\"name\":\"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death 
(MS07-063)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"}],\"id\":\"windows-hotfix-ms09-050\",\"links\":[{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA09-286A.html\",\"id\":\"TA09-286A\",\"source\":\"cert\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6489\",\"id\":\"6489\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6336\",\"id\":\"6336\",\"source\":\"oval\"},{\"href\":\"http://www.securityfocus.com/bid/36299\",\"id\":\"36299\",\"source\":\"bid\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5595\",\"id\":\"5595\",\"source\":\"oval\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-2526\",\"id\":\"CVE-2009-2526\",\"source\":\"cve\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS09-050\",\"id\":\"MS09-050\",\"source\":\"ms\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-3103\",\"id\":\"CVE-2009-3103\",\"source\":\"cve\"},{\"href\":\"http://www.kb.cert.org/vuls/id/135940\",\"id\":\"135940\",\"source\":\"cert-vn\"},{\"href\":\"https://support.microsoft.com/en-us/kb/975517\",\"id\":\"KB975517\",\"source\":\"mskb\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2009-2532\",\"id\":\"CVE-2009-2532\",\"source\":\"cve\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/53090\",\"id\":\"53090\",\"source\":\"xf\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2009-10-13T00:00:00Z\",\"references\":\"cert-vn:135940,bid:36299,xf:53090,oval:5595,oval:6336,oval:6489,cve:CVE-2009-2526,cve:CVE-2009-2532,cve:CVE-2009-3103,mskb:KB975517,ms:MS09-050,cert:TA09-286A\",\"risk_score\":914.2,\"severity\":\"critical\",\"severity_score\":10,\"title\":\"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote 
Code Execution (975517)\"}}", "severity": 10, "type": [ "info" @@ -3390,7 +3390,7 @@ "source": "R7 Agent" } ], - "vuln": { + "vulnerability": { "added": "2009-10-13T00:00:00.000Z", "categories": [ "CVSS Score Predicted with Rapid7 AI", @@ -3659,7 +3659,7 @@ "created": "2018-11-25T09:16:57.000Z", "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|dns-bind-cve-2015-4620|2022-02-23T20:10:02.535Z", "kind": "event", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2018-11-25T09:16:57Z\",\"key\":\"\",\"last_found\":\"2022-02-23T20:10:02.535Z\",\"nic\":null,\"port\":53,\"proof\":\"

Vulnerable OS: Debian Linux 6.0

  • Running DNS service
  • Product BIND exists -- ISC BIND 9.7.3
  • Vulnerable version of product BIND found -- ISC BIND 9.7.3

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"

\\n More information about upgrading your version of ISC BIND is available on the ISC website.\\n

\",\"solution_id\":\"upgrade-isc-bind-latest\",\"solution_summary\":\"Upgrade ISC BIND to latest version\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"dns-bind-cve-2015-4620\",\"added\":\"2015-10-27T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,DNS,Denial of Service,ISC,ISC BIND\",\"cves\":\"CVE-2015-4620\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.870600273013115,\"cvss_v2_integrity_impact\":\"none\",\"cvss_v2_score\":7.8,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:N/I:N/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"denial_of_service\":true,\"description\":\"name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that 
zone.\",\"exploits\":[],\"id\":\"dns-bind-cve-2015-4620\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2015-4620\",\"id\":\"CVE-2015-4620\",\"source\":\"cve\"},{\"href\":\"https://kb.isc.org/article/AA-01267/0\",\"id\":\"https://kb.isc.org/article/AA-01267/0\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":7.8,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"Denial-of-Service-only vulnerability marked as compliant. \",\"pci_status\":\"pass\",\"published\":\"2015-07-08T00:00:00Z\",\"references\":\"cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0\",\"risk_score\":334.11,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)\"}}", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint 
Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2018-11-25T09:16:57Z\",\"key\":\"\",\"last_found\":\"2022-02-23T20:10:02.535Z\",\"nic\":null,\"port\":53,\"proof\":\"

Vulnerable OS: Debian Linux 6.0

  • Running DNS service
  • Product BIND exists -- ISC BIND 9.7.3
  • Vulnerable version of product BIND found -- ISC BIND 9.7.3

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"

\\n More information about upgrading your version of ISC BIND is available on the ISC website.\\n

\",\"solution_id\":\"upgrade-isc-bind-latest\",\"solution_summary\":\"Upgrade ISC BIND to latest version\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"dns-bind-cve-2015-4620\",\"added\":\"2015-10-27T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,DNS,Denial of Service,ISC,ISC BIND\",\"cves\":\"CVE-2015-4620\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.870600273013115,\"cvss_v2_integrity_impact\":\"none\",\"cvss_v2_score\":7.8,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:N/I:N/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"denial_of_service\":true,\"description\":\"name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that 
zone.\",\"exploits\":[],\"id\":\"dns-bind-cve-2015-4620\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2015-4620\",\"id\":\"CVE-2015-4620\",\"source\":\"cve\"},{\"href\":\"https://kb.isc.org/article/AA-01267/0\",\"id\":\"https://kb.isc.org/article/AA-01267/0\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":7.8,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"Denial-of-Service-only vulnerability marked as compliant. \",\"pci_status\":\"pass\",\"published\":\"2015-07-08T00:00:00Z\",\"references\":\"cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0\",\"risk_score\":334.11,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)\"}}", "severity": 8, "type": [ "info" @@ -3740,7 +3740,7 @@ "source": "Endpoint Agent" } ], - "vuln": { + "vulnerability": { "added": "2015-10-27T00:00:00.000Z", "categories": [ "CVSS Score Predicted with Rapid7 AI", 
@@ -3882,7 +3882,7 @@ "created": "2023-03-23T19:23:01.000Z", "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|dns-bind-cve-2015-4620|2023-06-23T19:36:17.715Z", "kind": "event", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2023-03-23T19:23:01Z\",\"key\":\"\",\"last_found\":\"2023-06-23T19:36:17.715Z\",\"nic\":null,\"port\":445,\"proof\":\"

  • Running CIFS service
  • Configuration item smb2-enabled set to 'true' matched
  • Configuration item smb2-signing set to 'enabled' matched

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"

\\n Configure the system to enable or require SMB signing as appropriate.\\n The method and effect of doing this is system specific so please see\\n this Microsoft article for\\n details. Note: ensure that SMB signing configuration is done for \\n incoming connections (Server).\\n

\",\"solution_id\":\"cifs-smb-signing-windows\",\"solution_summary\":\"Configure SMB signing for Windows\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"cifs-smb2-signing-not-required\",\"added\":\"2015-10-27T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,DNS,Denial of Service,ISC,ISC BIND\",\"cves\":\"CVE-2015-4620\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.870600273013115,\"cvss_v2_integrity_impact\":\"none\",\"cvss_v2_score\":7.8,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:N/I:N/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"denial_of_service\":true,\"description\":\"name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that 
zone.\",\"exploits\":[],\"id\":\"dns-bind-cve-2015-4620\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2015-4620\",\"id\":\"CVE-2015-4620\",\"source\":\"cve\"},{\"href\":\"https://kb.isc.org/article/AA-01267/0\",\"id\":\"https://kb.isc.org/article/AA-01267/0\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":7.8,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"Denial-of-Service-only vulnerability marked as compliant. \",\"pci_status\":\"pass\",\"published\":\"2015-07-08T00:00:00Z\",\"references\":\"cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0\",\"risk_score\":334.11,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)\"}}", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint 
Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2023-03-23T19:23:01Z\",\"key\":\"\",\"last_found\":\"2023-06-23T19:36:17.715Z\",\"nic\":null,\"port\":445,\"proof\":\"

  • Running CIFS service
  • Configuration item smb2-enabled set to 'true' matched
  • Configuration item smb2-signing set to 'enabled' matched

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"

\\n Configure the system to enable or require SMB signing as appropriate.\\n The method and effect of doing this is system specific so please see\\n this Microsoft article for\\n details. Note: ensure that SMB signing configuration is done for \\n incoming connections (Server).\\n

\",\"solution_id\":\"cifs-smb-signing-windows\",\"solution_summary\":\"Configure SMB signing for Windows\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"cifs-smb2-signing-not-required\",\"added\":\"2015-10-27T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,DNS,Denial of Service,ISC,ISC BIND\",\"cves\":\"CVE-2015-4620\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.870600273013115,\"cvss_v2_integrity_impact\":\"none\",\"cvss_v2_score\":7.8,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:N/I:N/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"denial_of_service\":true,\"description\":\"name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that 
zone.\",\"exploits\":[],\"id\":\"dns-bind-cve-2015-4620\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2015-4620\",\"id\":\"CVE-2015-4620\",\"source\":\"cve\"},{\"href\":\"https://kb.isc.org/article/AA-01267/0\",\"id\":\"https://kb.isc.org/article/AA-01267/0\",\"source\":\"url\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":7.8,\"pci_fail\":false,\"pci_severity_score\":2,\"pci_special_notes\":\"Denial-of-Service-only vulnerability marked as compliant. \",\"pci_status\":\"pass\",\"published\":\"2015-07-08T00:00:00Z\",\"references\":\"cve:CVE-2015-4620,url:https://kb.isc.org/article/AA-01267/0\",\"risk_score\":334.11,\"severity\":\"critical\",\"severity_score\":8,\"title\":\"ISC BIND: Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating (CVE-2015-4620)\"}}", "severity": 8, "type": [ "info" @@ -3958,7 +3958,7 @@ "source": "Endpoint Agent" } ], - "vuln": { + "vulnerability": { "added": "2015-10-27T00:00:00.000Z", "categories": [ "CVSS Score Predicted with Rapid7 AI", 
@@ -4100,7 +4100,7 @@ "created": "2022-12-23T19:25:13.000Z", "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|vmsa-2012-0013-cve-2012-0815|2023-06-23T18:08:29.154Z", "kind": "event", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2022-12-23T19:25:13Z\",\"key\":\"VMware ESX Server 4.0.0 GA\",\"last_found\":\"2023-06-23T18:08:29.154Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: VMware ESX Server 4.0.0 GA

  • The property "build" contains: 164009.

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Download and apply the upgrade from: https://knowledge.broadcom.com/external/article?articleNumber=142814

\",\"solution_id\":\"vmware-esx-upgrade-latest\",\"solution_summary\":\"Upgrade VMware ESX to the latest version\",\"solution_type\":\"rollup\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"vmsa-2012-0013-cve-2012-0815\",\"added\":\"2012-09-17T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Denial of Service,IAVM,Remote Execution,VMware,VMware ESX/ESXi\",\"cves\":\"CVE-2012-0815\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.8,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range 
comparison.\",\"exploits\":[],\"id\":\"vmsa-2012-0013-cve-2012-0815\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2012-0815\",\"id\":\"CVE-2012-0815\",\"source\":\"cve\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"V0033884\",\"source\":\"disa_vmskey\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"2012-A-0153\",\"source\":\"iavm\"},{\"href\":\"http://www.vmware.com/security/advisories/VMSA-2012-0013.html\",\"id\":\"http://www.vmware.com/security/advisories/VMSA-2012-0013.html\",\"source\":\"url\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"Category I\",\"source\":\"disa_severity\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"2012-A-0148\",\"source\":\"iavm\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"V0033794\",\"source\":\"disa_vmskey\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":6.8,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2012-06-04T00:00:00Z\",\"references\":\"iavm:2012-A-0148,iavm:2012-A-0153,cve:CVE-2012-0815,disa_severity:Category I,disa_vmskey:V0033794,disa_vmskey:V0033884,url:http://www.vmware.com/security/advisories/VMSA-2012-0013.html\",\"risk_score\":716.99,\"severity\":\"severe\",\"severity_score\":7,\"title\":\"VMSA-2012-0013: Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS (CVE-2012-0815)\"}}", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2022-12-23T19:25:13Z\",\"key\":\"VMware ESX Server 4.0.0 GA\",\"last_found\":\"2023-06-23T18:08:29.154Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: VMware ESX Server 4.0.0 GA

  • The property "build" contains: 164009.

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

Download and apply the upgrade from: https://knowledge.broadcom.com/external/article?articleNumber=142814

\",\"solution_id\":\"vmware-esx-upgrade-latest\",\"solution_summary\":\"Upgrade VMware ESX to the latest version\",\"solution_type\":\"rollup\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"vmsa-2012-0013-cve-2012-0815\",\"added\":\"2012-09-17T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Denial of Service,IAVM,Remote Execution,VMware,VMware ESX/ESXi\",\"cves\":\"CVE-2012-0815\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.8,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range 
comparison.\",\"exploits\":[],\"id\":\"vmsa-2012-0013-cve-2012-0815\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2012-0815\",\"id\":\"CVE-2012-0815\",\"source\":\"cve\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"V0033884\",\"source\":\"disa_vmskey\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"2012-A-0153\",\"source\":\"iavm\"},{\"href\":\"http://www.vmware.com/security/advisories/VMSA-2012-0013.html\",\"id\":\"http://www.vmware.com/security/advisories/VMSA-2012-0013.html\",\"source\":\"url\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"Category I\",\"source\":\"disa_severity\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"2012-A-0148\",\"source\":\"iavm\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"V0033794\",\"source\":\"disa_vmskey\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":6.8,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2012-06-04T00:00:00Z\",\"references\":\"iavm:2012-A-0148,iavm:2012-A-0153,cve:CVE-2012-0815,disa_severity:Category I,disa_vmskey:V0033794,disa_vmskey:V0033884,url:http://www.vmware.com/security/advisories/VMSA-2012-0013.html\",\"risk_score\":716.99,\"severity\":\"severe\",\"severity_score\":7,\"title\":\"VMSA-2012-0013: Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS (CVE-2012-0815)\"}}", "severity": 7, "type": [ "info" @@ -4181,7 +4181,7 @@ "source": "Endpoint Agent" } ], - "vuln": { + "vulnerability": { "added": "2012-09-17T00:00:00.000Z", "categories": [ "CVSS Score Predicted with Rapid7 AI", 
@@ -4349,7 +4349,7 @@ "created": "2022-12-23T18:54:08.000Z", "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|wordpress-cve-2015-5731|2023-06-23T17:40:02.211Z", "kind": "event", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2022-12-23T18:54:08Z\",\"key\":\"\",\"last_found\":\"2023-06-23T17:40:02.211Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable software installed: Wordpress 3.0

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

\\n Upgrade to the latest version of Wordpress from https://wordpress.org/download/release-archive/

\",\"solution_id\":\"wordpress-upgrade-latest\",\"solution_summary\":\"Upgrade to the latest version of Wordpress\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"wordpress-cve-2015-5731\",\"added\":\"2017-05-16T00:00:00Z\",\"categories\":\"CSRF,CVSS Score Predicted with Rapid7 AI,Denial of Service,WordPress\",\"cves\":\"CVE-2015-5731\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.8,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":2.8352547300000004,\"cvss_v3_impact_score\":5.177088,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.1,\"cvss_v3_user_interaction\":\"required\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock 
action.\",\"exploits\":[],\"id\":\"wordpress-cve-2015-5731\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2015-5731\",\"id\":\"CVE-2015-5731\",\"source\":\"cve\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":6.8,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2015-11-09T00:00:00Z\",\"references\":\"cve:CVE-2015-5731\",\"risk_score\":676.67,\"severity\":\"severe\",\"severity_score\":7,\"title\":\"Wordpress: CVE-2015-5731: Cross-Site Request Forgery (CSRF)\"}}", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2022-12-23T18:54:08Z\",\"key\":\"\",\"last_found\":\"2023-06-23T17:40:02.211Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable software installed: Wordpress 3.0

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

\\n Upgrade to the latest version of Wordpress from https://wordpress.org/download/release-archive/

\",\"solution_id\":\"wordpress-upgrade-latest\",\"solution_summary\":\"Upgrade to the latest version of Wordpress\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"wordpress-cve-2015-5731\",\"added\":\"2017-05-16T00:00:00Z\",\"categories\":\"CSRF,CVSS Score Predicted with Rapid7 AI,Denial of Service,WordPress\",\"cves\":\"CVE-2015-5731\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.8,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":2.8352547300000004,\"cvss_v3_impact_score\":5.177088,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.1,\"cvss_v3_user_interaction\":\"required\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock 
action.\",\"exploits\":[],\"id\":\"wordpress-cve-2015-5731\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2015-5731\",\"id\":\"CVE-2015-5731\",\"source\":\"cve\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"pci_cvss_score\":6.8,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2015-11-09T00:00:00Z\",\"references\":\"cve:CVE-2015-5731\",\"risk_score\":676.67,\"severity\":\"severe\",\"severity_score\":7,\"title\":\"Wordpress: CVE-2015-5731: Cross-Site Request Forgery (CSRF)\"}}", "severity": 7, "type": [ "info" @@ -4430,7 +4430,7 @@ "source": "Endpoint Agent" } ], - "vuln": { + "vulnerability": { "added": "2017-05-16T00:00:00.000Z", "categories": [ "CSRF", 
@@ -4561,7 +4561,7 @@ "created": "2022-12-23T18:55:39.000Z", "id": "8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7|php-cve-2016-3171|2023-06-23T17:41:50.071Z", "kind": "event", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vuln\":{\"check_id\":null,\"first_found\":\"2022-12-23T18:55:39Z\",\"key\":\"\",\"last_found\":\"2023-06-23T17:41:50.071Z\",\"nic\":null,\"port\":80,\"proof\":\"

  • Running HTTP service
  • Vulnerable version of component PHP found -- PHP 5.4.16

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"

Download and apply the upgrade from: http://www.php.net/downloads.php

\",\"solution_id\":\"php-upgrade-latest\",\"solution_summary\":\"Upgrade to the latest version of PHP\",\"solution_type\":\"rollup\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"php-cve-2016-3171\",\"added\":\"2019-09-30T00:00:00Z\",\"categories\":\"HTTP,PHP,Remote Execution\",\"cves\":\"CVE-2016-3171\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.8,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"high\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.2211673,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.1,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.\",\"exploits\":[],\"id\":\"php-cve-2016-3171\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2016-3171\",\"id\":\"CVE-2016-3171\",\"source\":\"cve\"}],\"malware_kits\":[],\"modified\":\"2024-11-27T00:00:00Z\",\"pci_cvss_score\":6.8,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2016-04-12T00:00:00Z\",\"references\":\"cve:CVE-2016-3171\",\"risk_score\":669.57,\"severity\":\"severe\",\"severity_score\":7,\"title\":\"PHP Vulnerability: CVE-2016-3171\"}}", + 
"original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":5,\"exploits\":0,\"host_name\":\"ub22-50-6-126\",\"id\":\"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T19:54:43.777Z\",\"last_scan_end\":\"2025-05-27T19:54:43.777Z\",\"last_scan_start\":\"2025-05-27T19:53:43.777Z\",\"mac\":\"00:00:5E:00:53:01\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Ubuntu Linux 22.04\",\"os_family\":\"Linux\",\"os_name\":\"Linux\",\"os_system_name\":\"Ubuntu Linux\",\"os_type\":\"\",\"os_vendor\":\"Ubuntu\",\"os_version\":\"22.04\",\"risk_score\":5656,\"severe_vulnerabilities\":6,\"tags\":[{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":12,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"B7123456-5678-1234-ABCD-6F6ABCDEFA91\",\"source\":\"dmidecode\"},{\"id\":\"cababcdefabcd0123456789f16d7061a\",\"source\":\"R7 Agent\"},{\"id\":\"cab682b411e200123456789ab6d7061a\",\"source\":\"Endpoint Agent\"}],\"vulnerability\":{\"check_id\":null,\"first_found\":\"2022-12-23T18:55:39Z\",\"key\":\"\",\"last_found\":\"2023-06-23T17:41:50.071Z\",\"nic\":null,\"port\":80,\"proof\":\"

  • Running HTTP service
  • Vulnerable version of component PHP found -- PHP 5.4.16

\",\"protocol\":\"TCP\",\"reintroduced\":null,\"solution_fix\":\"

Download and apply the upgrade from: http://www.php.net/downloads.php

\",\"solution_id\":\"php-upgrade-latest\",\"solution_summary\":\"Upgrade to the latest version of PHP\",\"solution_type\":\"rollup\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"php-cve-2016-3171\",\"added\":\"2019-09-30T00:00:00Z\",\"categories\":\"HTTP,PHP,Remote Execution\",\"cves\":\"CVE-2016-3171\",\"cvss_v2_access_complexity\":\"medium\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":8.588799953460693,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.8,\"cvss_v2_vector\":\"(AV:N/AC:M/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"high\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.2211673,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.1,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.\",\"exploits\":[],\"id\":\"php-cve-2016-3171\",\"links\":[{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2016-3171\",\"id\":\"CVE-2016-3171\",\"source\":\"cve\"}],\"malware_kits\":[],\"modified\":\"2024-11-27T00:00:00Z\",\"pci_cvss_score\":6.8,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2016-04-12T00:00:00Z\",\"references\":\"cve:CVE-2016-3171\",\"risk_score\":669.57,\"severity\":\"severe\",\"severity_score\":7,\"title\":\"PHP Vulnerability: CVE-2016-3171\"}}", "severity": 
7, "type": [ "info" @@ -4641,7 +4641,7 @@ "source": "Endpoint Agent" } ], - "vuln": { + "vulnerability": { "added": "2019-09-30T00:00:00.000Z", "categories": [ "HTTP", @@ -4772,7 +4772,7 @@ "created": "2022-05-23T19:03:38.000Z", "id": "12123455-abcd-5678-1234-01234567890e-default-asset-4123|f5-big-ip-cve-2017-7656|2024-06-23T17:54:28.107Z", "kind": "event", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":161,\"protocol\":\"UDP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":161,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":9,\"exploits\":5,\"host_name\":\"BIG-IP-16-1-0.dev.test.rapid7.com\",\"id\":\"12123455-abcd-5678-1234-01234567890e-default-asset-4123\",\"ip\":\"175.16.199.1\",\"last_assessed_for_vulnerabilities\":\"2024-06-23T17:54:28.107Z\",\"last_scan_end\":\"2024-06-23T17:54:28.107Z\",\"last_scan_start\":\"2024-06-23T17:44:15.351Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":10,\"new\":[],\"os_architecture\":\"\",\"os_description\":\"F5 BIG-IP 16.1.0.0\",\"os_family\":\"BIG-IP\",\"os_name\":\"BIG-IP\",\"os_system_name\":\"F5 BIG-IP\",\"os_type\":\"Network management device\",\"os_vendor\":\"F5\",\"os_version\":\"16.1.0.0\",\"remediated\":[],\"risk_score\":35804.71185,\"vuln\":{\"check_id\":null,\"first_found\":\"2022-05-23T19:03:38Z\",\"key\":\"F5 BIG-IP 16.1.0.0\",\"last_found\":\"2024-06-23T17:54:28.107Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: F5 BIG-IP 16.1.0.0

  • The property "ltm" contains: true.

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

\\n Upgrade to the latest available version of F5 BIG-IP. Refer to BIG-IP Hotfix Matrix for the latest hotfix information.\\n

\",\"solution_id\":\"f5-big-ip-upgrade-latest\",\"solution_summary\":\"Upgrade to the latest available version of F5 BIG-IP\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"f5-big-ip-cve-2017-7656\",\"added\":\"2022-04-20T00:00:00Z\",\"categories\":\"F5,F5 BIG-IP,Web\",\"cves\":\"CVE-2017-7656\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":2.8627500620484354,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:N/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"denial_of_service\":false,\"description\":\"In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. 
This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.\",\"exploits\":[],\"id\":\"f5-big-ip-cve-2017-7656\",\"links\":[{\"href\":\"https://my.f5.com/manage/s/article/K21054458\",\"id\":\"https://my.f5.com/manage/s/article/K21054458\",\"source\":\"url\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2017-7656\",\"id\":\"CVE-2017-7656\",\"source\":\"cve\"}],\"malware_kits\":[],\"modified\":\"2024-12-06T00:00:00Z\",\"pci_cvss_score\":5,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2018-06-26T00:00:00Z\",\"references\":\"cve:CVE-2017-7656,url:https://my.f5.com/manage/s/article/K21054458\",\"risk_score\":229.89,\"severity\":\"severe\",\"severity_score\":5,\"title\":\"F5 Networks: CVE-2017-7656: K21054458: Eclipse Jetty vulnerability CVE-2017-7656\"},\"severe_vulnerabilities\":94,\"tags\":[{\"name\":\"snow_test\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets2\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets\",\"type\":\"CUSTOM\"},{\"name\":\"my tag test\",\"type\":\"CUSTOM\"},{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":113,\"type\":\"guest\",\"unique_identifiers\":[]}", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":161,\"protocol\":\"UDP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":161,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":9,\"exploits\":5,\"host_name\":\"BIG-IP-16-1-0.dev.test.rapid7.com\",\"id\":\"12123455-abcd-5678-1234-01234567890e-default-asset-4123\",\"ip\":\"175.16.199.1\",\"last_assessed_for_vulnerabilities\":\"2024-06-23T17:54:28.107Z\",\"last_scan_end\":\"2024-06-23T17:54:28.107Z\",\"last_scan_start\":\"2024-06-23T17:44:15.351Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":0,\"moderate_vulnerabilities\":10,\"new\":[],\"os_architecture\":\"\",\"os_description\":\"F5 BIG-IP 16.1.0.0\",\"os_family\":\"BIG-IP\",\"os_name\":\"BIG-IP\",\"os_system_name\":\"F5 BIG-IP\",\"os_type\":\"Network management device\",\"os_vendor\":\"F5\",\"os_version\":\"16.1.0.0\",\"remediated\":[],\"risk_score\":35804.71185,\"vulnerability\":{\"check_id\":null,\"first_found\":\"2022-05-23T19:03:38Z\",\"key\":\"F5 BIG-IP 16.1.0.0\",\"last_found\":\"2024-06-23T17:54:28.107Z\",\"nic\":null,\"port\":null,\"proof\":\"

Vulnerable OS: F5 BIG-IP 16.1.0.0

  • The property "ltm" contains: true.

\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"

\\n Upgrade to the latest available version of F5 BIG-IP. Refer to BIG-IP Hotfix Matrix for the latest hotfix information.\\n

\",\"solution_id\":\"f5-big-ip-upgrade-latest\",\"solution_summary\":\"Upgrade to the latest available version of F5 BIG-IP\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"vulnerability_id\":\"f5-big-ip-cve-2017-7656\",\"added\":\"2022-04-20T00:00:00Z\",\"categories\":\"F5,F5 BIG-IP,Web\",\"cves\":\"CVE-2017-7656\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"none\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":2.8627500620484354,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:N/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"none\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":7.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"denial_of_service\":false,\"description\":\"In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. 
This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.\",\"exploits\":[],\"id\":\"f5-big-ip-cve-2017-7656\",\"links\":[{\"href\":\"https://my.f5.com/manage/s/article/K21054458\",\"id\":\"https://my.f5.com/manage/s/article/K21054458\",\"source\":\"url\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2017-7656\",\"id\":\"CVE-2017-7656\",\"source\":\"cve\"}],\"malware_kits\":[],\"modified\":\"2024-12-06T00:00:00Z\",\"pci_cvss_score\":5,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"published\":\"2018-06-26T00:00:00Z\",\"references\":\"cve:CVE-2017-7656,url:https://my.f5.com/manage/s/article/K21054458\",\"risk_score\":229.89,\"severity\":\"severe\",\"severity_score\":5,\"title\":\"F5 Networks: CVE-2017-7656: K21054458: Eclipse Jetty vulnerability CVE-2017-7656\"},\"severe_vulnerabilities\":94,\"tags\":[{\"name\":\"snow_test\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets2\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets\",\"type\":\"CUSTOM\"},{\"name\":\"my tag test\",\"type\":\"CUSTOM\"},{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":113,\"type\":\"guest\",\"unique_identifiers\":[]}", "severity": 5, "type": [ "info" @@ -4836,7 +4836,7 @@ "severe_vulnerabilities": 94, "total_vulnerabilities": 113, "type": "guest", - "vuln": { + "vulnerability": { "added": "2022-04-20T00:00:00.000Z", "categories": [ "F5", diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/system/test-default-config.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/system/test-default-config.yml index d7108d9ed5f..397ade4ac07 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/system/test-default-config.yml +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/system/test-default-config.yml 
@@ -3,10 +3,13 @@ service: rapid7_insightvm vars: url: http://{{Hostname}}:{{Port}} api_key: api_key + logging: + level: debug data_stream: vars: batch_size: 2 preserve_original_event: true preserve_duplicate_custom_fields: true + enable_request_tracer: true assert: - hit_count: 7 + hit_count: 8 diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs index 2c12fd7a0a2..8414f9e285a 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs @@ -27,11 +27,13 @@ program: | : now ).as(interval_time, debug("DEBUG_work", - has(state.assets) && state.is_all_assets_fetched ? + has(state.assets) && (state.is_all_assets_fetched || !state.?is_current_vulnerabilities_fetched.orValue(false)) ? { "assets": state.assets, "is_all_assets_fetched": state.is_all_assets_fetched, + "asset_vuln_ids": state.asset_vuln_ids, "interval_time": interval_time, + ?"next_asset_cursor": state.?next_asset_cursor, } : request( @@ -41,7 +43,7 @@ program: | "includeUniqueIdentifiers": ["true"], ?"includeSame": has(state.?cursor.last_interval_time) ? optional.none() : optional.of(["true"]), ?"comparisonTime": state.?cursor.last_interval_time.optMap(v, [v]), - ?"cursor": state.?next_cursor.optMap(v, [v]), + ?"cursor": state.?next_asset_cursor.optMap(v, [v]), }.format_query() ).with({ "Header": { 
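Review bot: `logging: level: debug` and `enable_request_tracer: true` in test-default-config.yml read as debugging aids rather than part of the data-stream change; the request tracer persists the full HTTP exchanges of the test run, which for this stream, as far as I know, include the `X-Api-Key` request header built in cel.yml.hbs. If they are meant to stay for CI diagnostics, a one-line comment above them such as `# request tracer kept on for CI diagnostics; trace files hold the API key header` would stop the next reader from silently removing them; otherwise drop both settings before merge. The `hit_count` change from 7 to 8 is not explained here, and a short note tying it to the new per-batch publishing in the CEL program would help whoever next updates the fixture.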
@@ -52,10 +54,10 @@ program: | "events": [{"message": "retry"}], "batch_size": state.batch_size, "api_key": state.api_key, - ?"next_cursor": has(body.?metadata.cursor) && body.metadata.cursor != null ? optional.of(body.metadata.cursor) : optional.none(), + ?"next_asset_cursor": has(body.?metadata.cursor) && body.metadata.cursor != null ? optional.of(body.metadata.cursor) : optional.none(), "is_all_assets_fetched": has(body.metadata.cursor) && body.metadata.cursor != null ? false : true, - "assets": (state.?assets.orValue([]) + body.data).flatten(), - "asset_vuln_ids": debug("DEBUG_asset_vuln_ids", debug("DEBUG_vuln_ids", (state.?assets.orValue([]) + body.data).flatten().map(a, + "assets": body.data, + "asset_vuln_ids": debug("DEBUG_asset_vuln_ids", debug("DEBUG_vuln_ids", body.data.map(a, a.?same.orValue([]).map(s, s.vulnerability_id) + a.?new.orValue([]).map(n, n.vulnerability_id) + a.?remediated.orValue([]).map(r, r.vulnerability_id) ).flatten()).as(vuln_ids, vuln_ids.map(vuln_id, string(vuln_id)).as(str_vuln_ids, zip(str_vuln_ids, vuln_ids)) 
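Review bot: The new `"asset_vuln_ids"` line keeps the nested `debug("DEBUG_asset_vuln_ids", debug("DEBUG_vuln_ids", …))` wrappers, and the earlier hunk keeps `debug("DEBUG_work", …)`; these emit the whole id list and the whole work object on every asset page and look like development scaffolding rather than part of the change. Remove them before merge, or if they are intended to stay, add a comment such as `// debug() wrappers are intentional: they surface per-page state at debug log level` so a later cleanup does not strip them. On the new `"assets": body.data` line the old accumulation is gone, so a response without `data` now makes `body.data.map(a, …)` fail rather than yielding an empty batch; `body.?data.orValue([])` in both places would make that explicit, if an empty page is possible from this endpoint.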
@@ -85,37 +87,38 @@ program: | )).as(work, has(work.events) ? work : // Exit early ( - has(state.vulnerabilities) && state.is_all_vulnerabilities_fetched ? + (has(state.vulnerabilities) && state.is_current_vulnerabilities_fetched) ? work.with({ "vulnerabilities": state.vulnerabilities, - "is_all_vulnerabilities_fetched": state.is_all_vulnerabilities_fetched + "is_current_vulnerabilities_fetched": state.is_current_vulnerabilities_fetched }) : request( "POST", state.url.trim_right("/") + "/vm/v4/integration/vulnerabilities?" + { "size": ["500"], - ?"cursor": state.?next_cursor.optMap(v, [v]), + ?"cursor": state.?next_vuln_cursor.optMap(v, [v]), }.format_query() ).with({ "Header": { "X-Api-Key": [state.api_key], "Content-Type": ["application/json"] }, - }).as(req, !has(work.asset_vuln_ids) ? req : req.with({ "Body": { "vulnerability": work.asset_vuln_ids.as(x, sprintf("id IN ['%s']", [x.join("','")])), }.encode_json(), - })).do_request().as(resp, resp.StatusCode == 200 ? + }).do_request().as(resp, resp.StatusCode == 200 ? resp.Body.decode_json().as(body, { "events": [{"message": "retry"}], "batch_size": state.batch_size, "api_key": state.api_key, "assets": state.assets, "is_all_assets_fetched": state.is_all_assets_fetched, - ?"next_cursor": has(body.?metadata.cursor) && body.metadata.cursor != null ? optional.of(body.metadata.cursor) : optional.none(), - "is_all_vulnerabilities_fetched": has(body.metadata.cursor) && body.metadata.cursor != null ? false : true, + ?"next_vuln_cursor": has(body.?metadata.cursor) && body.metadata.cursor != null ? optional.of(body.metadata.cursor) : optional.none(), + ?"next_asset_cursor": work.?next_asset_cursor, + "is_current_vulnerabilities_fetched": has(body.metadata.cursor) && body.metadata.cursor != null ? false : true, "vulnerabilities": (state.?vulnerabilities.orValue([]) + body.data).flatten(), + "asset_vuln_ids": work.asset_vuln_ids, "interval_time": work.interval_time, "want_more": true }) 
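Review bot: With the `req.with({"Body": … "id IN [...]" …})` filter removed, the `POST …/vm/v4/integration/vulnerabilities` request now pages through the whole vulnerability catalogue 500 at a time, and because `vulnerabilities` is not carried in the state returned after a batch is published, that full pull is repeated for every batch of `batch_size` assets. `asset_vuln_ids` is still threaded through on the new `"asset_vuln_ids": work.asset_vuln_ids` line, but nothing visible in this diff reads it any more, so either the filter should come back or the state field should go. If the body filter was dropped because the API rejects long `id IN` lists, a comment at the request saying so would keep the next reader from reinstating it unchanged. Separately, the new `"is_current_vulnerabilities_fetched": has(body.metadata.cursor) && …` line is not null-safe while the line above uses `has(body.?metadata.cursor)`; using the optional form on both keeps a response without `metadata` from erroring.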
@@ -140,36 +143,55 @@ program: | ) ) ).as(work, - has(work.events) ? work : // Exit early - work.with({ - // convert vulnerabilities to map for better searching - "vulnerabilities": work.vulnerabilities.map(e, { - "key": e.id, - "value": e - }).as(result, zip( - result.map(e, e.key), - result.map(e, e.value) - )), - // combine same[] new[] remediated[] into vulnerability[] - "assets": work.assets.map(e, e.with({ - "vulnerability": e.?same.orValue([]) + e.?new.orValue([]) + e.?remediated.orValue([]).map(r, r.with({"remediated": true})), - }).drop(["new","remediated","same"])) - }).as(work, { - "events": work.assets.map(e, e.vulnerability.map(v, { - "message": e.with({"vuln": v.with( - work.?vulnerabilities[v.vulnerability_id].orValue("not present") != "not present" ? - work.vulnerabilities[v.vulnerability_id] - : - {"is_present": "no"} - )}).encode_json() - })).flatten(), - "cursor": { - "last_interval_time": state.interval_time, - }, - "want_more": false, - "api_key": state.api_key, - "batch_size": state.batch_size - }) + (type(work.events) == map || !(work.is_all_assets_fetched || work.?is_current_vulnerabilities_fetched.orValue(false))) ? + work // Error or more vulnerabilities to fetch for current assets. + : + work.is_all_assets_fetched ? + // All assets fetched. Save cursor and end iteration. + { + "events": [], + "cursor": { + ?"last_interval_time": optional.of(work.interval_time), + }, + "want_more": false, + "api_key": state.api_key, + "batch_size": state.batch_size, + } + : + // All vulnerabilities of current assets batch are fetched. Publish events. 
+ work.with({ + // convert vulnerabilities to map for better searching + "vulnerabilities": work.vulnerabilities.map(e, { + "key": e.id, + "value": e + }).as(result, zip( + result.map(e, e.key), + result.map(e, e.value) + )), + // combine same[] new[] remediated[] into vulnerability[] + "assets": work.assets.map(e, e.with({ + "vulnerabilities": e.?same.orValue([]) + e.?new.orValue([]) + e.?remediated.orValue([]).map(r, r.with({"remediated": true})), + }).drop(["new","remediated","same"])) + }).as(work, { + "events": work.assets.map(e, e.vulnerabilities.map(v, { + "message": e.with({"vulnerability": v.with( + work.?vulnerabilities[v.vulnerability_id].orValue("not present") != "not present" ? + work.vulnerabilities[v.vulnerability_id] + : + {"is_enriched": false} + )}).drop("vulnerabilities").encode_json() + })).flatten(), + "is_all_assets_fetched": work.is_all_assets_fetched, + "is_current_vulnerabilities_fetched": work.is_current_vulnerabilities_fetched, + ?"next_asset_cursor": work.?next_asset_cursor, + "interval_time": work.interval_time, + //"cursor": { + // ?"last_interval_time": work.is_all_assets_fetched ? optional.of(state.interval_time) : optional.none(), + //}, + "want_more": !(work.is_all_assets_fetched && work.is_current_vulnerabilities_fetched), + "api_key": state.api_key, + "batch_size": state.batch_size, + }) ) tags: {{#if preserve_original_event}} diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml index b26a02123d1..ece3fc59807 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml 
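Review bot: In the final stage the `work.is_all_assets_fetched ?` branch returns `"events": []` and saves the cursor before the publish branch is reached, so as far as these branches show, the vulnerabilities for the last page of assets (the page with no `metadata.cursor`) are fetched but never turned into events, and if that page's vulnerabilities span several pages the remaining ones are not requested either, because the first condition's `!(work.is_all_assets_fetched || …)` stops short-circuiting as soon as all assets are fetched. Unless a later commit reorders this, the publish branch should run for the last batch too, with the cursor saved in that same return guarded by `work.is_all_assets_fetched`, which is what the commented-out `//"cursor": {…}` block appears to have attempted. Those commented-out lines should then be reinstated or deleted rather than left as dead text. The enclosing `program:` block starts outside the hunk.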
@@ -456,82 +456,82 @@ processors: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - date: - field: json.vuln.added - tag: date_vuln_added - target_field: rapid7_insightvm.asset_vulnerability.vuln.added + field: json.vulnerability.added + tag: date_vulnerability_added + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.added formats: - ISO8601 - if: ctx.json?.vuln?.added != null && ctx.json.vuln.added != '' + if: ctx.json?.vulnerability?.added != null && ctx.json.vulnerability.added != '' on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - split: - field: json.vuln.categories + field: json.vulnerability.categories separator: ',' - tag: split_vuln_categories - target_field: rapid7_insightvm.asset_vulnerability.vuln.categories + tag: split_vulnerability_categories + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.categories ignore_missing: true - if: ctx.json?.vuln?.categories instanceof String + if: ctx.json?.vulnerability?.categories instanceof String on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: vulnerability.category - tag: set_vulnerability_category_from_asset_vulnerability_vuln_categories - copy_from: rapid7_insightvm.asset_vulnerability.vuln.categories + tag: set_vulnerability_category_from_asset_vulnerability_vulnerability_categories + copy_from: rapid7_insightvm.asset_vulnerability.vulnerability.categories ignore_empty_value: true - rename: 
- field: json.vuln.check_id - tag: rename_vuln_check_id - target_field: rapid7_insightvm.asset_vulnerability.vuln.check_id + field: json.vulnerability.check_id + tag: rename_vulnerability_check_id + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.check_id ignore_missing: true - split: - field: json.vuln.cves + field: json.vulnerability.cves separator: ',' - tag: split_vuln_cves - target_field: rapid7_insightvm.asset_vulnerability.vuln.cves + tag: split_vulnerability_cves + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cves ignore_missing: true - if: ctx.json?.vuln?.cves instanceof String + if: ctx.json?.vulnerability?.cves instanceof String on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: vulnerability.id - tag: set_vulnerability_id_from_asset_vulnerability_vuln_cves - copy_from: rapid7_insightvm.asset_vulnerability.vuln.cves + tag: set_vulnerability_id_from_asset_vulnerability_vulnerability_cves + copy_from: rapid7_insightvm.asset_vulnerability.vulnerability.cves ignore_empty_value: true - rename: - field: json.vuln.cvss_v2_access_complexity - tag: rename_vuln_cvss_v2_access_complexity - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.access_complexity + field: json.vulnerability.cvss_v2_access_complexity + tag: rename_vulnerability_cvss_v2_access_complexity + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.access_complexity ignore_missing: true - rename: - field: json.vuln.cvss_v2_access_vector - tag: rename_vuln_cvss_v2_access_vector - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.access_vector + field: json.vulnerability.cvss_v2_access_vector + tag: rename_vulnerability_cvss_v2_access_vector + target_field: 
rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.access_vector ignore_missing: true - rename: - field: json.vuln.cvss_v2_authentication - tag: rename_vuln_cvss_v2_authentication - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.authentication + field: json.vulnerability.cvss_v2_authentication + tag: rename_vulnerability_cvss_v2_authentication + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.authentication ignore_missing: true - rename: - field: json.vuln.cvss_v2_availability_impact - tag: rename_vuln_cvss_v2_availability_impact - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.availability_impact + field: json.vulnerability.cvss_v2_availability_impact + tag: rename_vulnerability_cvss_v2_availability_impact + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.availability_impact ignore_missing: true - rename: - field: json.vuln.cvss_v2_confidentiality_impact - tag: rename_vuln_cvss_v2_confidentiality_impact - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.confidentiality_impact + field: json.vulnerability.cvss_v2_confidentiality_impact + tag: rename_vulnerability_cvss_v2_confidentiality_impact + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.confidentiality_impact ignore_missing: true - convert: - field: json.vuln.cvss_v2_exploit_score - tag: convert_vuln_cvss_v2_exploit_score_to_double - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.exploit_score + field: json.vulnerability.cvss_v2_exploit_score + tag: convert_vulnerability_cvss_v2_exploit_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.exploit_score type: double ignore_missing: true on_failure: 
@@ -539,9 +539,9 @@ processors: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: - field: json.vuln.cvss_v2_impact_score - tag: convert_vuln_cvss_v2_impact_score_to_double - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.impact_score + field: json.vulnerability.cvss_v2_impact_score + tag: convert_vulnerability_cvss_v2_impact_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.impact_score type: double ignore_missing: true on_failure: @@ -549,14 +549,14 @@ processors: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: - field: json.vuln.cvss_v2_integrity_impact - tag: rename_vuln_cvss_v2_integrity_impact - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.integrity_impact + field: json.vulnerability.cvss_v2_integrity_impact + tag: rename_vulnerability_cvss_v2_integrity_impact + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.integrity_impact ignore_missing: true - convert: - field: json.vuln.cvss_v2_score - tag: convert_vuln_cvss_v2_score_to_double - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.score + field: json.vulnerability.cvss_v2_score + tag: convert_vulnerability_cvss_v2_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.score type: double ignore_missing: true on_failure: 
@@ -564,34 +564,34 @@ processors: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: - field: json.vuln.cvss_v2_vector - tag: rename_vuln_cvss_v2_vector - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.vector + field: json.vulnerability.cvss_v2_vector + tag: rename_vulnerability_cvss_v2_vector + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.vector ignore_missing: true - rename: - field: json.vuln.cvss_v3_attack_complexity - tag: rename_vuln_cvss_v3_attack_complexity - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.attack_complexity + field: json.vulnerability.cvss_v3_attack_complexity + tag: rename_vulnerability_cvss_v3_attack_complexity + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.attack_complexity ignore_missing: true - rename: - field: json.vuln.cvss_v3_attack_vector - tag: rename_vuln_cvss_v3_attack_vector - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.attack_vector + field: json.vulnerability.cvss_v3_attack_vector + tag: rename_vulnerability_cvss_v3_attack_vector + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.attack_vector ignore_missing: true - rename: - field: json.vuln.cvss_v3_availability_impact - tag: rename_vuln_cvss_v3_availability_impact - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.availability_impact + field: json.vulnerability.cvss_v3_availability_impact + tag: rename_vulnerability_cvss_v3_availability_impact + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.availability_impact ignore_missing: true - rename: - field: json.vuln.cvss_v3_confidentiality_impact - tag: rename_vuln_cvss_v3_confidentiality_impact - target_field: 
rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.confidentiality_impact + field: json.vulnerability.cvss_v3_confidentiality_impact + tag: rename_vulnerability_cvss_v3_confidentiality_impact + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.confidentiality_impact ignore_missing: true - convert: - field: json.vuln.cvss_v3_exploit_score - tag: convert_vuln_cvss_v3_exploit_score_to_double - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.exploit_score + field: json.vulnerability.cvss_v3_exploit_score + tag: convert_vulnerability_cvss_v3_exploit_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.exploit_score type: double ignore_missing: true on_failure: @@ -599,9 +599,9 @@ processors: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: - field: json.vuln.cvss_v3_impact_score - tag: convert_vuln_cvss_v3_impact_score_to_double - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.impact_score + field: json.vulnerability.cvss_v3_impact_score + tag: convert_vulnerability_cvss_v3_impact_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.impact_score type: double ignore_missing: true on_failure: 
@@ -609,24 +609,24 @@ processors: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: - field: json.vuln.cvss_v3_integrity_impact - tag: rename_vuln_cvss_v3_integrity_impact - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.integrity_impact + field: json.vulnerability.cvss_v3_integrity_impact + tag: rename_vulnerability_cvss_v3_integrity_impact + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.integrity_impact ignore_missing: true - rename: - field: json.vuln.cvss_v3_privileges_required - tag: rename_vuln_cvss_v3_privileges_required - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.privileges_required + field: json.vulnerability.cvss_v3_privileges_required + tag: rename_vulnerability_cvss_v3_privileges_required + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.privileges_required ignore_missing: true - rename: - field: json.vuln.cvss_v3_scope - tag: rename_vuln_cvss_v3_scope - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.scope + field: json.vulnerability.cvss_v3_scope + tag: rename_vulnerability_cvss_v3_scope + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.scope ignore_missing: true - convert: - field: json.vuln.cvss_v3_score - tag: convert_vuln_cvss_v3_score_to_double - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.score + field: json.vulnerability.cvss_v3_score + tag: convert_vulnerability_cvss_v3_score_to_double + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.score type: double ignore_missing: true on_failure: 
@@ -635,27 +635,27 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: vulnerability.score.base - tag: set_vulnerability_score_base_from_asset_vulnerability_vuln_cvss_v3_score - copy_from: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.score + tag: set_vulnerability_score_base_from_asset_vulnerability_vulnerability_cvss_v3_score + copy_from: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.score ignore_empty_value: true - set: field: vulnerability.score.version tag: set_vulnerability_score_version value: '3.0' - rename: - field: json.vuln.cvss_v3_user_interaction - tag: rename_vuln_cvss_v3_user_interaction - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.user_interaction + field: json.vulnerability.cvss_v3_user_interaction + tag: rename_vulnerability_cvss_v3_user_interaction + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.user_interaction ignore_missing: true - rename: - field: json.vuln.cvss_v3_vector - tag: rename_vuln_cvss_v3_vector - target_field: rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.vector + field: json.vulnerability.cvss_v3_vector + tag: rename_vulnerability_cvss_v3_vector + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.vector ignore_missing: true - convert: - field: json.vuln.denial_of_service - tag: convert_vuln_denial_of_service_to_boolean - target_field: rapid7_insightvm.asset_vulnerability.vuln.denial_of_service + field: json.vulnerability.denial_of_service + tag: convert_vulnerability_denial_of_service_to_boolean + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.denial_of_service type: boolean ignore_missing: true on_failure: 
@@ -663,100 +663,116 @@ processors:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- rename:
- field: json.vuln.description
- tag: rename_vuln_description
- target_field: rapid7_insightvm.asset_vulnerability.vuln.description
+ field: json.vulnerability.description
+ tag: rename_vulnerability_description
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.description
ignore_missing: true
- set:
field: vulnerability.description
- tag: set_vulnerability_description_from_asset_vulnerability_vuln_description
- copy_from: rapid7_insightvm.asset_vulnerability.vuln.description
+ tag: set_vulnerability_description_from_asset_vulnerability_vulnerability_description
+ copy_from: rapid7_insightvm.asset_vulnerability.vulnerability.description
ignore_empty_value: true
- rename:
- field: json.vuln.exploits
- tag: rename_vuln_exploits
- target_field: rapid7_insightvm.asset_vulnerability.vuln.exploits
+ field: json.vulnerability.exploits
+ tag: rename_vulnerability_exploits
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.exploits
ignore_missing: true
- date:
- field: json.vuln.first_found
- tag: date_vuln_first_found
- target_field: rapid7_insightvm.asset_vulnerability.vuln.first_found
+ field: json.vulnerability.first_found
+ tag: date_vulnerability_first_found
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.first_found
formats:
- ISO8601
- if: ctx.json?.vuln?.first_found != null && ctx.json.vuln.first_found != ''
+ if: ctx.json?.vulnerability?.first_found != null && ctx.json.vulnerability.first_found != ''
on_failure:
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message:
{{{_ingest.on_failure_message}}}'
- set:
field: event.created
- tag: set_event_created_from_asset_vulnerability_vuln_first_found
- copy_from: rapid7_insightvm.asset_vulnerability.vuln.first_found
+ tag: set_event_created_from_asset_vulnerability_vulnerability_first_found
+ copy_from: rapid7_insightvm.asset_vulnerability.vulnerability.first_found
ignore_empty_value: true
- rename:
- field: json.vuln.id
- tag: rename_vuln_id
- target_field: rapid7_insightvm.asset_vulnerability.vuln.id
+ field: json.vulnerability.id
+ tag: rename_vulnerability_id
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.id
ignore_missing: true
- rename:
- field: json.vuln.key
- tag: rename_vuln_key
- target_field: rapid7_insightvm.asset_vulnerability.vuln.key
+ field: json.vulnerability.vulnerability_id
+ tag: rename_vulnerability_vulnerability_id
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.id
+ if: ctx.rapid7_insightvm?.asset_vulnerability?.vulnerability?.id == null
ignore_missing: true
+ - rename:
+ field: json.vulnerability.key
+ tag: rename_vulnerability_key
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.key
+ ignore_missing: true
+ - convert:
+ field: json.vulnerability.is_enriched
+ tag: convert_vulnerability_is_enriched_to_boolean
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.is_enriched
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- date:
- field: json.vuln.last_found
- tag: date_vuln_last_found
- target_field: rapid7_insightvm.asset_vulnerability.vuln.last_found
+ field: json.vulnerability.last_found
+ tag: date_vulnerability_last_found
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.last_found
formats:
- ISO8601
- if:
ctx.json?.vuln?.last_found != null && ctx.json.vuln.last_found != ''
+ if: ctx.json?.vulnerability?.last_found != null && ctx.json.vulnerability.last_found != ''
on_failure:
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- set:
field: '@timestamp'
- tag: set_timestamp_from_asset_vulnerability_vuln_last_found
- copy_from: rapid7_insightvm.asset_vulnerability.vuln.last_found
+ tag: set_timestamp_from_asset_vulnerability_vulnerability_last_found
+ copy_from: rapid7_insightvm.asset_vulnerability.vulnerability.last_found
ignore_empty_value: true
- set:
field: event.id
tag: set_event_id
- value: '{{rapid7_insightvm.asset_vulnerability.id}}|{{rapid7_insightvm.asset_vulnerability.vuln.id}}|{{rapid7_insightvm.asset_vulnerability.vuln.last_found}}'
+ value: '{{rapid7_insightvm.asset_vulnerability.id}}|{{rapid7_insightvm.asset_vulnerability.vulnerability.id}}|{{rapid7_insightvm.asset_vulnerability.vulnerability.last_found}}'
- rename:
- field: json.vuln.links
- tag: rename_vuln_links
- target_field: rapid7_insightvm.asset_vulnerability.vuln.links
+ field: json.vulnerability.links
+ tag: rename_vulnerability_links
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.links
ignore_missing: true
- foreach:
- field: rapid7_insightvm.asset_vulnerability.vuln.links
- if: ctx.rapid7_insightvm?.asset_vulnerability?.vuln?.links instanceof List
+ field: rapid7_insightvm.asset_vulnerability.vulnerability.links
+ if: ctx.rapid7_insightvm?.asset_vulnerability?.vulnerability?.links instanceof List
processor:
append:
field: vulnerability.reference
- tag: append_vuln_links_href_into_vulnerability_reference
+ tag: append_vulnerability_links_href_into_vulnerability_reference
value: '{{{_ingest._value.href}}}'
allow_duplicates: false
- rename:
- field: json.vuln.malware_kits
- tag:
rename_vuln_malware_kits
- target_field: rapid7_insightvm.asset_vulnerability.vuln.malware_kits
+ field: json.vulnerability.malware_kits
+ tag: rename_vulnerability_malware_kits
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.malware_kits
ignore_missing: true
- date:
- field: json.vuln.modified
- tag: date_vuln_modified
- target_field: rapid7_insightvm.asset_vulnerability.vuln.modified
+ field: json.vulnerability.modified
+ tag: date_vulnerability_modified
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.modified
formats:
- ISO8601
- if: ctx.json?.vuln?.modified != null && ctx.json.vuln.modified != ''
+ if: ctx.json?.vulnerability?.modified != null && ctx.json.vulnerability.modified != ''
on_failure:
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
- field: json.vuln.pci_cvss_score
- tag: convert_vuln_pci_cvss_score_to_double
- target_field: rapid7_insightvm.asset_vulnerability.vuln.pci.cvss_score
+ field: json.vulnerability.pci_cvss_score
+ tag: convert_vulnerability_pci_cvss_score_to_double
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.pci.cvss_score
type: double
ignore_missing: true
on_failure:
@@ -764,9 +780,9 @@ processors:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
- field: json.vuln.pci_fail
- tag: convert_vuln_pci_fail_to_boolean
- target_field: rapid7_insightvm.asset_vulnerability.vuln.pci.fail
+ field: json.vulnerability.pci_fail
+ tag: convert_vulnerability_pci_fail_to_boolean
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.pci.fail
type: boolean
ignore_missing: true
on_failure:
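Review bot: `set_event_id` in this hunk still templates `rapid7_insightvm.asset_vulnerability.vulnerability.id` into `event.id` with no guard, so when neither `json.vulnerability.id` nor the new `vulnerability_id` fallback supplies an id, the document is indexed with an empty middle segment (`<asset>||<last_found>`) instead of being flagged, and two different findings on the same asset from the same scan could then collide on `event.id`. Consider `if: ctx.rapid7_insightvm?.asset_vulnerability?.vulnerability?.id != null` on that set, with an `append` to `error.message` for the missing-id case so the gap is visible rather than silent. Separately, the new `rename_vulnerability_vulnerability_id` runs only when `id` is already null, so on events carrying both keys (as the sample event in this patch does) `json.vulnerability.vulnerability_id` is left in place; that is harmless only if the whole `json` object is removed later in the pipeline, which is outside this hunk. The enclosing processors list starts and ends outside the hunk.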
@@ -774,9 +790,9 @@ processors:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
- field: json.vuln.pci_severity_score
- tag: convert_vuln_pci_severity_score_to_long
- target_field: rapid7_insightvm.asset_vulnerability.vuln.pci.severity_score
+ field: json.vulnerability.pci_severity_score
+ tag: convert_vulnerability_pci_severity_score_to_long
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.pci.severity_score
type: long
ignore_missing: true
on_failure:
@@ -784,19 +800,19 @@ processors:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- rename:
- field: json.vuln.pci_special_notes
- tag: rename_vuln_pci_special_notes
- target_field: rapid7_insightvm.asset_vulnerability.vuln.pci.special_notes
+ field: json.vulnerability.pci_special_notes
+ tag: rename_vulnerability_pci_special_notes
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.pci.special_notes
ignore_missing: true
- rename:
- field: json.vuln.pci_status
- tag: rename_vuln_pci_status
- target_field: rapid7_insightvm.asset_vulnerability.vuln.pci.status
+ field: json.vulnerability.pci_status
+ tag: rename_vulnerability_pci_status
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.pci.status
ignore_missing: true
- convert:
- field: json.vuln.port
- tag: convert_vuln_port_to_long
- target_field: rapid7_insightvm.asset_vulnerability.vuln.port
+ field: json.vulnerability.port
+ tag: convert_vulnerability_port_to_long
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.port
type: long
ignore_missing: true
on_failure:
@@ -804,52 +820,52 @@ processors:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- html_strip:
- field: json.vuln.proof
- tag: html_strip_vuln_proof
- target_field: rapid7_insightvm.asset_vulnerability.vuln.proof
+ field: json.vulnerability.proof
+ tag: html_strip_vulnerability_proof
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.proof
ignore_missing: true
on_failure:
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- trim:
- field: rapid7_insightvm.asset_vulnerability.vuln.proof
- tag: trim_vuln_proof
+ field: rapid7_insightvm.asset_vulnerability.vulnerability.proof
+ tag: trim_vulnerability_proof
ignore_missing: true
on_failure:
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- rename:
- field: json.vuln.protocol
- tag: rename_vuln_protocol
- target_field: rapid7_insightvm.asset_vulnerability.vuln.protocol
+ field: json.vulnerability.protocol
+ tag: rename_vulnerability_protocol
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.protocol
ignore_missing: true
- date:
- field: json.vuln.published
- tag: date_vuln_published
- target_field: rapid7_insightvm.asset_vulnerability.vuln.published
+ field: json.vulnerability.published
+ tag: date_vulnerability_published
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.published
formats:
- ISO8601
- if: ctx.json?.vuln?.published != null && ctx.json.vuln.published != ''
+ if: ctx.json?.vulnerability?.published != null &&
ctx.json.vulnerability.published != ''
on_failure:
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- set:
field: vulnerability.published_date
- tag: set_vulnerability_published_date_from_asset_vulnerability_vuln_published
- copy_from: rapid7_insightvm.asset_vulnerability.vuln.published
+ tag: set_vulnerability_published_date_from_asset_vulnerability_vulnerability_published
+ copy_from: rapid7_insightvm.asset_vulnerability.vulnerability.published
ignore_empty_value: true
- rename:
- field: json.vuln.references
- tag: rename_vuln_references
- target_field: rapid7_insightvm.asset_vulnerability.vuln.references
+ field: json.vulnerability.references
+ tag: rename_vulnerability_references
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.references
ignore_missing: true
- convert:
- field: json.vuln.risk_score
- tag: convert_vuln_risk_score_to_double
- target_field: rapid7_insightvm.asset_vulnerability.vuln.risk_score
+ field: json.vulnerability.risk_score
+ tag: convert_vulnerability_risk_score_to_double
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.risk_score
type: double
ignore_missing: true
on_failure:
@@ -857,17 +873,17 @@ processors:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- rename:
- field: json.vuln.severity
- tag: rename_vuln_severity
- target_field: rapid7_insightvm.asset_vulnerability.vuln.severity
+ field: json.vulnerability.severity
+ tag: rename_vulnerability_severity
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.severity
ignore_missing: true
- script:
description: Map vulnerability.severity to CVSS standard
tag: script_to_map_severity_to_CVSS
lang: painless
- if: ctx.rapid7_insightvm?.asset_vulnerability?.vuln?.severity != null
+ if: ctx.rapid7_insightvm?.asset_vulnerability?.vulnerability?.severity != null
source: >
- String severity = ctx.rapid7_insightvm.asset_vulnerability.vuln.severity.toLowerCase();
+ String severity = ctx.rapid7_insightvm.asset_vulnerability.vulnerability.severity.toLowerCase();
if (severity == 'none') {
ctx.vulnerability.put('severity', 'None');
} else if (severity == 'informational') {
@@ -886,9 +902,9 @@ processors:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- convert:
- field: json.vuln.severity_score
- tag: convert_vuln_severity_score_to_long
- target_field: rapid7_insightvm.asset_vulnerability.vuln.severity_score
+ field: json.vulnerability.severity_score
+ tag: convert_vulnerability_severity_score_to_long
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.severity_score
type: long
ignore_missing: true
on_failure:
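Review bot: The `if:` on `script_to_map_severity_to_CVSS` only checks that the source severity is non-null, but the script body calls `ctx.vulnerability.put('severity', ...)`, which throws if no earlier processor has created the `vulnerability` object; the `set` processors that populate `vulnerability.*` earlier in this file all use `ignore_empty_value`, so a finding whose score and description are empty but whose severity is present would presumably reach the script with `ctx.vulnerability` unset. The `-886` hunk appears to show the script's `on_failure` handler, so the effect would be an `error.message` entry and an unmapped ECS severity rather than a dropped document, which is easy to miss in a vulnerability feed. Either tighten the guard, `if: ctx.rapid7_insightvm?.asset_vulnerability?.vulnerability?.severity != null && ctx.vulnerability != null`, or initialise the map at the top of the script with `if (ctx.vulnerability == null) { ctx.vulnerability = new HashMap(); }`. The script body continues outside the hunk.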
@@ -897,45 +913,45 @@ processors:
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- set:
field: event.severity
- tag: set_event_severity_from_asset_vulnerability_vuln_severity_score
- copy_from: rapid7_insightvm.asset_vulnerability.vuln.severity_score
+ tag: set_event_severity_from_asset_vulnerability_vulnerability_severity_score
+ copy_from: rapid7_insightvm.asset_vulnerability.vulnerability.severity_score
ignore_empty_value: true
- html_strip:
- field: json.vuln.solution_fix
- tag: html_strip_vuln_solution_fix
- target_field: rapid7_insightvm.asset_vulnerability.vuln.solution.fix
+ field: json.vulnerability.solution_fix
+ tag: html_strip_vulnerability_solution_fix
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.solution.fix
ignore_missing: true
on_failure:
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- trim:
- field: rapid7_insightvm.asset_vulnerability.vuln.solution.fix
- tag: trim_vuln_solution_fix
+ field: rapid7_insightvm.asset_vulnerability.vulnerability.solution.fix
+ tag: trim_vulnerability_solution_fix
ignore_missing: true
on_failure:
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- rename:
- field: json.vuln.solution_id
- tag: rename_vuln_solution_id
- target_field: rapid7_insightvm.asset_vulnerability.vuln.solution.id
+ field: json.vulnerability.solution_id
+ tag: rename_vulnerability_solution_id
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.solution.id
ignore_missing: true
-
rename:
- field: json.vuln.solution_summary
- tag: rename_vuln_solution_summary
- target_field: rapid7_insightvm.asset_vulnerability.vuln.solution.summary
+ field: json.vulnerability.solution_summary
+ tag: rename_vulnerability_solution_summary
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.solution.summary
ignore_missing: true
- rename:
- field: json.vuln.solution_type
- tag: rename_vuln_solution_type
- target_field: rapid7_insightvm.asset_vulnerability.vuln.solution.type
+ field: json.vulnerability.solution_type
+ tag: rename_vulnerability_solution_type
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.solution.type
ignore_missing: true
- grok:
- field: rapid7_insightvm.asset_vulnerability.vuln.proof
+ field: rapid7_insightvm.asset_vulnerability.vulnerability.proof
description: Extract package fields from proof.
- tag: grok_parse_vuln_proof
+ tag: grok_parse_vulnerability_proof
patterns:
- '^Vulnerable OS: %{DATA:_temp.os} Vulnerable software installed: %{DATA:package.name} Required patch %{GREEDYDATA}$'
- '^Vulnerable OS: %{DATA:_temp.os} Vulnerable software installed: %{DATA:package.name} Running HTTPS service %{GREEDYDATA}$'
@@ -968,8 +984,8 @@ processors:
copy_from: package.name
ignore_empty_value: true
- grok:
- field: rapid7_insightvm.asset_vulnerability.vuln.solution.summary
- tag: grok_parse_vuln_solution_summary
+ field: rapid7_insightvm.asset_vulnerability.vulnerability.solution.summary
+ tag: grok_parse_vulnerability_solution_summary
patterns:
- '^Upgrade to the %{DATA:package.fixed_version}( available)? version of %{DATA:_temp.package_name}$'
- '^(Upgrade|Update) %{DATA:_temp.package_name} to (the )?%{DATA:package.fixed_version}( version)?(.)?$'
@@ -988,23 +1004,23 @@ processors:
if: ctx.package?.name == null
- set:
field: package.version
- tag: set_package_version_from_vuln_key
- copy_from: rapid7_insightvm.asset_vulnerability.vuln.key
+ tag: set_package_version_from_vulnerability_key
+ copy_from: rapid7_insightvm.asset_vulnerability.vulnerability.key
ignore_empty_value: true
if: ctx.package?.version == null
- rename:
- field: json.vuln.status
- tag: rename_vuln_status
- target_field: rapid7_insightvm.asset_vulnerability.vuln.status
+ field: json.vulnerability.status
+ tag: rename_vulnerability_status
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.status
ignore_missing: true
- rename:
- field: json.vuln.title
- tag: rename_vuln_title
- target_field: rapid7_insightvm.asset_vulnerability.vuln.title
+ field: json.vulnerability.title
+ tag: rename_vulnerability_title
+ target_field: rapid7_insightvm.asset_vulnerability.vulnerability.title
ignore_missing: true
- grok:
- field: rapid7_insightvm.asset_vulnerability.vuln.title
- tag: grok_parse_vuln_title
+ field: rapid7_insightvm.asset_vulnerability.vulnerability.title
+ tag: grok_parse_vulnerability_title
patterns:
- '^%{DATA:_temp.package}: CVE-%{DATA:_temp.cve_id}: %{GREEDYDATA:vulnerability.title}$'
- '^%{DATA:_temp.package}: %{GREEDYDATA:vulnerability.title}$'
@@ -1027,13 +1043,12 @@ processors:
- rapid7_insightvm.asset_vulnerability.os.version
- rapid7_insightvm.asset_vulnerability.risk_score
- rapid7_insightvm.asset_vulnerability.type
- - rapid7_insightvm.asset_vulnerability.vuln.categories
- - rapid7_insightvm.asset_vulnerability.vuln.first_found
- - rapid7_insightvm.asset_vulnerability.vuln.published
- - rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.score
- - rapid7_insightvm.asset_vulnerability.vuln.description
- - rapid7_insightvm.asset_vulnerability.vuln.id
- - rapid7_insightvm.asset_vulnerability.vuln.severity_score
+ - rapid7_insightvm.asset_vulnerability.vulnerability.categories
+ - rapid7_insightvm.asset_vulnerability.vulnerability.first_found
+ - rapid7_insightvm.asset_vulnerability.vulnerability.published
+ - rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.score
+ - rapid7_insightvm.asset_vulnerability.vulnerability.description
+ - rapid7_insightvm.asset_vulnerability.vulnerability.severity_score
tag: remove_custom_duplicate_fields
ignore_missing: true
if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields')
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/fields.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/fields.yml
index 495cff8ac6a..247c4912871 100644
--- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/fields.yml
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/fields.yml
@@ -112,7 +112,7 @@
- name: source
type: keyword
description: The source of the unique identifier.
- - name: vuln
+ - name: vulnerability
type: group
fields:
- name: added
@@ -232,6 +232,9 @@
- name: id
type: keyword
description: The identifier of the vulnerability.
+ - name: is_enriched
+ type: boolean
+ description: Whether the enriched vulnerability information is available.
- name: key
type: keyword
description: The identifier of the assessment key.
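Review bot: `remove_custom_duplicate_fields` silently loses one entry — the old `rapid7_insightvm.asset_vulnerability.vuln.id` line has no `vulnerability.id` counterpart on the new side, while every other entry was carried over one-for-one — and neither the hunk nor the commit message says why. Its presence in the old list implies an ECS copy exists elsewhere in the pipeline (outside this hunk), so dropping it changes the default document shape for every user who has not set `preserve_duplicate_custom_fields`. If this is deliberate, a comment on the processor such as `# vulnerability.id is intentionally kept even when duplicate custom fields are removed` would stop the next maintainer from re-adding it; if not, `- rapid7_insightvm.asset_vulnerability.vulnerability.id` should go back into the list. The `remove` processor's `fields:` list starts outside the hunk.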
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json b/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json
index e5934891166..e3cf85d9672 100644
--- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/sample_event.json
@@ -1,22 +1,22 @@
{
"@timestamp": "2025-05-27T18:21:36.279Z",
"agent": {
- "ephemeral_id": "73ea1f6b-6078-4924-89a9-b450335edc95",
- "id": "b012c8e8-a961-4eb0-aacd-93b21a297b5e",
- "name": "elastic-agent-36163",
+ "ephemeral_id": "8f30a153-d7fb-4630-8931-752c0f5190e4",
+ "id": "3e3bd5a6-8efb-4f70-b560-987a16383f05",
+ "name": "elastic-agent-64243",
"type": "filebeat",
"version": "8.19.0"
},
"data_stream": {
"dataset": "rapid7_insightvm.asset_vulnerability",
- "namespace": "78624",
+ "namespace": "30380",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
- "id": "b012c8e8-a961-4eb0-aacd-93b21a297b5e",
+ "id": "3e3bd5a6-8efb-4f70-b560-987a16383f05",
"snapshot": true,
"version": "8.19.0"
},
@@ -28,9 +28,9 @@
"created": "2025-05-12T16:25:35.000Z",
"dataset": "rapid7_insightvm.asset_vulnerability",
"id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6|unix-anonymous-root-logins|2025-05-27T18:21:36.279Z",
- "ingested": "2025-06-05T04:34:26Z",
+ "ingested": "2025-06-07T12:24:02Z",
"kind": "event",
- "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vuln\":{\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 
AI,UNIX\",\"check_id\":null,\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":7.9520000338554375,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:S/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \\\"su\\\" to become root.\",\"exploits\":[],\"first_found\":\"2025-05-12T16:25:35Z\",\"id\":\"unix-anonymous-root-logins\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":6.5,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"published\":\"2004-11-30T00:00:00Z\",\"references\":\"\",\"reintroduced\":null,\"risk_score\":562,\"severity\":\"severe\",\"severity_score\":7,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"title\":\"Anonymous root login is allowed\",\"vulnerability_id\":\"unix-anonymous-root-logins\"},\"vulnerability\":[{\"check_id\":null,\"first_found\":\"2025-05-12T16:25:35Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-anonymous-root-logins\"},{\"check_id\":null,\"first_found\":\"2025-05-14T13:52:10Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eThe following world writable files were found.\\u003cul\\u003e\\u003cli\\u003e/var/.com.zerog.registry.xml (-rwxrwxrwx)\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eFor each world-writable file, determine whether there is a good reason for\\n it to be world writable. If not, remove world write permissions for the file.\\n The output here is limited to 50 files. In order to find all of these files without needing to\\n run another Nexpose scan run the following command:\\u003c/p\\u003e\\u003cpre\\u003e find / -type f -perm -02\\u003c/pre\\u003e\\u003cp\\u003ePlease note; it may be necessary exclude particular paths or file share types, run \\u0026#39;man find\\u0026#39; for information.\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-world-writable-files\",\"solution_summary\":\"Remove world write permissions\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-world-writable-files\"}]}", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 
AI,UNIX\",\"check_id\":null,\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":7.9520000338554375,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:S/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \\\"su\\\" to become root.\",\"exploits\":[],\"first_found\":\"2025-05-12T16:25:35Z\",\"id\":\"unix-anonymous-root-logins\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":6.5,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"published\":\"2004-11-30T00:00:00Z\",\"references\":\"\",\"reintroduced\":null,\"risk_score\":562,\"severity\":\"severe\",\"severity_score\":7,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"title\":\"Anonymous root login is allowed\",\"vulnerability_id\":\"unix-anonymous-root-logins\"}}",
 "severity": 7,
 "type": [
 "info"
@@ -105,7 +105,7 @@
 "source": "R7 Agent"
 }
 ],
- "vuln": {
+ "vulnerability": {
 "added": "2004-11-30T00:00:00.000Z",
 "categories": [
 "CVSS Score Predicted with Rapid7 AI",
diff --git a/packages/rapid7_insightvm/docs/README.md b/packages/rapid7_insightvm/docs/README.md
index 6a88ecd394d..b15d2c3fdca 100644
--- a/packages/rapid7_insightvm/docs/README.md
+++ b/packages/rapid7_insightvm/docs/README.md
@@ -249,24 +249,24 @@ An example event for `asset_vulnerability` looks as following:
 {
 "@timestamp": "2025-05-27T18:21:36.279Z",
 "agent": {
- "ephemeral_id": "1f134173-6086-4111-ab6c-78895b63908d",
- "id": "d16b29fe-9b2e-43cf-b0e1-82325680132b",
- "name": "elastic-agent-34771",
+ "ephemeral_id": "8f30a153-d7fb-4630-8931-752c0f5190e4",
+ "id": "3e3bd5a6-8efb-4f70-b560-987a16383f05",
+ "name": "elastic-agent-64243",
 "type": "filebeat",
- "version": "8.18.0"
+ "version": "8.19.0"
 },
 "data_stream": {
 "dataset": "rapid7_insightvm.asset_vulnerability",
- "namespace": "27649",
+ "namespace": "30380",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "d16b29fe-9b2e-43cf-b0e1-82325680132b",
- "snapshot": false,
- "version": "8.18.0"
+ "id": "3e3bd5a6-8efb-4f70-b560-987a16383f05",
+ "snapshot": true,
+ "version": "8.19.0"
 },
 "event": {
 "agent_id_status": "verified",
@@ -276,9 +276,9 @@ An example event for `asset_vulnerability` looks as following: "created": "2025-05-12T16:25:35.000Z", "dataset": "rapid7_insightvm.asset_vulnerability", "id": "8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6|unix-anonymous-root-logins|2025-05-27T18:21:36.279Z", - "ingested": "2025-05-30T11:11:51Z", + "ingested": "2025-06-07T12:24:02Z", "kind": "event", - "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vuln\":{\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 
AI,UNIX\",\"check_id\":null,\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":7.9520000338554375,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:S/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \\\"su\\\" to become root.\",\"exploits\":[],\"first_found\":\"2025-05-12T16:25:35Z\",\"id\":\"unix-anonymous-root-logins\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":6.5,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"published\":\"2004-11-30T00:00:00Z\",\"references\":\"\",\"reintroduced\":null,\"risk_score\":562,\"severity\":\"severe\",\"severity_score\":7,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"title\":\"Anonymous root login is allowed\",\"vulnerability_id\":\"unix-anonymous-root-logins\"},\"vulnerability\":[{\"check_id\":null,\"first_found\":\"2025-05-12T16:25:35Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-anonymous-root-logins\"},{\"check_id\":null,\"first_found\":\"2025-05-14T13:52:10Z\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"nic\":null,\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eThe following world writable files were found.\\u003cul\\u003e\\u003cli\\u003e/var/.com.zerog.registry.xml (-rwxrwxrwx)\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"reintroduced\":null,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eFor each world-writable file, determine whether there is a good reason for\\n it to be world writable. If not, remove world write permissions for the file.\\n The output here is limited to 50 files. In order to find all of these files without needing to\\n run another Nexpose scan run the following command:\\u003c/p\\u003e\\u003cpre\\u003e find / -type f -perm -02\\u003c/pre\\u003e\\u003cp\\u003ePlease note; it may be necessary exclude particular paths or file share types, run \\u0026#39;man find\\u0026#39; for information.\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-world-writable-files\",\"solution_summary\":\"Remove world write permissions\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"vulnerability_id\":\"unix-world-writable-files\"}]}", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":3,\"exploits\":0,\"host_name\":\"computer-test\",\"id\":\"8babcde1-1234-5678-0912-cabcdef1284e-default-asset-6\",\"ip\":\"10.50.5.112\",\"last_assessed_for_vulnerabilities\":\"2025-05-27T18:21:36.279Z\",\"last_scan_end\":\"2025-05-27T18:21:36.279Z\",\"last_scan_start\":\"2025-05-27T18:20:41.505Z\",\"mac\":\"00:00:5E:00:53:02\",\"malware_kits\":0,\"moderate_vulnerabilities\":1,\"os_architecture\":\"x86_64\",\"os_description\":\"Red Hat Enterprise Linux 7.9\",\"os_family\":\"Linux\",\"os_name\":\"Enterprise Linux\",\"os_system_name\":\"Red Hat Linux\",\"os_type\":\"\",\"os_vendor\":\"Red Hat\",\"os_version\":\"7.9\",\"risk_score\":18250,\"severe_vulnerabilities\":48,\"tags\":[{\"name\":\"Ahmedabad\",\"type\":\"LOCATION\"},{\"name\":\"test\",\"type\":\"SITE\"},{\"name\":\"rapid7 insight agents\",\"type\":\"SITE\"}],\"total_vulnerabilities\":52,\"type\":\"guest\",\"unique_identifiers\":[{\"id\":\"CEF12345-ABCD-1234-ABCD-95ABCDEF1234\",\"source\":\"dmidecode\"},{\"id\":\"e80644e940123456789abcdef66a8b16\",\"source\":\"R7 Agent\"}],\"vulnerability\":{\"added\":\"2004-11-30T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 
AI,UNIX\",\"check_id\":null,\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"single\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":7.9520000338554375,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":6.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:S/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"local\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.515145325,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.4,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"Anonymous root logins should only be allowed from system console. /etc/securetty allows you to specify on which tty's and virtual consoles root is allowed to login. The tty and vc's listed in this file will allow root to login on certain tty's and VC's. 
On other tty or vc's root user will not be allowed and user has to \\\"su\\\" to become root.\",\"exploits\":[],\"first_found\":\"2025-05-12T16:25:35Z\",\"id\":\"unix-anonymous-root-logins\",\"key\":\"\",\"last_found\":\"2025-05-27T18:21:36.279Z\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":6.5,\"pci_fail\":true,\"pci_severity_score\":4,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"\\u003cp\\u003e\\u003cp\\u003eFollowing entries in /etc/securetty \\n may allow anonymous root logins: \\u003cul\\u003e\\u003cli\\u003ettyS0\\u003c/li\\u003e\\u003cli\\u003ettysclp0\\u003c/li\\u003e\\u003cli\\u003esclp_line0\\u003c/li\\u003e\\u003cli\\u003e3270/tty1\\u003c/li\\u003e\\u003cli\\u003ehvc0\\u003c/li\\u003e\\u003cli\\u003ehvc1\\u003c/li\\u003e\\u003cli\\u003ehvc2\\u003c/li\\u003e\\u003cli\\u003ehvc3\\u003c/li\\u003e\\u003cli\\u003ehvc4\\u003c/li\\u003e\\u003cli\\u003ehvc5\\u003c/li\\u003e\\u003cli\\u003ehvc6\\u003c/li\\u003e\\u003cli\\u003ehvc7\\u003c/li\\u003e\\u003cli\\u003ehvsi0\\u003c/li\\u003e\\u003cli\\u003ehvsi1\\u003c/li\\u003e\\u003cli\\u003ehvsi2\\u003c/li\\u003e\\u003cli\\u003exvc0\\u003c/li\\u003e\\u003c/ul\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\",\"protocol\":null,\"published\":\"2004-11-30T00:00:00Z\",\"references\":\"\",\"reintroduced\":null,\"risk_score\":562,\"severity\":\"severe\",\"severity_score\":7,\"solution_fix\":\"\\u003cp\\u003e\\u003cp\\u003eRemove all the entries in /etc/securetty except console,\\n tty[0-9]* and vc\\\\[0-9]* \\u003c/p\\u003e\\u003cp\\u003eNote: ssh does not use /etc/securetty. To disable root login\\n through ssh, use the \\u0026quot;PermitRootLogin\\u0026quot; setting in /etc/ssh/sshd_config\\n and restart the ssh daemon. 
\\u003c/p\\u003e\\u003c/p\\u003e\",\"solution_id\":\"unix-anonymous-root-logins\",\"solution_summary\":\"Edit '/etc/securetty' entries\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"title\":\"Anonymous root login is allowed\",\"vulnerability_id\":\"unix-anonymous-root-logins\"}}",
 "severity": 7,
 "type": [
 "info"
@@ -353,7 +353,7 @@ An example event for `asset_vulnerability` looks as following:
 "source": "R7 Agent"
 }
 ],
- "vuln": {
+ "vulnerability": {
 "added": "2004-11-30T00:00:00.000Z",
 "categories": [
 "CVSS Score Predicted with Rapid7 AI",
@@ -503,71 +503,72 @@ An example event for `asset_vulnerability` looks as following:
 | rapid7_insightvm.asset_vulnerability.type | The type of asset. | keyword |
 | rapid7_insightvm.asset_vulnerability.unique_identifiers.id | The unique identifier. | keyword |
 | rapid7_insightvm.asset_vulnerability.unique_identifiers.source | The source of the unique identifier. | keyword |
-| rapid7_insightvm.asset_vulnerability.vuln.added | The date the vulnerability coverage was added. The format is an ISO 8601 date, YYYY-MM-DD. | date |
-| rapid7_insightvm.asset_vulnerability.vuln.categories | Comma-separated list of categories the vulnerability is classified under. | keyword |
-| rapid7_insightvm.asset_vulnerability.vuln.check_id | The identifier of the vulnerability check. | keyword |
-| rapid7_insightvm.asset_vulnerability.vuln.cves | All CVEs assigned to this vulnerability. | keyword |
-| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.access_complexity | Access Complexity (AC) component which measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system. | keyword |
-| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.access_vector | Access Vector (Av) component which reflects how the vulnerability is exploited. | keyword |
-| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.authentication | Authentication (Au) component which measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. | keyword |
-| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.availability_impact | Availability Impact (A) component which measures the impact to availability of a successfully exploited vulnerability. | keyword |
-| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.confidentiality_impact | Confidentiality Impact (C) component which measures the impact on confidentiality of a successfully exploited vulnerability. 
| keyword | -| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.exploit_score | The CVSS exploit score. | double | -| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.impact_score | The CVSS impact score. | double | -| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.integrity_impact | Integrity Impact (I) component measures the impact to integrity of a successfully exploited vulnerability. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.score | The CVSS score, which ranges from 0-10. | double | -| rapid7_insightvm.asset_vulnerability.vuln.cvss_v2.vector | The CVSS v2 vector. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.attack_complexity | Attack Complexity (AC) component with measures the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.attack_vector | Attack Vector (AV) component which measures context by which vulnerability exploitation is possible. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.availability_impact | Availability Impact (A) measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.confidentiality_impact | Confidentiality Impact (C) component which measures the impact on confidentiality of a successfully exploited vulnerability. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.exploit_score | The CVSS exploit score. | double | -| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.impact_score | The CVSS impact score. | double | -| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.integrity_impact | Integrity Impact (I) measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. 
| keyword | -| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.privileges_required | Privileges Required (PR) measures the level of privileges an attacker must possess before successfully exploiting the vulnerability. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.scope | Scope (S) measures the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.score | The CVSS score, which ranges from 0-10. | double | -| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.user_interaction | User Interaction (UI) measures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.cvss_v3.vector | The CVSS v3 vector. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.denial_of_service | Whether the vulnerability can lead to Denial of Service (DoS). | boolean | -| rapid7_insightvm.asset_vulnerability.vuln.description | A verbose description of the vulnerability. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.exploits.description | A verbose description of the exploit. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.exploits.id | The identifier of the exploit. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.exploits.name | The name of the exploit. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.exploits.rank | How common the exploit is used. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.exploits.skill_level | The level of skill required to use the exploit. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.exploits.source | Details about where the exploit is defined. 
| keyword | -| rapid7_insightvm.asset_vulnerability.vuln.first_found | The first time the vulnerability was discovered. | date | -| rapid7_insightvm.asset_vulnerability.vuln.id | The identifier of the vulnerability. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.key | The identifier of the assessment key. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.last_found | The most recent time the vulnerability was discovered. | date | -| rapid7_insightvm.asset_vulnerability.vuln.links.href | | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.links.id | | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.links.rel | | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.links.source | | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.malware_kits.description | A known Malware Kit that can be used to compromise a vulnerability. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.malware_kits.name | The name of the malware kit. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.malware_kits.popularity | The popularity of the malware kit. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.modified | The last date the vulnerability was modified. The format is an ISO 8601 date, YYYY-MM-DD. | date | -| rapid7_insightvm.asset_vulnerability.vuln.pci.cvss_score | The CVSS score of the vulnerability, adjusted for PCI rules and exceptions, on a scale of 0-10. | double | -| rapid7_insightvm.asset_vulnerability.vuln.pci.fail | Whether if present on a host this vulnerability would cause a PCI failure. true if compliance status is "fail", false otherwise. | boolean | -| rapid7_insightvm.asset_vulnerability.vuln.pci.severity_score | The severity score of the vulnerability, adjusted for PCI rules and exceptions, on a scale of 0-10. | long | -| rapid7_insightvm.asset_vulnerability.vuln.pci.special_notes | Any special notes or remarks about the vulnerability that pertain to PCI compliance. 
| keyword | -| rapid7_insightvm.asset_vulnerability.vuln.pci.status | The PCI compliance status. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.port | For services vulnerabilities, the port that is vulnerable. | long | -| rapid7_insightvm.asset_vulnerability.vuln.proof | The identifier of the vulnerability proof. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.protocol | For services vulnerabilities, the protocol that is vulnerable. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.published | The date the vulnerability was first published or announced. The format is an ISO 8601 date, YYYY-MM-DD. | date | -| rapid7_insightvm.asset_vulnerability.vuln.references | References to security standards this vulnerability is a part of, in condensed format (comma-separated). | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.risk_score | The risk score of the vulnerability. If using the default Rapid7 Real Riskâ„¢ model, this value ranges from 0-1000. | double | -| rapid7_insightvm.asset_vulnerability.vuln.severity | The severity of the vulnerability. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.severity_score | The severity score of the vulnerability, on a scale of 0-10. | long | -| rapid7_insightvm.asset_vulnerability.vuln.solution.fix | The solution fix for the vulnerability. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.solution.id | The identifier of the solution for the vulnerability. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.solution.summary | The summary for the solution for the vulnerability. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.solution.type | The solution type for the vulnerability. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.status | The status of the vulnerability finding. | keyword | -| rapid7_insightvm.asset_vulnerability.vuln.title | The title (summary) of the vulnerability. 
| keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.added | The date the vulnerability coverage was added. The format is an ISO 8601 date, YYYY-MM-DD. | date | +| rapid7_insightvm.asset_vulnerability.vulnerability.categories | Comma-separated list of categories the vulnerability is classified under. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.check_id | The identifier of the vulnerability check. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cves | All CVEs assigned to this vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.access_complexity | Access Complexity (AC) component which measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.access_vector | Access Vector (Av) component which reflects how the vulnerability is exploited. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.authentication | Authentication (Au) component which measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.availability_impact | Availability Impact (A) component which measures the impact to availability of a successfully exploited vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.confidentiality_impact | Confidentiality Impact (C) component which measures the impact on confidentiality of a successfully exploited vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.exploit_score | The CVSS exploit score. | double | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.impact_score | The CVSS impact score. 
| double | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.integrity_impact | Integrity Impact (I) component measures the impact to integrity of a successfully exploited vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.score | The CVSS score, which ranges from 0-10. | double | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v2.vector | The CVSS v2 vector. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.attack_complexity | Attack Complexity (AC) component with measures the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.attack_vector | Attack Vector (AV) component which measures context by which vulnerability exploitation is possible. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.availability_impact | Availability Impact (A) measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.confidentiality_impact | Confidentiality Impact (C) component which measures the impact on confidentiality of a successfully exploited vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.exploit_score | The CVSS exploit score. | double | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.impact_score | The CVSS impact score. | double | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.integrity_impact | Integrity Impact (I) measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. 
| keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.privileges_required | Privileges Required (PR) measures the level of privileges an attacker must possess before successfully exploiting the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.scope | Scope (S) measures the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.score | The CVSS score, which ranges from 0-10. | double | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.user_interaction | User Interaction (UI) measures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.cvss_v3.vector | The CVSS v3 vector. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.denial_of_service | Whether the vulnerability can lead to Denial of Service (DoS). | boolean | +| rapid7_insightvm.asset_vulnerability.vulnerability.description | A verbose description of the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.exploits.description | A verbose description of the exploit. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.exploits.id | The identifier of the exploit. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.exploits.name | The name of the exploit. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.exploits.rank | How common the exploit is used. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.exploits.skill_level | The level of skill required to use the exploit. 
| keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.exploits.source | Details about where the exploit is defined. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.first_found | The first time the vulnerability was discovered. | date | +| rapid7_insightvm.asset_vulnerability.vulnerability.id | The identifier of the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.is_enriched | Whether the enriched vulnerability information is available. | boolean | +| rapid7_insightvm.asset_vulnerability.vulnerability.key | The identifier of the assessment key. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.last_found | The most recent time the vulnerability was discovered. | date | +| rapid7_insightvm.asset_vulnerability.vulnerability.links.href | | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.links.id | | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.links.rel | | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.links.source | | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.malware_kits.description | A known Malware Kit that can be used to compromise a vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.malware_kits.name | The name of the malware kit. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.malware_kits.popularity | The popularity of the malware kit. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.modified | The last date the vulnerability was modified. The format is an ISO 8601 date, YYYY-MM-DD. | date | +| rapid7_insightvm.asset_vulnerability.vulnerability.pci.cvss_score | The CVSS score of the vulnerability, adjusted for PCI rules and exceptions, on a scale of 0-10. | double | +| rapid7_insightvm.asset_vulnerability.vulnerability.pci.fail | Whether if present on a host this vulnerability would cause a PCI failure. 
true if compliance status is "fail", false otherwise. | boolean | +| rapid7_insightvm.asset_vulnerability.vulnerability.pci.severity_score | The severity score of the vulnerability, adjusted for PCI rules and exceptions, on a scale of 0-10. | long | +| rapid7_insightvm.asset_vulnerability.vulnerability.pci.special_notes | Any special notes or remarks about the vulnerability that pertain to PCI compliance. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.pci.status | The PCI compliance status. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.port | For services vulnerabilities, the port that is vulnerable. | long | +| rapid7_insightvm.asset_vulnerability.vulnerability.proof | The identifier of the vulnerability proof. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.protocol | For services vulnerabilities, the protocol that is vulnerable. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.published | The date the vulnerability was first published or announced. The format is an ISO 8601 date, YYYY-MM-DD. | date | +| rapid7_insightvm.asset_vulnerability.vulnerability.references | References to security standards this vulnerability is a part of, in condensed format (comma-separated). | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.risk_score | The risk score of the vulnerability. If using the default Rapid7 Real Riskâ„¢ model, this value ranges from 0-1000. | double | +| rapid7_insightvm.asset_vulnerability.vulnerability.severity | The severity of the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.severity_score | The severity score of the vulnerability, on a scale of 0-10. | long | +| rapid7_insightvm.asset_vulnerability.vulnerability.solution.fix | The solution fix for the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.solution.id | The identifier of the solution for the vulnerability. 
| keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.solution.summary | The summary for the solution for the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.solution.type | The solution type for the vulnerability. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.status | The status of the vulnerability finding. | keyword | +| rapid7_insightvm.asset_vulnerability.vulnerability.title | The title (summary) of the vulnerability. | keyword | | resource.id | | keyword | | resource.name | | keyword | | vulnerability.published_date | | date | diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml index 495cff8ac6a..247c4912871 100644 --- a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml +++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml @@ -112,7 +112,7 @@ - name: source type: keyword description: The source of the unique identifier. - - name: vuln + - name: vulnerability type: group fields: - name: added @@ -232,6 +232,9 @@ - name: id type: keyword description: The identifier of the vulnerability. + - name: is_enriched + type: boolean + description: Whether the enriched vulnerability information is available. - name: key type: keyword description: The identifier of the assessment key. From 3283605f154e6b8ba3557f242c30558bf9bde6eb Mon Sep 17 00:00:00 2001 From: kcreddy Date: Sat, 7 Jun 2025 23:05:07 +0530 Subject: [PATCH 09/19] remove debug from cel --- .../asset_vulnerability/agent/stream/cel.yml.hbs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs index 8414f9e285a..82d9801f991 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs @@ -26,7 +26,7 @@ program: | state.interval_time : now - ).as(interval_time, debug("DEBUG_work", + ).as(interval_time, has(state.assets) && (state.is_all_assets_fetched || !state.?is_current_vulnerabilities_fetched.orValue(false)) ? { "assets": state.assets, @@ -57,11 +57,11 @@ program: | ?"next_asset_cursor": has(body.?metadata.cursor) && body.metadata.cursor != null ? optional.of(body.metadata.cursor) : optional.none(), "is_all_assets_fetched": has(body.metadata.cursor) && body.metadata.cursor != null ? false : true, "assets": body.data, - "asset_vuln_ids": debug("DEBUG_asset_vuln_ids", debug("DEBUG_vuln_ids", body.data.map(a, + "asset_vuln_ids": body.data.map(a, a.?same.orValue([]).map(s, s.vulnerability_id) + a.?new.orValue([]).map(n, n.vulnerability_id) + a.?remediated.orValue([]).map(r, r.vulnerability_id) - ).flatten()).as(vuln_ids, + ).flatten().as(vuln_ids, vuln_ids.map(vuln_id, string(vuln_id)).as(str_vuln_ids, zip(str_vuln_ids, vuln_ids)) - ).keys()), + ).keys(), "interval_time": interval_time, "want_more": true }) @@ -84,7 +84,7 @@ program: | "batch_size": state.batch_size } ) - )).as(work, + ).as(work, has(work.events) ? work : // Exit early ( (has(state.vulnerabilities) && state.is_current_vulnerabilities_fetched) ? From d78abe0a93b05012ee1b362b1712a2ee77b0f680 Mon Sep 17 00:00:00 2001 From: kcreddy Date: Sat, 7 Jun 2025 23:06:36 +0530 Subject: [PATCH 10/19] fix transform version. --- .../transform/latest_cdr_vulnerabilities/transform.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml index 61949fca15a..180900189a1 100644 --- a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml +++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml @@ -27,5 +27,5 @@ _meta: managed: true # Bump this version to delete, reinstall, and restart the transform during package. # Version bump is needed if there is any code change in transform. - fleet_transform_version: 0.2.0 + fleet_transform_version: 0.1.0 run_as_kibana_system: false From 130e2b7417c97f3f8e661e45262284a63c626ea6 Mon Sep 17 00:00:00 2001 From: brijesh-elastic Date: Mon, 9 Jun 2025 18:12:56 +0530 Subject: [PATCH 11/19] Increase memory for agentless deployment --- packages/rapid7_insightvm/manifest.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/packages/rapid7_insightvm/manifest.yml b/packages/rapid7_insightvm/manifest.yml index 1437788ca49..1bbb7bb58f8 100644 --- a/packages/rapid7_insightvm/manifest.yml +++ b/packages/rapid7_insightvm/manifest.yml @@ -1,4 +1,4 @@ -format_version: "3.2.3" +format_version: "3.3.5" name: rapid7_insightvm title: Rapid7 InsightVM version: "2.0.0" @@ -40,6 +40,9 @@ policy_templates: organization: security division: engineering team: security-service-integrations + resources: + requests: + memory: 2Gi inputs: - type: httpjson title: Collect Rapid7 InsightVM logs via HTTPJSON From 15e46525677c7353bbcea2cc9553714a8e8ae753 Mon Sep 17 00:00:00 2001 From: brijesh-elastic Date: Tue, 10 Jun 2025 12:55:24 +0530 Subject: [PATCH 12/19] Increase memory to 4gb --- packages/rapid7_insightvm/manifest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/rapid7_insightvm/manifest.yml b/packages/rapid7_insightvm/manifest.yml index 1bbb7bb58f8..d117042cd6b 100644 
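Review bot: `fleet_transform_version` goes down from 0.2.0 to 0.1.0, while the comment two lines above states the value must be bumped whenever the transform code changes, and earlier in this series the transform's field group is renamed from `vuln` to `vulnerability`, which is exactly such a change; an installation that already holds 0.2.0 may not get the delete-and-reinstall a lower number implies. If 0.1.0 is intended because this is the first published release of the transform, saying so would stop the next reader from re-raising it, e.g. `# First shipped version of this transform; bump on any further change.` placed above the key.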
--- a/packages/rapid7_insightvm/manifest.yml +++ b/packages/rapid7_insightvm/manifest.yml @@ -42,7 +42,7 @@ policy_templates: team: security-service-integrations resources: requests: - memory: 2Gi + memory: 4Gi inputs: - type: httpjson title: Collect Rapid7 InsightVM logs via HTTPJSON From 9bd0b7bfaf827e84201df8967f3194bccc291a79 Mon Sep 17 00:00:00 2001 From: kcreddy Date: Wed, 11 Jun 2025 22:08:29 +0530 Subject: [PATCH 13/19] Address PR comments from @maxcold --- .../pipeline/test-asset-vulnerability.log | 1 + ...test-asset-vulnerability.log-expected.json | 153 ++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 4 +- packages/rapid7_insightvm/manifest.yml | 2 +- 4 files changed, 157 insertions(+), 3 deletions(-) diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log index 612af355d3f..3766b806b1a 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log 
@@ -19,3 +19,4 @@ {"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2022-12-23T18:54:08Z","key":"","last_found":"2023-06-23T17:40:02.211Z","nic":null,"port":null,"proof":"

Vulnerable software installed: Wordpress 3.0

","protocol":null,"reintroduced":null,"solution_fix":"

\n Upgrade to the latest version of Wordpress from https://wordpress.org/download/release-archive/

","solution_id":"wordpress-upgrade-latest","solution_summary":"Upgrade to the latest version of Wordpress","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"wordpress-cve-2015-5731","added":"2017-05-16T00:00:00Z","categories":"CSRF,CVSS Score Predicted with Rapid7 AI,Denial of Service,WordPress","cves":"CVE-2015-5731","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":2.8352547300000004,"cvss_v3_impact_score":5.177088,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.1,"cvss_v3_user_interaction":"required","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H","denial_of_service":false,"description":"Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action.","exploits":[],"id":"wordpress-cve-2015-5731","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2015-5731","id":"CVE-2015-5731","source":"cve"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2015-11-09T00:00:00Z","references":"cve:CVE-2015-5731","risk_score":676.67,"severity":"severe","severity_score":7,"title":"Wordpress: CVE-2015-5731: Cross-Site Request Forgery (CSRF)"}} 
{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2022-12-23T18:55:39Z","key":"","last_found":"2023-06-23T17:41:50.071Z","nic":null,"port":80,"proof":"

  • Running HTTP service
  • Vulnerable version of component PHP found -- PHP 5.4.16

","protocol":"TCP","reintroduced":null,"solution_fix":"

Download and apply the upgrade from: http://www.php.net/downloads.php

","solution_id":"php-upgrade-latest","solution_summary":"Upgrade to the latest version of PHP","solution_type":"rollup","status":"VULNERABLE_VERS","vulnerability_id":"php-cve-2016-3171","added":"2019-09-30T00:00:00Z","categories":"HTTP,PHP,Remote Execution","cves":"CVE-2016-3171","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.1,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.","exploits":[],"id":"php-cve-2016-3171","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2016-3171","id":"CVE-2016-3171","source":"cve"}],"malware_kits":[],"modified":"2024-11-27T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2016-04-12T00:00:00Z","references":"cve:CVE-2016-3171","risk_score":669.57,"severity":"severe","severity_score":7,"title":"PHP Vulnerability: CVE-2016-3171"}} 
{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":161,"protocol":"UDP","status":"NO_CREDS_SUPPLIED"},{"port":161,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":9,"exploits":5,"host_name":"BIG-IP-16-1-0.dev.test.rapid7.com","id":"12123455-abcd-5678-1234-01234567890e-default-asset-4123","ip":"175.16.199.1","last_assessed_for_vulnerabilities":"2024-06-23T17:54:28.107Z","last_scan_end":"2024-06-23T17:54:28.107Z","last_scan_start":"2024-06-23T17:44:15.351Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":10,"new":[],"os_architecture":"","os_description":"F5 BIG-IP 16.1.0.0","os_family":"BIG-IP","os_name":"BIG-IP","os_system_name":"F5 BIG-IP","os_type":"Network management device","os_vendor":"F5","os_version":"16.1.0.0","remediated":[],"risk_score":35804.71185,"vulnerability":{"check_id":null,"first_found":"2022-05-23T19:03:38Z","key":"F5 BIG-IP 16.1.0.0","last_found":"2024-06-23T17:54:28.107Z","nic":null,"port":null,"proof":"

Vulnerable OS: F5 BIG-IP 16.1.0.0

  • The property "ltm" contains: true.

","protocol":null,"reintroduced":null,"solution_fix":"

\n Upgrade to the latest available version of F5 BIG-IP. Refer to BIG-IP Hotfix Matrix for the latest hotfix information.\n

","solution_id":"f5-big-ip-upgrade-latest","solution_summary":"Upgrade to the latest available version of F5 BIG-IP","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"f5-big-ip-cve-2017-7656","added":"2022-04-20T00:00:00Z","categories":"F5,F5 BIG-IP,Web","cves":"CVE-2017-7656","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":2.8627500620484354,"cvss_v2_integrity_impact":"partial","cvss_v2_score":5,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:P/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","denial_of_service":false,"description":"In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. 
This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.","exploits":[],"id":"f5-big-ip-cve-2017-7656","links":[{"href":"https://my.f5.com/manage/s/article/K21054458","id":"https://my.f5.com/manage/s/article/K21054458","source":"url"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2017-7656","id":"CVE-2017-7656","source":"cve"}],"malware_kits":[],"modified":"2024-12-06T00:00:00Z","pci_cvss_score":5,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"2018-06-26T00:00:00Z","references":"cve:CVE-2017-7656,url:https://my.f5.com/manage/s/article/K21054458","risk_score":229.89,"severity":"severe","severity_score":5,"title":"F5 Networks: CVE-2017-7656: K21054458: Eclipse Jetty vulnerability CVE-2017-7656"},"severe_vulnerabilities":94,"tags":[{"name":"snow_test","type":"CUSTOM"},{"name":"all_assets2","type":"CUSTOM"},{"name":"all_assets","type":"CUSTOM"},{"name":"my tag test","type":"CUSTOM"},{"name":"lab","type":"SITE"}],"total_vulnerabilities":113,"type":"guest","unique_identifiers":[]} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":1,"exploits":0,"id":"11111111-34a7-40a3-1111-28db0b5cc90e-default-asset-1049","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2022-08-23T18:31:27.909Z","last_scan_end":"2022-08-23T18:31:27.909Z","last_scan_start":"2022-08-23T18:30:49.674Z","malware_kits":0,"moderate_vulnerabilities":3,"risk_score":871.9886474609375,"severe_vulnerabilities":5,"tags":[{"name":"No_Hostname","type":"CUSTOM"},{"name":"all_assets2","type":"CUSTOM"},{"name":"all_assets","type":"CUSTOM"},{"name":"lab","type":"SITE"}],"total_vulnerabilities":9,"unique_identifiers":[],"vulnerability":{"added":"2013-05-06T00:00:00Z","categories":"Canonical,Obsolete OS,Obsolete Software,Ubuntu 
Linux,Web","check_id":null,"cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":6.0477304915445185,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"changed","cvss_v3_score":10,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","denial_of_service":false,"description":"This release has passed its End of Life. There may be unpatched security vulnerabilities. Please check with https://wiki.ubuntu.com/Releases (https://wiki.ubuntu.com/Releases) for supported versions.","exploits":[],"first_found":"2018-11-25T09:27:44Z","id":"ubuntu-obsolete-version","key":"Ubuntu Linux 12.04","last_found":"2022-08-23T18:31:27.909Z","links":[],"malware_kits":[],"modified":"2025-03-28T00:00:00Z","nic":null,"pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"This operating system version is no longer supported by the vendor, and results in an automatic failure. 
","pci_status":"fail","port":null,"proof":"\\u003cp\\u003e\\u003cp\\u003eVulnerable OS: Ubuntu Linux 12.04\\u003cp\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\\u003c/p\\u003e","protocol":null,"published":"2013-05-06T00:00:00Z","references":"","reintroduced":null,"risk_score":891.5,"severity":"critical","severity_score":10,"solution_fix":"\\u003cp\\u003eUpgrade to a supported version of Ubuntu Linux\\u003c/p\\u003e","solution_id":"ubuntu-obsolete-version","solution_summary":"Upgrade Ubuntu","solution_type":"workaround","status":"VULNERABLE_VERS","title":"Obsolete Version of Ubuntu","vulnerability_id":"ubuntu-obsolete-version"}} diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json index e69bc57ef48..9a59a0d7ef1 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json 
@@ -4958,6 +4958,159 @@ "severity": "High", "title": "K21054458: Eclipse Jetty vulnerability CVE-2017-7656" } + }, + { + "@timestamp": "2022-08-23T18:31:27.909Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2018-11-25T09:27:44.000Z", + "id": "11111111-34a7-40a3-1111-28db0b5cc90e-default-asset-1049|ubuntu-obsolete-version|2022-08-23T18:31:27.909Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[],\"critical_vulnerabilities\":1,\"exploits\":0,\"id\":\"11111111-34a7-40a3-1111-28db0b5cc90e-default-asset-1049\",\"ip\":\"10.50.6.126\",\"last_assessed_for_vulnerabilities\":\"2022-08-23T18:31:27.909Z\",\"last_scan_end\":\"2022-08-23T18:31:27.909Z\",\"last_scan_start\":\"2022-08-23T18:30:49.674Z\",\"malware_kits\":0,\"moderate_vulnerabilities\":3,\"risk_score\":871.9886474609375,\"severe_vulnerabilities\":5,\"tags\":[{\"name\":\"No_Hostname\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets2\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets\",\"type\":\"CUSTOM\"},{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":9,\"unique_identifiers\":[],\"vulnerability\":{\"added\":\"2013-05-06T00:00:00Z\",\"categories\":\"Canonical,Obsolete OS,Obsolete Software,Ubuntu 
Linux,Web\",\"check_id\":null,\"cves\":\"\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":6.0477304915445185,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"changed\",\"cvss_v3_score\":10,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"This release has passed its End of Life. There may be unpatched security vulnerabilities. Please check with https://wiki.ubuntu.com/Releases (https://wiki.ubuntu.com/Releases) for supported versions.\",\"exploits\":[],\"first_found\":\"2018-11-25T09:27:44Z\",\"id\":\"ubuntu-obsolete-version\",\"key\":\"Ubuntu Linux 12.04\",\"last_found\":\"2022-08-23T18:31:27.909Z\",\"links\":[],\"malware_kits\":[],\"modified\":\"2025-03-28T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"This operating system version is no longer supported by the vendor, and results in an automatic failure. 
\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"\\\\u003cp\\\\u003e\\\\u003cp\\\\u003eVulnerable OS: Ubuntu Linux 12.04\\\\u003cp\\\\u003e\\\\u003c/p\\\\u003e\\\\u003c/p\\\\u003e\\\\u003c/p\\\\u003e\",\"protocol\":null,\"published\":\"2013-05-06T00:00:00Z\",\"references\":\"\",\"reintroduced\":null,\"risk_score\":891.5,\"severity\":\"critical\",\"severity_score\":10,\"solution_fix\":\"\\\\u003cp\\\\u003eUpgrade to a supported version of Ubuntu Linux\\\\u003c/p\\\\u003e\",\"solution_id\":\"ubuntu-obsolete-version\",\"solution_summary\":\"Upgrade Ubuntu\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"title\":\"Obsolete Version of Ubuntu\",\"vulnerability_id\":\"ubuntu-obsolete-version\"}}", + "severity": 10, + "type": [ + "info" + ] + }, + "host": { + "id": "11111111-34a7-40a3-1111-28db0b5cc90e-default-asset-1049", + "ip": [ + "10.50.6.126" + ], + "risk": { + "static_score": 871.9886474609375 + } + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "version": "Ubuntu Linux 12.04" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 1, + "exploits": 0, + "id": "11111111-34a7-40a3-1111-28db0b5cc90e-default-asset-1049", + "ip": "10.50.6.126", + "last_assessed_for_vulnerabilities": "2022-08-23T18:31:27.909Z", + "last_scan_end": "2022-08-23T18:31:27.909Z", + "last_scan_start": "2022-08-23T18:30:49.674Z", + "malware_kits": 0, + "moderate_vulnerabilities": 3, + "risk_score": 871.9886474609375, + "severe_vulnerabilities": 5, + "total_vulnerabilities": 9, + "vulnerability": { + "added": "2013-05-06T00:00:00.000Z", + "categories": [ + "Canonical", + "Obsolete OS", + "Obsolete Software", + "Ubuntu Linux", + "Web" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "complete", + "confidentiality_impact": "complete", + 
"exploit_score": 9.996799945831299, + "impact_score": 10.000845454680942, + "integrity_impact": "complete", + "score": 10.0, + "vector": "(AV:N/AC:L/Au:N/C:C/I:C/A:C)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 3.8870427750000003, + "impact_score": 6.0477304915445185, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "changed", + "score": 10.0, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "This release has passed its End of Life. There may be unpatched security vulnerabilities. Please check with https://wiki.ubuntu.com/Releases (https://wiki.ubuntu.com/Releases) for supported versions.", + "first_found": "2018-11-25T09:27:44.000Z", + "id": "ubuntu-obsolete-version", + "key": "Ubuntu Linux 12.04", + "last_found": "2022-08-23T18:31:27.909Z", + "modified": "2025-03-28T00:00:00.000Z", + "pci": { + "cvss_score": 10.0, + "fail": true, + "severity_score": 5, + "special_notes": "This operating system version is no longer supported by the vendor, and results in an automatic failure. 
", + "status": "fail" + }, + "proof": "\\u003cp\\u003e\\u003cp\\u003eVulnerable OS: Ubuntu Linux 12.04\\u003cp\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\\u003c/p\\u003e", + "published": "2013-05-06T00:00:00.000Z", + "risk_score": 891.5, + "severity": "critical", + "severity_score": 10, + "solution": { + "fix": "\\u003cp\\u003eUpgrade to a supported version of Ubuntu Linux\\u003c/p\\u003e", + "id": "ubuntu-obsolete-version", + "summary": "Upgrade Ubuntu", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "Obsolete Version of Ubuntu" + } + } + }, + "related": { + "hosts": [ + "11111111-34a7-40a3-1111-28db0b5cc90e-default-asset-1049" + ], + "ip": [ + "10.50.6.126" + ] + }, + "resource": { + "id": "11111111-34a7-40a3-1111-28db0b5cc90e-default-asset-1049" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "Canonical", + "Obsolete OS", + "Obsolete Software", + "Ubuntu Linux", + "Web" + ], + "classification": "CVSS", + "description": "This release has passed its End of Life. There may be unpatched security vulnerabilities. Please check with https://wiki.ubuntu.com/Releases (https://wiki.ubuntu.com/Releases) for supported versions.", + "enumeration": "CVE", + "published_date": "2013-05-06T00:00:00.000Z", + "scanner": { + "vendor": "Rapid7" + }, + "score": { + "base": 10.0, + "version": "3.0" + }, + "severity": "Critical", + "title": "Obsolete Version of Ubuntu" + } } ] } diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml index ece3fc59807..5624fe495fe 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml 
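Review bot: In the added expected document, `proof` and `solution.fix` are pinned as the literal text `\u003cp\u003e…` — a backslash-u sequence, not the `<p>` markup it stands for — because the new fixture line carries a doubled backslash (`\\u003c`) that the pipeline passes through unchanged. If the API really returns the escape doubled like this, that literal is what gets indexed and searched on; if the fixture was hand-built, this record is not representative of the other three in the same file, whose proof fields carry no such sequences. Worth checking against a captured payload before locking this in as expected output.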
@@ -63,7 +63,7 @@ processors: tag: set_vulnerability_enumeration value: CVE # Remove cloud.* fields populated by beat. - # These fields correspond to EA rather than Tenable hosts and could be misleading. + # These fields correspond to EA rather than Rapid7 hosts and could be misleading. - remove: field: cloud ignore_missing: true @@ -493,7 +493,7 @@ processors: tag: split_vulnerability_cves target_field: rapid7_insightvm.asset_vulnerability.vulnerability.cves ignore_missing: true - if: ctx.json?.vulnerability?.cves instanceof String + if: ctx.json?.vulnerability?.cves instanceof String && ctx.json.vulnerability.cves != '' on_failure: - append: field: error.message diff --git a/packages/rapid7_insightvm/manifest.yml b/packages/rapid7_insightvm/manifest.yml index d117042cd6b..8d563ce2689 100644 --- a/packages/rapid7_insightvm/manifest.yml +++ b/packages/rapid7_insightvm/manifest.yml @@ -11,7 +11,7 @@ categories: - vulnerability_management conditions: kibana: - version: "^8.19.0 || ^9.0.0" + version: "^8.19.0 || ^9.1.0" elastic: subscription: "basic" screenshots: From 1ff28b2d0f7fc49aaa54895b63fa65eb6a26f51b Mon Sep 17 00:00:00 2001 From: brijesh-elastic Date: Fri, 13 Jun 2025 11:51:41 +0530 Subject: [PATCH 14/19] adding support of initial_interval option --- .../agent/stream/cel.yml.hbs | 56 +++++++++++++------ .../elasticsearch/ingest_pipeline/default.yml | 10 ++++ .../asset_vulnerability/fields/fields.yml | 3 + .../asset_vulnerability/manifest.yml | 8 +++ packages/rapid7_insightvm/docs/README.md | 1 + .../fields/fields.yml | 3 + .../latest_cdr_vulnerabilities/transform.yml | 1 - 7 files changed, 65 insertions(+), 17 deletions(-) diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs index 82d9801f991..6ed7a15ed43 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs 
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs @@ -17,6 +17,7 @@ resource.url: {{url}} state: api_key: {{api_key}} batch_size: {{batch_size}} + initial_interval: {{initial_interval}} redact: fields: - api_key @@ -47,19 +48,30 @@ program: | }.format_query() ).with({ "Header": { - "X-Api-Key": [state.api_key] - } + "X-Api-Key": [state.api_key], + "Content-Type": ["application/json"], + }, + "Body": { + ?"asset": has(state.?cursor.last_interval_time) ? + optional.none() + : + optional.of(("last_scan_end > " + string((timestamp(interval_time) - duration(state.initial_interval)).format(time_layout.RFC3339)))), + }.encode_json(), }).do_request().as(resp, resp.StatusCode == 200 ? resp.Body.decode_json().as(body, { "events": [{"message": "retry"}], "batch_size": state.batch_size, + "initial_interval": state.initial_interval, "api_key": state.api_key, + "cursor": { + ?"last_interval_time": state.?cursor.last_interval_time, + }, ?"next_asset_cursor": has(body.?metadata.cursor) && body.metadata.cursor != null ? optional.of(body.metadata.cursor) : optional.none(), "is_all_assets_fetched": has(body.metadata.cursor) && body.metadata.cursor != null ? false : true, "assets": body.data, - "asset_vuln_ids": body.data.map(a, + "asset_vuln_ids": body.data.map(a, a.?same.orValue([]).map(s, s.vulnerability_id) + a.?new.orValue([]).map(n, n.vulnerability_id) + a.?remediated.orValue([]).map(r, r.vulnerability_id) - ).flatten().as(vuln_ids, + ).flatten().as(vuln_ids, vuln_ids.map(vuln_id, string(vuln_id)).as(str_vuln_ids, zip(str_vuln_ids, vuln_ids)) ).keys(), "interval_time": interval_time, @@ -81,7 +93,8 @@ program: | }, "want_more": false, "api_key": state.api_key, - "batch_size": state.batch_size + "batch_size": state.batch_size, + "initial_interval": state.initial_interval, } ) ).as(work, 
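Review bot: The new `last_scan_end` body filter is suppressed only when `state.cursor.last_interval_time` is present, yet no hunk in this patch ever assigns that cursor — every state block only forwards `?"last_interval_time": state.?cursor.last_interval_time`, and the `@@ -170,27 +189,32 @@` hunk deletes the commented-out block that would have set it once all assets were fetched. Unless it is written in lines outside these hunks (the branch whose comment reads "Save cursor and end iteration" is only partly visible), `has(state.?cursor.last_interval_time)` stays false and every collection cycle re-sends `last_scan_end > interval_time - initial_interval`, re-ingesting the whole `initial_interval` window each run instead of resuming from the previous cycle. If that is intentional for this revision, a comment next to the `?"asset":` line stating it would help; otherwise the all-assets-fetched branch should emit `"cursor": {"last_interval_time": state.interval_time}` so the filter is only applied on first execution. The enclosing `program` block starts and ends outside these hunks.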
@@ -112,7 +125,11 @@ program: | "events": [{"message": "retry"}], "batch_size": state.batch_size, "api_key": state.api_key, + "initial_interval": state.initial_interval, "assets": state.assets, + "cursor": { + ?"last_interval_time": state.?cursor.last_interval_time, + }, "is_all_assets_fetched": state.is_all_assets_fetched, ?"next_vuln_cursor": has(body.?metadata.cursor) && body.metadata.cursor != null ? optional.of(body.metadata.cursor) : optional.none(), ?"next_asset_cursor": work.?next_asset_cursor, @@ -138,15 +155,16 @@ program: | }, "want_more": false, "api_key": state.api_key, - "batch_size": state.batch_size + "batch_size": state.batch_size, + "initial_interval": state.initial_interval, } ) ) ).as(work, - (type(work.events) == map || !(work.is_all_assets_fetched || work.?is_current_vulnerabilities_fetched.orValue(false))) ? + (type(work.events) == map || !(work.is_all_assets_fetched || work.?is_current_vulnerabilities_fetched.orValue(false))) ? work // Error or more vulnerabilities to fetch for current assets. : - work.is_all_assets_fetched ? + work.is_all_assets_fetched ? // All assets fetched. Save cursor and end iteration. { "events": [], @@ -156,8 +174,9 @@ program: | "want_more": false, "api_key": state.api_key, "batch_size": state.batch_size, + "initial_interval": state.initial_interval, } - : + : // All vulnerabilities of current assets batch are fetched. Publish events. work.with({ // convert vulnerabilities to map for better searching 
@@ -170,27 +189,32 @@ program: | )), // combine same[] new[] remediated[] into vulnerability[] "assets": work.assets.map(e, e.with({ - "vulnerabilities": e.?same.orValue([]) + e.?new.orValue([]) + e.?remediated.orValue([]).map(r, r.with({"remediated": true})), + "vulnerabilities": e.?same.orValue([]) + e.?new.orValue([]) + e.?remediated.orValue([]).map(r, r.with({"is_remediated": true})), }).drop(["new","remediated","same"])) }).as(work, { - "events": work.assets.map(e, e.vulnerabilities.map(v, { + "events": (work.assets.map(e, e.vulnerabilities.map(v, { "message": e.with({"vulnerability": v.with( work.?vulnerabilities[v.vulnerability_id].orValue("not present") != "not present" ? work.vulnerabilities[v.vulnerability_id] : {"is_enriched": false} )}).drop("vulnerabilities").encode_json() - })).flatten(), + })).flatten()).as(result, size(result) != 0 ? // it will be empty when there is no vulnerability for current assets batch + result + : + [{"message": "retry"}] // retry execution as is_all_assets_fetched is false + ), + "cursor": { + ?"last_interval_time": state.?cursor.last_interval_time, + }, "is_all_assets_fetched": work.is_all_assets_fetched, "is_current_vulnerabilities_fetched": work.is_current_vulnerabilities_fetched, ?"next_asset_cursor": work.?next_asset_cursor, "interval_time": work.interval_time, - //"cursor": { - // ?"last_interval_time": work.is_all_assets_fetched ? optional.of(state.interval_time) : optional.none(), - //}, - "want_more": !(work.is_all_assets_fetched && work.is_current_vulnerabilities_fetched), + "want_more": true, "api_key": state.api_key, "batch_size": state.batch_size, + "initial_interval": state.initial_interval, }) ) tags: diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml index 5624fe495fe..7d841d9d3fe 100644 
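Review bot: `is_remediated` is only attached to entries coming from `remediated[]`, so vulnerabilities from `same[]` and `new[]` are published without the field rather than with `false`; a consumer filtering on `is_remediated: false` (or the latest transform built on these documents) will not match them, and the boolean effectively becomes tri-state (true / absent). Setting it on both sides keeps the field binary: `"vulnerabilities": (e.?same.orValue([]) + e.?new.orValue([])).map(v, v.with({"is_remediated": false})) + e.?remediated.orValue([]).map(r, r.with({"is_remediated": true})),`. The enclosing `work.with({...})` expression starts and ends outside the hunk.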
--- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml @@ -719,6 +719,16 @@ processors: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.vulnerability.is_remediated + tag: convert_vulnerability_is_remediated_to_boolean + target_field: rapid7_insightvm.asset_vulnerability.vulnerability.is_remediated + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - date: field: json.vulnerability.last_found tag: date_vulnerability_last_found diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/fields.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/fields.yml index 247c4912871..d753a158a77 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/fields.yml +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/fields/fields.yml @@ -235,6 +235,9 @@ - name: is_enriched type: boolean description: Whether the enriched vulnerability information is available. + - name: is_remediated + type: boolean + description: Whether the vulnerability has been remediated. - name: key type: keyword description: The identifier of the assessment key. diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/manifest.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/manifest.yml index 9d966f5d213..ec0e860e4bb 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/manifest.yml 
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/manifest.yml @@ -7,6 +7,14 @@ streams: template_path: cel.yml.hbs enabled: false vars: + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: true + default: 2160h + description: How far back to pull the events from Rapid7 InsightVM API. Supported units for this parameter are h/m/s. - name: interval type: text title: Interval diff --git a/packages/rapid7_insightvm/docs/README.md b/packages/rapid7_insightvm/docs/README.md index b15d2c3fdca..81d3b73301e 100644 --- a/packages/rapid7_insightvm/docs/README.md +++ b/packages/rapid7_insightvm/docs/README.md @@ -540,6 +540,7 @@ An example event for `asset_vulnerability` looks as following: | rapid7_insightvm.asset_vulnerability.vulnerability.first_found | The first time the vulnerability was discovered. | date | | rapid7_insightvm.asset_vulnerability.vulnerability.id | The identifier of the vulnerability. | keyword | | rapid7_insightvm.asset_vulnerability.vulnerability.is_enriched | Whether the enriched vulnerability information is available. | boolean | +| rapid7_insightvm.asset_vulnerability.vulnerability.is_remediated | Whether the vulnerability has been remediated. | boolean | | rapid7_insightvm.asset_vulnerability.vulnerability.key | The identifier of the assessment key. | keyword | | rapid7_insightvm.asset_vulnerability.vulnerability.last_found | The most recent time the vulnerability was discovered. | date | | rapid7_insightvm.asset_vulnerability.vulnerability.links.href | | keyword | diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml index 247c4912871..d753a158a77 100644 --- a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml 
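Review bot: The `initial_interval` description states the supported units but gives no hint that the `2160h` default is 90 days, nor that a value such as `90d` will presumably fail when the CEL program evaluates `duration(state.initial_interval)` — and since the var is `required: true` and used on every request, a bad value would stall collection rather than one event. Suggest `description: How far back to pull the events from Rapid7 InsightVM API. Supported units for this parameter are h/m/s, for example 2160h for 90 days; day units such as 90d are not accepted.`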
+++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml @@ -235,6 +235,9 @@ - name: is_enriched type: boolean description: Whether the enriched vulnerability information is available. + - name: is_remediated + type: boolean + description: Whether the vulnerability has been remediated. - name: key type: keyword description: The identifier of the assessment key. diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml index 180900189a1..eecae70230b 100644 --- a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml +++ b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml @@ -28,4 +28,3 @@ _meta: # Bump this version to delete, reinstall, and restart the transform during package. # Version bump is needed if there is any code change in transform. fleet_transform_version: 0.1.0 - run_as_kibana_system: false From 471e7fe155e6dc0f6f4f8141202a0a50d5720ede Mon Sep 17 00:00:00 2001 From: brijesh-elastic Date: Fri, 13 Jun 2025 15:45:14 +0530 Subject: [PATCH 15/19] deprecate asset data stream and update readme --- .../_dev/build/docs/README.md | 25 +++++++++++++++++-- .../data_stream/asset/manifest.yml | 4 +-- packages/rapid7_insightvm/docs/README.md | 25 +++++++++++++++++-- packages/rapid7_insightvm/manifest.yml | 1 + 4 files changed, 49 insertions(+), 6 deletions(-) diff --git a/packages/rapid7_insightvm/_dev/build/docs/README.md b/packages/rapid7_insightvm/_dev/build/docs/README.md index 53079cfddf3..ad562659a8e 100644 --- a/packages/rapid7_insightvm/_dev/build/docs/README.md +++ b/packages/rapid7_insightvm/_dev/build/docs/README.md 
@@ -10,11 +10,11 @@ Use the Rapid7 InsightVM integration to collect and parse data from the REST API The Rapid7 InsightVM integration collects two type of events: Asset and Vulnerability. -**Asset** is used to get details related to inventory, assessment, and summary details of assets that the user has access to. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationAssets). +**Asset (Deprecated)** is used to get details related to inventory, assessment, and summary details of assets that the user has access to. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationAssets). It is deprecated in version `2.0.0`. Instead, use the `Asset Vulnerability` data stream for enriched vulnerability documents and improved mappings. **Vulnerability** is used to retrieve all vulnerabilities that can be assessed. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationVulnerabilities). -**Asset Vulnerability** is used to gather and aggregate data on assets and vulnerabilities to support Native CDR Workflows. +**Asset Vulnerability** is used to gather and aggregate data on assets and vulnerabilities to support Native CDR Workflows. ## Requirements 
@@ -36,6 +36,27 @@ This module uses **InsightVM Cloud Integrations API v4**. 1. Generate the platform API key to access all Rapid7 InsightVM APIs. For more details, see [Documentation](https://docs.rapid7.com/insight/managing-platform-api-keys). +## Troubleshooting + +### Breaking Changes + +#### Support for Elastic Vulnerability Findings page. + +Version `2.0.0` of the Rapid7 InsightVM integration adds support for [Elastic Cloud Security workflow](https://www.elastic.co/docs/solutions/security/cloud/ingest-third-party-cloud-security-data#_ingest_third_party_security_posture_and_vulnerability_data). The enhancement enables the users of Rapid7 InsightVM integration to ingest their enriched asset vulnerabilities from Rapid7 InsightVM platform into Elastic and get insights directly from Elastic [Vulnerability Findings page](https://www.elastic.co/docs/solutions/security/cloud/findings-page-3). +This update adds [Elastic Latest Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview) which copies the latest vulnerability findings from source indices matching the pattern `logs-rapid7_insightvm.asset_vulnerability-*` into new destination indices matching the pattern `security_solution-rapid7_insightvm.vulnerability_latest-*`. The Elastic Vulnerability Findings page will display vulnerabilities based on the destination indices. + +For existing users of Rapid7 InsightVM integration, before upgrading to `4.0.0` please ensure following requirements are met: + +1. Users need [Elastic Security solution](https://www.elastic.co/docs/solutions/security) which has requirements documented [here](https://www.elastic.co/docs/solutions/security/get-started/elastic-security-requirements). +2. 
To use transforms, users must have: + - at least one [transform node](https://www.elastic.co/docs/deploy-manage/distributed-architecture/clusters-nodes-shards/node-roles#transform-node-role), + - management features visible in the Kibana space, and + - security privileges that: + - grant use of transforms, and + - grant access to source and destination indices + For more details on Transform Setup, refer to the link [here](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) +3. Because the latest copy of vulnerabilities is now indexed in two places, i.e., in both source and destination indices, users must anticipate storage requirements accordingly. + ## Logs Reference ### asset diff --git a/packages/rapid7_insightvm/data_stream/asset/manifest.yml b/packages/rapid7_insightvm/data_stream/asset/manifest.yml index 1c2f1245029..5663d992df0 100644 --- a/packages/rapid7_insightvm/data_stream/asset/manifest.yml +++ b/packages/rapid7_insightvm/data_stream/asset/manifest.yml @@ -1,8 +1,8 @@ -title: Collect Asset logs from Rapid7 InsightVM +title: Collect Asset logs from Rapid7 InsightVM (Deprecated) type: logs streams: - input: httpjson - title: Asset logs + title: Asset logs (Deprecated) description: Collect Asset logs via API. template_path: httpjson.yml.hbs vars: diff --git a/packages/rapid7_insightvm/docs/README.md b/packages/rapid7_insightvm/docs/README.md index 81d3b73301e..5108daf68a3 100644 --- a/packages/rapid7_insightvm/docs/README.md +++ b/packages/rapid7_insightvm/docs/README.md 
@@ -10,11 +10,11 @@ Use the Rapid7 InsightVM integration to collect and parse data from the REST API The Rapid7 InsightVM integration collects two type of events: Asset and Vulnerability. -**Asset** is used to get details related to inventory, assessment, and summary details of assets that the user has access to. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationAssets). +**Asset (Deprecated)** is used to get details related to inventory, assessment, and summary details of assets that the user has access to. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationAssets). It is deprecated in version `2.0.0`. Instead, use the `Asset Vulnerability` data stream for enriched vulnerability documents and improved mappings. **Vulnerability** is used to retrieve all vulnerabilities that can be assessed. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationVulnerabilities). -**Asset Vulnerability** is used to gather and aggregate data on assets and vulnerabilities to support Native CDR Workflows. +**Asset Vulnerability** is used to gather and aggregate data on assets and vulnerabilities to support Native CDR Workflows. ## Requirements 
@@ -36,6 +36,27 @@ This module uses **InsightVM Cloud Integrations API v4**. 1. Generate the platform API key to access all Rapid7 InsightVM APIs. For more details, see [Documentation](https://docs.rapid7.com/insight/managing-platform-api-keys). +## Troubleshooting + +### Breaking Changes + +#### Support for Elastic Vulnerability Findings page. + +Version `2.0.0` of the Rapid7 InsightVM integration adds support for [Elastic Cloud Security workflow](https://www.elastic.co/docs/solutions/security/cloud/ingest-third-party-cloud-security-data#_ingest_third_party_security_posture_and_vulnerability_data). The enhancement enables the users of Rapid7 InsightVM integration to ingest their enriched asset vulnerabilities from Rapid7 InsightVM platform into Elastic and get insights directly from Elastic [Vulnerability Findings page](https://www.elastic.co/docs/solutions/security/cloud/findings-page-3). +This update adds [Elastic Latest Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview) which copies the latest vulnerability findings from source indices matching the pattern `logs-rapid7_insightvm.asset_vulnerability-*` into new destination indices matching the pattern `security_solution-rapid7_insightvm.vulnerability_latest-*`. The Elastic Vulnerability Findings page will display vulnerabilities based on the destination indices. + +For existing users of Rapid7 InsightVM integration, before upgrading to `4.0.0` please ensure following requirements are met: + +1. Users need [Elastic Security solution](https://www.elastic.co/docs/solutions/security) which has requirements documented [here](https://www.elastic.co/docs/solutions/security/get-started/elastic-security-requirements). +2. 
To use transforms, users must have: + - at least one [transform node](https://www.elastic.co/docs/deploy-manage/distributed-architecture/clusters-nodes-shards/node-roles#transform-node-role), + - management features visible in the Kibana space, and + - security privileges that: + - grant use of transforms, and + - grant access to source and destination indices + For more details on Transform Setup, refer to the link [here](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) +3. Because the latest copy of vulnerabilities is now indexed in two places, i.e., in both source and destination indices, users must anticipate storage requirements accordingly. + ## Logs Reference ### asset diff --git a/packages/rapid7_insightvm/manifest.yml b/packages/rapid7_insightvm/manifest.yml index 8d563ce2689..2286e39945b 100644 --- a/packages/rapid7_insightvm/manifest.yml +++ b/packages/rapid7_insightvm/manifest.yml @@ -40,6 +40,7 @@ policy_templates: organization: security division: engineering team: security-service-integrations + # The default memory allocation of 1Gi for agentless deployment results in the input restarting multiple times and becoming stuck in a loop, unable to complete the ingestion cycle. Increasing the memory to 4Gi solves the issue. resources: requests: memory: 4Gi From 132cb48a424e3ea89c8398f8e734fa0c385815da Mon Sep 17 00:00:00 2001 From: brijesh-elastic Date: Mon, 16 Jun 2025 18:50:23 +0530 Subject: [PATCH 16/19] address pr comments --- .../_dev/build/docs/README.md | 6 +-- .../elasticsearch/ingest_pipeline/default.yml | 11 ++++++ .../data_stream/asset/manifest.yml | 1 + ...test-asset-vulnerability.log-expected.json | 4 +- .../agent/stream/cel.yml.hbs | 38 +++++++++++++++---- .../elasticsearch/ingest_pipeline/default.yml | 17 +++++++-- .../asset_vulnerability/manifest.yml | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 11 ++++++ packages/rapid7_insightvm/docs/README.md | 6 +-- 9 files changed, 76 insertions(+), 20 deletions(-) 
diff --git a/packages/rapid7_insightvm/_dev/build/docs/README.md b/packages/rapid7_insightvm/_dev/build/docs/README.md index ad562659a8e..35105b55045 100644 --- a/packages/rapid7_insightvm/_dev/build/docs/README.md +++ b/packages/rapid7_insightvm/_dev/build/docs/README.md @@ -12,10 +12,10 @@ The Rapid7 InsightVM integration collects two type of events: Asset and Vulnerab **Asset (Deprecated)** is used to get details related to inventory, assessment, and summary details of assets that the user has access to. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationAssets). It is deprecated in version `2.0.0`. Instead, use the `Asset Vulnerability` data stream for enriched vulnerability documents and improved mappings. -**Vulnerability** is used to retrieve all vulnerabilities that can be assessed. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationVulnerabilities). - **Asset Vulnerability** is used to gather and aggregate data on assets and vulnerabilities to support Native CDR Workflows. +**Vulnerability** is used to retrieve all vulnerabilities that can be assessed. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationVulnerabilities). + ## Requirements ### Agent-based installation 
@@ -45,7 +45,7 @@ This module uses **InsightVM Cloud Integrations API v4**. Version `2.0.0` of the Rapid7 InsightVM integration adds support for [Elastic Cloud Security workflow](https://www.elastic.co/docs/solutions/security/cloud/ingest-third-party-cloud-security-data#_ingest_third_party_security_posture_and_vulnerability_data). The enhancement enables the users of Rapid7 InsightVM integration to ingest their enriched asset vulnerabilities from Rapid7 InsightVM platform into Elastic and get insights directly from Elastic [Vulnerability Findings page](https://www.elastic.co/docs/solutions/security/cloud/findings-page-3). This update adds [Elastic Latest Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview) which copies the latest vulnerability findings from source indices matching the pattern `logs-rapid7_insightvm.asset_vulnerability-*` into new destination indices matching the pattern `security_solution-rapid7_insightvm.vulnerability_latest-*`. The Elastic Vulnerability Findings page will display vulnerabilities based on the destination indices. -For existing users of Rapid7 InsightVM integration, before upgrading to `4.0.0` please ensure following requirements are met: +For existing users of Rapid7 InsightVM integration, before upgrading to `2.0.0` please ensure following requirements are met: 1. Users need [Elastic Security solution](https://www.elastic.co/docs/solutions/security) which has requirements documented [here](https://www.elastic.co/docs/solutions/security/get-started/elastic-security-requirements). 2. To use transforms, users must have: diff --git a/packages/rapid7_insightvm/data_stream/asset/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7_insightvm/data_stream/asset/elasticsearch/ingest_pipeline/default.yml index 0570e8ac01e..3f71fd9db75 100644 --- a/packages/rapid7_insightvm/data_stream/asset/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/rapid7_insightvm/data_stream/asset/elasticsearch/ingest_pipeline/default.yml @@ -13,6 +13,17 @@ processors: - set: field: event.type value: [info] + - remove: + field: + - organization + - division + - team + ignore_missing: true + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + tag: remove_agentless_tags + description: >- + Removes the fields added by Agentless as metadata, + as they can collide with ECS fields. - rename: field: message tag: rename_message_to_event_original diff --git a/packages/rapid7_insightvm/data_stream/asset/manifest.yml b/packages/rapid7_insightvm/data_stream/asset/manifest.yml index 5663d992df0..446718503bc 100644 --- a/packages/rapid7_insightvm/data_stream/asset/manifest.yml +++ b/packages/rapid7_insightvm/data_stream/asset/manifest.yml @@ -5,6 +5,7 @@ streams: title: Asset logs (Deprecated) description: Collect Asset logs via API. template_path: httpjson.yml.hbs + enabled: false vars: - name: interval type: text diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json index 9a59a0d7ef1..a1e2bff35ed 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json @@ -48,8 +48,8 @@ }, "package": { "fixed_version": "latest", - "name": "Ubuntu Linux 22.04", - "version": "Ubuntu Linux 22.04" + "name": "Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)", + "version": "Azul Systems JRE 17.54.22 (/root/infaagent/jdk/lib/jrt-fs.jar)" }, "rapid7_insightvm": { "asset_vulnerability": { 
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs index 6ed7a15ed43..d0b25d826bf 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs 
@@ -22,13 +22,30 @@ redact: fields: - api_key program: | + + // The program collects all assets and enriches them with vulnerability details. + // Here's a detailed overview of how this process works: + // + // On execution, the program calls the [Assets API][1] and retrieves the first batch of assets. + // From this batch, we extract all vulnerability IDs associated with the assets (including new, existing, and remediated vulnerabilities). + // We then use this list of vulnerability IDs as a filter to call the [Vulnerabilities API][2], + // retrieving all relevant vulnerabilities until we receive a null value for the next cursor. + // + // After retrieving the vulnerability data, we aggregate it with the corresponding assets and publish the events. + // This process continues batch by batch until the Assets API returns a null value for the next cursor. + // + // [1]: https://help.rapid7.com/insightvm/en-us/api/integrations.html#tag/Asset/operation/searchIntegrationAssets + // [2]: https://help.rapid7.com/insightvm/en-us/api/integrations.html#tag/Vulnerability/operation/searchIntegrationVulnerabilities + ( state.?want_more.orValue(false) ? state.interval_time : now ).as(interval_time, - has(state.assets) && (state.is_all_assets_fetched || !state.?is_current_vulnerabilities_fetched.orValue(false)) ? + // If assets are already present and the vulnerabilities for the current asset batch have not been fully fetched, + // skip the Asset API call and continue forwarding the state to the next block. + has(state.assets) && (state.is_all_assets_fetched || !state.?is_current_vulnerabilities_fetched.orValue(false)) ? { "assets": state.assets, "is_all_assets_fetched": state.is_all_assets_fetched, 
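Review bot: The comment added above the `has(state.assets) && (state.is_all_assets_fetched || !state.?is_current_vulnerabilities_fetched.orValue(false))` condition describes only half of it: the Assets API call is also skipped when `is_all_assets_fetched` is already true, not only while the current batch's vulnerabilities are pending. Suggest `// Skip the Asset API call when assets are already in state and either all assets have been fetched or the current batch's vulnerabilities are still being collected; forward the state to the next block.` The condition itself predates this patch, and the surrounding expression continues outside the hunk.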
@@ -37,6 +54,8 @@ program: | ?"next_asset_cursor": state.?next_asset_cursor, } : + // The `includeSame` query parameter and `last_scan_end` body filter are only added in the first execution of program. + // These parameters are used to collect historical vulnerabilities for the assets. request( "POST", state.url.trim_right("/") + "/vm/v4/integration/assets?" + { @@ -67,12 +86,14 @@ program: | ?"last_interval_time": state.?cursor.last_interval_time, }, ?"next_asset_cursor": has(body.?metadata.cursor) && body.metadata.cursor != null ? optional.of(body.metadata.cursor) : optional.none(), - "is_all_assets_fetched": has(body.metadata.cursor) && body.metadata.cursor != null ? false : true, + "is_all_assets_fetched": !has(body.metadata.cursor) || body.metadata.cursor == null, "assets": body.data, - "asset_vuln_ids": body.data.map(a, - a.?same.orValue([]).map(s, s.vulnerability_id) + a.?new.orValue([]).map(n, n.vulnerability_id) + a.?remediated.orValue([]).map(r, r.vulnerability_id) - ).flatten().as(vuln_ids, - vuln_ids.map(vuln_id, string(vuln_id)).as(str_vuln_ids, zip(str_vuln_ids, vuln_ids)) + "asset_vuln_ids": body.data.map(a, ( + a.?same.orValue([]).map(s, s.vulnerability_id) + + a.?new.orValue([]).map(n, n.vulnerability_id) + + a.?remediated.orValue([]).map(r, r.vulnerability_id) + )).flatten().as(vuln_ids, + zip(vuln_ids, vuln_ids) // to get a unique set of IDs ).keys(), "interval_time": interval_time, "want_more": true @@ -100,6 +121,7 @@ program: | ).as(work, has(work.events) ? work : // Exit early ( + // If the current set of vulnerabilities has been fetched, skip the Vulnerability API call and continue forwarding the state to the next block. (has(state.vulnerabilities) && state.is_current_vulnerabilities_fetched) ? work.with({ "vulnerabilities": state.vulnerabilities, 
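Review bot: The rewritten `"is_all_assets_fetched": !has(body.metadata.cursor) || body.metadata.cursor == null` dereferences `body.metadata` without the optional that the `?"next_asset_cursor"` line directly above it uses (`has(body.?metadata.cursor)`); if a response ever lacks `metadata`, `has(body.metadata.cursor)` errors in CEL rather than returning false, and the same applies to `is_current_vulnerabilities_fetched` in the `@@ -133,7 +155,7 @@` hunk. Using the optional form keeps the two adjacent lines consistent: `"is_all_assets_fetched": !has(body.?metadata.cursor) || body.metadata.cursor == null,`. The comment about `includeSame` refers to a query map whose lines are outside the hunk, so I could not confirm it.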
@@ -133,7 +155,7 @@ program: | "is_all_assets_fetched": state.is_all_assets_fetched, ?"next_vuln_cursor": has(body.?metadata.cursor) && body.metadata.cursor != null ? optional.of(body.metadata.cursor) : optional.none(), ?"next_asset_cursor": work.?next_asset_cursor, - "is_current_vulnerabilities_fetched": has(body.metadata.cursor) && body.metadata.cursor != null ? false : true, + "is_current_vulnerabilities_fetched": !has(body.metadata.cursor) || body.metadata.cursor == null, "vulnerabilities": (state.?vulnerabilities.orValue([]) + body.data).flatten(), "asset_vuln_ids": work.asset_vuln_ids, "interval_time": work.interval_time, @@ -177,7 +199,7 @@ program: | "initial_interval": state.initial_interval, } : - // All vulnerabilities of current assets batch are fetched. Publish events. + // All vulnerabilities of current assets batch are fetched. Aggregate and publish events. work.with({ // convert vulnerabilities to map for better searching "vulnerabilities": work.vulnerabilities.map(e, { diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml index 7d841d9d3fe..84fa8a76ce3 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml 
@@ -9,6 +9,17 @@ processors: tag: data_collection_error if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null message: error message set and no data to process. + - remove: + field: + - organization + - division + - team + ignore_missing: true + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + tag: remove_agentless_tags + description: >- + Removes the fields added by Agentless as metadata, + as they can collide with ECS fields. - rename: field: message tag: rename_message_to_event_original @@ -963,9 +974,9 @@ processors: description: Extract package fields from proof. tag: grok_parse_vulnerability_proof patterns: - - '^Vulnerable OS: %{DATA:_temp.os} Vulnerable software installed: %{DATA:package.name} Required patch %{GREEDYDATA}$' - - '^Vulnerable OS: %{DATA:_temp.os} Vulnerable software installed: %{DATA:package.name} Running HTTPS service %{GREEDYDATA}$' - - '^Vulnerable OS: %{DATA:_temp.os} Vulnerable software installed: %{DATA:package.name}$' + - '^Vulnerable OS: %{DATA:_temp.os}(\n)*Vulnerable software installed: %{DATA:package.name} Required patch %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:_temp.os}(\n)*Vulnerable software installed: %{DATA:package.name} Running HTTPS service %{GREEDYDATA}$' + - '^Vulnerable OS: %{DATA:_temp.os}(\n)*Vulnerable software installed: %{DATA:package.name}$' - '^Vulnerable OS: %{DATA:_temp.os} Running %{DATA:_temp.service} service%{DATA}Vulnerable version of %{DATA} found -- %{DATA:package.name}$' - '^Vulnerable OS: %{DATA:package.name} The property %{GREEDYDATA}$' - '^Vulnerable OS: %{DATA:package.name} Based on the result of the %{GREEDYDATA}$' diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/manifest.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/manifest.yml index ec0e860e4bb..a19804cceda 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/manifest.yml 
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/manifest.yml @@ -3,7 +3,7 @@ type: logs streams: - input: cel title: Asset Vulnerability Event - description: Collecting asset vulnerability events via API. + description: Collect enriched asset vulnerability events via API. template_path: cel.yml.hbs enabled: false vars: diff --git a/packages/rapid7_insightvm/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7_insightvm/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml index 8db4753f6b2..141cc22ac46 100644 --- a/packages/rapid7_insightvm/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml +++ b/packages/rapid7_insightvm/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml @@ -13,6 +13,17 @@ processors: - set: field: event.type value: [info] + - remove: + field: + - organization + - division + - team + ignore_missing: true + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + tag: remove_agentless_tags + description: >- + Removes the fields added by Agentless as metadata, + as they can collide with ECS fields. - rename: field: message tag: rename_message_to_event_original diff --git a/packages/rapid7_insightvm/docs/README.md b/packages/rapid7_insightvm/docs/README.md index 5108daf68a3..0b9b1f3114a 100644 --- a/packages/rapid7_insightvm/docs/README.md +++ b/packages/rapid7_insightvm/docs/README.md 
@@ -12,10 +12,10 @@ The Rapid7 InsightVM integration collects two type of events: Asset and Vulnerab **Asset (Deprecated)** is used to get details related to inventory, assessment, and summary details of assets that the user has access to. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationAssets). It is deprecated in version `2.0.0`. Instead, use the `Asset Vulnerability` data stream for enriched vulnerability documents and improved mappings. -**Vulnerability** is used to retrieve all vulnerabilities that can be assessed. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationVulnerabilities). - **Asset Vulnerability** is used to gather and aggregate data on assets and vulnerabilities to support Native CDR Workflows. +**Vulnerability** is used to retrieve all vulnerabilities that can be assessed. See more details in the API documentation [here](https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationVulnerabilities). + ## Requirements ### Agent-based installation 
@@ -45,7 +45,7 @@ This module uses **InsightVM Cloud Integrations API v4**. Version `2.0.0` of the Rapid7 InsightVM integration adds support for [Elastic Cloud Security workflow](https://www.elastic.co/docs/solutions/security/cloud/ingest-third-party-cloud-security-data#_ingest_third_party_security_posture_and_vulnerability_data). The enhancement enables the users of Rapid7 InsightVM integration to ingest their enriched asset vulnerabilities from Rapid7 InsightVM platform into Elastic and get insights directly from Elastic [Vulnerability Findings page](https://www.elastic.co/docs/solutions/security/cloud/findings-page-3). This update adds [Elastic Latest Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview) which copies the latest vulnerability findings from source indices matching the pattern `logs-rapid7_insightvm.asset_vulnerability-*` into new destination indices matching the pattern `security_solution-rapid7_insightvm.vulnerability_latest-*`. The Elastic Vulnerability Findings page will display vulnerabilities based on the destination indices. -For existing users of Rapid7 InsightVM integration, before upgrading to `4.0.0` please ensure following requirements are met: +For existing users of Rapid7 InsightVM integration, before upgrading to `2.0.0` please ensure following requirements are met: 1. Users need [Elastic Security solution](https://www.elastic.co/docs/solutions/security) which has requirements documented [here](https://www.elastic.co/docs/solutions/security/get-started/elastic-security-requirements). 2. To use transforms, users must have: From 5fbe5cfaa1c112a780a321f98b8bac49542a8ebb Mon Sep 17 00:00:00 2001 
From: brijesh-elastic Date: Tue, 17 Jun 2025 14:39:29 +0530 Subject: [PATCH 17/19] resolve comments --- packages/rapid7_insightvm/changelog.yml | 7 +- .../pipeline/test-asset-vulnerability.log | 3 + ...test-asset-vulnerability.log-expected.json | 817 +++++++++++++++++- .../agent/stream/cel.yml.hbs | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 26 +- 5 files changed, 834 insertions(+), 21 deletions(-) diff --git a/packages/rapid7_insightvm/changelog.yml b/packages/rapid7_insightvm/changelog.yml index 3838e4ff926..e7175a582df 100644 --- a/packages/rapid7_insightvm/changelog.yml +++ b/packages/rapid7_insightvm/changelog.yml @@ -1,8 +1,11 @@ # newer versions go on top - version: "2.0.0" changes: - - description: Add asset_vulnerability datastream support for Cloud Detection and Response (CDR) vulnerability workflow. - type: enhancement + - description: | + Add `asset_vulnerability` datastream support for the Cloud Detection and Response (CDR) vulnerability workflow. + This will require a transform node, the necessary permissions to use the transform, and specified source and destination indices. + It also stores the latest copy of vulnerabilities in the destination indices, which will require additional storage. + type: breaking-change link: https://github.com/elastic/integrations/pull/14079 - version: "1.16.0" changes: diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log index 3766b806b1a..0e734808ce4 100644 --- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log +++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log 
@@ -20,3 +20,6 @@ {"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":5,"exploits":0,"host_name":"ub22-50-6-126","id":"8babcdef-5678-5678-1234-cabcdef0123e-default-asset-7","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2025-05-27T19:54:43.777Z","last_scan_end":"2025-05-27T19:54:43.777Z","last_scan_start":"2025-05-27T19:53:43.777Z","mac":"00:00:5E:00:53:01","malware_kits":0,"moderate_vulnerabilities":1,"os_architecture":"x86_64","os_description":"Ubuntu Linux 22.04","os_family":"Linux","os_name":"Linux","os_system_name":"Ubuntu Linux","os_type":"","os_vendor":"Ubuntu","os_version":"22.04","risk_score":5656,"severe_vulnerabilities":6,"tags":[{"name":"rapid7 insight agents","type":"SITE"}],"total_vulnerabilities":12,"type":"guest","unique_identifiers":[{"id":"B7123456-5678-1234-ABCD-6F6ABCDEFA91","source":"dmidecode"},{"id":"cababcdefabcd0123456789f16d7061a","source":"R7 Agent"},{"id":"cab682b411e200123456789ab6d7061a","source":"Endpoint Agent"}],"vulnerability":{"check_id":null,"first_found":"2022-12-23T18:55:39Z","key":"","last_found":"2023-06-23T17:41:50.071Z","nic":null,"port":80,"proof":"

  • Running HTTP service
  • Vulnerable version of component PHP found -- PHP 5.4.16

","protocol":"TCP","reintroduced":null,"solution_fix":"

Download and apply the upgrade from: http://www.php.net/downloads.php

","solution_id":"php-upgrade-latest","solution_summary":"Upgrade to the latest version of PHP","solution_type":"rollup","status":"VULNERABLE_VERS","vulnerability_id":"php-cve-2016-3171","added":"2019-09-30T00:00:00Z","categories":"HTTP,PHP,Remote Execution","cves":"CVE-2016-3171","cvss_v2_access_complexity":"medium","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":8.588799953460693,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":6.8,"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"high","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.2211673,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.1,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.","exploits":[],"id":"php-cve-2016-3171","links":[{"href":"http://nvd.nist.gov/vuln/detail/CVE-2016-3171","id":"CVE-2016-3171","source":"cve"}],"malware_kits":[],"modified":"2024-11-27T00:00:00Z","pci_cvss_score":6.8,"pci_fail":true,"pci_severity_score":4,"pci_special_notes":"","pci_status":"fail","published":"2016-04-12T00:00:00Z","references":"cve:CVE-2016-3171","risk_score":669.57,"severity":"severe","severity_score":7,"title":"PHP Vulnerability: CVE-2016-3171"}} 
{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":161,"protocol":"UDP","status":"NO_CREDS_SUPPLIED"},{"port":161,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":9,"exploits":5,"host_name":"BIG-IP-16-1-0.dev.test.rapid7.com","id":"12123455-abcd-5678-1234-01234567890e-default-asset-4123","ip":"175.16.199.1","last_assessed_for_vulnerabilities":"2024-06-23T17:54:28.107Z","last_scan_end":"2024-06-23T17:54:28.107Z","last_scan_start":"2024-06-23T17:44:15.351Z","mac":"00:00:5E:00:53:00","malware_kits":0,"moderate_vulnerabilities":10,"new":[],"os_architecture":"","os_description":"F5 BIG-IP 16.1.0.0","os_family":"BIG-IP","os_name":"BIG-IP","os_system_name":"F5 BIG-IP","os_type":"Network management device","os_vendor":"F5","os_version":"16.1.0.0","remediated":[],"risk_score":35804.71185,"vulnerability":{"check_id":null,"first_found":"2022-05-23T19:03:38Z","key":"F5 BIG-IP 16.1.0.0","last_found":"2024-06-23T17:54:28.107Z","nic":null,"port":null,"proof":"

Vulnerable OS: F5 BIG-IP 16.1.0.0

  • The property "ltm" contains: true.

","protocol":null,"reintroduced":null,"solution_fix":"

\n Upgrade to the latest available version of F5 BIG-IP. Refer to BIG-IP Hotfix Matrix for the latest hotfix information.\n

","solution_id":"f5-big-ip-upgrade-latest","solution_summary":"Upgrade to the latest available version of F5 BIG-IP","solution_type":"workaround","status":"VULNERABLE_VERS","vulnerability_id":"f5-big-ip-cve-2017-7656","added":"2022-04-20T00:00:00Z","categories":"F5,F5 BIG-IP,Web","cves":"CVE-2017-7656","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"none","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":2.8627500620484354,"cvss_v2_integrity_impact":"partial","cvss_v2_score":5,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:P/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"none","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":7.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","denial_of_service":false,"description":"In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. 
This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.","exploits":[],"id":"f5-big-ip-cve-2017-7656","links":[{"href":"https://my.f5.com/manage/s/article/K21054458","id":"https://my.f5.com/manage/s/article/K21054458","source":"url"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2017-7656","id":"CVE-2017-7656","source":"cve"}],"malware_kits":[],"modified":"2024-12-06T00:00:00Z","pci_cvss_score":5,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","published":"2018-06-26T00:00:00Z","references":"cve:CVE-2017-7656,url:https://my.f5.com/manage/s/article/K21054458","risk_score":229.89,"severity":"severe","severity_score":5,"title":"F5 Networks: CVE-2017-7656: K21054458: Eclipse Jetty vulnerability CVE-2017-7656"},"severe_vulnerabilities":94,"tags":[{"name":"snow_test","type":"CUSTOM"},{"name":"all_assets2","type":"CUSTOM"},{"name":"all_assets","type":"CUSTOM"},{"name":"my tag test","type":"CUSTOM"},{"name":"lab","type":"SITE"}],"total_vulnerabilities":113,"type":"guest","unique_identifiers":[]} {"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[],"critical_vulnerabilities":1,"exploits":0,"id":"11111111-34a7-40a3-1111-28db0b5cc90e-default-asset-1049","ip":"10.50.6.126","last_assessed_for_vulnerabilities":"2022-08-23T18:31:27.909Z","last_scan_end":"2022-08-23T18:31:27.909Z","last_scan_start":"2022-08-23T18:30:49.674Z","malware_kits":0,"moderate_vulnerabilities":3,"risk_score":871.9886474609375,"severe_vulnerabilities":5,"tags":[{"name":"No_Hostname","type":"CUSTOM"},{"name":"all_assets2","type":"CUSTOM"},{"name":"all_assets","type":"CUSTOM"},{"name":"lab","type":"SITE"}],"total_vulnerabilities":9,"unique_identifiers":[],"vulnerability":{"added":"2013-05-06T00:00:00Z","categories":"Canonical,Obsolete OS,Obsolete Software,Ubuntu 
Linux,Web","check_id":null,"cves":"","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":6.0477304915445185,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"changed","cvss_v3_score":10,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","denial_of_service":false,"description":"This release has passed its End of Life. There may be unpatched security vulnerabilities. Please check with https://wiki.ubuntu.com/Releases (https://wiki.ubuntu.com/Releases) for supported versions.","exploits":[],"first_found":"2018-11-25T09:27:44Z","id":"ubuntu-obsolete-version","key":"Ubuntu Linux 12.04","last_found":"2022-08-23T18:31:27.909Z","links":[],"malware_kits":[],"modified":"2025-03-28T00:00:00Z","nic":null,"pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"This operating system version is no longer supported by the vendor, and results in an automatic failure. 
","pci_status":"fail","port":null,"proof":"\\u003cp\\u003e\\u003cp\\u003eVulnerable OS: Ubuntu Linux 12.04\\u003cp\\u003e\\u003c/p\\u003e\\u003c/p\\u003e\\u003c/p\\u003e","protocol":null,"published":"2013-05-06T00:00:00Z","references":"","reintroduced":null,"risk_score":891.5,"severity":"critical","severity_score":10,"solution_fix":"\\u003cp\\u003eUpgrade to a supported version of Ubuntu Linux\\u003c/p\\u003e","solution_id":"ubuntu-obsolete-version","solution_summary":"Upgrade Ubuntu","solution_type":"workaround","status":"VULNERABLE_VERS","title":"Obsolete Version of Ubuntu","vulnerability_id":"ubuntu-obsolete-version"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":32,"exploits":17,"id":"12123455-1234-5678-0912-28dabcdefabe-default-asset-3709","ip":"175.16.199.2","last_assessed_for_vulnerabilities":"2022-04-23T18:04:36.094Z","last_scan_end":"2022-04-23T18:04:36.094Z","last_scan_start":"2022-04-23T17:56:27.286Z","malware_kits":0,"moderate_vulnerabilities":58,"os_architecture":"","os_description":"Linux LINUX 2.6.9 - 2.6.27 2.6.9","os_family":"Linux","os_name":"LINUX 2.6.9 - 
2.6.27","os_system_name":"Linux","os_type":"General","os_vendor":"Linux","os_version":"2.6.9","risk_score":128750.1171875,"severe_vulnerabilities":307,"tags":[{"name":"No_Hostname","type":"CUSTOM"},{"name":"all_assets2","type":"CUSTOM"},{"name":"snow_test","type":"CUSTOM"},{"name":"all_assets","type":"CUSTOM"},{"name":"lab","type":"SITE"}],"total_vulnerabilities":397,"unique_identifiers":[],"vulnerability":{"added":"2019-10-16T00:00:00Z","categories":"CentOS","check_id":null,"cves":"CVE-2019-9506","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"adjacent","cvss_v2_authentication":"none","cvss_v2_availability_impact":"none","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":6.457932765007019,"cvss_v2_impact_score":4.938243839970231,"cvss_v2_integrity_impact":"partial","cvss_v2_score":4.8,"cvss_v2_vector":"(AV:A/AC:L/Au:N/C:P/I:P/A:N)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"adjacent","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.83525473,"cvss_v3_impact_score":5.177088,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":8.1,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","denial_of_service":false,"description":"The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. 
This allows practical brute-force attacks (aka \"KNOB\") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.","exploits":[],"first_found":"2021-02-23T18:39:30Z","id":"centos_linux-cve-2019-9506","key":"","last_found":"2022-04-23T18:04:36.094Z","links":[{"href":"http://rhn.redhat.com/errata/RHSA-2019-3076.html","id":"RHSA-2019:3076","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3055.html","id":"RHSA-2019:3055","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3165.html","id":"RHSA-2019:3165","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3187.html","id":"RHSA-2019:3187","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3220.html","id":"RHSA-2019:3220","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3231.html","id":"RHSA-2019:3231","source":"redhat"},{"href":"http://www.kb.cert.org/vuls/id/918987","id":"918987","source":"cert-vn"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2019-9506","id":"CVE-2019-9506","source":"nvd"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3517.html","id":"RHSA-2019:3517","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3309.html","id":"RHSA-2019:3309","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2020-0204.html","id":"RHSA-2020:0204","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3218.html","id":"RHSA-2019:3218","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3217.html","id":"RHSA-2019:3217","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-2975.html","id":"RHSA-2019:2975","source":"redhat"},{"href":"http://rhn.redhat.com/errata/RHSA-2019-3089.html","id":"RHSA-2019:3089","source":"redhat"}],"malware_kits":[],"modified":"2023-05-25T00:00:00Z","nic":null,"pci_cvss_score":4.8,"pci_fail":true,"pci_severity_score":3,"pci_special_notes":"","pci_status":"fail","port":null,"proof":"

Vulnerable OS: CentOS Linux 7.6.1810

Vulnerable software installed: Linux kernel 3.10.0-957.el7

  • Required patch [CVE-2019-9506] is not installed, no patches discovered.

","protocol":null,"published":"2019-08-14T00:00:00Z","references":"cert-vn:918987,nvd:CVE-2019-9506,redhat:RHSA-2019:2975,redhat:RHSA-2019:3055,redhat:RHSA-2019:3076,redhat:RHSA-2019:3089,redhat:RHSA-2019:3165,redhat:RHSA-2019:3187,redhat:RHSA-2019:3217,redhat:RHSA-2019:3218,redhat:RHSA-2019:3220,redhat:RHSA-2019:3231,redhat:RHSA-2019:3309,redhat:RHSA-2019:3517,redhat:RHSA-2020:0204","reintroduced":null,"risk_score":573.71,"severity":"severe","severity_score":5,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-centos_linux-cve-2019-9506","solution_summary":"The solution is unknown for vuln centos_linux-cve-2019-9506","solution_type":"workaround","status":"VULNERABLE_VERS","title":"CentOS Linux: CVE-2019-9506: Important: kernel security and bug fix update (Multiple Advisories)","vulnerability_id":"centos_linux-cve-2019-9506"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":139,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":8,"exploits":32,"host_name":"SBS2008-PREM-U","id":"12324565-1234-abcd-1234-21234567890e-default-asset-1239","ip":"175.16.199.1","last_assessed_for_vulnerabilities":"2023-06-23T19:51:46.262Z","last_scan_end":"2023-06-23T19:51:46.262Z","last_scan_start":"2023-06-23T19:39:28.295Z","mac":"00:00:5E:00:53:00","malware_kits":1,"moderate_vulnerabilities":7,"os_architecture":"","os_description":"Microsoft Windows Small Business Server 2008","os_family":"Windows","os_name":"Windows Small Business Server 2008","os_system_name":"Microsoft Windows","os_type":"General","os_vendor":"Microsoft","risk_score":15638.8798828125,"severe_vulnerabilities":12,"tags":[{"name":"Windows","type":"CUSTOM"},{"name":"snow_test","type":"CUSTOM"},{"name":"SI","type":"CUSTOM"},{"name":"my tag 
test","type":"CUSTOM"},{"name":"all_assets","type":"CUSTOM"},{"name":"all_assets2","type":"CUSTOM"},{"name":"lab","type":"SITE"}],"total_vulnerabilities":27,"unique_identifiers":[],"vulnerability":{"added":"2011-04-13T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,IAVM,Microsoft,Microsoft Patch,Microsoft Windows,Remote Execution","check_id":null,"cves":"CVE-2011-0661","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"complete","cvss_v2_confidentiality_impact":"complete","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":10.000845454680942,"cvss_v2_integrity_impact":"complete","cvss_v2_score":10,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"high","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":3.8870427750000003,"cvss_v3_impact_score":5.873118720000001,"cvss_v3_integrity_impact":"high","cvss_v3_privileges_required":"none","cvss_v3_scope":"unchanged","cvss_v3_score":9.8,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","denial_of_service":false,"description":"This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. 
Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.","exploits":[],"first_found":"2019-02-15T05:37:32Z","id":"windows-hotfix-ms11-020","key":"","last_found":"2023-06-23T19:51:46.262Z","links":[{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:12076","id":"12076","source":"oval"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"2011-A-0050","source":"iavm"},{"href":"http://technet.microsoft.com/security/bulletin/MS11-020","id":"MS11-020","source":"ms"},{"href":"http://www.securityfocus.com/bid/47198","id":"47198","source":"bid"},{"href":"http://www.us-cert.gov/cas/techalerts/TA11-102A.html","id":"TA11-102A","source":"cert"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"Category I","source":"disa_severity"},{"href":"http://iase.disa.mil/stigs/iavm-cve.html","id":"V0026521","source":"disa_vmskey"},{"href":"https://support.microsoft.com/en-us/kb/2508429","id":"KB2508429","source":"mskb"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2011-0661","id":"CVE-2011-0661","source":"cve"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","nic":null,"pci_cvss_score":10,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","port":445,"proof":"

  • Running CIFS service

Vulnerable OS: Microsoft Windows Small Business Server 2008

Based on the result of the "windows-hotfix-ms09-050" test, this node is applicable to this issue.

","protocol":"TCP","published":"2011-04-13T00:00:00Z","references":"oval:12076,iavm:2011-A-0050,bid:47198,cve:CVE-2011-0661,disa_severity:Category I,mskb:KB2508429,ms:MS11-020,cert:TA11-102A,disa_vmskey:V0026521","reintroduced":null,"risk_score":900.45,"severity":"critical","severity_score":10,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms11-020","solution_summary":"The solution is unknown for vuln windows-hotfix-ms11-020","solution_type":"workaround","status":"VULNERABLE_VERS","title":"MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)","vulnerability_id":"windows-hotfix-ms11-020"}} +{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":22,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":135,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":139,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"},{"port":445,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":11,"exploits":37,"host_name":"SHOCKWAVE-P","id":"12123455-1234-5678-9012-abcdefabcd0e-default-asset-152","ip":"175.16.199.3","last_assessed_for_vulnerabilities":"2023-06-23T19:39:41.339Z","last_scan_end":"2023-06-23T19:39:41.339Z","last_scan_start":"2023-06-23T19:36:27.824Z","mac":"00:00:5E:00:53:00","malware_kits":1,"moderate_vulnerabilities":4,"os_architecture":"","os_description":"Microsoft Windows XP","os_family":"Windows","os_name":"Windows XP","os_system_name":"Microsoft Windows","os_type":"General","os_vendor":"Microsoft","risk_score":14912.1123046875,"severe_vulnerabilities":8,"tags":[{"name":"my tag 
test","type":"CUSTOM"},{"name":"Windows","type":"CUSTOM"},{"name":"SI","type":"CUSTOM"},{"name":"snow_test","type":"CUSTOM"},{"name":"all_assets","type":"CUSTOM"},{"name":"all_assets2","type":"CUSTOM"},{"name":"lab","type":"SITE"}],"total_vulnerabilities":23,"unique_identifiers":[],"vulnerability":{"added":"2006-07-12T00:00:00Z","categories":"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote Execution","check_id":null,"cves":"CVE-2006-1314,CVE-2006-1315","cvss_v2_access_complexity":"low","cvss_v2_access_vector":"network","cvss_v2_authentication":"none","cvss_v2_availability_impact":"partial","cvss_v2_confidentiality_impact":"partial","cvss_v2_exploit_score":9.996799945831299,"cvss_v2_impact_score":6.442976653521584,"cvss_v2_integrity_impact":"partial","cvss_v2_score":7.5,"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:P/I:P/A:P)","cvss_v3_attack_complexity":"low","cvss_v3_attack_vector":"network","cvss_v3_availability_impact":"none","cvss_v3_confidentiality_impact":"high","cvss_v3_exploit_score":2.83525473,"cvss_v3_impact_score":3.5952,"cvss_v3_integrity_impact":"none","cvss_v3_privileges_required":"low","cvss_v3_scope":"unchanged","cvss_v3_score":6.5,"cvss_v3_user_interaction":"none","cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","denial_of_service":false,"description":"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.","exploits":[{"description":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","id":"2057","name":"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)","rank":"average","skill_level":"expert","source":"exploitdb"},{"description":"This module triggers a kernel pool corruption bug in SRV.SYS. 
Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).","id":"auxiliary/dos/windows/smb/ms06_035_mailslot","name":"Microsoft SRV.SYS Mailslot Write Corruption","rank":"normal","skill_level":"intermediate","source":"metasploit"}],"first_found":"2018-11-25T08:24:37Z","id":"windows-hotfix-ms06-035","key":"","last_found":"2023-06-23T19:39:41.339Z","links":[{"href":"http://www.kb.cert.org/vuls/id/189140","id":"189140","source":"cert-vn"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818","id":"win-mailslot-bo(26818)","source":"xf"},{"href":"http://www.securityfocus.com/bid/18863","id":"18863","source":"bid"},{"href":"https://support.microsoft.com/en-us/kb/917159","id":"KB917159","source":"mskb"},{"href":"http://www.us-cert.gov/cas/techalerts/TA06-192A.html","id":"TA06-192A","source":"cert"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1314","id":"CVE-2006-1314","source":"cve"},{"href":"http://nvd.nist.gov/vuln/detail/CVE-2006-1315","id":"CVE-2006-1315","source":"cve"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3","id":"3","source":"oval"},{"href":"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600","id":"600","source":"oval"},{"href":"http://www.osvdb.org/27155","id":"27155","source":"osvdb"},{"href":"http://www.osvdb.org/27154","id":"27154","source":"osvdb"},{"href":"http://technet.microsoft.com/security/bulletin/MS06-035","id":"MS06-035","source":"ms"},{"href":"http://www.securityfocus.com/bid/18891","id":"18891","source":"bid"},{"href":"http://technet.microsoft.com/en-us/security/bulletin/MS06-035","id":"http://technet.microsoft.com/en-us/security/bulleti
n/MS06-035","source":"url"},{"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/26820","id":"win-smb-information-disclosure(26820)","source":"xf"},{"href":"http://www.kb.cert.org/vuls/id/333636","id":"333636","source":"cert-vn"}],"malware_kits":[],"modified":"2025-02-18T00:00:00Z","nic":null,"pci_cvss_score":7.5,"pci_fail":true,"pci_severity_score":5,"pci_special_notes":"","pci_status":"fail","port":null,"proof":"

Vulnerable OS: Microsoft Windows XP

Server responded with vulnerable error code: 2 and class: 1

","protocol":null,"published":"2006-07-11T00:00:00Z","references":"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)","reintroduced":null,"risk_score":756.61,"severity":"critical","severity_score":8,"solution_fix":"Take a look at all possible solutions for vulnerability","solution_id":"unknown-windows-hotfix-ms06-035","solution_summary":"The solution is unknown for vuln windows-hotfix-ms06-035","solution_type":"workaround","status":"VULNERABLE_EXPL","title":"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)","vulnerability_id":"windows-hotfix-ms06-035"}}
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json
index a1e2bff35ed..8bc3272473d 100644
--- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/_dev/test/pipeline/test-asset-vulnerability.log-expected.json
@@ -3142,8 +3142,8 @@
 "vendor": "Rapid7"
 },
 "package": {
- "name": "CentOS Linux 7.6.1810",
- "version": "CentOS Linux 7.6.1810"
+ "name": "mariadb-libs - version 1:5.5.60-1.el7_5",
+ "version": "mariadb-libs - version 1:5.5.60-1.el7_5"
 },
 "rapid7_insightvm": {
 "asset_vulnerability": {
@@ -3695,8 +3695,8 @@
 },
 "package": {
 "fixed_version": "latest",
- "name": "Debian Linux 6.0",
- "version": "Debian Linux 6.0"
+ "name": "ISC BIND 9.7.3",
+ "version": "ISC BIND 9.7.3"
 },
 "rapid7_insightvm": {
 "asset_vulnerability": {
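Review bot: The new expectations pin `package.version` to exactly the same string as `package.name`: `"name": "mariadb-libs - version 1:5.5.60-1.el7_5"` next to `"version": "mariadb-libs - version 1:5.5.60-1.el7_5"` in the -3142 hunk, `ISC BIND 9.7.3` twice in the -3695 hunk, and `PHP 5.4.16` twice in the -4597 hunk on the following line. ECS `package.version` is meant to hold only the version, so a consumer matching vulnerable versions against this field gets a free-text label instead of a comparable value. Presumably the pipeline copies the whole "Vulnerable software installed" token from the proof text into both fields; splitting it so the fixture reads `"name": "mariadb-libs", "version": "1:5.5.60-1.el7_5"` (and `"name": "PHP", "version": "5.4.16"`) would be worth settling before these expectations are frozen. That change belongs in the data stream's ingest pipeline, with this generated file regenerated afterwards rather than edited by hand.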
@@ -4597,7 +4597,8 @@
 },
 "package": {
 "fixed_version": "latest",
- "name": "PHP"
+ "name": "PHP 5.4.16",
+ "version": "PHP 5.4.16"
 },
 "rapid7_insightvm": {
 "asset_vulnerability": {
@@ -5111,6 +5112,812 @@ "severity": "Critical", "title": "Obsolete Version of Ubuntu" } + }, + { + "@timestamp": "2022-04-23T18:04:36.094Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2021-02-23T18:39:30.000Z", + "id": "12123455-1234-5678-0912-28dabcdefabe-default-asset-3709|centos_linux-cve-2019-9506|2022-04-23T18:04:36.094Z", + "kind": "event", + "original": "{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":32,\"exploits\":17,\"id\":\"12123455-1234-5678-0912-28dabcdefabe-default-asset-3709\",\"ip\":\"175.16.199.2\",\"last_assessed_for_vulnerabilities\":\"2022-04-23T18:04:36.094Z\",\"last_scan_end\":\"2022-04-23T18:04:36.094Z\",\"last_scan_start\":\"2022-04-23T17:56:27.286Z\",\"malware_kits\":0,\"moderate_vulnerabilities\":58,\"os_architecture\":\"\",\"os_description\":\"Linux LINUX 2.6.9 - 2.6.27 2.6.9\",\"os_family\":\"Linux\",\"os_name\":\"LINUX 2.6.9 - 
2.6.27\",\"os_system_name\":\"Linux\",\"os_type\":\"General\",\"os_vendor\":\"Linux\",\"os_version\":\"2.6.9\",\"risk_score\":128750.1171875,\"severe_vulnerabilities\":307,\"tags\":[{\"name\":\"No_Hostname\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets2\",\"type\":\"CUSTOM\"},{\"name\":\"snow_test\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets\",\"type\":\"CUSTOM\"},{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":397,\"unique_identifiers\":[],\"vulnerability\":{\"added\":\"2019-10-16T00:00:00Z\",\"categories\":\"CentOS\",\"check_id\":null,\"cves\":\"CVE-2019-9506\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"adjacent\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"none\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":6.457932765007019,\"cvss_v2_impact_score\":4.938243839970231,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":4.8,\"cvss_v2_vector\":\"(AV:A/AC:L/Au:N/C:P/I:P/A:N)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"adjacent\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.83525473,\"cvss_v3_impact_score\":5.177088,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":8.1,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"denial_of_service\":false,\"description\":\"The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. 
This allows practical brute-force attacks (aka \\\"KNOB\\\") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.\",\"exploits\":[],\"first_found\":\"2021-02-23T18:39:30Z\",\"id\":\"centos_linux-cve-2019-9506\",\"key\":\"\",\"last_found\":\"2022-04-23T18:04:36.094Z\",\"links\":[{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3076.html\",\"id\":\"RHSA-2019:3076\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3055.html\",\"id\":\"RHSA-2019:3055\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3165.html\",\"id\":\"RHSA-2019:3165\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3187.html\",\"id\":\"RHSA-2019:3187\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3220.html\",\"id\":\"RHSA-2019:3220\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3231.html\",\"id\":\"RHSA-2019:3231\",\"source\":\"redhat\"},{\"href\":\"http://www.kb.cert.org/vuls/id/918987\",\"id\":\"918987\",\"source\":\"cert-vn\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2019-9506\",\"id\":\"CVE-2019-9506\",\"source\":\"nvd\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3517.html\",\"id\":\"RHSA-2019:3517\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3309.html\",\"id\":\"RHSA-2019:3309\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2020-0204.html\",\"id\":\"RHSA-2020:0204\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3218.html\",\"id\":\"RHSA-2019:3218\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3217.html\",\"id\":\"RHSA-2019:3217\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-2975.html\",\"id\":\"RHSA-2019:2975\",\"source\":\"redhat\"},{\"href\":\"http://rhn.redhat.com/errata/RHSA-2019-3089.html\",\"id\":\"RHSA-2019:3089\",\"source\":\"redhat\"}],\"malware_kits\":[],\"modified\"
:\"2023-05-25T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":4.8,\"pci_fail\":true,\"pci_severity_score\":3,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"

Vulnerable OS: CentOS Linux 7.6.1810

Vulnerable software installed: Linux kernel 3.10.0-957.el7

  • Required patch [CVE-2019-9506] is not installed, no patches discovered.

\",\"protocol\":null,\"published\":\"2019-08-14T00:00:00Z\",\"references\":\"cert-vn:918987,nvd:CVE-2019-9506,redhat:RHSA-2019:2975,redhat:RHSA-2019:3055,redhat:RHSA-2019:3076,redhat:RHSA-2019:3089,redhat:RHSA-2019:3165,redhat:RHSA-2019:3187,redhat:RHSA-2019:3217,redhat:RHSA-2019:3218,redhat:RHSA-2019:3220,redhat:RHSA-2019:3231,redhat:RHSA-2019:3309,redhat:RHSA-2019:3517,redhat:RHSA-2020:0204\",\"reintroduced\":null,\"risk_score\":573.71,\"severity\":\"severe\",\"severity_score\":5,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-centos_linux-cve-2019-9506\",\"solution_summary\":\"The solution is unknown for vuln centos_linux-cve-2019-9506\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"title\":\"CentOS Linux: CVE-2019-9506: Important: kernel security and bug fix update (Multiple Advisories)\",\"vulnerability_id\":\"centos_linux-cve-2019-9506\"}}", + "severity": 5, + "type": [ + "info" + ] + }, + "host": { + "id": "12123455-1234-5678-0912-28dabcdefabe-default-asset-3709", + "ip": [ + "175.16.199.2" + ], + "os": { + "family": "Linux", + "full": "Linux LINUX 2.6.9 - 2.6.27 2.6.9", + "name": "LINUX 2.6.9 - 2.6.27", + "platform": "linux", + "type": "linux", + "version": "2.6.9" + }, + "risk": { + "static_score": 128750.1171875 + } + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "Linux kernel 3.10.0-957.el7", + "version": "Linux kernel 3.10.0-957.el7" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 32, + "exploits": 17, + "id": "12123455-1234-5678-0912-28dabcdefabe-default-asset-3709", + "ip": "175.16.199.2", + "last_assessed_for_vulnerabilities": "2022-04-23T18:04:36.094Z", + "last_scan_end": "2022-04-23T18:04:36.094Z", + "last_scan_start": "2022-04-23T17:56:27.286Z", + "malware_kits": 0, + "moderate_vulnerabilities": 58, + "os": 
{ + "description": "Linux LINUX 2.6.9 - 2.6.27 2.6.9", + "family": "Linux", + "name": "LINUX 2.6.9 - 2.6.27", + "system_name": "Linux", + "type": "General", + "vendor": "Linux", + "version": "2.6.9" + }, + "risk_score": 128750.1171875, + "severe_vulnerabilities": 307, + "total_vulnerabilities": 397, + "vulnerability": { + "added": "2019-10-16T00:00:00.000Z", + "categories": [ + "CentOS" + ], + "cves": [ + "CVE-2019-9506" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "adjacent", + "authentication": "none", + "availability_impact": "none", + "confidentiality_impact": "partial", + "exploit_score": 6.457932765007019, + "impact_score": 4.938243839970231, + "integrity_impact": "partial", + "score": 4.8, + "vector": "(AV:A/AC:L/Au:N/C:P/I:P/A:N)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "adjacent", + "availability_impact": "none", + "confidentiality_impact": "high", + "exploit_score": 2.83525473, + "impact_score": 5.177088, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 8.1, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" + }, + "denial_of_service": false, + "description": "The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. 
This allows practical brute-force attacks (aka \"KNOB\") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.", + "first_found": "2021-02-23T18:39:30.000Z", + "id": "centos_linux-cve-2019-9506", + "last_found": "2022-04-23T18:04:36.094Z", + "links": [ + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3076.html", + "id": "RHSA-2019:3076", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3055.html", + "id": "RHSA-2019:3055", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3165.html", + "id": "RHSA-2019:3165", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3187.html", + "id": "RHSA-2019:3187", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3220.html", + "id": "RHSA-2019:3220", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3231.html", + "id": "RHSA-2019:3231", + "source": "redhat" + }, + { + "href": "http://www.kb.cert.org/vuls/id/918987", + "id": "918987", + "source": "cert-vn" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2019-9506", + "id": "CVE-2019-9506", + "source": "nvd" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3517.html", + "id": "RHSA-2019:3517", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3309.html", + "id": "RHSA-2019:3309", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2020-0204.html", + "id": "RHSA-2020:0204", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3218.html", + "id": "RHSA-2019:3218", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3217.html", + "id": "RHSA-2019:3217", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-2975.html", + "id": "RHSA-2019:2975", + "source": "redhat" + }, + { + "href": "http://rhn.redhat.com/errata/RHSA-2019-3089.html", + "id": 
"RHSA-2019:3089", + "source": "redhat" + } + ], + "modified": "2023-05-25T00:00:00.000Z", + "pci": { + "cvss_score": 4.8, + "fail": true, + "severity_score": 3, + "status": "fail" + }, + "proof": "Vulnerable OS: CentOS Linux 7.6.1810\n\n\n\nVulnerable software installed: Linux kernel 3.10.0-957.el7\n\n\nRequired patch [CVE-2019-9506] is not installed, no patches discovered.", + "published": "2019-08-14T00:00:00.000Z", + "references": "cert-vn:918987,nvd:CVE-2019-9506,redhat:RHSA-2019:2975,redhat:RHSA-2019:3055,redhat:RHSA-2019:3076,redhat:RHSA-2019:3089,redhat:RHSA-2019:3165,redhat:RHSA-2019:3187,redhat:RHSA-2019:3217,redhat:RHSA-2019:3218,redhat:RHSA-2019:3220,redhat:RHSA-2019:3231,redhat:RHSA-2019:3309,redhat:RHSA-2019:3517,redhat:RHSA-2020:0204", + "risk_score": 573.71, + "severity": "severe", + "severity_score": 5, + "solution": { + "fix": "Take a look at all possible solutions for vulnerability", + "id": "unknown-centos_linux-cve-2019-9506", + "summary": "The solution is unknown for vuln centos_linux-cve-2019-9506", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "CentOS Linux: CVE-2019-9506: Important: kernel security and bug fix update (Multiple Advisories)" + } + } + }, + "related": { + "hosts": [ + "12123455-1234-5678-0912-28dabcdefabe-default-asset-3709" + ], + "ip": [ + "175.16.199.2" + ] + }, + "resource": { + "id": "12123455-1234-5678-0912-28dabcdefabe-default-asset-3709" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CentOS" + ], + "classification": "CVSS", + "description": "The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. 
This allows practical brute-force attacks (aka \"KNOB\") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.", + "enumeration": "CVE", + "id": [ + "CVE-2019-9506" + ], + "published_date": "2019-08-14T00:00:00.000Z", + "reference": [ + "http://rhn.redhat.com/errata/RHSA-2019-3076.html", + "http://rhn.redhat.com/errata/RHSA-2019-3055.html", + "http://rhn.redhat.com/errata/RHSA-2019-3165.html", + "http://rhn.redhat.com/errata/RHSA-2019-3187.html", + "http://rhn.redhat.com/errata/RHSA-2019-3220.html", + "http://rhn.redhat.com/errata/RHSA-2019-3231.html", + "http://www.kb.cert.org/vuls/id/918987", + "http://nvd.nist.gov/vuln/detail/CVE-2019-9506", + "http://rhn.redhat.com/errata/RHSA-2019-3517.html", + "http://rhn.redhat.com/errata/RHSA-2019-3309.html", + "http://rhn.redhat.com/errata/RHSA-2020-0204.html", + "http://rhn.redhat.com/errata/RHSA-2019-3218.html", + "http://rhn.redhat.com/errata/RHSA-2019-3217.html", + "http://rhn.redhat.com/errata/RHSA-2019-2975.html", + "http://rhn.redhat.com/errata/RHSA-2019-3089.html" + ], + "scanner": { + "vendor": "Rapid7" + }, + "score": { + "base": 8.1, + "version": "3.0" + }, + "severity": "High", + "title": "Important: kernel security and bug fix update (Multiple Advisories)" + } + }, + { + "@timestamp": "2023-06-23T19:51:46.262Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2019-02-15T05:37:32.000Z", + "id": "12324565-1234-abcd-1234-21234567890e-default-asset-1239|windows-hotfix-ms11-020|2023-06-23T19:51:46.262Z", + "kind": "event", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":139,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":8,\"exploits\":32,\"host_name\":\"SBS2008-PREM-U\",\"id\":\"12324565-1234-abcd-1234-21234567890e-default-asset-1239\",\"ip\":\"175.16.199.1\",\"last_assessed_for_vulnerabilities\":\"2023-06-23T19:51:46.262Z\",\"last_scan_end\":\"2023-06-23T19:51:46.262Z\",\"last_scan_start\":\"2023-06-23T19:39:28.295Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":1,\"moderate_vulnerabilities\":7,\"os_architecture\":\"\",\"os_description\":\"Microsoft Windows Small Business Server 2008\",\"os_family\":\"Windows\",\"os_name\":\"Windows Small Business Server 2008\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"General\",\"os_vendor\":\"Microsoft\",\"risk_score\":15638.8798828125,\"severe_vulnerabilities\":12,\"tags\":[{\"name\":\"Windows\",\"type\":\"CUSTOM\"},{\"name\":\"snow_test\",\"type\":\"CUSTOM\"},{\"name\":\"SI\",\"type\":\"CUSTOM\"},{\"name\":\"my tag test\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets2\",\"type\":\"CUSTOM\"},{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":27,\"unique_identifiers\":[],\"vulnerability\":{\"added\":\"2011-04-13T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,IAVM,Microsoft,Microsoft Patch,Microsoft Windows,Remote 
Execution\",\"check_id\":null,\"cves\":\"CVE-2011-0661\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"complete\",\"cvss_v2_confidentiality_impact\":\"complete\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":10.000845454680942,\"cvss_v2_integrity_impact\":\"complete\",\"cvss_v2_score\":10,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:C/I:C/A:C)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"high\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":3.8870427750000003,\"cvss_v3_impact_score\":5.873118720000001,\"cvss_v3_integrity_impact\":\"high\",\"cvss_v3_privileges_required\":\"none\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":9.8,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"denial_of_service\":false,\"description\":\"This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. 
Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.\",\"exploits\":[],\"first_found\":\"2019-02-15T05:37:32Z\",\"id\":\"windows-hotfix-ms11-020\",\"key\":\"\",\"last_found\":\"2023-06-23T19:51:46.262Z\",\"links\":[{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:12076\",\"id\":\"12076\",\"source\":\"oval\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"2011-A-0050\",\"source\":\"iavm\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS11-020\",\"id\":\"MS11-020\",\"source\":\"ms\"},{\"href\":\"http://www.securityfocus.com/bid/47198\",\"id\":\"47198\",\"source\":\"bid\"},{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA11-102A.html\",\"id\":\"TA11-102A\",\"source\":\"cert\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"Category I\",\"source\":\"disa_severity\"},{\"href\":\"http://iase.disa.mil/stigs/iavm-cve.html\",\"id\":\"V0026521\",\"source\":\"disa_vmskey\"},{\"href\":\"https://support.microsoft.com/en-us/kb/2508429\",\"id\":\"KB2508429\",\"source\":\"mskb\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2011-0661\",\"id\":\"CVE-2011-0661\",\"source\":\"cve\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":10,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":445,\"proof\":\"

  • Running CIFS service

Vulnerable OS: Microsoft Windows Small Business Server 2008

Based on the result of the "windows-hotfix-ms09-050" test, this node is applicable to this issue.

\",\"protocol\":\"TCP\",\"published\":\"2011-04-13T00:00:00Z\",\"references\":\"oval:12076,iavm:2011-A-0050,bid:47198,cve:CVE-2011-0661,disa_severity:Category I,mskb:KB2508429,ms:MS11-020,cert:TA11-102A,disa_vmskey:V0026521\",\"reintroduced\":null,\"risk_score\":900.45,\"severity\":\"critical\",\"severity_score\":10,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms11-020\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms11-020\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_VERS\",\"title\":\"MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)\",\"vulnerability_id\":\"windows-hotfix-ms11-020\"}}", + "severity": 10, + "type": [ + "info" + ] + }, + "host": { + "hostname": "SBS2008-PREM-U", + "id": "12324565-1234-abcd-1234-21234567890e-default-asset-1239", + "ip": [ + "175.16.199.1" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "SBS2008-PREM-U", + "os": { + "family": "Windows", + "full": "Microsoft Windows Small Business Server 2008", + "name": "Windows Small Business Server 2008", + "platform": "windows", + "type": "windows" + }, + "risk": { + "static_score": 15638.8798828125 + } + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "Microsoft Windows Small Business Server 2008", + "version": "Microsoft Windows Small Business Server 2008" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 8, + "exploits": 32, + "host_name": "SBS2008-PREM-U", + "id": "12324565-1234-abcd-1234-21234567890e-default-asset-1239", + "ip": "175.16.199.1", + "last_assessed_for_vulnerabilities": "2023-06-23T19:51:46.262Z", + "last_scan_end": "2023-06-23T19:51:46.262Z", + "last_scan_start": "2023-06-23T19:39:28.295Z", + "mac": "00-00-5E-00-53-00", + "malware_kits": 1, + 
"moderate_vulnerabilities": 7, + "os": { + "description": "Microsoft Windows Small Business Server 2008", + "family": "Windows", + "name": "Windows Small Business Server 2008", + "system_name": "Microsoft Windows", + "type": "General", + "vendor": "Microsoft" + }, + "risk_score": 15638.8798828125, + "severe_vulnerabilities": 12, + "total_vulnerabilities": 27, + "vulnerability": { + "added": "2011-04-13T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "IAVM", + "Microsoft", + "Microsoft Patch", + "Microsoft Windows", + "Remote Execution" + ], + "cves": [ + "CVE-2011-0661" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "complete", + "confidentiality_impact": "complete", + "exploit_score": 9.996799945831299, + "impact_score": 10.000845454680942, + "integrity_impact": "complete", + "score": 10.0, + "vector": "(AV:N/AC:L/Au:N/C:C/I:C/A:C)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "high", + "confidentiality_impact": "high", + "exploit_score": 3.8870427750000003, + "impact_score": 5.873118720000001, + "integrity_impact": "high", + "privileges_required": "none", + "scope": "unchanged", + "score": 9.8, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + "denial_of_service": false, + "description": "This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. 
Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.", + "first_found": "2019-02-15T05:37:32.000Z", + "id": "windows-hotfix-ms11-020", + "last_found": "2023-06-23T19:51:46.262Z", + "links": [ + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:12076", + "id": "12076", + "source": "oval" + }, + { + "href": "http://iase.disa.mil/stigs/iavm-cve.html", + "id": "2011-A-0050", + "source": "iavm" + }, + { + "href": "http://technet.microsoft.com/security/bulletin/MS11-020", + "id": "MS11-020", + "source": "ms" + }, + { + "href": "http://www.securityfocus.com/bid/47198", + "id": "47198", + "source": "bid" + }, + { + "href": "http://www.us-cert.gov/cas/techalerts/TA11-102A.html", + "id": "TA11-102A", + "source": "cert" + }, + { + "href": "http://iase.disa.mil/stigs/iavm-cve.html", + "id": "Category I", + "source": "disa_severity" + }, + { + "href": "http://iase.disa.mil/stigs/iavm-cve.html", + "id": "V0026521", + "source": "disa_vmskey" + }, + { + "href": "https://support.microsoft.com/en-us/kb/2508429", + "id": "KB2508429", + "source": "mskb" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2011-0661", + "id": "CVE-2011-0661", + "source": "cve" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 10.0, + "fail": true, + "severity_score": 5, + "status": "fail" + }, + "port": 445, + "proof": "Running CIFS service\n\n\nVulnerable OS: Microsoft Windows Small Business Server 2008\n\n\n\nBased on the result of the \"windows-hotfix-ms09-050\" test, this node is applicable to this issue.", + "protocol": "TCP", + "published": "2011-04-13T00:00:00.000Z", + "references": "oval:12076,iavm:2011-A-0050,bid:47198,cve:CVE-2011-0661,disa_severity:Category I,mskb:KB2508429,ms:MS11-020,cert:TA11-102A,disa_vmskey:V0026521", + "risk_score": 900.45, + "severity": 
"critical", + "severity_score": 10, + "solution": { + "fix": "Take a look at all possible solutions for vulnerability", + "id": "unknown-windows-hotfix-ms11-020", + "summary": "The solution is unknown for vuln windows-hotfix-ms11-020", + "type": "workaround" + }, + "status": "VULNERABLE_VERS", + "title": "MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)" + } + } + }, + "related": { + "hosts": [ + "SBS2008-PREM-U", + "12324565-1234-abcd-1234-21234567890e-default-asset-1239" + ], + "ip": [ + "175.16.199.1" + ] + }, + "resource": { + "id": "12324565-1234-abcd-1234-21234567890e-default-asset-1239", + "name": "SBS2008-PREM-U" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "IAVM", + "Microsoft", + "Microsoft Patch", + "Microsoft Windows", + "Remote Execution" + ], + "classification": "CVSS", + "description": "This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. 
Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.", + "enumeration": "CVE", + "id": [ + "CVE-2011-0661" + ], + "published_date": "2011-04-13T00:00:00.000Z", + "reference": [ + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:12076", + "http://iase.disa.mil/stigs/iavm-cve.html", + "http://technet.microsoft.com/security/bulletin/MS11-020", + "http://www.securityfocus.com/bid/47198", + "http://www.us-cert.gov/cas/techalerts/TA11-102A.html", + "https://support.microsoft.com/en-us/kb/2508429", + "http://nvd.nist.gov/vuln/detail/CVE-2011-0661" + ], + "scanner": { + "vendor": "Rapid7" + }, + "score": { + "base": 9.8, + "version": "3.0" + }, + "severity": "Critical", + "title": "Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)" + } + }, + { + "@timestamp": "2023-06-23T19:39:41.339Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "created": "2018-11-25T08:24:37.000Z", + "id": "12123455-1234-5678-9012-abcdefabcd0e-default-asset-152|windows-hotfix-ms06-035|2023-06-23T19:39:41.339Z", + "kind": "event", + "original": 
"{\"assessed_for_policies\":false,\"assessed_for_vulnerabilities\":true,\"credential_assessments\":[{\"port\":22,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":135,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":139,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"},{\"port\":445,\"protocol\":\"TCP\",\"status\":\"NO_CREDS_SUPPLIED\"}],\"critical_vulnerabilities\":11,\"exploits\":37,\"host_name\":\"SHOCKWAVE-P\",\"id\":\"12123455-1234-5678-9012-abcdefabcd0e-default-asset-152\",\"ip\":\"175.16.199.3\",\"last_assessed_for_vulnerabilities\":\"2023-06-23T19:39:41.339Z\",\"last_scan_end\":\"2023-06-23T19:39:41.339Z\",\"last_scan_start\":\"2023-06-23T19:36:27.824Z\",\"mac\":\"00:00:5E:00:53:00\",\"malware_kits\":1,\"moderate_vulnerabilities\":4,\"os_architecture\":\"\",\"os_description\":\"Microsoft Windows XP\",\"os_family\":\"Windows\",\"os_name\":\"Windows XP\",\"os_system_name\":\"Microsoft Windows\",\"os_type\":\"General\",\"os_vendor\":\"Microsoft\",\"risk_score\":14912.1123046875,\"severe_vulnerabilities\":8,\"tags\":[{\"name\":\"my tag test\",\"type\":\"CUSTOM\"},{\"name\":\"Windows\",\"type\":\"CUSTOM\"},{\"name\":\"SI\",\"type\":\"CUSTOM\"},{\"name\":\"snow_test\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets\",\"type\":\"CUSTOM\"},{\"name\":\"all_assets2\",\"type\":\"CUSTOM\"},{\"name\":\"lab\",\"type\":\"SITE\"}],\"total_vulnerabilities\":23,\"unique_identifiers\":[],\"vulnerability\":{\"added\":\"2006-07-12T00:00:00Z\",\"categories\":\"CVSS Score Predicted with Rapid7 AI,Microsoft,Microsoft Patch,Remote 
Execution\",\"check_id\":null,\"cves\":\"CVE-2006-1314,CVE-2006-1315\",\"cvss_v2_access_complexity\":\"low\",\"cvss_v2_access_vector\":\"network\",\"cvss_v2_authentication\":\"none\",\"cvss_v2_availability_impact\":\"partial\",\"cvss_v2_confidentiality_impact\":\"partial\",\"cvss_v2_exploit_score\":9.996799945831299,\"cvss_v2_impact_score\":6.442976653521584,\"cvss_v2_integrity_impact\":\"partial\",\"cvss_v2_score\":7.5,\"cvss_v2_vector\":\"(AV:N/AC:L/Au:N/C:P/I:P/A:P)\",\"cvss_v3_attack_complexity\":\"low\",\"cvss_v3_attack_vector\":\"network\",\"cvss_v3_availability_impact\":\"none\",\"cvss_v3_confidentiality_impact\":\"high\",\"cvss_v3_exploit_score\":2.83525473,\"cvss_v3_impact_score\":3.5952,\"cvss_v3_integrity_impact\":\"none\",\"cvss_v3_privileges_required\":\"low\",\"cvss_v3_scope\":\"unchanged\",\"cvss_v3_score\":6.5,\"cvss_v3_user_interaction\":\"none\",\"cvss_v3_vector\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"denial_of_service\":false,\"description\":\"This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \\\"Vulnerability Details\\\" section of this bulletin. We recommend that customers apply the update immediately.\",\"exploits\":[{\"description\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"id\":\"2057\",\"name\":\"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)\",\"rank\":\"average\",\"skill_level\":\"expert\",\"source\":\"exploitdb\"},{\"description\":\"This module triggers a kernel pool corruption bug in SRV.SYS. Each\\n call to the mailslot write function results in a two byte return value\\n being written into the response packet. The code which creates this packet\\n fails to consider these two bytes in the allocation routine, resulting in\\n a slow corruption of the kernel memory pool. 
These two bytes are almost\\n always set to \\\"\\\\xff\\\\xff\\\" (a short integer with value of -1).\",\"id\":\"auxiliary/dos/windows/smb/ms06_035_mailslot\",\"name\":\"Microsoft SRV.SYS Mailslot Write Corruption\",\"rank\":\"normal\",\"skill_level\":\"intermediate\",\"source\":\"metasploit\"}],\"first_found\":\"2018-11-25T08:24:37Z\",\"id\":\"windows-hotfix-ms06-035\",\"key\":\"\",\"last_found\":\"2023-06-23T19:39:41.339Z\",\"links\":[{\"href\":\"http://www.kb.cert.org/vuls/id/189140\",\"id\":\"189140\",\"source\":\"cert-vn\"},{\"href\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/26818\",\"id\":\"win-mailslot-bo(26818)\",\"source\":\"xf\"},{\"href\":\"http://www.securityfocus.com/bid/18863\",\"id\":\"18863\",\"source\":\"bid\"},{\"href\":\"https://support.microsoft.com/en-us/kb/917159\",\"id\":\"KB917159\",\"source\":\"mskb\"},{\"href\":\"http://www.us-cert.gov/cas/techalerts/TA06-192A.html\",\"id\":\"TA06-192A\",\"source\":\"cert\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1314\",\"id\":\"CVE-2006-1314\",\"source\":\"cve\"},{\"href\":\"http://nvd.nist.gov/vuln/detail/CVE-2006-1315\",\"id\":\"CVE-2006-1315\",\"source\":\"cve\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3\",\"id\":\"3\",\"source\":\"oval\"},{\"href\":\"https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600\",\"id\":\"600\",\"source\":\"oval\"},{\"href\":\"http://www.osvdb.org/27155\",\"id\":\"27155\",\"source\":\"osvdb\"},{\"href\":\"http://www.osvdb.org/27154\",\"id\":\"27154\",\"source\":\"osvdb\"},{\"href\":\"http://technet.microsoft.com/security/bulletin/MS06-035\",\"id\":\"MS06-035\",\"source\":\"ms\"},{\"href\":\"http://www.securityfocus.com/bid/18891\",\"id\":\"18891\",\"source\":\"bid\"},{\"href\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"id\":\"http://technet.microsoft.com/en-us/security/bulletin/MS06-035\",\"source\":\"url\"},{\"href\":\"https://exchange.xforc
e.ibmcloud.com/vulnerabilities/26820\",\"id\":\"win-smb-information-disclosure(26820)\",\"source\":\"xf\"},{\"href\":\"http://www.kb.cert.org/vuls/id/333636\",\"id\":\"333636\",\"source\":\"cert-vn\"}],\"malware_kits\":[],\"modified\":\"2025-02-18T00:00:00Z\",\"nic\":null,\"pci_cvss_score\":7.5,\"pci_fail\":true,\"pci_severity_score\":5,\"pci_special_notes\":\"\",\"pci_status\":\"fail\",\"port\":null,\"proof\":\"

Vulnerable OS: Microsoft Windows XP

Server responded with vulnerable error code: 2 and class: 1

\",\"protocol\":null,\"published\":\"2006-07-11T00:00:00Z\",\"references\":\"bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)\",\"reintroduced\":null,\"risk_score\":756.61,\"severity\":\"critical\",\"severity_score\":8,\"solution_fix\":\"Take a look at all possible solutions for vulnerability\",\"solution_id\":\"unknown-windows-hotfix-ms06-035\",\"solution_summary\":\"The solution is unknown for vuln windows-hotfix-ms06-035\",\"solution_type\":\"workaround\",\"status\":\"VULNERABLE_EXPL\",\"title\":\"MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)\",\"vulnerability_id\":\"windows-hotfix-ms06-035\"}}", + "severity": 8, + "type": [ + "info" + ] + }, + "host": { + "hostname": "SHOCKWAVE-P", + "id": "12123455-1234-5678-9012-abcdefabcd0e-default-asset-152", + "ip": [ + "175.16.199.3" + ], + "mac": [ + "00-00-5E-00-53-00" + ], + "name": "SHOCKWAVE-P", + "os": { + "family": "Windows", + "full": "Microsoft Windows XP", + "name": "Windows XP", + "platform": "windows", + "type": "windows" + }, + "risk": { + "static_score": 14912.1123046875 + } + }, + "observer": { + "product": "Rapid7 InsightVM", + "vendor": "Rapid7" + }, + "package": { + "name": "Microsoft Windows XP", + "version": "Microsoft Windows XP" + }, + "rapid7_insightvm": { + "asset_vulnerability": { + "assessed_for_policies": false, + "assessed_for_vulnerabilities": true, + "critical_vulnerabilities": 11, + "exploits": 37, + "host_name": "SHOCKWAVE-P", + "id": "12123455-1234-5678-9012-abcdefabcd0e-default-asset-152", + "ip": "175.16.199.3", + "last_assessed_for_vulnerabilities": "2023-06-23T19:39:41.339Z", + "last_scan_end": "2023-06-23T19:39:41.339Z", + "last_scan_start": "2023-06-23T19:36:27.824Z", + "mac": "00-00-5E-00-53-00", + 
"malware_kits": 1, + "moderate_vulnerabilities": 4, + "os": { + "description": "Microsoft Windows XP", + "family": "Windows", + "name": "Windows XP", + "system_name": "Microsoft Windows", + "type": "General", + "vendor": "Microsoft" + }, + "risk_score": 14912.1123046875, + "severe_vulnerabilities": 8, + "total_vulnerabilities": 23, + "vulnerability": { + "added": "2006-07-12T00:00:00.000Z", + "categories": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft Patch", + "Remote Execution" + ], + "cves": [ + "CVE-2006-1314", + "CVE-2006-1315" + ], + "cvss_v2": { + "access_complexity": "low", + "access_vector": "network", + "authentication": "none", + "availability_impact": "partial", + "confidentiality_impact": "partial", + "exploit_score": 9.996799945831299, + "impact_score": 6.442976653521584, + "integrity_impact": "partial", + "score": 7.5, + "vector": "(AV:N/AC:L/Au:N/C:P/I:P/A:P)" + }, + "cvss_v3": { + "attack_complexity": "low", + "attack_vector": "network", + "availability_impact": "none", + "confidentiality_impact": "high", + "exploit_score": 2.83525473, + "impact_score": 3.5952, + "integrity_impact": "none", + "privileges_required": "low", + "scope": "unchanged", + "score": 6.5, + "user_interaction": "none", + "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + "denial_of_service": false, + "description": "This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.", + "exploits": [ + { + "description": "Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)", + "id": "2057", + "name": "Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)", + "rank": "average", + "skill_level": "expert", + "source": "exploitdb" + }, + { + "description": "This module triggers a kernel pool corruption bug in SRV.SYS. 
Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).", + "id": "auxiliary/dos/windows/smb/ms06_035_mailslot", + "name": "Microsoft SRV.SYS Mailslot Write Corruption", + "rank": "normal", + "skill_level": "intermediate", + "source": "metasploit" + } + ], + "first_found": "2018-11-25T08:24:37.000Z", + "id": "windows-hotfix-ms06-035", + "last_found": "2023-06-23T19:39:41.339Z", + "links": [ + { + "href": "http://www.kb.cert.org/vuls/id/189140", + "id": "189140", + "source": "cert-vn" + }, + { + "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26818", + "id": "win-mailslot-bo(26818)", + "source": "xf" + }, + { + "href": "http://www.securityfocus.com/bid/18863", + "id": "18863", + "source": "bid" + }, + { + "href": "https://support.microsoft.com/en-us/kb/917159", + "id": "KB917159", + "source": "mskb" + }, + { + "href": "http://www.us-cert.gov/cas/techalerts/TA06-192A.html", + "id": "TA06-192A", + "source": "cert" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2006-1314", + "id": "CVE-2006-1314", + "source": "cve" + }, + { + "href": "http://nvd.nist.gov/vuln/detail/CVE-2006-1315", + "id": "CVE-2006-1315", + "source": "cve" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3", + "id": "3", + "source": "oval" + }, + { + "href": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600", + "id": "600", + "source": "oval" + }, + { + "href": "http://www.osvdb.org/27155", + "id": "27155", + "source": "osvdb" + }, + { + "href": "http://www.osvdb.org/27154", + "id": "27154", + "source": "osvdb" + }, + { + "href": 
"http://technet.microsoft.com/security/bulletin/MS06-035", + "id": "MS06-035", + "source": "ms" + }, + { + "href": "http://www.securityfocus.com/bid/18891", + "id": "18891", + "source": "bid" + }, + { + "href": "http://technet.microsoft.com/en-us/security/bulletin/MS06-035", + "id": "http://technet.microsoft.com/en-us/security/bulletin/MS06-035", + "source": "url" + }, + { + "href": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26820", + "id": "win-smb-information-disclosure(26820)", + "source": "xf" + }, + { + "href": "http://www.kb.cert.org/vuls/id/333636", + "id": "333636", + "source": "cert-vn" + } + ], + "modified": "2025-02-18T00:00:00.000Z", + "pci": { + "cvss_score": 7.5, + "fail": true, + "severity_score": 5, + "status": "fail" + }, + "proof": "Vulnerable OS: Microsoft Windows XP\n\n\n\nServer responded with vulnerable error code: 2 and class: 1", + "published": "2006-07-11T00:00:00.000Z", + "references": "bid:18863,bid:18891,cert-vn:189140,osvdb:27154,osvdb:27155,oval:3,cert-vn:333636,oval:600,cve:CVE-2006-1314,cve:CVE-2006-1315,mskb:KB917159,ms:MS06-035,cert:TA06-192A,url:http://technet.microsoft.com/en-us/security/bulletin/MS06-035,xf:win-mailslot-bo(26818),xf:win-smb-information-disclosure(26820)", + "risk_score": 756.61, + "severity": "critical", + "severity_score": 8, + "solution": { + "fix": "Take a look at all possible solutions for vulnerability", + "id": "unknown-windows-hotfix-ms06-035", + "summary": "The solution is unknown for vuln windows-hotfix-ms06-035", + "type": "workaround" + }, + "status": "VULNERABLE_EXPL", + "title": "MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)" + } + } + }, + "related": { + "hosts": [ + "SHOCKWAVE-P", + "12123455-1234-5678-9012-abcdefabcd0e-default-asset-152" + ], + "ip": [ + "175.16.199.3" + ] + }, + "resource": { + "id": "12123455-1234-5678-9012-abcdefabcd0e-default-asset-152", + "name": "SHOCKWAVE-P" + }, + "tags": [ + "preserve_original_event", + 
"preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "CVSS Score Predicted with Rapid7 AI", + "Microsoft", + "Microsoft Patch", + "Remote Execution" + ], + "classification": "CVSS", + "description": "This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own \"Vulnerability Details\" section of this bulletin. We recommend that customers apply the update immediately.", + "enumeration": "CVE", + "id": [ + "CVE-2006-1314", + "CVE-2006-1315" + ], + "published_date": "2006-07-11T00:00:00.000Z", + "reference": [ + "http://www.kb.cert.org/vuls/id/189140", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/26818", + "http://www.securityfocus.com/bid/18863", + "https://support.microsoft.com/en-us/kb/917159", + "http://www.us-cert.gov/cas/techalerts/TA06-192A.html", + "http://nvd.nist.gov/vuln/detail/CVE-2006-1314", + "http://nvd.nist.gov/vuln/detail/CVE-2006-1315", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:3", + "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:600", + "http://www.osvdb.org/27155", + "http://www.osvdb.org/27154", + "http://technet.microsoft.com/security/bulletin/MS06-035", + "http://www.securityfocus.com/bid/18891", + "http://technet.microsoft.com/en-us/security/bulletin/MS06-035", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/26820", + "http://www.kb.cert.org/vuls/id/333636" + ], + "scanner": { + "vendor": "Rapid7" + }, + "score": { + "base": 6.5, + "version": "3.0" + }, + "severity": "Critical", + "title": "Vulnerability in Server Service Could Allow Remote Code Execution (917159)" + } } ] } diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs index d0b25d826bf..68dc2187f11 100644 
--- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs
@@ -21,7 +21,7 @@ state:
 redact:
 fields:
 - api_key
-program: |
+program: |-
 // The program collects all assets and enriches them with vulnerability details.
 // Here's a detailed overview of how this process works:
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml
index 84fa8a76ce3..8236808107d 100644
--- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/elasticsearch/ingest_pipeline/default.yml
@@ -977,22 +977,22 @@ processors:
 - '^Vulnerable OS: %{DATA:_temp.os}(\n)*Vulnerable software installed: %{DATA:package.name} Required patch %{GREEDYDATA}$'
 - '^Vulnerable OS: %{DATA:_temp.os}(\n)*Vulnerable software installed: %{DATA:package.name} Running HTTPS service %{GREEDYDATA}$'
 - '^Vulnerable OS: %{DATA:_temp.os}(\n)*Vulnerable software installed: %{DATA:package.name}$'
- - '^Vulnerable OS: %{DATA:_temp.os} Running %{DATA:_temp.service} service%{DATA}Vulnerable version of %{DATA} found -- %{DATA:package.name}$'
- - '^Vulnerable OS: %{DATA:package.name} The property %{GREEDYDATA}$'
- - '^Vulnerable OS: %{DATA:package.name} Based on the result of the %{GREEDYDATA}$'
- - '^Vulnerable OS: %{DATA:package.name} succeeded with offset %{GREEDYDATA}$'
- - '^Vulnerable OS: %{DATA:package.name} is installed$'
- - '^Vulnerable OS: %{DATA:package.name} System replied with a malformed SMB packet$'
- - '^Vulnerable OS: %{DATA:package.name} Based on the following %{DATA} results: %{GREEDYDATA}$'
- - '^Vulnerable OS: %{DATA:package.name} Found an applicable package: %{GREEDYDATA}$'
- - '^Vulnerable OS: %{DATA:package.name} Server responded with vulnerable error code: %{GREEDYDATA}$'
+ - '^Vulnerable OS: %{DATA:_temp.os}(\n)*Running %{DATA:_temp.service} service(\n)*%{DATA}(\n)*Vulnerable version of %{DATA} found -- %{DATA:package.name}$'
+ - '^Vulnerable OS: %{DATA:package.name}(\n)*The property %{GREEDYDATA}$'
+ - '^Vulnerable OS: %{DATA:package.name}(\n)*Based on the result of the %{GREEDYDATA}$'
+ - '^Vulnerable OS: %{DATA:package.name}(\n)*%{DATA}succeeded with offset %{GREEDYDATA}$'
+ - '^Vulnerable OS: %{DATA:_temp.os}(\n)*%{DATA:package.name} is installed$'
+ - '^Vulnerable OS: %{DATA:package.name}(\n)*System replied with a malformed SMB packet$'
+ - '^Vulnerable OS: %{DATA:package.name}(\n)*Based on the following %{DATA} results: %{GREEDYDATA}$'
+ - '^Vulnerable OS: %{DATA:package.name}(\n)*Found an applicable package: %{GREEDYDATA}$'
+ - '^Vulnerable OS: %{DATA:package.name}(\n)*Server responded with vulnerable error code: %{GREEDYDATA}$'
 - '^Vulnerable OS: %{DATA:package.name}$'
- - '^Vulnerable software installed: %{DATA:package.name} Vulnerable OS: %{DATA:_temp.os}$'
+ - '^Vulnerable software installed: %{DATA:package.name}(\n)*Vulnerable OS: %{DATA:_temp.os}$'
 - '^Vulnerable software installed: %{DATA:package.name}$'
 - '^Vulnerable: %{DATA:package.name}$'
- - '^Running CIFS service Vulnerable OS: %{DATA:package.name} Based on the result of the %{GREEDYDATA}$'
- - '^Running CIFS service Vulnerable OS: %{DATA:package.name} Received vulnerable status reply$'
- - '^Running %{DATA:_temp.service} service%{DATA}Vulnerable version of %{DATA} found -- %{DATA:package.name}$'
+ - '^Running CIFS service(\n)*Vulnerable OS: %{DATA:package.name}(\n)*Based on the result of the %{GREEDYDATA}$'
+ - '^Running CIFS service(\n)*Vulnerable OS: %{DATA:package.name}(\n)*Received vulnerable status reply$'
+ - '^Running %{DATA:_temp.service} service(\n)*%{DATA}Vulnerable version of %{DATA} found -- %{DATA:package.name}$'
 - '^%{GREEDYDATA}$'
 ignore_missing: true
 on_failure:
From 04f7bbc04d8891d6f9f94cdbd71b44fb7d932bd1 Mon Sep 17 00:00:00 2001
From: brijesh-elastic
Date: Tue, 17 Jun 2025 16:52:17 +0530
Subject: [PATCH 18/19] update changelog entry
---
 packages/rapid7_insightvm/changelog.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/packages/rapid7_insightvm/changelog.yml b/packages/rapid7_insightvm/changelog.yml
index e7175a582df..06b9c2fae70 100644
--- a/packages/rapid7_insightvm/changelog.yml
+++ b/packages/rapid7_insightvm/changelog.yml
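Review bot: The rewritten patterns drop the literal space that the removed lines matched between the OS text and the following phrase, and `(\n)*` can match nothing, so a proof that still separates them with a space (`Vulnerable OS: Microsoft Windows XP The property ...`) now leaves that space inside `%{DATA:package.name}` — `Microsoft Windows XP ` with a trailing blank — for the `The property`, `Based on the result`, `System replied`, `Based on the following`, `Found an applicable package` and `Server responded` patterns, and likewise for the two `Running CIFS service` lines, unless a later trim processor cleans it up. If both separators can occur in proof text, grok's `%{SPACE}` (`\s*`) covers space and newline in one token, e.g. `- '^Vulnerable OS: %{DATA:package.name}%{SPACE}The property %{GREEDYDATA}$'`; the parenthesised `(\n)*` also creates an unused capture group where `\n*` would do. The `is installed` pattern additionally changes what lands in `package.name` — the removed line captured the OS string, the new one captures the text after the newline, and on a space-separated proof `_temp.os` would come out empty — so a pipeline test case for that proof shape would pin the intended result; the expected output in this PR only shows the newline form. The grok processor and its `patterns:` list begin before this hunk.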
@@ -7,6 +7,9 @@
 It also stores the latest copy of vulnerabilities in the destination indices, which will require additional storage.
 type: breaking-change
 link: https://github.com/elastic/integrations/pull/14079
+ - description: Add temporary processor to remove the fields added by the Agentless policy.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/14079
 - version: "1.16.0"
 changes:
 - description: Update Kibana constraint to support 9.0.0.
From d1ae43679badbb0b910d6efd5d613e2c1e49bcbe Mon Sep 17 00:00:00 2001
From: brijesh-elastic
Date: Thu, 19 Jun 2025 11:32:14 +0530
Subject: [PATCH 19/19] resolve nits
---
 .../data_stream/asset_vulnerability/agent/stream/cel.yml.hbs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs
index 68dc2187f11..42bc0ca7d70 100644
--- a/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs
+++ b/packages/rapid7_insightvm/data_stream/asset_vulnerability/agent/stream/cel.yml.hbs
@@ -74,7 +74,7 @@ program: |-
 ?"asset": has(state.?cursor.last_interval_time)
 ? optional.none()
 :
- optional.of(("last_scan_end > " + string((timestamp(interval_time) - duration(state.initial_interval)).format(time_layout.RFC3339)))),
+ optional.of(("last_scan_end > " + (timestamp(interval_time) - duration(state.initial_interval)).format(time_layout.RFC3339))),
 }.encode_json(),
 }).do_request().as(resp, resp.StatusCode == 200 ? resp.Body.decode_json().as(body, {