Interpret Vulnerability Scan Results
View the List of Vulnerable Packages
After running a vulnerability scan, examine the results in the Halo Portal. You can access them from either the Dashboard or the Server Scan History page.
A. From the Halo Portal Dashboard:
Go to Servers > Software Risks or click the Software icon on the Dashboard page.
Scroll or search to find the name of the server whose vulnerabilities you want to examine. Click the number of critical or non-critical vulnerable packages for that server (in the Critical or Other column in the list of servers) to display the server's Software Scan Results page, which shows the results of the most recent vulnerability scan.
B. From the Portal's Server Scan History page:
Go to Servers > Scan History. The server scan history page displays all saved scans of all types on all servers. (Only users with a Halo Professional account can see vulnerability scans.)
Scroll or re-sort the contents of the page to find the server and vulnerabilities that you want to examine. For example, you might sort first by server and then scroll through all types of scans to find the most recent scan (labeled "Current scan") of type "Software".
This page shows you not only the most recent vulnerability scan, but also earlier scans. In the above example, you can see that the most recent scan (on 2012-12-07) detected three critical vulnerabilities that did not appear in the previous vulnerability scan (on 2012-11-01).
To view the details of any of this server's scans, click the Details link. The server's Software Scan Details page appears, showing the detailed results of your selected scan.
C. View the Server Scan Details page:
However you access it, the Server Scan Details page differs slightly between Linux and Windows. By default, critically vulnerable packages are listed first, followed by those with a lower vulnerability score.
Note that you can use the links at the top of the table to save a PDF report of this page, go to the Server Scan History page to see other scans of this server, or launch a new vulnerability scan of this server.
If you want to see a full inventory of all installed packages on the server, click the View Full Report (with Passes) link. The table expands to show all the non-vulnerable packages as well as the vulnerable ones.
For Windows only:
- CPE. This is the Windows "Common Platform Enumeration" name for the listed package. It is a standardized NIST specification of the name and version of the software in question. If NIST has not created a specification for the package, the value in the CPE column is "No NIST CPE".
- Security updates. Clicking the View Security Updates link at the top of the table displays the following page relating to the software installed on this server:
This table is an inventory of all the security updates (patches) that have been applied to the server. Each update is identified by its "kb" number, the unique ID of the Microsoft knowledge base article that describes the update. The installation date for the update is displayed, if it is known. The CVE(s) that the update addresses are also listed. This information is useful for verifying whether a specific update has been applied to the server, or for quickly determining which CVEs a given update addressed.
Note: The set of CVEs associated with a given update in the table includes not only CVEs that were explicitly addressed in that update, but also all CVEs that were addressed in earlier updates that have been superseded by that update.
View Vulnerability Details
On the Software Scan Details page for any server, if you click the CVE reference number for a vulnerability, the Vulnerability Details page for that CVE is displayed.
The information on this page comes directly from the NIST database.
- Vulnerability Details. Where and in which versions of what software modules this vulnerability exists, what kind of exploit it allows, and possibly additional details on how an exploit could work.
- Published and Last Modified. How long this vulnerability has been known, and whether/when NIST has updated this information.
- CVSS Base Metrics. Important information on how severe this vulnerability is:
  - NIST CVSS Base Score. The numerical severity score for this vulnerability. By default, Halo classifies any score over 5.0 as a critical security event, although you can change that threshold on the Software Vulnerability Assessment Settings page in the Portal.
  - Access Vector. How remote an attacker can be. A value of Network means that the attacker does not need physical access, local-account access, or local-network access to the target.
  - Access Complexity. How common the conditions are in which this vulnerability can be exploited. A value of Low means that it is very common.
  - Authentication. Whether and how many times an attacker must authenticate to the target system to perform the exploit. A value of NONE means that no authentication is required.
  - Confidentiality impact. The impact that a successful exploit could have on the confidentiality of the target. A value of Complete means total information disclosure.
  - Integrity impact. The impact that a successful exploit could have on the integrity of the target. A value of Complete means total compromise of system integrity.
  - Availability impact. The impact that a successful exploit could have on the availability of the target. A value of Complete means a total shutdown of the affected resource.
All of the above information is taken into account in assigning the numeric score to the vulnerability. For more details, click the NIST FAQ on Base Metrics link.
- Affected Packages. The name(s) of the package or packages that exhibit this vulnerability. This is the CPE (Common Platform Enumeration) of the affected Linux or Windows package.
- External References. A list of links to additional information about this vulnerability.
Take both the numeric score and the values for the individual CVSS base metrics into account in assessing your organization's priority for remediating each vulnerability. The next section discusses remediation strategies.