How CyberCNS scans for vulnerabilities
To be able to detect vulnerabilities, agents collect a list of installed applications and send it anonymously to the central server. The central server is a global vulnerability database, from publicly available CVE repositories, using it later to cross-correlate this information with the agent’s applications inventory data.
The global vulnerability database is created automatically, currently pulling data from the following repositories:
https://canonical.com: Used to pull CVEs for Ubuntu Linux distributions.
https://www.redhat.com: Used to pull CVEs for Red Hat and CentOS Linux distributions.
https://www.debian.org: Used to pull CVEs for Debian Linux distributions.
https://nvd.nist.gov/ : Used to pull CVEs from the National Vulnerability Database.
https://msrc.microsoft.com/ : Used to pull Microsoft CVEs
Manual Curation to fix inaccuracies
Â
Once the global vulnerability database (with the CVEs) is created, the detection process looks for vulnerable packages in the inventory databases (unique per agent). Alerts are generated when a CVE (Common Vulnerabilities and Exposures) affects a package that is known to be installed in one of the monitored servers. A package is labeled as vulnerable when its version is contained within the affected range of a CVE. The results are presented as provided in the instance with the remediations.
Windows vulnerability check
Get list of cumulative updates and key file versions on system using OSQuery
Send this to central server
Central server checks hot-fixes against DB that has been curated
It finds missing hot-fixes and security updates
It finds all vulnerabilities tagged as fixed in those versions
For each application the application is marked as Microsoft or Non Microsoft. If Microsoft then we have a DB of all application versions and the Patch associated
For Microsoft applications we run a query for highest version of patched files and then reverse lookup to see which patch it belongs to. We then determine what patches are missing and then reverse lookup vulnerabilities fixed by those versions to display the vulnerabilities
For Non Microsoft Applications we convert the app name into the CPE as defined in https://nvd.nist.gov/products/cpe
Once we determine the CPE we then fetch CVEs by CPE
We then lookup the version constraints and then based on that information get the CVEs for the application
The fixed version is then picked up by querying our Chocolatey repo to find the latest version released and provide that as a remediation