Looking for a Specific Vulnerability (CVE)

Certain key vulnerabilities may present themselves from time to time. These vulnerabilities, typically called zero-day vulnerabilities, are a flaw or weakness in software, hardware, or firmware unknown to the vendor and does not immediately have a patch available. These vulnerabilities are called zero-day vulnerabilities because once the vulnerability is discovered or exploited, there are zero days to address the issue before potential attacks occur.

A CVE identifier is structured in the format of CVE-YYYY-NUMBER, where YYYY is the year the vulnerability was assigned and NUMBER is a unique identifier for that vulnerability within the year. Tenable maintains a list of CVE and their affected products. Tenable then augments the data to include Tenable Plugins that detect each vulnerability. To view the newest CVE, which CVE are currently of interest, have been recently updated, along with which CVE are actively being monitored, visit the Tenable CVE Overview page.

This page also has links for associated RSS feeds related to CVE.

For example, CVE-2020-1350 is a critical Remote Code Execution vulnerability which exists in Microsoft Windows Domain Name System servers. To identify if this vulnerability exists within the environment there are several options:

  • Searching the Vulnerability Database (Analysis in Tenable Security Center or Findings in Tenable Vulnerability Management) will present results which are present in the environment.

  • Using Tenable Vulnerability Intelligence (will also present results which are active in the environment, but will also present results which are not present in the environment, such as findings for a CVE which is actively being tracked by Tenable Security Response Teams. See the Tenable Vulnerability Intelligence section of this reference for more information).

Note: When a CVE has a Nessus Plugin associated with it, the Plugin will be enabled by default when scans are conducted. By default, new plugins do not need to be enabled. However, analysts do have the option to create Advanced scans, and enable select plugins. To create a Custom Scan follow the Tenable guidance for your product.

Tenable Security Center

Navigate to the Analysis tab, selecting Vulnerabilities. Click the +Customize link to add a filter for CVE ID, select within that filter Exact Match (or contains if you only have a partial CVE ID), and click the Apply button.

Note: Exact Match is case sensitive. Use capital letters when searching such as “CVE” as lower case “cve” will not return results when using Exact Match.

In this case, two plugins are returned.

  • 138600 Windows DNS Server RCE (CVE-2020-1350)

  • 138554 Microsoft DNS Server Remote Code Execution (SIGRed)

Clicking the Go to Vulnerability Detail link provides a vast amount of information related to this vulnerability.

A synopsis of the vulnerability, including a full description, along with steps to remediate are provided. Plugin output is displayed to help analysts determine the affected version, and what the fixed version of the software is, in this case the Plugin Output is:

Installed version : 6.1.7601.23865 Fixed version : 6.1.7601.24557

Risk information is presented along the right side, with Exploit Information, Plugin Information, Vulnerability Priority Rating (VPR) and Key Drivers, Vulnerability Information, Assessment Configuration data, and Reference Information. The Reference Information section contains a CVE reference. Clicking this link opens the Vulnerability Intelligence Overview Page also known as the Vulnerability Profile Page for the CVE.

Note: Tenable Vulnerability Intelligence is only available within Tenable Security Center with version 6.6 and higher. For all previous versions of Security Center the CVE Reference link will open the NIST page at the National Vulnerability Database for the CVE.

The Vulnerability Profile Page contains four sections:

  • Vulnerability Information - Allows the analyst to view the CVSS, Vulnerability Priority Rating (VPR), and Exploit Prediction Scoring System (EPSS) for the vulnerability.

  • How Does This Affect Me - Allows the analyst to view affected assets and products in the environment and build queries to refine search results.

  • Sources - Allows the analyst to view contextual intelligence such as security advisories on the external website where they appear.

  • Vulnerability Metrics - Allows the analyst to view metrics which have been broken down by general information, risk profiles, severity, and plugin coverage.

The Vulnerability Profile Page is a tremendously useful resource to assist organizations prioritize vulnerabilities. Immediately, analysts can fully comprehend and be able to expertly relay critical information to others regarding the vulnerabilities. Important information found here is:

  • The number of affected assets in the environment, quickly allows organization to view the impact of the vulnerability (found in the How Does This Affect Me section).

  • The products which are affected by this vulnerability (found under Products in the Vulnerability Information section).

  • The available Nessus plugins (Found under Plugins in the Vulnerability Information section) This is useful if an organization wants to create a scan specifically for this vulnerability.

  • Complete vulnerability metrics, providing full risk profiles of the vulnerability along with Summary details and a Events timeline, to assist organizations in correctly prioritizing risk remediation efforts based on the number of affected assets.

For vulnerabilities in which a Nessus Plugin has been published, the date is available in the Events time line.

As shown above, the two plugins 138600 and 138554, which were located in the Vulnerability Database are displayed here. This signifies that there are known vulnerabilities present for all the Nessus plugins associated with this CVE. Additionally, there is a link in the Vulnerability Metrics section which displays the Latest Plugin Coverage. Clicking this link will load a new browser tab for the Tenable Plugin site, displaying information on the latest plugin for this CVE.

From here analysts can easily convey to the rest of the organization the full impact of any CVE identified during a vulnerability scan and track remediation efforts.

Tenable Vulnerability Management

Navigate to the Findings tab, selecting Vulnerabilities. Click the Advanced filter option to add a filter for CVE ID, select within that filter Exact Match (or contains if you only have a partial CVE ID), and click the Apply button.

Note: Exact Match is case sensitive. Use capital letters when searching such as “CVE” as lower case “cve” will generate an error with Exact Match.

Provided that the Group By Plugin option is selected, two plugins are returned.

  • 138600 Windows DNS Server RCE (CVE-2020-1350)

  • 138554 Microsoft DNS Server Remote Code Execution (SIGRed)

Clicking on one of the plugin results opens a preview of the Details Window. A synopsis of the vulnerability, including a full description, along with steps to remediate (Solution) are provided.

To view the full details, select the option in the preview pane to Open in Findings. This will reset the view. Once again, click on the plugin and when the preview pane opens you will have the option to See All Details. Clicking on this option displays the full vulnerability details.

Plugin output is displayed to help analysts determine the affected version, and what the fixed version of the software is, in this case the Plugin Output is:

Installed version : 6.1.7601.24214 Fixed version : 6.1.7601.24557

Risk information is presented along the right side, with Exploit Information, Plugin Information, Vulnerability Priority Rating (VPR) and Key Drivers, Vulnerability Information, Assessment Configuration data, and Reference Information. The Reference Information section contains a CVE reference. Clicking this link opens the Vulnerability Intelligence Overview Page also known as the Vulnerability Profile Page for the CVE.

The Vulnerability Profile Page contains four sections:

  • Vulnerability Information - Allows the analyst to view the CVSS, Vulnerability Priority Rating (VPR), and Exploit Prediction Scoring System (EPSS) for the vulnerability.

  • How Does This Effect Me - Allows the analyst to view affected assets and products in the environment and build queries to refine search results.

  • Sources - Allows the analyst to view contextual intelligence such as security advisories on the external website where they appear.

  • Vulnerability Metrics - Allows the analyst to view metrics which have been broken down by general information, risk profiles, severity, and plugin coverage.

The Vulnerability Profile Page is a tremendously useful resource to assist organizations prioritize vulnerabilities. Immediately, analysts can fully comprehend and be able to expertly relay critical information to others regarding the vulnerabilities. Important information found here is:

  • The number of affected assets in the environment, quickly allows organization to view the impact of the vulnerability (found in the How Does This Effect Me section).

  • The products which are affected by this vulnerability (found under Products in the Vulnerability Information section).

  • The available Nessus plugins (Found under Plugins in the Vulnerability Information section) This is useful if an organization wants to create a scan specifically for this vulnerability.

  • Complete vulnerability metrics, providing full risk profiles of the vulnerability along with Summary details and a Events timeline, to assist organizations in correctly prioritizing risk remediation efforts based on the number of affected assets.

For vulnerabilities in which a Nessus Plugin has been published, the date is available in the Events time line.

As shown above, the two plugins 138600 and 138554, which were located in the Vulnerability Database are displayed here. This signifies that there are known vulnerabilities present for all the Nessus plugins associated with this CVE. Additionally, there is a link in the Vulnerability Metrics section which displays the Latest Plugin Coverage. Clicking this link will load a new browser tab for the Tenable Plugin site, displaying information on the latest plugin for this CVE.

From here analysts can easily convey to the rest of the organization the full impact of any CVE identified during a vulnerability scan and track remediation efforts.

Tenable Vulnerability Intelligence

Tenable Vulnerability Intelligence is available within Tenable Security Center and Tenable Vulnerability Management, by selecting the Vulnerability Intelligence icon on the left side bar within both products.

The Tenable Vulnerability Intelligence landing page displays all vulnerabilities known to Tenable. The vulnerabilities come from Tenable’s database, which draws on sources such as internal expertise, vendor advisories, the GitHub Advisory Database, and the National Vulnerability Database (NVD).

The Vulnerability Intelligence section also holds curated categories that blend known risk indicators with insights from the Tenable Research Team to surface the most crucial vulnerabilities. To select a curated category click on the cell for that category. The page will update to display the number of current findings and the number of affected assets in your environment. Also displayed will be a listing of all the CVE, risk scores, important event dates, and the Nessus Plugins that have been assigned to this vulnerability.

To search for a specific CVE, such as CVE-2020-1350, enter the CVE identifier into the search bar in the top right corner. Partial identifiers (at least 5 characters required) can be entered in the search bar to retrieve a list of suggestions you may choose from.

Choosing any CVE from the results will open the Vulnerability Intelligence Overview Page also known as the Vulnerability Profile Page for the CVE.

From here analysts can easily convey to the rest of the organization the full impact of any CVE, not only those identified during a vulnerability scan and affected assets, but also those CVE currently being tracked by Tenable which may induce future risk.