PaulDotCom mailing list archives

Scanning of cumulative vulns/patches


From: rgula at tenablesecurity.com (Ron Gula)
Date: Wed, 17 Feb 2010 16:42:00 -0500

On 2/17/2010 2:17 PM, Albert R. Campa wrote:
> What do you guys think of scanning and reporting of cumulative vulnerabilities?

It is a very slippery slope. The more you reduce what is being reported,
the less detail you have. If you reduce enough, you can get to reports
that really over summarize such as "Here are the systems that aren't
being patched". You lose any visibility of the types of vulns that have
been subsumed into the "cumulative" report. It's also not as easy as it
seems.

> For example, if you have vulnerability A that supersedes vulnerability
> B, Nessus will report both A and B as vulnerable, but for patching
> only vulnerability A needs to be patched. So why report vulnerability
> B? Should the scanner ignore superseded vulnerabilities? Is the only
> plus to reporting both A and B to have a history of old
> vulnerabilities not patched?

Your example is over-simplistic. In lots of cases you have complex
progressions of vuln reporting, such as product 2.0 to 2.5 is vulnerable,
but not product 2.6 and higher or 3.x. One vulnerability might be present
in each of these releases. Also, would the "fix" be to upgrade to 2.5 or
3.0 in this case?

Don't put your vuln scanner in charge of your IT.  Use your vuln scanner
to measure how IT is doing.

> What about metrics? A and B might be vulnerable but only patch A needs
> to be installed.

This is absolutely an issue, but vuln scanners need to test for both if
a cumulative patch or service patch has been installed, or if a simple
hotfix has been installed.

> If an admin gets a vuln report with both A and B, can they easily
> figure out "oh, this is cumulative, so I only need to install A", or are
> they going to try to install both?

If you are giving an admin a vuln report, I hope it is from a
credentialed patch audit with a focus on missing patches. If you aren't
doing credentialed scans, you are not speaking the same language as an
admin unless you are narrowly testing for some issue like MS08-68
(Conficker's exploit) or one of the Adobe flaws.

Ron Gula, CEO
Tenable Network Security
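The A/B supersession case and the 2.0 to 2.5 version-progression case from the exchange above, as an added Python example that is not Nessus or Tenable code: it collapses findings to the patches actually needed while keeping the subsumed findings listed underneath, and matches an installed version against an inclusive vulnerable range. The finding ids, patch names and version ranges are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    """'fix' names the remediating patch; 'supersedes' holds older finding ids
    that patch also covers (all values here are constructed)."""
    id: str
    fix: str
    supersedes: set = field(default_factory=set)

def rollup(findings):
    """Patch list keeps only un-superseded findings; each one still lists the
    findings it subsumes, so the per-vuln detail is not lost in the summary.
    Supersession links to ids the scan never observed are ignored."""
    by_id = {f.id: f for f in findings}
    observed = set(by_id)
    superseded = set()
    for f in findings:
        superseded |= f.supersedes & observed
    roots = [f for f in findings if f.id not in superseded]

    def subsumed(f):  # transitive closure over observed supersession links
        seen, stack = set(), list(f.supersedes & observed)
        while stack:
            s = stack.pop()
            if s not in seen:
                seen.add(s)
                stack.extend(by_id[s].supersedes & observed)
        return sorted(seen)

    patch_list = [r.id for r in roots]
    detail = {r.id: {"fix": r.fix, "also_covers": subsumed(r)} for r in roots}
    return patch_list, detail

def _ver(v):
    return tuple(int(x) for x in v.split("."))

def is_vulnerable(installed, vulnerable_ranges):
    """True if 'installed' sits inside any inclusive (low, high) range. Bounds
    compare as version prefixes, so ("2.0", "2.5") covers 2.5.1 but not 2.6."""
    iv = _ver(installed)
    return any(iv[:len(_ver(lo))] >= _ver(lo) and iv[:len(_ver(hi))] <= _ver(hi)
               for lo, hi in vulnerable_ranges)

# Constructed sample: B is an old hotfix subsumed by cumulative patch A; C is unrelated.
SAMPLE = [
    Finding("KB-A", "cumulative patch", {"KB-B", "KB-Z"}),  # KB-Z was not observed
    Finding("KB-B", "hotfix"),
    Finding("KB-C", "upgrade to 2.6"),
]
```

Running `rollup(SAMPLE)` yields a patch list of KB-A and KB-C only, with KB-B still reported under KB-A as covered.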