CVE Risks in Censys Attack Surface Management
Overview
Note
If you have any risk-related integrations or scripts, enabling CVE Risks in ASM may generate a large volume of alerts, as CVEs are detected in your workspace. We recommend working with your customer success team to enable the feature.
In Censys Attack Surface Management (ASM), use Common Vulnerabilities and Exposures (CVE) data, Known Exploited Vulnerability (KEV) information, and the Common Vulnerability Scoring System (CVSS) to quickly prioritize vulnerabilities and initiate remediation.
CVEs are common identifiers for publicly known security vulnerabilities. Their severity is derived from CVSS scores. Most CVEs carry both CVSSv2 and CVSSv3 scores, though some older CVEs have no CVSSv3 score. CVEs with evidence of active exploitation by threat actors are added to the Known Exploited Vulnerabilities (KEV) catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA). With the CVE risk feature, these metrics are tracked for all software detected in Censys Attack Surface Management.
When a new CVE is cataloged by the National Vulnerability Database (NVD), it becomes discoverable in Censys ASM alongside its CVSS score within 24 hours. When Censys discovers new software in a given attack surface, Censys maps all known CVEs for that software and presents them as risks. Use the CVSS score and KEV flag to immediately understand the severity and exploitability of the vulnerability.
By default, CVE risks are enabled only for CVEs that meet the following criteria:
- CVSS score of High or Critical (KEVs are included regardless of severity; see Tuning by KEV below)
- Present in the CISA KEV catalog
- Network attack vector
Using CVEs as Risks in Censys ASM
On the Risk Instances page in the ASM web interface, you can see new, active, and closed CVE risks. CVE risks are shown using the following format: “Vulnerable [software vendor] [software product] [associated CVE count].” The associated CVE count links to a table listing every individual CVE associated with the software.
Note
On the Risk Instances page, risks with the naming format “Vulnerable [software product] [CVE ID],” such as “Vulnerable OpenSSH [CVE-2024-6387],” are rapid response risks.
View CVE context on the Risk Instances page
- Log in to your Censys ASM workspace and click Risks > Risk Instances at the top of the page.
- On the left side of a CVE risk entry for an asset, to the left of the checkbox, click > to expand its details. A summary of information about the CVE or CVEs associated with this software is shown:
- The CPE string used to identify the software.
- The maximum severity level of associated CVEs.
- The vendor name.
- The product name.
- The product version.
- Whether any of the associated vulnerabilities are present in CISA’s KEV catalog.
- The highest CVSSv3 score of associated vulnerabilities.
- The highest CVSSv2 score of associated vulnerabilities.
- The asset ID.
- When the software was first seen in your attack surface.
- When the software was last seen in your attack surface.
In the example shown in these screenshots, Apache HTTP Server version 2.2.15 was identified on the asset. Censys automatically checked NVD for any CVEs related to this version and returned 22 results.
- Click the link to see the full list of CVEs.
In this list, you can quickly see each CVE ID, whether the CVE is a KEV, the CVSS score, and the date this vulnerability was first seen in your attack surface. Click any of the hyperlinked CVEs to view that entry in the National Vulnerability Database (NVD).
- Click the Investigate on button below the list to navigate to the associated CVE information on the affected asset’s inventory page.
CVE Risks on the Asset Details Page
When viewing a CVE risk on the asset details page, you see the same information provided on the Risk Instances page.
Click the Associated CVEs tab to see the list of CVE IDs.
Tuning vulnerability alerts on the Configure CVEs page
The volume of CVEs you see in Censys ASM is dependent on your attack surface. We recommend that you start with the highest severity CVEs enabled, then determine whether you should adjust your filters to include more CVEs.
In ASM, navigate to Risks > Configure CVEs to manage your CVE risk settings. To save changes to your configuration, click Submit at the top of the page. Click Reset to return settings to their default configuration.
Disable or enable CVE risks
In the top-right corner of the page, you can use the toggle to enable or disable CVE risks in their entirety in your workspace.
Tuning by CVSS score
Select which score ranges to include in the Risk Instances table. By default, this is set to include high and critical severities.
Tuning by Attack Vector
Choose which attack vectors to include in the Risk Instances table. By default, only network attack vector is selected.
Tuning by KEV
Select whether to always include Known Exploited Vulnerabilities in the Risk Instances table, regardless of severity. This option is recommended because KEVs are known to be exploited by threat actors and pose a serious risk to your attack surface. By default, this option is enabled.
Search for CVEs on the Configure Risk Types page
To see if a specific CVE is present in your attack surface, you can search for it on the Configure Risk Types page.
- In ASM, navigate to Risks > Configure Risk Types.
- Locate the search bar on the top right. Enter the CVE ID you are searching for.
- In the results, check the “Risk Instances” column to see if a count appears.
- Click the Risk Type to see important context about the CVE, like CVSS score and whether it is a KEV.
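The following is an added example, not Censys code, that models the filtering and roll-up described on the Configure CVEs page and the CVE search above: NVD-style CVE records are filtered by the default criteria (High or Critical CVSS, network attack vector, KEVs always included regardless of severity), then grouped per CPE into the “Vulnerable [vendor] [product] [count]” summary the Risk Instances page shows, and a single CVE ID can be looked up across the result. The records, CVE IDs (CVE-0000-000N placeholders, not real CVEs), and the `CveFilter`, `risk_instances` and `find_cve` names are constructed for illustration. One assumption is explicit: the KEV override bypasses the severity band only, not the attack-vector filter, since the page says “regardless of severity” and nothing about attack vector.

```python
"""Added example (not Censys code): apply the default CVE risk filter to
constructed NVD-style CVE records and roll them up per software (CPE)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cve:
    cve_id: str
    cpe: str                    # software the CVE applies to, as a CPE 2.3 string
    cvss_v3: Optional[float]    # None for older CVEs with no CVSSv3 score
    cvss_v2: Optional[float]
    attack_vector: str          # "NETWORK", "ADJACENT_NETWORK", "LOCAL" or "PHYSICAL"
    kev: bool                   # listed in CISA's KEV catalog


@dataclass(frozen=True)
class CveFilter:
    """The three knobs on the Configure CVEs page; defaults match the page."""
    severities: frozenset = frozenset({"HIGH", "CRITICAL"})
    attack_vectors: frozenset = frozenset({"NETWORK"})
    always_include_kev: bool = True


def severity_v3(score):
    """NVD's CVSSv3 qualitative bands."""
    if score is None:
        return None
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    return "HIGH" if score < 9.0 else "CRITICAL"


def severity_v2(score):
    """NVD's CVSSv2 bands (no Critical band in v2)."""
    if score is None:
        return None
    return "LOW" if score < 4.0 else ("MEDIUM" if score < 7.0 else "HIGH")


def severity(cve):
    """Prefer v3; fall back to v2 for older CVEs that have no v3 score."""
    return severity_v3(cve.cvss_v3) if cve.cvss_v3 is not None else severity_v2(cve.cvss_v2)


def matches(cve, f):
    if cve.attack_vector not in f.attack_vectors:
        return False                       # assumption: vector filter applies even to KEVs
    if f.always_include_kev and cve.kev:
        return True                        # KEV override: included regardless of severity
    return severity(cve) in f.severities


RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def risk_instances(cves, f=CveFilter()):
    """Group enabled CVEs by CPE and return the summary fields the Risk
    Instances page shows: max severity, KEV flag, highest v3/v2 scores, count."""
    groups = {}
    for c in cves:
        if matches(c, f):
            groups.setdefault(c.cpe, []).append(c)
    rows = []
    for cpe, group in groups.items():
        vendor, product, version = cpe.split(":")[3:6]   # cpe:2.3:part:vendor:product:version:...
        rows.append({
            "name": f"Vulnerable {vendor} {product} [{len(group)}]",
            "cpe": cpe, "vendor": vendor, "product": product, "version": version,
            "max_severity": max((severity(c) for c in group), key=lambda s: RANK.get(s, 0)),
            "kev": any(c.kev for c in group),
            "max_cvss_v3": max((c.cvss_v3 for c in group if c.cvss_v3 is not None), default=None),
            "max_cvss_v2": max((c.cvss_v2 for c in group if c.cvss_v2 is not None), default=None),
            "cves": sorted(c.cve_id for c in group),
        })
    # KEV-bearing software first, then by worst severity: the triage order the page recommends.
    return sorted(rows, key=lambda r: (r["kev"], RANK.get(r["max_severity"], 0)), reverse=True)


def find_cve(cves, cve_id, f=CveFilter()):
    """The 'search for a CVE ID' workflow: which enabled risk instances carry it?"""
    return [r["name"] for r in risk_instances(cves, f) if cve_id in r["cves"]]


# Constructed sample (placeholder IDs, not real CVEs); mirrors the page's Apache 2.2.15 example.
HTTPD = "cpe:2.3:a:apache:http_server:2.2.15:*:*:*:*:*:*:*"
SSHD = "cpe:2.3:a:openbsd:openssh:9.2:*:*:*:*:*:*:*"
SAMPLE_CVES = [
    Cve("CVE-0000-0001", HTTPD, 9.8, 7.5, "NETWORK", True),    # critical + KEV
    Cve("CVE-0000-0002", HTTPD, None, 5.0, "NETWORK", False),  # v2-only, Medium: filtered out by default
    Cve("CVE-0000-0003", HTTPD, 7.5, 4.3, "NETWORK", False),   # High via v3
    Cve("CVE-0000-0004", HTTPD, 7.8, 4.6, "LOCAL", False),     # High but local vector: filtered out
    Cve("CVE-0000-0005", SSHD, 5.3, None, "NETWORK", True),    # Medium but KEV: kept by the override
    Cve("CVE-0000-0006", SSHD, 3.7, 2.6, "NETWORK", False),    # Low: filtered out
]

if __name__ == "__main__":
    for row in risk_instances(SAMPLE_CVES):
        print(row["name"], row["max_severity"], "KEV" if row["kev"] else "", row["cves"])
    print(find_cve(SAMPLE_CVES, "CVE-0000-0005"))
```

Widening `severities` to include Medium (the second knob on the Configure CVEs page) pulls CVE-0000-0002 into the Apache instance, while disabling the KEV override drops the OpenSSH instance entirely; running the sample under both filters shows why the page recommends leaving the override on.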
Common use cases
Investigating critical vulnerabilities
If you are an analyst investigating a specific vulnerability, like CVE-2022-47966, you need to confirm whether the vulnerability is in your environment and whether the data is fresh. To accomplish this task using CVE risks in ASM, use the following process.
First, log in to your ASM instance and navigate to Risks > Configure Risk Types. New risk types are added here within 24 hours of NVD publishing a CVE.
On this page, in the upper right corner, search for CVE-2022-47966. In the list view, look at the Risk Instances column to see whether there are any instances of this CVE in your attack surface.
Click the CVE to expand its details. From here, quickly see whether this is known to be exploited and how critical the vulnerability is.
Monitoring vulnerabilities on your external attack surface
If you are an analyst who needs to monitor any potential vulnerabilities in your environment, you need to quickly understand and remediate the highest priority vulnerabilities. To do this using CVE risks in ASM, use the following process.
First, log in to your ASM instance and navigate to Risks > Risk Instances. On this page, you can see at a glance whether there are new vulnerabilities, how many CVEs are associated with the vulnerabilities, and whether they are known to have been exploited.
Expand the details of the risk to view these details and remediation recommendations. To assess risk and prioritize vulnerabilities, look at CVSS scores, KEV data, and length of exposure.
You can also click View Associated CVEs to view and investigate all CVEs associated with the software. In the Associated CVEs table, click the CVE ID to view the related NVD page with additional information.
CVE risks FAQs
If you have questions about CVE risks in ASM, reference our FAQ document to see if your question is addressed.