In part 1 of this blog, we introduced the Tesorion Vulnerability Explorer and provided background information on the Exploit Prediction Scoring System (EPSS). In this blog we take a deep dive into the application and provide information to use the application yourself!
Background
Tesorion Vulnerability Explorer is built to help Incident Response teams identify software vulnerabilities in applications, prioritized by likelihood of exploitation. This is done by combining information from five scoring systems and frameworks, which are described below:
- Common Vulnerabilities and Exposures (CVE) is used to identify vulnerabilities.
- Common Vulnerability Scoring System (CVSS) is a system to score the potential impact of a vulnerability.
- Exploit Prediction Scoring System (EPSS) provides a system to score the likelihood a vulnerability will be exploited in the next 30 days for a given date. This is based on the CVSS score and real-world exploit data.
- Common Platform Enumeration (CPE) is used to filter vulnerabilities for a specific product.
- CISA Known Exploited Vulnerabilities catalog (KEV) is a good reference for known exploited vulnerabilities.
Get started with Tesorion Vulnerability Explorer
The application is currently in development, but available for testing and review purposes. The source code and a Windows binary of the application can be downloaded from the following location:
First use of Tesorion Vulnerability Explorer
During the first use of the Tesorion Vulnerability Explorer, a database is created in the current directory. This database is empty and needs to be populated with CVE, CVSS, EPSS and KEV data. The CVE and CVSS data are part of one source: the NIST NVD. The data for EPSS and KEV are downloaded respectively from FIRST and CISA.
Click the “Update all” button to populate the database. The data for all three sources will be downloaded and stored in the database to be used for your analysis. Depending on your internet connection and hardware used, this may take a few minutes. Keep an eye on the “Console” at the bottom of the screen to monitor the progress.
Figure 1 – Tesorion Vulnerability Explorer database is empty on first use.
You can use the “Update all” button anytime to update the information stored in your local database. Updating once a day should be sufficient, as information is not updated that often.
Figure 2 – Tesorion Vulnerability Explorer with a populated database.
EPSS Date
The EPSS score indicates the probability a vulnerability will be exploited in the next 30 days for a given date. To be able to calculate EPSS scores, a given date is required. This date can be entered in the field “EPSS Date” in the format “yyyy-mm-dd”. By default, this field is set to yesterday as the information of today is not always available.
After the date is changed, click the “Update EPSS” button. The EPSS data for the new date is downloaded. Once the data is updated, the “EPSS Date” in the table should correspond to the date entered.
The EPSS trendlines in the vulnerability details pop-up show the trend for the past 30 days and is not affected by the “EPSS Date” entered.
Your first analysis with Tesorion Vulnerability Explorer
Currently Tesorion Vulnerability Explorer contains the information of the National Vulnerability Database (NVD) since 2010, which includes the information of about 150.000 different vulnerabilities. Filters can be applied to select a specific set of vulnerabilities, based on the CVE number or CPE. Both filters are discussed below.
Filtering on CVE
Filtering on CVE is straightforward. A comma separated list of CVE numbers can be provided in the field “CVE filter”. The button “Filter on CVE” applies the filter. The button “Clear CVE filter” will clear the textbox and remove the filter.
For demo purposes, a filter for the vulnerabilities patched during the Oracle CPU of July 2022 is used in the example below.
Figure 3 – CVE filter applied.
Filtering on CPE
CPE is a structured naming scheme for information technology systems, software, and packages. It can be used to filter specific products and corresponding vulnerabilities. The CPE filter string can be provided in the field “CPE filter”. The “Filter on CPE” button applies the filter. The button “Clear CPE filter” clears the textbox and removes the filter.
| Be aware that either the CVE or CPE filter is active. The filters are not complementary. |
The following format is used to build a CPE filter string. Each field may contain a wildcard (*), except the part “cpe:2.3”.
| cpe:2.3:<part>:<vendor>:<product>:<version>:<update>:<edition> |
- cpe:2.3 – this is a static string for the used version of CPE, and already prefilled in the search box.
<part> – this field is either of the following three options:- a – application
- o – operating system
- h – hardware
- <vendor> – The name of the vendor.
- <product> – The name of the product.
- <version> – The version of the product.
- <update> – Update or service pack information, also referred to as minor version.
- <edition> – A further granularity, describing the build of the product.
Some examples of CPE filters are:
- cpe:2.3:a:microsoft:exchange_server:4.0:sp1:
- cpe:2.3:a:oracle:database:9.0.1.5:
- cpe:2.3:a:atlassian:confluence_server:6.15*
- cpe:2.3:o:microsoft:windows*
CPE does describe more fields, but for the use with Tesorion Vulnerability Explorer the above fields should be sufficient. Although not described here, all CPE fields can be used. A full overview of all fields with some practical examples of how to use CPE can be found here:
NIST developed a search engine for CPE on their website, which is a great help for building and testing your CPE filter strings. A link to this website is embedded in Tesorion Vulnerability Explorer called “NVD CPE search (open website)” and leads to:
In the example below, a CPE filter string is used to select all vulnerabilities related to an Oracle Database version 12. This CPE strings looks as following:
- cpe:2.3:a:oracle:database:12*
Figure 4 – CPE filter applied.
The console at the bottom of the screen provides feedback on the filtering process. In case of an invalid CPE filter string, an error will be written. In this example the filter has five CPE matches, for a total of 45 matching CVEs. All 45 CVEs are available in the database of Tesorion Vulnerability Explorer and are displayed. As only the CVEs since 2010 are loaded, it is possible not all CVEs are available.
In case a CPE filter returns over 2000 matches, only the first 2000 matches are used. Additionally, a warning message will be displayed in the console at the bottom of the screen. It is advised to make the filter more specific to reduce the number of matches.
Explore the data
Once a filter is applied on either CPE or CVE, the data can be explored in the GUI. By selecting the table header for a specific column, data is sorted based on the information stored in that column. By sorting on the EPSS score, the least or most likely to be exploited vulnerability will be on top.
Only a certain set of data of a vulnerability is displayed in the table. More information for a vulnerability can be retrieved by double-clicking a row in the table. A pop-up with more detailed information is displayed, as shown in the screenshot below. For more information regarding the vulnerability, you can visit the NVD website by clicking “NVD CVE Details (open website)”.
Figure 5 – The detail screen for a specific vulnerability.
The EPSS trendlines in the pop-up show the trend for the past 30 days and is not affected by the “EPSS Date” entered in the main screen.
Export to Excel
The goal of Tesorion Vulnerability Explorer is to combine the information from several systems and frameworks in a lightweight application. It is not a full data analytics platform. An export function for Microsoft Excel is included in the application. This provides access to the capabilities of Excel regarding data enrichment, filtering, and manipulation. Additionally, it provides a method for sharing specific vulnerability information.
The current filter is applied on the export. By removing all filters, a full export of all data can be created.
Systems and frameworks used
The Tesorion Vulnerability Explorer gets its power from combining different scoring systems and frameworks. More information about these systems and frameworks can be found in the overview below, including links to their respective websites:
- EPSS – Exploit Prediction Scoring System – An open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. This system is built and maintained by FIRST.
- CVE – Common Vulnerabilities and Exposures – The registration system for keeping track of known vulnerabilities. Tesorion Vulnerability Explorer uses the enriched dataset set from the NIST NVD, which is built upon and fully synchronized with the CVE List.
- CVSS – Common Vulnerability Scoring System – An open framework for communicating the characteristics and severity of software vulnerabilities. The framework is developed and maintained by FIRST. The scores for individual CVEs are assigned by NIST NVD.
- CPE – Common Platform Enumeration – A structured naming scheme for information technology systems, software, and packages. The CVE information from the NIST NVD is enriched with the impacted products in the CPE format. Tesorion Vulnerability Explorer leverages this format, to select vulnerabilities for specific products.
- CISA KEV catalog – CISA Known Exploited Vulnerabilities catalog – CISA keeps track of vulnerabilities identified as known to be exploited in the wild.
Found something alarming?
If you, for any reason, have a feeling hackers might already have access to your IT-infrastructure, don’t hesitate to call the Tesorion Computer Emergency Response Team (T-CERT). This team can be engaged for Incident Response and perform digital forensics which might expose (historical) malicious activities inside your IT-infrastructure.
Need immediate Incident Response support? Call our 24/7 hotline: +31-88-2747800
More information about T-CERT
