Exploitable Since 2002: New Nessus 5 Filters

by Ron Gula
February 21, 2012

With Nessus 5, the results from a single vulnerability scan can be filtered to show which hosts have ancient vulnerabilities, which hosts aren’t being managed, and also which hosts have been exploitable for long periods of time. This blog entry discusses the new Nessus 5 filters, how they can be used to track high-risk vulnerabilities, and how enterprise users of Tenable SecurityCenter can leverage these filters for dashboards and asset-based reporting.

New Nessus 5 Filters

The following two new Nessus 5 filters are available:

  • Exploit Frameworks – Users can filter reports for vulnerabilities that can be exploited with exploit frameworks from Core, Exploit Hub, Immunity, and many others.
  • Vulnerability Publish Date – The date a vulnerability was published to the public.

Nessus 5 can also take advantage of dozens of other new filters. In addition, Tenable’s Research team can push new “tags” into the plugins, and Nessus 5 can automatically learn about and use these to filter reports and vulnerability results. These tags will allow Nessus users to “go deeper” and provide more specific filters. Here is an example listing of filters from a recent scan of my test lab:

01-filter

 

Tracking Exploitable Vulnerabilities

There are many ways to filter results from vulnerability scans and patch audits to identify exploitable issues. In the screen shot below, I’ve selected a filter to match any found vulnerabilities that correlate with exploits available from the CORE Exploit Framework.

02-core-exploit-filter

Previous Tenable blog posts have described how correlating exploits with vulnerabilities can provide you with more insight as to which systems could be adding more risk to your network than others. In short, you should consider what type of exposure a system may have to attacks from the Internet, from within a DMZ, or even from within your network by malicious insiders or clients that have been exploited with social engineering and malware.

Tracking Older Vulnerabilities

Nessus 5 can filter vulnerability scan results by the date a particular plugin was published (when Tenable produced a check for a known vulnerability), as well as the date the vulnerability was first published. You can also use filtering of parameters, such as, CERT ID, CVE, OSVDB, etc., and include strings such as “2010” to match records from the year 2010.

Below is a screen shot of scan results from my network with a filter for plugins written before January 1, 2009:

05-plugin-date-less-than-2009

Keep in mind that scans occur at one point in time and vulnerability dates are at a different point in time. If you scanned a system and saw that it was running Windows XP, the vulnerabilities may be from 2009, but the actual system could have been installed years later.

Exploitable Since 2008

Using Nessus 5’s time filter and exploitability filters, we can create a view into scan results that identifies vulnerabilities that have exploits that are also older than a certain time period. In the screen shot below, I created a filter for plugins written before January 1, 2008, that also had an exploit available. 

06-exploit-since-2008

In this case, the vulnerability was in the TFTP service and the exploit architecture was Canvas. 

SecurityCenter Exploit by Year Dashboard – Chart Vulnerabilities Exploitable Since 2002!

One of the first dashboards I made for SecurityCenter 4.2 combined assets, the exploitation filter, and strings for each year in a CVE filter. This displayed the total number of vulnerabilities for each asset on a yearly basis, as well as the total number of exploitable vulnerabilities on a yearly basis.

For this blog entry, I updated the dashboard to color cells green that had zero vulnerabilities and red for those that had at least one. Below is screen shot from my test lab:

04-Sc4-dashboard-cve-trend

The top chart lists vulnerabilities by assets by year from 2002 through 2011. The bottom chart lists the same data, but only shows exploitable vulnerabilities.

SecurityCenter has the ability to unify data from Nessus credentialed scans (patch audits), vulnerability scans, and network traffic monitoring via the Passive Vulnerability Scanner and organize the data into various repositories. This can help you create views and automate reporting based on boundary and asset classes, such as, the internal and exterior perimeters of DMZs, remote partners connecting through Intranets, home users connecting in through VPNs, server farm exposures to internal users, and much more.

For More Information

Previous Tenable Blog Entries

Tenable SecurityCenter Dashboards which track exploits

Tenable Media Sites