
Common Platform Enumeration (CPE) with Nessus


You may know the folks over at MITRE for their work on the CVE (Common Vulnerabilities & Exposures). Standards such as CVE help us track and document thousands of vulnerabilities released each year. Along the same lines, a new project from MITRE called CPE (Common Platform Enumeration) provides the public with a standard method to enumerate software:

"CPE is a structured naming scheme for information technology systems, platforms, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name."


For uniformity, CPE uses the following format:

cpe:/ {part} : {vendor} : {product} : {version} : {update} : {edition} : {language}

Each field is defined as follows, starting with the required fields:

  • Part - Determines the platform type using the following codes: a = application, h = hardware, o = operating system
  • Vendor - Defines the vendor name as the "highest organization-specific label of the organization's DNS name", which, in our case, would be "Tenable Security".
  • Product - Product name as specified in the CPE database, e.g., itunes, quicktime and firefox

The following fields are "optional" and completed according to each specific entry:

  • Version - The version numbers as represented by the product itself.
  • Update - The CPE name for the update or service pack, such as "Service Pack 3" in the case of Windows XP.
  • Edition - The edition of the software, such as "pro" for "Professional Edition". For hardware, this would also denote the architecture, such as "i386".
  • Language - For example, "English" or other language as specified by the software.
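To make the field layout concrete, the following added example (not part of the original post and not Nessus code) parses a name in the format above and filters a list of reported names against a shorter pattern. The function names, the matching rule (an empty field in the pattern matches anything) and the sample names are assumptions made for illustration.

```python
from typing import NamedTuple
from urllib.parse import unquote

FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
PART_CODES = {"a": "application", "h": "hardware", "o": "operating system"}


class CPE(NamedTuple):
    part: str
    vendor: str
    product: str
    version: str = ""
    update: str = ""
    edition: str = ""
    language: str = ""


def parse_cpe(uri: str) -> CPE:
    """Parse a cpe:/ name into its seven fields; omitted fields become ''."""
    if not uri.lower().startswith("cpe:/"):
        raise ValueError(f"not a CPE name: {uri!r}")
    parts = uri[5:].split(":")
    if len(parts) > len(FIELDS):
        raise ValueError(f"too many fields in {uri!r}")
    # Decode percent-escapes per field and compare in lowercase.
    values = [unquote(p).lower() for p in parts]
    values += [""] * (len(FIELDS) - len(values))
    cpe = CPE(*values)
    if cpe.part not in PART_CODES:
        raise ValueError(f"unknown part code {cpe.part!r}")
    if not cpe.vendor or not cpe.product:
        raise ValueError("vendor and product are required")
    return cpe


def matches(pattern: CPE, candidate: CPE) -> bool:
    """Example rule: every non-empty pattern field must equal the candidate's."""
    return all(p == "" or p == c for p, c in zip(pattern, candidate))


def select(pattern_uri: str, reported: list[str]) -> list[str]:
    """Return the reported names covered by pattern_uri."""
    pattern = parse_cpe(pattern_uri)
    return [u for u in reported if matches(pattern, parse_cpe(u))]


# Constructed sample: names a scan report might list.
REPORTED = [
    "cpe:/o:microsoft:windows_xp::sp2",
    "cpe:/o:microsoft:windows_xp::sp3",
    "cpe:/a:apple:itunes:8.0",
]
```

Note that an empty version field still occupies its position, which is why the service pack in the sample names appears after a double colon.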

Currently the official CPE dictionary has approximately 20,000 unique CPE IDs. You can find some use cases and more technical details on the official CPE web site at http://cpe.mitre.org/.

CPE and Nessus

Recently a Nessus plugin (and associated library) was developed that includes CPE information about supported targets. If no entry exists in the CPE database, the plugin will attempt to create one and apply all of the appropriate information in the CPE-defined format. I ran a scan against my test network and then filtered for CPE entries:


cpe_filter.png

The first scan I ran was network-based and did not include credentials to any of the target hosts. A Windows XP host on the network provided the following CPE information:

cpe_network.png

Since both Service Pack 2 and 3 are installed on this system, Nessus reports both in the CPE section of the report. Network services are also enumerated and the associated CPE information is included as shown by the Solaris host included in the scan:

solaris_cpe.png

If no CPE matches are found, Nessus will report the information as an "inferred" CPE, as is the case with the following Ubuntu system:

Picture 242.png

More detailed CPE information was collected when I added credentials to the scan, as shown by the following Windows XP host:

Picture 241.png

Conclusion

CPE is another great project from the folks over at MITRE and helps organizations standardize on a format that can enumerate the software running on a host. This is important for software inventory, vulnerability management and especially interoperability between tools.
Tenable is very committed to open standards such as CPE, which is also supported in Tenable's Passive Vulnerability Scanner. CPE tags can be leveraged inside SecurityCenter 4 for asset tagging, discovery and reporting. Look for more blogs from Tenable in the near future which will discuss strategies to leverage active and passive network discovery with CPE enumeration.