Approved

For a more robust vulnerability scanner we want to find a better search capability that would return a JSON structure so we can parse out useful information from the CVE

Vulnerability Scanner in a query

This query will perform a very basic vulnerability scan. What is does is generate a list of all installed applications on the device and collect their publisher, name and version information.  We exclude things from the list that do not have version numbers  (These tend to be patches/hotfixes from microsoft). Now that we have that list we craft a curl statement to check the CVE site on the internet with the appropriate search criteria.  The curl request will return HTML and we need to check that HTML to see if it has any results in it.  We use a key word match for an indicator that only shows on the HTML page if a result was found.  If we have a match we then show the result information with the URL that the admin can use to get more information on the identified vulnerability.

WARNING this is not a 'real' vulnerability scanner in that it is only checking for applications, it uses a very crude method to identify the application and matching CVE's ect. 

I thought it would be a nice toy for folks that do not have professional vulnerability scanners as it is better than nothing...

Only works on Windows and Windows Server. Likely has FP and FN challanges

Have FUN

WITH program_list AS ( 
   SELECT
      REPLACE(REPLACE(REPLACE(name,',',' '),'+',' '),'.',' ') name,  -- STRIP out some characters not normally found in product names to improve chances of finding it in the CSV DB
      version,
      REPLACE(REPLACE(REPLACE(publisher,',',' '),'+',' '),'.',' ') publisher
   FROM programs 
   WHERE version > ''
   )
/******************************************************************************************************\
| We will search for the Publisher, Product Name and version and use some wild cards '%'' after we     | 
| create a simple one word name for the publisher and product. The expectation is that these three     | 
| pices of information should be relativly unique, but we can still get FPs                            |
\******************************************************************************************************/
SELECT 
   publisher, 
   CAST(name AS TEXT) || ' ' || version Application, 
   url 'Identified CVE List' 
FROM program_list 
   JOIN curl ON 
      url = 'https://www.cvedetails.com/version-search.php?vendor=' 
         || replace(program_list.publisher, ltrim(program_list.publisher, replace(program_list.publisher, ' ', '')), '') 
         || '%&product=' 
         || replace(program_list.name, ltrim(program_list.name, replace(program_list.name, ' ', '')), '') 
         || '%&version=' 
         || program_list.version
WHERE result 
   LIKE '%Details for%';

  • I have the same behaviour. Have you been able to solve it? Is there anything else that needs to be taken in the script? 

  • I'd like to look into using a different service for the vuln scanner in a query.  I've been looking at NIST and their National Vuln Database and their API doesn't require authentication and it returns JSON based results!  A quick change up of the code above allows us to get a great set of information back that we can parse out into more fields within a Live Query.

    In this case I am limiting the scope to lookup to an specific application with or without a verson.  Keen to get this to search based off an iterated list from installed applications detected on the endpoint and then return more results as my JSON parsing is to the first entry.

    -- Variables $$Unmanaged App$$ as STRING
    
    WITH program_list AS ( 
       SELECT
          publisher,
          REPLACE(REPLACE(REPLACE(name,',',' '),'+',' '),'.',' ') name,
          version
       FROM programs 
       WHERE name LIKE '%$$Unmanaged App$$%'
          )
    
    SELECT 
       publisher, 
       CAST(name AS TEXT) Application,
       json_extract(curl.result,'$.result.CVE_Items[0].cve.CVE_data_meta.ID') CVE_ID,
       url 'NIST Vuln Info'
       
    FROM program_list 
       JOIN curl ON 
          url = 'https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=' 
             || replace(program_list.name, ltrim(program_list.name, replace(program_list.name, ' ', '')), '') 
             || '+' 
             || program_list.version

  • How do I see if it actually worked? Completed without data. Does it mean no vulnerabilities found or does it mean, it did'nt run as expected?

    Selected the 3 oldest machines here hoping to find some unpatched stuff.

    0 Complete, data sent

    3 Complete, no data sent

    0 Complete, errors

    0 Not responded yet

  • Hi Karl, great script. Is very very helpful in my case. Cheers!