CISA's Known-Exploited Vulnerabilities Catalog

CISA maintains a list of CVEs known to be being actively exploited, available here:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Is there any work being done to create a InsightVM dashboard widget, report, etc that will show us if any of the vulnerabilities in our org are on this list?

2 Likes

Hi there, the CVEs tracked by CISA’s KEV catalog are included in two dashboard cards:

  • Assets With Actively Targeted Vulnerabilities
  • Most Common Actively Targeted Vulnerabilities

Please see this blog post for some background on those cards.

Greg is probably right about those dashboard cards including CISA. If you are just interested in the CISA catalog, I use the following powershell script to download and parse the catalog. The script will generate the query that I then paste in Query Builder. (Switch to Expert and copy the result in Vulnerability filter). Please note the script does not output anything on the screen, it is only putting the data in the clipboard.

$CISA_Catalog = Invoke-WebRequest https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json | ConvertFrom-Json
$Vuln = $CISA_Catalog.vulnerabilities.cveID
$Query = “vulnerability.cveIds IN [”
ForEach ($CVEID in $Vuln)
{
$Query = $Query + “’” + $CVEID + “’,”
}
$Query = $Query.Substring(0,$Query.Length-1)
$Query = $Query + “]”
$Query | clip

1 Like

I would love to see this included in the product natively. We are doing similar to Sylvain and manually keeping a dashboard query up to date when CISA releases things, but it would be great for Rapid7 to keep it pre-populated for us.

The widgets Greg mentioned are a good start, but it would be a whole lot cleaner if there was a Dashboard Query that was maintained by Rapid7 via some automated process, or Rapid7-maintained dashboard we could load from the R7 Library, or something like that. Something that specifically said ‘CISA Known-Exploited Vulnerabilities Catalog’ so I know what I’m looking at. Making it a query that filters down the data across the entire dashboard provides other visuals and more data than just what is in those two widgets. But, I need visibility enough to know what filter I’m applying so I know I’m looking at the right thing.

I like Sylvain’s way of getting to that list, as a band-aid until there is something baked in. Thank you very much for sharing that. I ported that code to python for those of us on Macs instead of Windows.

#!python
import urllib2, json

catalog = json.loads(urllib2.urlopen('https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json').read())

cvelist = 'vulnerability.cveIds IN [' + ', '.join(['\'{}\''.format(x['cveID'].encode('ascii', 'ignore')) for x in catalog['vulnerabilities']]) + ']'

print cvelist

### bonus: if you want to auto copy into clipboard, 'pip install pyperclip' then un-# these:
#import pyperclip
#pyperclip.copy(cvelist)


Great to see this thread. We are also manually creating this list of CVEs and making a query for it in R7. +1 that it would be great to have this natively.

I used the Rapid7 python library and InsightVM console API to automatically import the list of cve’s every week in to a group for easy tracking.

# get the json data CISA and convert to python json text
url = requests.get('https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json')
text = url.text
jsondata = json.loads(text)

#pull out just the vulnerabilities section of the json file
listofvulns = jsondata['vulnerabilities']

# create an instance of the API class
api_instance = rapid7vmconsole.AssetGroupApi(client)

id = 123 # int | The identifier of the asset group.
CISACVEs = []
for x in listofvulns:
	CVECriteria = { "field": "cve", "operator": "is", "value": x['cveID'] }
	CISACVEs.append(CVECriteria)
matchAnyOrAll='any'
criteria = rapid7vmconsole.SearchCriteria(match=matchAnyOrAll,filters=CISACVEs) # SearchCriteria | The search criteria specification. (optional)
api_instance.set_asset_group_search_criteria(id, criteria=criteria)

Check it out!!! CISA Kev is now a dedicated category in 6.6.136 :smiling_face_with_three_hearts: this is gonna make our lives so much easier. Thank you R7

image

2 Likes

This is very helpful! I am having an issue though. I believe I figured out how to get to copy into the Vulnerability filter in expert mode - bit list of cve’s show up. But when I go about filling in the other filters within expert mode, I don’t get the option to apply and see what is generated. What might I be missing? What do you put in the Asset filter and Finding filter?

Like another posted, this is great the Rapid7 is incorporating the CISA KEV.
image

However, comparing my remediation projects I created based on the CISA KEV website to the R7 vuln category they’ve created and it is missing a number of CVEs. At first I thought that maybe it’s just because some are semi new - end of March that I already have. But I noticed that is not the case since it did match up with one from the CISA KEV that is end of March. This leads me to wonder if the CISA KEV database R7 has is incomplete and not fully populated. This can be an issue especially for those that are having to get these remediated by the CISA due date; which is typically two weeks.

Is anyone else seeing discrepancies in the catalog vs their CVEs and compared to what their query comes back with “vulnerability.categories STARTS WITH ‘cisa kev’”? I recommend double checking the old fashion way to be sure.

I’m seeing the same thing on my end - the CISA KEV category is missing a large number of CVEs from my manually populated list. I checked a number of older vulnerabilities, and they weren’t in the CISA KEV category. I’m hoping this gets filled out from R7’s end, but until then, I agree, worth keeping with the old fashioned way.

1 Like

Agreed with @steve_spohn and @todd_cox . For example, all Microsoft Windows CVEs are missing from the Rapid7 CISA KEV category. So despite my initial excitement we can’t use this yet and are back to updating our queries manually :disappointed:

1 Like

This should now be fixed, with the CISA KEV category now correctly identifying the missing Microsoft Windows CVEs

3 Likes

Thank you Kevin for letting us know! Looking much better on our end. :slightly_smiling_face:

1 Like