How can one determine if a particular CVE is being checked for?

I have three CVEs that I want to know if InsightVM is testing for. I’ve identified these vulnerabilities using a different scanning tool and they aren’t showing up in InsightVM and I’m trying to figure out why.

Hey!
If you have the three CVEs on hand I can quickly check if we have coverage, and thus content, for them?

In general, our Recurring Coverage would be a great start to figuring out whether InsightVM has content for particular products or services.

CVE-2020-10108 - In Twisted Web < 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.
• 10.55.1.50
CVE-2020-10109 - In Twisted Web < 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
• 10.55.1.50

CVE-2022-21712 - Twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the twisted.web.RedirectAgent and twisted.web.BrowserLikeRedirectAgent functions.
• 10.55.1.50
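
Added example, not part of the original post and not code from Twisted or InsightVM: a strict check that a proxy, WAF rule prototype or test harness could apply to a request head to reject the two ambiguous body framings described in CVE-2020-10108 and CVE-2020-10109. The function name, host name and sample requests are constructed for illustration.

```python
# Added example (assumptions: function name and sample requests are constructed).
# Rejects request heads whose body length is ambiguous, instead of picking one
# interpretation the way the affected Twisted Web versions did.

def framing_problem(raw_head: bytes):
    """Return a reason string if body framing is ambiguous, else None."""
    head = raw_head.split(b"\r\n\r\n", 1)[0]
    lengths, has_te = [], False
    for line in head.split(b"\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(b":")
        # No colon, empty name, or whitespace around the name is malformed.
        if not sep or not name or name != name.strip():
            return "malformed header line"
        name = name.lower()
        if name == b"content-length":
            # A single field may also carry a comma-separated list.
            lengths += [v.strip() for v in value.split(b",")]
        elif name == b"transfer-encoding":
            has_te = True
    if any(not v.isdigit() for v in lengths):
        return "non-numeric Content-Length"
    if len(lengths) > 1:                            # CVE-2020-10108 pattern
        return "multiple Content-Length values"
    if lengths and has_te:                          # CVE-2020-10109 pattern
        return "Content-Length together with Transfer-Encoding"
    return None

# Constructed sample request heads (no bodies beyond a plain "hello").
TWO_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 28\r\nContent-Length: 0\r\n\r\n")
CL_AND_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")
CLEAN = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in [("two CL", TWO_CL), ("CL+TE", CL_AND_TE), ("clean", CLEAN)]:
        print(label, "->", framing_problem(req) or "ok")
```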

All right, thanks for those!

So while we don’t have recurring coverage for Twisted/Twisted Web, this falls under an interesting situation in which various Unix vendors have put forward remediated packages for these vulnerabilities. As we have recurring coverage for those vendors, we therefore have vulnerability checks specific to these vendors’ remediation(s).

I’ll use one example to illustrate this: CVE-2020-10109 for Amazon Linux AMI 2.
Amazon Linux have remediations for this put forward in ALAS-2-2020-1428, and as we cover them, we therefore have vulnerability content for CVE-2020-10109 that will run on AMI 2 assets.

Here’s what our coverage for these three vulnerabilities looks like:
CVE-2020-10108 & CVE-2020-10109:

  • RedHat Linux
  • Ubuntu
  • Debian
  • Oracle Solaris
  • Oracle Linux
  • FreeBSD
  • Amazon Linux AMI 2
  • CentOS
  • Gentoo

CVE-2022-21712:

  • Ubuntu
  • Suse
  • Debian
  • Gentoo Linux

If you’re assessing assets that run these operating systems, you’ll likely have visibility into remediation status for Twisted/Twisted Web. Outside of these, we don’t have recurring coverage.

If you’re assessing one of these operating systems and you’re not seeing the expected results, I’d suggest opening up a support case so our team can look into that 🙂 but hopefully this helps!

Thank you for digging into this on our behalf. So our issue is that this is being found on vCenter running the latest vCenter image. We had outside penetration testers identify these but Rapid7 InsightVM did not. So the internal team is like why didn’t we know about these? How can we validate that they’ve been fixed? Both of which are valid questions.

Hey, not a problem at all! Apologies for the delay, I was on leave for a bit.

As I said before, you’ll likely want to work on this via a Support case as a potential false-negative. From our side we’ll want to start by looking at the results being found by the scan (and any issues that might be present there), which isn’t particularly feasible via the Discuss forum.

That being said, the answer is likely to be that we don’t have recurring coverage for Twisted, which is why you haven’t seen any results here. At a quick glance there are no vCenter-specific advisories for these CVEs, meaning our vCenter-specific coverage wouldn’t have vulnerability checks for these either. As a last caveat, we only cover vCenter Server and not the underlying PhotonOS, which might also come into play.

I would recommend working through this with the Support team though, so we can confirm this for certain - the above is just a quick look at the overall situation.