Known Exploited Vulnerabilities Catalog

Does InsightVM ingest a catalog of known exploited vulnerabilities? Like the Known Exploited Vulnerabilities Catalog from CISA or some other source.
The idea is to first focus on assets that have vulnerabilities known to be actively exploited.

Yes, it reports if there is a known Malwarekit or Metasploit module available for the vulnerability.

Thank you for your reply.
Does it include your assets that are affected by the vulnerability?
For example: your assets include three servers. Two 2016 servers, one of these two is at a higher patch level than the other. One 2019 server.
A vulnerability for Server 2016 is published and being actively exploited. The affected version is the server at a lower patch level. Will the tool identify the affected server and the vulnerability that affects it?

Yes, it searches for vulnerabilities based on CVE or other criteria.

It will list out all the assets affected by this with a “Proof” as to why it is vulnerable.

If you are using the data warehouse, this query will show your exposure to the CISA Top Exploited CVEs as of 3/7/22. You will notice that items CISA reports as actively exploited are not flagged as such by Rapid7. CISA provides a CSV export of the CVEs; to ease updating the list, copy the CVEs to a txt file and run the following to get the right syntax. Then just update the WHERE clause in the data CTE.

sed "s/.*/'&'/" CVES.txt | paste -s -d ',' -   # quote each id and join with commas (no trailing comma, so it pastes straight into IN (...))

CISA Exploited SQL Report:
(edit) The severity_adjustment is an outcome of this specific project, where we noticed the Rapid7 Real Risk score was failing to provide an accurate risk profile when compared to CVSS or CISA. Many requests for info about how the risk_score is calculated went unresolved, so we’re trying to adjust it ourselves.

WITH
-- Vulnerabilities tagged 'Rapid7 Critical', plus any from our own custom_critical table
r7 AS (
    SELECT vulnerability_id, category_name
    FROM dim_vulnerability_category
    WHERE category_name = 'Rapid7 Critical'
    UNION
    SELECT vulnerability_id, 'Rapid7 Critical' AS "category_name"
    FROM custom_critical
),

-- One row per vulnerability instance whose CVE reference is on the CISA list,
-- with our own severity banding derived from the Rapid7 risk_score
data AS (
    SELECT dvr.*, asset_id, nexpose_id, title, cvss_score, cvss_vector, exploit, malware_kit, malware_popularity, cvss_v3_score, cvss_v3_vector,
        CASE
            WHEN risk_score >= 900 OR nexpose_id = 'tlsv1_0-enabled' OR (r7.category_name = 'Rapid7 Critical' AND nexpose_id NOT LIKE '%sweet32%') THEN 'Critical'
            WHEN risk_score >= 700 AND risk_score < 900 THEN 'High'
            WHEN risk_score >= 400 AND risk_score < 700 THEN 'Medium'
            ELSE 'Low'
        END AS "corp_severity"
    FROM dim_vulnerability_reference dvr
    JOIN fact_asset_vulnerability_instance USING(vulnerability_id)
    JOIN dim_vulnerability dv USING(vulnerability_id)
    LEFT JOIN r7 USING(vulnerability_id)
    -- Replace this list with the output of the sed/paste command above
    WHERE reference IN ('CVE-2021-27104','CVE-2021-27102','CVE-2021-27101','CVE-2021-27103','CVE-2021-21017','CVE-2021-28550','CVE-2018-4939','CVE-2018-15961','CVE-2018-4878','CVE-2020-5735','CVE-2019-2215','CVE-2020-0041','CVE-2020-0069','CVE-2017-9805','CVE-2021-42013','CVE-2021-41773','CVE-2019-0211','CVE-2016-4437','CVE-2019-17558','CVE-2020-17530','CVE-2017-5638','CVE-2018-11776','CVE-2021-30858','CVE-2019-6223','CVE-2021-30860','CVE-2020-27930','CVE-2021-30807','CVE-2020-27950','CVE-2020-27932','CVE-2020-9818','CVE-2020-9819','CVE-2021-30762','CVE-2021-1782','CVE-2021-1870','CVE-2021-1871','CVE-2021-1879','CVE-2021-30661','CVE-2021-30666','CVE-2021-30713','CVE-2021-30657','CVE-2021-30665','CVE-2021-30663','CVE-2021-30761','CVE-2021-30869','CVE-2020-9859','CVE-2021-20090','CVE-2021-27562','CVE-2021-28664','CVE-2021-28663','CVE-2019-3398','CVE-2021-26084','CVE-2019-11580','CVE-2019-3396','CVE-2021-42258','CVE-2020-3452','CVE-2020-3580','CVE-2021-1497','CVE-2021-1498','CVE-2018-0171','CVE-2020-3118','CVE-2020-3566','CVE-2020-3569','CVE-2020-3161','CVE-2019-1653','CVE-2018-0296','CVE-2019-13608','CVE-2020-8193','CVE-2020-8195','CVE-2020-8196','CVE-2019-19781','CVE-2019-11634','CVE-2020-29557','CVE-2020-25506','CVE-2018-15811','CVE-2018-18325','CVE-2017-9822','CVE-2019-15752','CVE-2020-8515','CVE-2018-7600','CVE-2021-22205','CVE-2018-6789','CVE-2020-8657','CVE-2020-8655','CVE-2020-5902','CVE-2021-22986','CVE-2021-35464','CVE-2019-5591','CVE-2020-12812','CVE-2018-13379','CVE-2020-16010','CVE-2020-15999','CVE-2021-21166','CVE-2020-16017','CVE-2021-37976','CVE-2020-16009','CVE-2021-30632','CVE-2020-16013','CVE-2021-30633','CVE-2021-21148','CVE-2021-37973','CVE-2021-30551','CVE-2021-37975','CVE-2020-6418','CVE-2021-30554','CVE-2021-21206','CVE-2021-38000','CVE-2021-38003','CVE-2021-21224','CVE-2021-21193','CVE-2021-21220','CVE-2021-30563','CVE-2020-4430','CVE-2020-4427','CVE-2020-4428','CVE-2019-4716','CVE-2016-3715','CVE-2016-3718','CVE-2020-15505','CVE-2021-30116','CVE-2020-7961','CVE-2021-23874','CVE-2021-22506','CVE-2021-22502','CVE-2014-1812','CVE-2021-38647','CVE-2016-0167','CVE-2020-0878','CVE-2021-31955','CVE-2021-1647','CVE-2021-33739','CVE-2016-0185','CVE-2020-0683','CVE-2020-17087','CVE-2021-33742','CVE-2021-31199','CVE-2021-33771','CVE-2021-31956','CVE-2021-31201','CVE-2021-31979','CVE-2020-0938','CVE-2020-17144','CVE-2020-0986','CVE-2020-1020','CVE-2021-38645','CVE-2021-34523','CVE-2017-7269','CVE-2021-36948','CVE-2021-38649','CVE-2020-0688','CVE-2017-0143','CVE-2016-7255','CVE-2019-0708','CVE-2021-34473','CVE-2020-1464','CVE-2021-1732','CVE-2021-34527','CVE-2021-31207','CVE-2019-0803','CVE-2020-1040','CVE-2021-28310','CVE-2020-1350','CVE-2021-26411','CVE-2019-0859','CVE-2021-40444','CVE-2017-8759','CVE-2018-8653','CVE-2019-0797','CVE-2021-36942','CVE-2019-1215','CVE-2018-0798','CVE-2018-0802','CVE-2012-0158','CVE-2015-1641','CVE-2021-27085','CVE-2019-0541','CVE-2017-11882','CVE-2020-0674','CVE-2021-27059','CVE-2019-1367','CVE-2017-0199','CVE-2020-1380','CVE-2019-1429','CVE-2017-11774','CVE-2020-0968','CVE-2020-1472','CVE-2021-26855','CVE-2021-26858','CVE-2021-27065','CVE-2020-1054','CVE-2021-1675','CVE-2021-34448','CVE-2020-0601','CVE-2019-0604','CVE-2020-0646','CVE-2019-0808','CVE-2021-26857','CVE-2020-1147','CVE-2019-1214','CVE-2016-3235','CVE-2019-0863','CVE-2021-36955','CVE-2021-38648','CVE-2020-6819','CVE-2020-6820','CVE-2019-17026','CVE-2019-15949','CVE-2020-26919','CVE-2019-19356','CVE-2020-2555','CVE-2012-3152','CVE-2020-14871','CVE-2015-4852','CVE-2020-14750','CVE-2020-14882','CVE-2020-14883','CVE-2020-8644','CVE-2019-18935','CVE-2021-22893','CVE-2020-8243','CVE-2021-22900','CVE-2021-22894','CVE-2020-8260','CVE-2021-22899','CVE-2019-11510','CVE-2019-11539','CVE-2021-1906','CVE-2021-1905','CVE-2020-10221','CVE-2021-35395','CVE-2017-16651','CVE-2020-11652','CVE-2020-11651','CVE-2020-16846','CVE-2018-2380','CVE-2010-5326','CVE-2016-9563','CVE-2020-6287','CVE-2020-6207','CVE-2016-3976','CVE-2019-16256','CVE-2020-10148','CVE-2021-35211','CVE-2016-3643','CVE-2020-10199','CVE-2021-20021','CVE-2019-7481','CVE-2021-20022','CVE-2021-20023','CVE-2021-20016','CVE-2020-12271','CVE-2020-10181','CVE-2017-6327','CVE-2019-18988','CVE-2017-9248','CVE-2021-31755','CVE-2020-10987','CVE-2018-14558','CVE-2018-20062','CVE-2019-9082','CVE-2019-18187','CVE-2020-8467','CVE-2020-8468','CVE-2020-24557','CVE-2020-8599','CVE-2021-36742','CVE-2021-36741','CVE-2019-20085','CVE-2020-5849','CVE-2020-5847','CVE-2019-16759','CVE-2020-17496','CVE-2019-5544','CVE-2020-3992','CVE-2020-3950','CVE-2021-22005','CVE-2020-3952','CVE-2021-21972','CVE-2021-21985','CVE-2020-4006','CVE-2020-25213','CVE-2020-11738','CVE-2019-9978','CVE-2021-27561','CVE-2021-40539','CVE-2020-10189','CVE-2019-8394','CVE-2020-29583','CVE-2021-22204','CVE-2021-40449','CVE-2021-42321','CVE-2021-42292','CVE-2020-11261','CVE-2018-14847','CVE-2021-37415','CVE-2021-40438','CVE-2021-44077','CVE-2021-44515','CVE-2019-13272','CVE-2021-35394','CVE-2019-7238','CVE-2019-0193','CVE-2021-44168','CVE-2017-17562','CVE-2017-12149','CVE-2010-1871','CVE-2020-17463','CVE-2020-8816','CVE-2019-10758','CVE-2021-44228','CVE-2021-43890','CVE-2021-4102','CVE-2021-22017','CVE-2021-36260','CVE-2020-6572','CVE-2019-1458','CVE-2013-3900','CVE-2019-2725','CVE-2019-9670','CVE-2018-13382','CVE-2018-13383','CVE-2019-1579','CVE-2019-10149','CVE-2015-7450','CVE-2017-1000486','CVE-2019-7609','CVE-2021-27860','CVE-2021-32648','CVE-2021-25296','CVE-2021-25297','CVE-2021-25298','CVE-2021-40870','CVE-2021-33766','CVE-2021-21975','CVE-2021-21315','CVE-2021-22991','CVE-2020-14864','CVE-2020-13671','CVE-2020-11978','CVE-2020-13927','CVE-2006-1547','CVE-2012-0391','CVE-2018-8453','CVE-2021-35247','CVE-2022-22587','CVE-2021-20038','CVE-2020-5722','CVE-2020-0787','CVE-2017-5689','CVE-2014-1776','CVE-2014-6271','CVE-2014-7169','CVE-2022-21882','CVE-2021-36934','CVE-2020-0796','CVE-2018-1000861','CVE-2017-9791','CVE-2017-8464','CVE-2017-10271','CVE-2017-0263','CVE-2017-0262','CVE-2017-0145','CVE-2017-0144','CVE-2016-3088','CVE-2015-2051','CVE-2015-1635','CVE-2015-1130','CVE-2014-4404','CVE-2022-22620','CVE-2022-24086','CVE-2022-0609','CVE-2019-0752','CVE-2018-8174','CVE-2018-20250','CVE-2018-15982','CVE-2017-9841','CVE-2014-1761','CVE-2013-3906','CVE-2022-23131','CVE-2022-23134','CVE-2022-24682','CVE-2017-8570','CVE-2017-0222','CVE-2014-6352','CVE-2022-20708','CVE-2022-20703','CVE-2022-20701','CVE-2022-20700','CVE-2022-20699','CVE-2021-41379','CVE-2020-1938','CVE-2020-11899','CVE-2019-16928','CVE-2019-1652','CVE-2019-1297','CVE-2018-8581','CVE-2018-8298','CVE-2018-0180','CVE-2018-0179','CVE-2018-0175','CVE-2018-0174','CVE-2018-0173','CVE-2018-0172','CVE-2018-0167','CVE-2018-0161','CVE-2018-0159','CVE-2018-0158','CVE-2018-0156','CVE-2018-0155','CVE-2018-0154','CVE-2018-0151','CVE-2017-8540','CVE-2017-6744','CVE-2017-6743','CVE-2017-6740','CVE-2017-6739','CVE-2017-6738','CVE-2017-6737','CVE-2017-6736','CVE-2017-6663','CVE-2017-6627','CVE-2017-12319','CVE-2017-12240','CVE-2017-12238','CVE-2017-12237','CVE-2017-12235','CVE-2017-12234','CVE-2017-12233','CVE-2017-12232','CVE-2017-12231','CVE-2017-11826','CVE-2017-11292','CVE-2017-0261','CVE-2017-0001','CVE-2016-8562','CVE-2016-7855','CVE-2016-7262','CVE-2016-7193','CVE-2016-5195','CVE-2016-4117','CVE-2016-1019','CVE-2016-0099','CVE-2015-7645','CVE-2015-5119','CVE-2015-4902','CVE-2015-3043','CVE-2015-2590','CVE-2015-2545','CVE-2015-2424','CVE-2015-2387','CVE-2015-1701','CVE-2015-1642','CVE-2014-4114','CVE-2014-0496','CVE-2013-5065','CVE-2013-3897','CVE-2013-3346','CVE-2013-1675','CVE-2013-1347','CVE-2013-0641','CVE-2013-0640','CVE-2013-0632','CVE-2012-4681','CVE-2012-1856','CVE-2012-1723','CVE-2012-1535','CVE-2012-0507','CVE-2011-3544','CVE-2011-1889','CVE-2011-0611','CVE-2010-3333','CVE-2010-0232','CVE-2010-0188','CVE-2009-3129','CVE-2009-1123','CVE-2008-3431','CVE-2008-2992','CVE-2004-0210','CVE-2002-0367')
)
-- One row per CVE/vulnerability, with affected asset and instance counts
SELECT reference AS "CVE", corp_severity,
    CASE
        -- Network-reachable with complete C/I/A impact: band by CVSS score, regardless of risk_score
        WHEN cvss_vector ~~ 'AV:N%C:C/I:C/A:C' AND cvss_score >= 9 THEN 'Critical'
        WHEN cvss_vector ~~ 'AV:N%C:C/I:C/A:C' AND cvss_score >= 7 AND cvss_score < 9 THEN 'High'
    END AS "severity_adjustment",
    nexpose_id, title, cvss_score, cvss_vector,
    exploit, malware_kit, malware_popularity,
    cvss_v3_score, cvss_v3_vector,
    COUNT(DISTINCT asset_id) AS "asset_count", COUNT(vulnerability_id) AS "vulnerability_count"
FROM data
GROUP BY 1,2,3,4,5,6,7,8,9,10,11,12
ORDER BY reference DESC
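An added example (not from the post above or from Rapid7) that builds the WHERE clause of the data CTE straight from the CISA KEV CSV export instead of a hand-made txt file: it drops the header, takes the first column (assumed to be the cveID column of the export), discards malformed ids, dedupes, and joins the quoted ids without a trailing comma. The sample CSV is constructed inline; the function and variable names are the example's own.

```shell
#!/bin/sh
# Emit the quoted, comma-separated CVE list the data CTE's IN (...) expects.
# Reads the KEV CSV on stdin; assumes column 1 is cveID, as in the CISA export.
kev_in_list() {
    tail -n +2 |                            # drop the header row
    cut -d, -f1 |                           # first column: cveID
    tr -d '\r "' |                          # strip CRLF and stray quotes
    grep -E '^CVE-[0-9]{4}-[0-9]{4,}$' |    # keep only well-formed ids
    sort -u |                               # dedupe (KEV sometimes repeats ids)
    sed "s/.*/'&'/" |                       # quote each id
    paste -s -d ',' -                       # join with commas, no trailing comma
}

# Wrap the list in the clause to paste over the WHERE line of the data CTE.
kev_where_clause() {
    printf "WHERE reference IN (%s)\n" "$(kev_in_list)"
}

# Constructed sample in the KEV CSV layout (not a real export; one duplicate
# row and one junk row are included on purpose).
SAMPLE_KEV=$(cat <<'EOF'
cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate
CVE-2021-44228,Apache,Log4j2,Apache Log4j2 Remote Code Execution Vulnerability,2021-12-10,see advisory,Apply updates per vendor instructions.,2021-12-24
CVE-2020-1472,Microsoft,Netlogon,Microsoft Netlogon Privilege Escalation Vulnerability,2021-11-03,see advisory,Apply updates per vendor instructions.,2021-11-17
CVE-2019-19781,Citrix,ADC and Gateway,Citrix ADC and Gateway Directory Traversal Vulnerability,2021-11-03,see advisory,Apply updates per vendor instructions.,2021-11-17
CVE-2021-44228,Apache,Log4j2,duplicate row,2021-12-10,see advisory,Apply updates per vendor instructions.,2021-12-24
not-a-cve,Junk,Junk,malformed row,2021-11-03,see advisory,none,2021-11-17
EOF
)

# Usage with a real export: curl -sSL <KEV csv url> | kev_where_clause
printf '%s\n' "$SAMPLE_KEV" | kev_where_clause
```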