SQL Query for Multiple Vulns by CVE

Matt · November 22, 2021, 5:43pm

Hello, I’m really new to SQL so forgive my generic request. I’m looking for a specific solution and I’ve only been able to get my query to spit out some of the info I’m after.

First, I’m looking for a query that will pull a list of assets based on specific CVEs and lay it out where an asset has an individual row for each cve. So, if an asset is exposed to 3 of the 7 vulns I’m looking at, that hostname would have 3 rows, one for each cve.

My problem is two-fold. Firstly, I can get the query to run but it’s only pulling back information on the first OR condition meaning, it is finding assets vulnerable to cve-1 or cve-2 but doesn’t continue looking for assets exposed to cve-3 through cve-7 from what I can tell.

Second, the results that do come back are rolled up into a single row with cve-1 and cve-2 separated by commas in the nexpose_id column rather than each cve being on it’s own row. Again, I’m super green to SQL so I’m sure I’m overlooking something obvious here.

An example of my code is below (with the actual CVEs just generically labeled 1-7). I don’t really need the solution and fix in the report. I’m really just looking for CVE ID, Asset ID, IP, and Risk Score.

Thanks in advance!

WITH remediations AS (
    SELECT DISTINCT fr.solution_id AS ultimate_soln_id, summary, fix, estimate, riskscore, dshs.solution_id AS solution_id
    FROM fact_remediation(10,'riskscore DESC') fr
    JOIN dim_solution ds USING (solution_id)
    JOIN dim_solution_highest_supercedence dshs ON (fr.solution_id = dshs.superceding_solution_id AND ds.solution_id = dshs.superceding_solution_id)
),
 
assets AS (
    SELECT DISTINCT asset_id, host_name, ip_address
    FROM dim_asset
    GROUP BY asset_id, host_name, ip_address
)
 
SELECT DISTINCT
   csv(DISTINCT dv.nexpose_id) AS "Vulnerability InsightVM ID",
   host_name AS "Asset Hostname", ip_address AS "Asset IP",
   round(sum(dv.riskscore)) AS "Asset Risk"
 
FROM remediations r
   JOIN dim_asset_vulnerability_solution dvs USING (solution_id)
   JOIN dim_vulnerability dv USING (vulnerability_id)
   JOIN assets USING (asset_id)
 
WHERE (
dv.nexpose_id = 'msft-cve-1'
OR dv.nexpose_id = 'msft-cve-2'
OR dv.nexpose_id = 'msft-cve-3'
OR dv.nexpose_id = 'msft-cve-4'
OR dv.nexpose_id = 'msft-cve-5'
OR dv.nexpose_id = 'msft-cve-6'
OR dv.nexpose_id = 'msft-cve-7'
)
 
GROUP BY r.riskscore, host_name, ip_address, asset_id
ORDER BY "Asset Risk" DESC

holly_wilsey · November 29, 2021, 7:46pm

Hey Matt! I was looking through some of my saved queries and I found something that I think is similar to what you’re looking for. I made some small adjustments to it:

select dv.nexpose_id as "Vulnerability InsightVM ID", da.host_name,
       da.ip_address, round(dv.riskscore) as "Risk Score"
from dim_vulnerability dv
join fact_asset_vulnerability_finding favf
on dv.vulnerability_id = favf.vulnerability_id
join dim_asset da
on favf.asset_id = da.asset_id
where dv.nexpose_id in ('msft-cve-1', 'msft-cve-2', 'msft-cve-3')
group by dv.nexpose_id, da.host_name, da.ip_address, dv.riskscore

It’s different in structure to try to achieve the “one asset row per CVE” thing you mentioned. The “where” clause is also different to avoid any issues with using “OR’s.” So in this case you would just add whichever CVE’s to the list in parentheses that I created.

I hope that helps!

Matt · November 30, 2021, 7:36pm

Thank you so much for the reply, ma’am! I just tested it and unfortunately the report came back blank (other than the headers of course) . Any ideas?

holly_wilsey · November 30, 2021, 7:42pm

If it’s blank, my initial thought is that it’s related to the CVE’s used in the “where” clause. Did you update those to valid values to run the query against actual vulns that exist in your environment?

Engineer_Matt · December 6, 2021, 2:13pm

Yes, ma’am, I did. Even when I cut it down to just a single CVE, the query comes back blank.

troy_newcomb · December 7, 2021, 12:50am

@Engineer_Matt Try this, just replace with valid CVEs first:

SELECT dvr.reference, asset_id , da.ip_address, round(dv.riskscore::numeric, 0) AS risk

FROM fact_asset_vulnerability_finding favf 
   JOIN dim_asset da USING (asset_id) 
   JOIN dim_vulnerability dv USING (vulnerability_id) 
   JOIN dim_vulnerability_reference dvr using (vulnerability_id) 

where dvr.reference in ('CVE-2021-xxxx','CVE-2021-xxxx')

ORDER BY da.ip_address ASC, dv.title ASC

NOTE: Not all R7 vulnerabilities have a CVE reference like you would expect. As of today, there are 124 that are missing a CVE reference but do have a CVE mentioned in the title, description, or ID. I have Raised an R7 support case to try and get them fixed.

Engineer_Matt · December 8, 2021, 3:30pm

@troy_newcomb Thank you, sir! The script works perfectly. I’m going to open a case as well with our TAM regarding the missing CVEs. I was trying to figure out why it seemed like the script wasn’t pulling as many devices in as I thought but this makes perfect sense. Do you happen to have a list of which vulns are missing CVEs?

troy_newcomb · December 8, 2021, 9:04pm

@Engineer_Matt glad to hear the query worked.

The below list seems to be missing CVE references. My expectation is that if the vuln mentioned a CVE, it should be included in the CVE reference.

ubuntu-usn-3435-2
ubuntu-usn-3175-2
freebsd-vid-23af0425-9eac-11e5-b937-00e0814cab4e
ubuntu-usn-3260-2
freebsd-vid-97e86d10-2ea7-11e6-ae88-002590263bf5
redhat_linux-cve-2016-2518
ubuntu-usn-2915-3
ubuntu-usn-2915-2
ubuntu-usn-3391-3
ubuntu-usn-3391-2
ubuntu-usn-3477-4
ubuntu-usn-3477-2
ubuntu-usn-3477-3
ubuntu-usn-2936-3
ubuntu-usn-2936-2
freebsd-vid-b4051b52-58fa-11e2-853b-00262d5ed8ee
ubuntu-usn-2952-2
ubuntu-usn-3346-2
oracle_linux-elsa-2019-4611
oracle_linux-elsa-2019-4610
oracle_linux-elsa-2019-4609
ubuntu-usn-1687-1
oracle_linux-elsa-2021-14902
oracle_linux-elsa-2019-4756
ubuntu-usn-2908-4
freebsd-vid-7656fc62-a7a7-11e4-96ba-001999f8d30b
freebsd-vid-617959ce-a5f6-11e1-a284-0023ae8e59f0
ubuntu-usn-3522-4
linuxrpm-rhsa-2014-1948
ubuntu-usn-2516-3
amazon-linux-ami-alas-2015-552
amazon_linux-alas-2017-866
apachestruts2-s2-052
ubuntu-usn-2516-2
ubuntu-usn-3275-3
oracle_linux-elsa-2019-4598
ubuntu-usn-3087-2
ubuntu-usn-3239-3
suse-cve-2016-1551
ubuntu-usn-2903-2
ubuntu-usn-2950-5
amazon_linux-alas-2018-1047
oracle_linux-elsa-2019-4720
apsb10-22-unspecified-cve-2010-2884
oracle_linux-elsa-2018-4019
oracle_linux-elsa-2019-4719
ubuntu-usn-3579-2
ubuntu-usn-2935-2
debian-dsa-4179
ubuntu-usn-2950-3
ubuntu-usn-3544-2
oracle_linux-elsa-2019-4631
debian-dsa-3426
ubuntu-usn-2917-2
oracle_linux-elsa-2018-4018
linuxrpm-rhsa-2008-1044
freebsd-vid-152e4c7e-2a2e-11e2-99c7-00a0d181e71d
oracle_linux-elsa-2019-4718
freebsd-vid-95ee96f2-e488-11d9-bf22-080020c11455
freebsd-vid-63527d0d-b9de-11e4-8a48-206a8a720317
adobe-apsb10-14-adobe-flash-unspecified-cve-2010-2188
ubuntu-usn-3211-2
linuxrpm-rhsa-2011-0259
linuxrpm-elsa-2007-1052
oracle_linux-elsa-2020-5654
linuxrpm-rhsa-2013-0791
ubuntu-usn-3522-3
ubuntu-usn-2908-5
linuxrpm-elsa-2007-0501
oracle_linux-elsa-2018-4021
ubuntu-usn-2788-2
freebsd-vid-dbf9e66c-bd50-11e4-a7ba-206a8a720317
ubuntu-usn-1009-2
ubuntu-usn-3216-2
linuxrpm-elsa-2013-0214
ubuntu-usn-3253-2
ubuntu-usn-3047-2
ubuntu-usn-3177-2
ubuntu-usn-2950-2
ubuntu-usn-3366-2
oracle_linux-elsa-2021-15790
ubuntu-usn-2948-2
ubuntu-usn-2855-2
ubuntu-usn-2515-2
linuxrpm-rhsa-2008-1045
ubuntu-usn-3531-2
linuxrpm-elsa-2013-0213
ubuntu-usn-3430-3
oracle_linux-elsa-2018-4011
juniper-junos-os-jsa10918
appspider-apache-struts-2-framework-checks
ubuntu-usn-3239-2
freebsd-vid-f2b43905-3545-11e0-8e81-0022190034c0
ubuntu-usn-2985-2
ubuntu-usn-3276-2
ubuntu-usn-3480-2
ubuntu-usn-2950-4
ubuntu-usn-2232-4
ubuntu-usn-2880-2
amazon-linux-ami-alas-2015-496
ubuntu-usn-2497-1
ubuntu-usn-2910-2
freebsd-vid-3c259621-5d4a-11e5-9ad8-14dae9d210b8
ubuntu-usn-3272-2
ubuntu-usn-2909-2
freebsd-vid-7e01df39-db7e-11e5-b937-00e0814cab4e
freebsd-vid-0ab66088-4aa5-11e6-a7bd-14dae9d210b8
ubuntu-usn-3414-2
mfsa2013-20-cve-2013-0743
ubuntu-usn-3338-2
linuxrpm-rhsa-2014-1653
ubuntu-usn-928-1
ubuntu-usn-2935-3
ubuntu-usn-3480-3
oracle_linux-elsa-2018-4012
ubuntu-usn-3392-1
ubuntu-usn-2917-3
linuxrpm-rhsa-2008-1043
adobe-apsb10-16-adobe-flash-memory-corruption-cve-2010-2188
oracle_linux-elsa-2016-3523
f5-big-ip-k42644206
ubuntu-usn-3392-2
ubuntu-usn-3575-2
f5-big-ip-cve-2016-1551

Engineer_Matt · December 9, 2021, 1:30pm

Dumb question, kind of off topic but, I think it might be more wide-spread. Maybe you’ll know if the two are connected or not but, I did some looking and there are a bunch of CVE’s I can’t enter into the search bar and pull Vulnerability Results. Example, CVE-2021-34448. However, if I search by the vuln description, I can find it. So, when we pull queries, it grabs zero results in the output but we can clearly see there are machines susceptible to this vuln elsewhere in R7. Would the inability to search the vuln by CVE be an indicator that the vuln is missing the CVE reference?