Vulnerability Disappearance

We have been dealing with the CIFS Account PW Never Expires vulnerability and how to handle it, because we use CyberArk to rotate passwords. The box for “Password Never Expires” has to be checked for CyberArk to be able to do this, so naturally it gets flagged as a vulnerability. I was planning to exclude these, but when I went to check on all 200+ of them, only 15 remained. We (me, infrastructure, CyberArk) can’t figure out why or how or any of that. The box is still checked. The vulnerability itself hasn’t been modified for years. Scan engines are working fine. The 15 that are still here are on assets that haven’t been scanned in over a week. When I scanned one of them, the vulnerability disappeared, so now I’m down to 14.

Any ideas?
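The condition this finding describes, an account whose "Password Never Expires" box is ticked, is the DONT_EXPIRE_PASSWD bit (0x10000) of the Windows userAccountControl attribute. The following is an added example, not code from the thread, the scanner, or CyberArk: it decodes that bitmask for a constructed set of accounts, lists the ones a check like this would flag, and diffs two snapshots of findings so you can see exactly which assets dropped out between scans. The account names and UAC values are made up for illustration; in practice they would come from `Get-ADUser -Properties userAccountControl` or an LDAP query.

```python
# Added example (not from the original thread): decode the Windows
# userAccountControl bitmask to find accounts whose password never expires,
# and diff two scan snapshots to see which findings disappeared.
# All account data below is constructed for illustration.

# Documented userAccountControl flag values
ACCOUNTDISABLE      = 0x0002     # account is disabled
PASSWD_NOTREQD      = 0x0020     # no password required
NORMAL_ACCOUNT      = 0x0200     # default account type
DONT_EXPIRE_PASSWD  = 0x10000    # "Password never expires" checkbox
PASSWORD_EXPIRED    = 0x800000   # password has expired

UAC_FLAGS = {
    ACCOUNTDISABLE:     "ACCOUNTDISABLE",
    PASSWD_NOTREQD:     "PASSWD_NOTREQD",
    NORMAL_ACCOUNT:     "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    PASSWORD_EXPIRED:   "PASSWORD_EXPIRED",
}


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value.

    Bits not in UAC_FLAGS are reported as hex so nothing is silently dropped.
    """
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(UAC_FLAGS.get(mask, f"0x{mask:x}"))
    return names


def password_never_expires(uac, include_disabled=False):
    """True when DONT_EXPIRE_PASSWD is set.

    Disabled accounts are excluded by default, since a finding on an account
    that cannot log on is usually noise; pass include_disabled=True to keep them.
    """
    if not uac & DONT_EXPIRE_PASSWD:
        return False
    if uac & ACCOUNTDISABLE and not include_disabled:
        return False
    return True


def flagged_accounts(accounts, include_disabled=False):
    """Sorted names of accounts a never-expires check would flag.

    `accounts` maps account name -> userAccountControl integer.
    """
    return sorted(
        name for name, uac in accounts.items()
        if password_never_expires(uac, include_disabled)
    )


def diff_findings(previous, current):
    """Compare two snapshots of flagged asset/account names.

    Returns which findings disappeared, which are new, and which persist,
    so a drop from 200+ to 15 can be traced to specific assets.
    """
    previous, current = set(previous), set(current)
    return {
        "disappeared": sorted(previous - current),
        "new": sorted(current - previous),
        "persisting": sorted(previous & current),
    }


# Constructed sample: hypothetical account names and UAC values.
SAMPLE_ACCOUNTS = {
    "svc_backup": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD,                   # flagged
    "svc_sql":    NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD,                   # flagged
    "jdoe":       NORMAL_ACCOUNT,                                        # expires normally
    "old_svc":    NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | ACCOUNTDISABLE,  # disabled
}

if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS.items():
        print(f"{name:12s} 0x{uac:06x} {decode_uac(uac)}")
    print("flagged:", flagged_accounts(SAMPLE_ACCOUNTS))
    # Constructed snapshots of flagged hosts from two scan runs.
    last_week = ["fs01", "fs02", "fs03", "sql01"]
    today = ["fs03", "app07"]
    print("diff:", diff_findings(last_week, today))
```

The diff is the part worth running first: export the flagged asset list from the scan before the drop and the one after, feed both in, and the "disappeared" set tells you which hosts to re-check by hand with the decoder so you can confirm the flag is still set on the account regardless of what the scanner reports.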

Hi Todd,

I can’t seem to find the vulnerability you are talking about specifically. I have found one that may match, but I am not sure. Would you be able to share the vulnerability ID with me, and I might be able to provide more information? The ID of the one I think may match is the following vuln DB entry:

I have noticed there is no check logic for this, which means it should not trigger. However, from memory I am unsure if that would cause the flip in logic required to fire "not vulnerable" against the asset and clear the vulnerability. But it does sound like something is flipping the vulnerability status on the latest scans.

If you need an urgent answer, you can always reach out to support, who can usually do some review and get you a full answer within a few days. It takes some time because they actually go through to check the logic going on and check for any supersedence or correlation logic, but you’ll get a full answer.

Hi Conor,

Thanks for your response! Yes, that is the vulnerability that you linked: vulnID=4150, ID cifs-acct-password-never-expires. I don’t 100% understand the check logic that you mention. You say there is none, but I thought it was checking whether the account is flagged to expire or not. But I may just not fully understand. So I guess I am wondering what it is actually checking for and whether, like you mention, something got switched? I appreciate your help!