Vulnerability Exceptions

We are being asked by our internal audit department to provide a count of how many vulnerabilities have been excepted by various asset groups. For instance we have an asset group for workstations. Is there a query that would provide a list of what vulnerabilities have been excpepted on this asset group and a count for the number of instances for each vulnerability.

There doesn’t seem to be a good dashboard or way to view what vulnerability exceptions have been applied to what system aside from viewing the asset page of each device

Hopefully this question make some sense.

As a concrete example we have vulnerability exceptions in place for any workstation for the following vulnerabilities but not all workstations will have these vulnerabilities.

Obsolete version of Microsoft MSXML 4

Cisco AnyConnect: CVE-2021-1366: Cisco AnyConnect Secure Mobility Client for Windows with VPN Posture (HostScan) Module DLL Hijacking Vulnerability]

Is there a way to get a count of the instances that each of these vulnerabilities have exceptions for on this asset group?

1 Like

Anyone have any ideas on how to do this? All I really need to do is figure out how many systems have a particular exception applied to them. There has to be some way to get this either via a SQL query or from within the data warehouse.

If I’m correctly understanding the data you need, I think you could do this just by using the dim_vulnerability_exception table. It contains every instance of an exception and you can sort by asset ID or group.

select count(dve.vulnerability_exception_id)
from dim_vulnerability_exception dve
join dim_asset_group dag on dve.group_id = dag.asset_group_id
where dag.name = 'Asset Group Name'

Hi Holly,

Thanks for your help. Lets say I wanted to get a list of hostnames and IP addresses that had exceptions in place for a particular vulnerability? Is there a way to do that with SQL inside of Rapid7? I can see that when I look up a vulnerability Rapid7 will tell me how many exceptions exist for it but there doesn’t seem to be an easy way to get a list of hostnames/IP addresses of the systems that have the exception in place.

Hi Gabe! Getting that info with SQL should be doable, though your query is going to differ depending on the type of vulnerability exception. This is because exceptions can vary when it comes to scope, since they can be global, or done by asset, site, asset group, etc. The dim_vulnerability_exception table has some descriptions toward the bottom that can make it a little easier to understand.

So if the scope of your exception is site-level, your query would join with the dim_site_asset table to get the ID’s of those assets, and the with the dim_asset table to get the IP and hostname you’re looking for. If your scope is an asset group, that would mean joining with the dim_asset_group_asset table to get the ID’s of those in that asset group.

Here’s a simple example of what it would look like with a site-level scope. Hopefully that helps.

select vulnerability_exception_id, da.ip_address, da.host_name
from dim_vulnerability_exception dve
join dim_site_asset dsa
on dve.site_id = dsa.site_id
join dim_asset da
on dsa.asset_id = da.asset_id
where vulnerability_id = 'ID'