Consolidated CVE information differs from original information
10-10-2023 01:43 AM
Hi, Community
Incorporates vulnerability information from NIST, TVM, and Tenable.
The CVE on ServiceNow is marked as "Exploit exists is Yes", but when checking the information on the main unit (for example, TVM), it may be "Exploit exists is No".
Is there anyone experiencing the same issue?
Also, could you tell me how to make the vulnerability information on ServiceNow and the original the same?
Regards
Meri

10-10-2023 04:09 PM
Hey there - good question.
This will vary depending on the specific integrations you have configured, as you pointed out.
For example, the Microsoft TVM integration will in fact update the "Exploit exists" field on a CVE record in the NVD Entry table, if the TVM Vulnerabilities (CVE) integration brings in an object for a given CVE-ID, where one or more Exploit Type exists - for example -> CVE-2021-1241...
The optional Shodan Exploit enrichment integration will also update the "Exploit exists" field on a CVE record in the NVD Entry table.
For Tenable, the Third-Party Entry itself would have the Exploit Exists context from the Tenable Plugin ID.
If you have Shodan Exploit Enrichment, Tenable, NVD, and TVM all running at the same time, then you'd want to look at the CVE record and the Exploit tab, to see which sources are present, and likely the driver for setting that Exploit Exists flag.
If you have specific examples, that might help to review (or perhaps if you feel they are erroneous - you could create a Support Case to have this further reviewed with real examples)...
Reference:
Useful resources:
- https://docs.servicenow.com/bundle/vancouver-security-management/page/product/secops-integration-vr/...
- https://docs.servicenow.com/bundle/vancouver-security-management/page/product/secops-integration-vr/...
10-11-2023 01:48 AM
Hi, ~andy-grTDIR.do
Thank you for replying.
I checked your information and my instance, and as you said, I was able to confirm the related list exploit.
Moreover, I have three questions.
Q1.
(1) Is it determined that there is an exploit if there is a record for the exploit in the related list?
(2) Also, if you are aware of (1), I have an additional question.
We have DEV, STG, and PROD environments, and we import the same vulnerability information into each environment.
For the same vulnerability information (e.g. CVE-2022-4132), "Exploit exists" differs in each environment. In addition, "Exploit" in the related list also differs. Why is there a difference in whether there is an exploit or not, even though we are referring to the same information?
- DEV: Exploit exists is No
- STG: Exploit exists is Yes
- PROD: Exploit exists is Yes
Q2.
Could you please explain in more detail why there is a difference between the presence of the exploit on the original and ServiceNow?
Regards
Meri

10-11-2023 09:15 AM
Hey there,
Q1) I wouldn't make this assumption, I had just seen you were trying to understand on a CVE Record, what might be setting the "Exploit Exists" field, and that will directly depend on what integrations you are using for SecOps VR ... Generally speaking, you would see the Exploit record as a related list object - when the CVE Exploit Exists is set to True, when using the ServiceNow Store Apps for either Microsoft TVM, Shodan Exploit Enrichment, etc. There may be other Store Apps out there that enrich the CVE Records differently, and do not create records in the Exploits related list tab.
Q2) To really diagnose the data parity issue across your instances, it'd be necessary to know what are all the SecOps VR integrations you are employing, when you started to run your imports, if the import jobs have failed at any point, reviewing examples / discrepancies - it is not quite a simple answer here.
For that specific CVE -> CVE-2022-4132 - assuming you are using the MS TVM for VR Integration - in each of your environments, on that CVE record - do you see anything in the Exploits related list?
--> As you mentioned in DEV - you don't see the Exploit Exists...
--> In DEV, has your "Microsoft TVM Vulnerability (CVE) Integration" job been running successfully?
--> Did we perform a historical import the first time (setting the Import since)?
--> Did we perform the historical import, to around the same date in STG or PRD - the first time?
It might be worth a NOW Support Case to further diagnose the issue across the instance(s) there - but assuming you are using MS TVM -> suspect that the "Microsoft TVM Vulnerability (CVE) Integration" job might be the culprit, perhaps we never collected the CVEs that far back in 2022 in DEV but did in the other instances, etc... You could try backdating an import (setting Import Since) back some time to Jan 1, 2022 in DEV and check that CVE again...
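An added sketch, not part of the thread and not ServiceNow code, of the cross-instance comparison discussed above: given per-instance exports of CVE records with their exploit flag and the sources in the Exploits related list, it reports where DEV, STG and PROD disagree. The record layout, field names, source labels and the placeholder CVE-0000-0001 are assumptions for illustration, and all data is constructed.

```python
# Constructed sample data. Field names and source labels are hypothetical
# stand-ins for a per-instance export of CVE records and their Exploits
# related list; they are not ServiceNow table or column names.
EXPORTS = {
    "DEV": [
        {"cve_id": "CVE-2022-4132", "exploit_exists": False, "sources": []},
        {"cve_id": "CVE-0000-0001", "exploit_exists": True, "sources": []},
    ],
    "STG": [
        {"cve_id": "CVE-2022-4132", "exploit_exists": True, "sources": ["source-a"]},
        {"cve_id": "CVE-0000-0001", "exploit_exists": True, "sources": []},
    ],
    "PROD": [
        {"cve_id": "CVE-2022-4132", "exploit_exists": True,
         "sources": ["source-a", "source-b"]},
    ],
}


def parity_report(exports):
    """Return {cve_id: finding} for CVEs whose exploit data needs review."""
    by_cve = {}
    for instance, records in exports.items():
        for rec in records:
            by_cve.setdefault(rec["cve_id"], {})[instance] = rec
    report = {}
    for cve_id, recs in sorted(by_cve.items()):
        flags = {i: r["exploit_exists"] for i, r in recs.items()}
        sources = {i: set(r["sources"]) for i, r in recs.items()}
        seen = set().union(*sources.values())
        finding = {
            "flags": flags,
            # CVE record never imported into these instances.
            "absent_in": sorted(set(exports) - set(recs)),
            # Exploit sources present elsewhere but not here (import-gap candidates).
            "missing_sources": {i: sorted(seen - s)
                                for i, s in sources.items() if seen - s},
            # Flag is Yes with no related-list record: set by some other path.
            "flag_without_record": sorted(
                i for i, f in flags.items() if f and not sources[i]),
        }
        if (len(set(flags.values())) > 1 or finding["absent_in"]
                or finding["missing_sources"] or finding["flag_without_record"]):
            report[cve_id] = finding
    return report


if __name__ == "__main__":
    for cve_id, finding in parity_report(EXPORTS).items():
        print(cve_id, finding)
```
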
10-11-2023 07:11 PM
Hi, ~andy-grTDIR.do
Thank you for telling me the details.
I apologize that my comprehension is lacking.
Q1) I understand "Exploit exist" depends on Exploit records in Related List and doesn't matter Tenable, TVM.
Is "Exploit exist" determined by the following integrations?
- CWE Comprehensive 2000 Integration
- NIST National Vulnerability Database Integration API (CVE and CPE)
Q2)
> In DEV, has your "Microsoft TVM Vulnerability (CVE) Integration" job been running successfully?
A. Yes, there haven't been any errors.
> Did we perform a historical import the first time (setting the Import since)?
A. No, we have executed the regular integration job for three months.
> Did we perform the historical import, to around the same date in STG or PRD - the first time?
A. Yes, CVE from Jan 1, 2022 onwards integrated into all environments.
Q3) Is there a way to make the original and ServiceNow vulnerability exploits the same?
Because there are fluctuations in the existence of exploits, we check the original information each time we respond to a vulnerability.
This is very time consuming and troublesome...
I would like to know the reason for the difference in the existence of exploits for the original and ServiceNow vulnerabilities.
And I want the exploit for the original and ServiceNow vulnerabilities to be the same.
Regards
Meri