The BigFix Team is pleased to announce the release of the CVE Search Dashboard and Web Report as part of a new Vulnerability Reporting site (included in the BigFix Lifecycle and Compliance suites)! This solution enables quick and easy methods to search for Fixlet content associated with vulnerabilities based on a list of CVE IDs. These can be pre-defined (such as the CISA Known Exploited Vulnerabilities) or user-defined lists.
For a given CVE, BigFix users will be able to report on the following via either the Console Dashboard or Web Report:
BigFix Fixlet coverage:
Provides detailed visibility into available content across all HCL-published Fixlet sites associated with the CVE in question
Total Fixlet count per CVE
Total count of vulnerable instances based on Fixlet applicability
Additional CVE metadata (such as CVSS) where available
The CVE Search Dashboard provides an additional ability to create remediation baselines for selected CVEs or Fixlets.
Several things the dashboard offers (probably not exhaustive) -
Search on a list of CVEs, not just one-at-a-time.
Prebuilt list for CISA KEV (BOD 22-01). US Gov and Critical Infrastructure are responsible to report and remediate a specific “Known Exploited Vulnerabilities” list, and we package that list as a preset
Report includes which CVEs are not covered by BigFix content - so it’s visible that certain hardware/router/firewall/third party CVEs need outside checking.
Report includes CVEs that are covered by BigFix, but delivered in sites you have not enabled - so some guidance you may need to subscribe/activate additional sites.
Ability to create a Baseline from the CVEs, either all of the Fixlets or only the relevant ones.
This is really interesting but the problem I have is how do we validate those vulnerabilities IF they are essentially not covered by BigFix? In other words, dashboard shows “0” instances found but you can clearly see that Fixlet Count = 0, which automatically means that the instance data is untrustworthy, doesn’t it? How would BigFix know that the instances are 0 if it doesn’t have fixlets to confirm it and if that is the case, then it really should have some kind of way to highlight that it may not really be “0”. Similarly, some kind of indication that one may be covered by a site that is not enabled would also be good. Last but not least, the fact it has no export capability, even in Web Reports, is a bit limiting.
One additional question - does the dashboard support custom content?
Are there “Next Steps”/Long-term plans to take this further? For example, if this is ever linked to IVR where you do have another source of vulnerability discovery and you can in fact confirm what the true found instances are even for stuff not covered by BigFix, it would be something…
I used this today properly with almost 300 CVEs that were listed and it returned 0 on 0; however, the frustrating part was that when I wanted then to check just a few CVEs I had to manually remove all the ones listed. There’s no clear or reset button.
Agreed! This is a good suggestion, thank you. We can work to improve the “Instances Found” and Fixlet counts fields to provide additional context based on Fixlet Availability.
Actually, there is an ability to export in both the Dashboard, and the Web Report! We will update the documentation (and include links here), but you can export by clicking the following button:
I’ll check/confirm on custom content support and follow up. And yes, there are absolutely plans to improve this, and we appreciate your feedback to help us do so!
Agreed, a clear or reset button on the Search screen would be helpful, thank you for the suggestion. In the meantime, one workaround is to right-click in the white space, and select “reload”:
I found that if you add the CVE numbers to the CVE ID field on the properties tab of the task or fixlet, your custom content would show up in the list. Depending on how many CVEs are fixed with a particular version of that software, the list can get quite long.
Good day all; I am in an airgap env, I just downloaded a new response file and went into the license Overview screen looking to enable vulnreport, but I am not seeing it. vulnreport, I do see one called Managed Vulnerabilities. Is this the same thing?
Thanks Marjan;
I did go through the update process. I think because we are on an isolated network it is not pulling down the latest license and therefore the Vulnreport is not being enabled out our site. We should be getting a new 2008R2 Extended Support license any day, so hopefully that will contain the vulnreport module.
The 3 I see listed are
BigFix Insights for Vulnerability Remediation
Managed Vulnerabilities
QRadar Vulnerabilities
@dsomers - if you are subscribed to the Compliance or LifeCycle modules, I believe that the airgap tool should pull the latest license info for you. I suggest opening a support ticket if you don’t see it, so that we can look at your exact problem.
@ncpeteusa - This data is not stored anywhere - it is calculated inside the wr/dashboard. The REST query would have to pull all the Fixlets and then do the same calculation as wr/dashboard. If you need something like that, you might want to engage with the services team and we should be able to help out.
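The per-CVE calculation described above, together with the concern raised earlier in the thread that a zero instance count means little when the Fixlet count is also zero, sketched as an added example (not part of the thread and not BigFix code). The record fields, site names, host names and CVE IDs are constructed assumptions, and counting distinct computers per CVE is this example's choice.

```python
from collections import defaultdict

# Constructed sample data: the field names are assumptions for this example,
# not a BigFix schema. "applicable" holds computers where the Fixlet is relevant.
FIXLETS = [
    {"site": "Site A", "subscribed": True,
     "cves": ["CVE-0000-0001"], "applicable": {"host1", "host2"}},
    {"site": "Site A", "subscribed": True,
     "cves": ["CVE-0000-0001", "CVE-0000-0002"], "applicable": {"host2", "host3"}},
    {"site": "Site B", "subscribed": False,
     "cves": ["CVE-0000-0003"], "applicable": set()},
    {"site": "Site A", "subscribed": True,
     "cves": ["CVE-0000-0005"], "applicable": set()},
]
QUERY = ["cve-0000-0001", "CVE-0000-0002", "CVE-0000-0003",
         "CVE-0000-0004", "CVE-0000-0005"]


def cve_coverage(cve_ids, fixlets):
    """Per-CVE Fixlet count, instance count and coverage status."""
    by_cve = defaultdict(list)
    for fixlet in fixlets:
        for cve in fixlet["cves"]:
            by_cve[cve.upper()].append(fixlet)

    report = {}
    for raw in cve_ids:
        cve = raw.strip().upper()
        matches = by_cve.get(cve, [])
        enabled = [f for f in matches if f["subscribed"]]
        if not matches:
            # No content at all: absence of findings is not evidence of absence.
            status, instances = "not covered", None
        elif not enabled:
            status, instances = "subscription needed", None
        else:
            # Union of computers, so a host hit by two Fixlets counts once.
            status = "covered"
            instances = len(set().union(*(f["applicable"] for f in enabled)))
        report[cve] = {
            "status": status,
            "fixlet_count": len(enabled),
            "instances": instances,  # None means unknown, not zero
            "unsubscribed_sites": sorted(
                {f["site"] for f in matches if not f["subscribed"]}),
        }
    return report


if __name__ == "__main__":
    for cve, row in cve_coverage(QUERY, FIXLETS).items():
        print(cve, row)
```

Only a CVE with at least one Fixlet in a subscribed site gets a numeric instance count; the other rows report `None`, so they are not read as clean.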
@Aram, quick question. When using the dashboard and searching for a specific CVE which appears in a vulnerability scan, the results returned display “Subscription Needed” under fixlets available. What does that particular output mean?
There are Fixlets that address the CVE, in a site that you do not have subscribed. Hover over the “Subscription Needed” result and a pop-up will tell you which sites, and you can decide whether to enable them.
Thanks Jason. The site is “Vulnerabilities to Windows Systems” which seems to have been deprecated. Not sure how it makes it a “requirement” then.