CVE Search Dashboard and Web Report now available!

Marjan 2022-04-25 17:15:58 UTC #1

The BigFix Team is pleased to announce the release of the CVE Search Dashboard and Web Report as part of a new Vulnerability Reporting site (included in the BigFix Lifecycle and Compliance suites)! This solution enables quick and easy methods to search for Fixlet content associated with vulnerabilities based on a list of CVE IDs. These can be pre-defined (such as the CISA Known Exploited Vulnerabilities) or user-defined lists.

For a given CVE, BigFix users will be able to report on the following via either the Console Dashboard or Web Report:

BigFix Fixlet coverage:
- Provides detailed visibility into available content across all HCL-published Fixlet sites associated with the CVE in question
Total Fixlet count per CVE
Total count of vulnerable instances based on Fixlet applicability
Additional CVE metadata (such as CVSS) where available

The CVE Search Dashboard provides an additional ability to create remediation baselines for selected CVEs or Fixlets.

Additional Information about this release:

Documentation link: https://help.hcltechsw.com/bigfix/10.0/lifecycle/c_cve_search_dashboard.html
Please find the ‘Vulnerability Reporting’ Fixlet Site from the License Overview Dashboard under the Lifecyle or Compliance Sections
- For more information on enabling sites, please see https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Console/c_license_overview_dashboard.html

FatScottishGuy 2022-04-26 09:44:10 UTC #2

Is there much advantage of this over using WebUI and the CVE field on the patching site?

I also believe Web Reports already had the ability to search by CVE from the Content area.

I do like the Vulnerability Trends Over Time report though (not sure if that was new or not).

Can you list out what is new from a Web Reports stand point and what the advantages of using the new Dashboard on the console are (if any).

JasonWalker 2022-04-26 13:39:18 UTC #3

Several things the dashboard offers (probably not exhaustive) -

Search on a list of CVEs, not just one-at-a-time.
Prebuilt list for CISA KEV (BOD 22-01). US Gov and Critical Infrastructure are responsible to report and remediate a specific “Known Exploited Vulnerabilities” list, and we package that list as a preset
Report includes which CVEs are not covered by BigFix content - so it’s visible that certain hardware/router/firewall/third party CVEs need outside checking.
Report includes CVEs that are covered by BigFix, but delivered in sites you have not enabled - so some guidance you may need to subscribe/activate additional sites.
Ability to create a Baseline from the CVEs, either all of the Fixlets or only the relevant ones.

FatScottishGuy 2022-04-26 15:47:31 UTC #4

Perfect! Thanks Jason

ageorgiev 2022-04-27 10:22:20 UTC #5

This is really interesting but the problem I have is how do we validate those vulnerabilities IF they are essentially not covered by BigFix? In other words, dashboard shows “0” instances found but you can clearly see that Fixlet Count = 0, which automatically means that the instance data is untrustworthy, doesn’t it? How would BigFix know that the instances are 0 if it doesn’t have fixlets to confirm it and if that is the case, then it really should have some kind of way to highlight that it may not really be “0”. Similarly, some kind of indication that one may be covered by a site that is not enabled would also be good. Last but not least, the fact it has no export capability, even in Web Reports, is a bit limiting.

One additional question - does the dashboard support custom content?

Are there “Next Steps”/Long-term plans to take this further? For example, if this is ever linked to IVR where you do have another source of vulnerability discovery and you can in fact confirm what the true found instances are even for stuff not covered by BigFix, it would be something…

FatScottishGuy 2022-04-27 14:11:58 UTC #6

I used this today properly with almost 300 CVE’s that were listed and it returned 0 on 0 however the frustrating part was that when I wanted then to check just a few CVE’s I had to manually remove all the ones listed. There’s no clear or reset button

Aram 2022-04-27 14:20:20 UTC #7

Agreed! This is a good suggestion, thank you. We can work to improve the ‘Instances Found’ and Fixlet counts fields to provide additional context based on Fixlet Availability.

Actually, there is an ability to export in both the Dashboard, and the Web Report! We will update the documentation (and include links here), but you can export by clicking the following button:

I’ll check/confirm on custom content support and follow-up. And yes, there are absolutely plans to improve this, and we appreciate your feedback to help us do so!

Aram 2022-04-27 14:23:58 UTC #8

Agreed, a clear or reset button on the Search screen would be helpful, thank you for the suggestion. In the meantime, one workaround is to right-click in the white space, and select ‘reload’:

88mztr 2022-04-27 14:45:15 UTC #9

I found that if you add the CVE numbers to the CVE ID field on the properties tab of the task or fixlet, your custom content would show up in the list. Depending on how many CVE’s are fix with a particular version of that software, the list can get quite long.

dsomers 2022-04-27 17:37:19 UTC #10

Good day all; I am in an airgap env, I just downloaded a new response file and went into the license Overview screen looking to enable vulnreport., but I am not seeing it. vulnreport, I do see one called Managed Vulnerabilities. Is this the same thing?_

Marjan 2022-04-27 17:38:41 UTC #11

That’s not the one. Try running the license update first. And then you should see a site called vulnreport (or Vulnerability Reporting).

ageorgiev 2022-04-27 18:18:09 UTC #12

Thanks, Aram!

That download button is well-hidden!

dsomers 2022-04-27 18:24:05 UTC #13

Thanks Marjan;
I did go through the update process. I think because we are on isolated network it is not pulling down the latest license and therefor the Vulnreport is not being enabled out our site. We should be getting a new 2008R2 Extended Support license any day, so hopefully that will contain the vulnrepot module.
The 3 I see listed are
BigFix Insights for Vulnerability Remediation
Managed Vulnerabilities
QRader Vulnerabilities

and you said it was not Managed Vulnerabilities

Marjan 2022-04-27 18:31:39 UTC #14

@dsomers – if you are subscribed to the Compliance or LifeCycle modules, I believe that the airgap tool should pull the latest license info for you. I suggest opening a support ticket if you don’t see it, so that we can look at your exact problem.

ncpeteusa 2022-04-28 11:39:23 UTC #15

Curious,

Is this report available for export into other tools via the REST api? If so what would the REST query look like for JSON?

Marjan 2022-05-02 16:52:06 UTC #16

@ncpeteusa – This data is not stored anywhere – it is calculated inside the wr/dashboard. The rest query would have to pull all the Fixlets and then do the same calculation as wr/dashboard. If you need something like that, you might want to engage with the services team and we should be able to help out.

QvR 2022-05-12 11:26:49 UTC #17

@Aram, quick question. When using the dashboard and searching for a specific CVE which appears in a vulnerability scan, the results returned displays “Subscription Needed” under fixlets available. What does that particular output mean? CVE_SEARCH

FatScottishGuy 2022-05-12 12:03:15 UTC #18

At a guess - I’m gonna say it needs the ESU

JasonWalker 2022-05-12 12:13:01 UTC #19

There are Fixlets that address the CVE, in a site that you do not have subscribed. Hover-over the “Subscription Needed” result and a pop-up will tell you which sites, and you can decide whether to enable them.

QvR 2022-05-12 12:20:07 UTC #20

Thanks Jason. The site is “Vulnerabilities to Windows Systems” which seems to have been deprecated. Not sure how it makes it a “requirement” then.