Tag list and their meaning within vulnscan
There are two kinds of probes performed by vulnscan. One kind remotely checks for a known vulnerability (or CVE) with an active, innocuous and non-intrusive test. This check is based on sanitized versions of public Proof-of-Concept exploit codes. Some vulnerability checks can detect a specific CVE but also associated CVEs. That’s the case with the proxyshell check, where no fewer than 3 CVEs are detected.
The other kind is based on different techniques used to gather the exact version of a product. Sometimes a product is so verbose that you just have to parse HTML responses, and sometimes you have to send a specific application request to gather its exact version.
The first kind is called ‘check-based’ vulnerability detection, and the second one is called ‘version-based’ vulnerability detection. We always prefer to use ‘check-based’ detection, but we have our own policy to decide whether to include a CVE check or not. ‘Version-based’ will always be the fallback choice.
To know how a CVE has been identified, you have to understand the meaning of the tags.
Check-based tags
When a check is launched, there are four possibilities as a result:
- An active check was performed and the device is asserted vulnerable to the given CVE (tag:vulnerable)
- An active check was performed and the device is asserted NOT vulnerable to the given CVE (tag:notvulnerable)
- An active check was performed and the device MAY BE vulnerable to the given CVE (tag:maybevulnerable)
- An active check was performed and we can’t say if the device is vulnerable or not to the given CVE (tag:unknownvulnerable)
We avoid the last possibility to the maximum extent possible. There is only one such case today with the proxynotshell check.
Thus, corresponding tags are set:
tag:vulnerable
tag:notvulnerable
tag:maybevulnerable
tag:unknownvulnerable
Version-based tags
For version detection, there are six possibilities as a result:
- A version detection was performed and the version is asserted vulnerable against our CVE list (tag:vulnerableversion)
- A version detection was performed and the version is asserted NOT vulnerable against our CVE list (tag:notvulnerableversion)
- A version detection was performed and the device MAY BE vulnerable to the given CVE (tag:maybevulnerableversion)
- A version detection was performed but the version was only partially identified (not at the patch level) (tag:partialversion)
- A version detection was performed but the version was not found or identified (tag:unknownversion)
- A version detection was performed but we currently don’t have CVEs associated with the version identified (tag:version)
Corresponding tags are set:
tag:vulnerableversion
tag:notvulnerableversion
tag:maybevulnerableversion
tag:partialversion
tag:unknownversion
tag:version
Other tags
There are many other tags, but the most important are as follows:
- tag:"anssi::top10": filter vulnerable devices using the TOP 10 CVEs from the French cybersecurity agency ANSSI
- tag:"cisa::kev": filter vulnerable devices using the US CISA Known Exploited Vulnerabilities catalog
- tag:"nsa::top25": filter using the TOP 25 most exploited CVEs from the US NSA
- tag:"nsa::top5": filter using the TOP 5 most exploited CVEs from the US NSA
- tag:"fireeye::arsenal": filter using the CVEs covered by the leaked exploit code from the FireEye arsenal
- tag:log4shell: filter for log4shell vulnerabilities
Of course, if there is a CVE field in the result, you will know which vulnerability has been identified on the device.
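The following is an added example (not vulnscan's own code) showing how the check-based, version-based and list tags above can be combined to triage results: a check-based verdict takes precedence over a version-based one, and priority-list tags break ties. The record fields ("ip", "cve", "tag") and the sample records are assumptions constructed for the demo.

```python
# Added example, not vulnscan code; record fields and sample data are assumed.
# Verdict carried by each check-based tag (an active test was run).
CHECK_VERDICTS = {"vulnerable": "vulnerable", "notvulnerable": "notvulnerable",
                  "maybevulnerable": "maybe", "unknownvulnerable": "unknown"}
# Verdict carried by each version-based tag (derived from a product version).
VERSION_VERDICTS = {"vulnerableversion": "vulnerable", "notvulnerableversion": "notvulnerable",
                    "maybevulnerableversion": "maybe", "partialversion": "partial",
                    "unknownversion": "noversion", "version": "noknowncve"}
# Curated CVE lists usable to prioritize vulnerable devices.
PRIORITY_LISTS = ("cisa::kev", "anssi::top10", "nsa::top5", "nsa::top25",
                  "fireeye::arsenal", "log4shell")
# Lower rank = more certain; only these three verdicts need a human look.
VERDICT_RANK = {"vulnerable": 0, "maybe": 1, "unknown": 2}


def classify(tags):
    """Return (method, verdict). A check-based tag wins over a version-based
    one, because version-based detection is only the fallback."""
    for tag in tags:
        if tag in CHECK_VERDICTS:
            return "check-based", CHECK_VERDICTS[tag]
    for tag in tags:
        if tag in VERSION_VERDICTS:
            return "version-based", VERSION_VERDICTS[tag]
    return "none", "none"


def triage(records):
    """Keep results needing attention, ordered: check-based before
    version-based, then by verdict certainty, then by priority-list hits."""
    rows = []
    for rec in records:
        tags = rec.get("tag", [])
        method, verdict = classify(tags)
        if verdict not in VERDICT_RANK:
            continue
        rows.append({"ip": rec["ip"], "cve": rec.get("cve"), "method": method,
                     "verdict": verdict,
                     "lists": [t for t in PRIORITY_LISTS if t in tags]})
    rows.sort(key=lambda r: (r["method"] != "check-based",
                             VERDICT_RANK[r["verdict"]], -len(r["lists"])))
    return rows


# Constructed sample results; CVE ids are placeholders, not real CVEs.
SAMPLE = [
    {"ip": "192.0.2.10", "cve": "CVE-0000-0001", "tag": ["vulnerableversion", "cisa::kev"]},
    {"ip": "192.0.2.11", "cve": "CVE-0000-0002", "tag": ["notvulnerable"]},
    {"ip": "192.0.2.12", "cve": "CVE-0000-0003", "tag": ["vulnerable"]},
    {"ip": "192.0.2.13", "cve": "CVE-0000-0004", "tag": ["maybevulnerableversion", "anssi::top10", "cisa::kev"]},
    {"ip": "192.0.2.14", "cve": None, "tag": ["partialversion"]},
    {"ip": "192.0.2.15", "cve": "CVE-0000-0005", "tag": ["vulnerable", "vulnerableversion"]},
]
```

Running triage(SAMPLE) drops the notvulnerable and partialversion records and lists the two check-based vulnerable hosts first, then the version-based ones ranked by verdict and list membership.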