Tag list and their meaning within vulnscan

There are two kind of probes performed by vulnscan. One kind is remotely checking for a known vulnerability (or CVE) with an active, innocuous and non-intrusive test. This check is based on sanitized version of public Proof-of-Concept exploit codes. Some vulnerability check can detected a specific CVE but also associated CVEs. That’s the case with proxyshell check where noting less than 3 CVEs are detected.

The other kind is based on different technics used to gather an exact version of a product. Sometimes, a product is so verbose you just have to parse HTML responses and sometimes you have to send a specific application request to gather its exact version.

First kind is called ‘check-based’ vulnerability detection, and the second one is called ‘version-based’ vulnerability detection. We always prefer to use ‘check-based’ version detection, but we have our own policy to decide whether to include a CVE check or not. ‘Version-based’ will always be the fallback choice.

To know how the CVE has been identified, you have to understand the meaning of tags.

Check-based tags

When a check is launched, there are four possibilities as a result:

• An active check was performed and the device is asserted vulnerable to the given CVE (tag:vulnerable)
• An active check was performed and the device is asserted NOT vulnerable to the given CVE (tag:notvulnerable)
• An active check was performed and the device MAY BE vulnerable to the given CVE (tag:maybevulnerable)
• An active check was performed and we can’t say if the device is vulnerable or not to the given CVE (tag:unknownvulnerable)

We avoid the last possibility to the maximum extent possible. There is only one such case today with the proxynotshell check.

Thus, corresponding tags are set:

tag:vulnerable
tag:notvulnerable
tag:maybevulnerable
tag:unknownvulnerable

Version-based tags

On version detection cases, there are six possibilities as a result:

• A version detection was performed and the version is asserted vulnerable against our CVE list (tag:vulnerableversion)
• A version detection was performed and the version is asserted NOT vulnerable against our CVE list (tag:notvulnerableversion)
• A version detection was performed and the device MAY BE vulnerable to the given CVE (tag:maybevulnerableversion)
• A version detection was performed but the version was partially identified (not at the patch level) (tag:partielversion)
• A version detection was performed but the version was not found or identified (tag:unknownversion)
• A version detection was performed but we currently don’t have CVEs associated with the version identified (tag:version)

Corresponding tags are set:

tag:vulnerableversion
tag:notvulnerableversion
tag:maybevulnerableversion
tag:partialversion
tag:unknownversion
tag:version

Other tags

There are many other tags, but the most important are as follows:

• tag:“anssi::top10”: filter vulnerable devices by using the TOP 10 CVEs from french cybersecurity agency called ANSSI
• tag:“cisa::kev”: filter vulnerable devices by using the US CISA Known Exploited Vulnerabilities catalog
• tag:“nsa::top25”: filter using the TOP 25 most exploited CVEs from US NSA agency
• tag:“nsa::top5”: filter using the TOP 5 most exploited CVEs from US NSA agency
• tag:“fireeye::arsenal”: filter using the leaked exploit code from FireEye arsenal
• tag:log4shell: filter for log4shell vulnerabilities

Of course, if there is a CVE field in the result, you will know which vulnerability has been identified on the device.