No CVSS Scores with Qualys XML

This article explains why the Platform does not provide CVSS Scores when importing Qualys XML files from Qualys VM or Qualys WAS scans.

How CVSS Scores are calculated

CVSS Scores are calculated from the corresponding CVSS Vector string provided with most (not all) publicly-disclosed vulnerabilities. In most, if not all, cases, publicly-disclosed vulnerabilities are catalogued and assigned a CVE reference or CVE ID.

MITRE, NVD and FIRST are all good sources of information for understanding the score and categorisation of Common Vulnerabilities and Exposures (CVEs).

Consider this article by the NVD, which introduces the concepts behind ‘Vulnerability Metrics’:

[quote]: The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity. CVSS is not a measure of risk. CVSS v2.0 and CVSS v3.x consist of three metric groups: Base, Temporal, and Environmental. The Base metrics result in a numerical score ranging from 0 to 10, which can then be modified by assessing the Temporal and Environmental metrics. A CVSS assessment is also represented as a vector string, a compressed textual representation of the values used to derive the score.

Going into detail around the calculations and metrics behind a CVSS Score is beyond the scope of this article. However, the important thing to note is that a CVSS Score is the numerical measurement (the ‘score’) of a vulnerability, and that it is derived from the vulnerability’s CVSS Vector string.

Given that a vulnerability’s CVSS Score is derived from its associated CVSS Vector string, it stands to reason that, in the absence of a CVSS Vector string, a CVSS Score on its own does not provide sufficient context on how it was calculated (there is no CVSS Vector string to work from).

As an example, using the CVSS v3.1 scoring system, the CVSS Vector string for a vulnerability would look like this:

AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

NOTE: The CVSS Vector string can include many more metric:value pairs when scoring beyond the Base metrics (i.e. Temporal or Environmental) is available and used. See here for more information.

CVSS Scores in the Platform

When importing vulnerability data into the Platform, the imported vulnerabilities must be accompanied by their CVSS Vector string in order for an appropriate CVSS Score to be assigned to the resulting issue(s).

During import, the Platform processes the CVSS Vector string for each vulnerability and populates both the CVSS Vector string and the CVSS Score into the resulting issue(s).

In short, no CVSS Vector string = no CVSS Score.

Qualys XML lacks CVSS Vector Strings

Now to get to the crux of the problem when importing Qualys XML files into the Platform.

In short, the XML content on which the Platform relies (when processing vulnerabilities) does not include the CVSS Vector string for any vulnerability.

Rootshell Security have confirmed this during various tests when building the Qualys XML parser and conclude that the following XML report types lack the necessary CVSS Vector string information:

  • Qualys VM XML Scan-based Report - the output from exporting a Qualys VM network scan

  • Qualys VM XML Host-based Report - the output from exporting a Qualys VM network scan or Cloud-agent based report

  • Qualys WAS XML (Scan Report) - the output when exporting a Qualys WAS scan report.

To elaborate, below is an extract from a Qualys VM XML Scan-based Report. This XML extract shows a VMware related vulnerability along with all available information pertaining to this particular vulnerability:

<CAT value="Security Policy">
  <VULN number="105928" severity="5">
    <TITLE><![CDATA[EOL/Obsolete Operating System: VMware ESXi 6.0 Detected]]></TITLE>
    <LAST_UPDATE><![CDATA[2020-11-05T22:31:22Z]]></LAST_UPDATE>
    <CVSS_BASE source="service">10.0</CVSS_BASE>
    <CVSS_TEMPORAL>8.1</CVSS_TEMPORAL>
    <CVSS3_BASE>9.8</CVSS3_BASE>
    <CVSS3_TEMPORAL>8.7</CVSS3_TEMPORAL>
    <CVSS3_VERSION>3.1</CVSS3_VERSION>
    <PCI_FLAG>1</PCI_FLAG>
    <VENDOR_REFERENCE_LIST>
      <VENDOR_REFERENCE>
        <ID><![CDATA[VMware Lifecycle Product Matrix]]></ID>
        <URL><![CDATA[https://www.vmware.com/files/pdf/support/Product-Lifecycle-Matrix.pdf]]></URL>
      </VENDOR_REFERENCE>
    </VENDOR_REFERENCE_LIST>
    <DIAGNOSIS><![CDATA[VMware ESXi 6.0 has been detected on the host. <BR> Support for VMware ESXi 6.0 ended on March 12, 2020 <P> QID Detection Logic (unauthenticated):<BR> This QID reviews OS information from VMware API SOAP request.<BR> <P>]]></DIAGNOSIS>
    <CONSEQUENCE><![CDATA[The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks.<P>]]></CONSEQUENCE>
    <SOLUTION><![CDATA[Update to a supported version of ESXi. Refer to <A HREF="https://www.vmware.com/" TARGET="_blank">VMware</A> for information on obtaining the latest version.<P>]]></SOLUTION>
    <RESULT><![CDATA[VMware ESXi 6.0 Detected]]></RESULT>
  </VULN>
</CAT>

Whilst the vulnerability detail includes multiple CVSS Score details (e.g. the Version, Base score and Temporal score), there is no mention of the CVSS Vector string.
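As an added example (not the Platform’s own parser), the following Python reads the extract above, trimmed to its CVSS fields and embedded inline, and reports per VULN the scores Qualys supplies and whether any CVSS v3 vector string is present; it matches on the shape of a vector string rather than on an assumed element name, so it works whatever the field is called.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the VULN element from the Qualys VM XML extract above,
# trimmed to the CVSS-related children (the other fields are omitted).
QUALYS_EXTRACT = """<CAT value="Security Policy">
  <VULN number="105928" severity="5">
    <TITLE><![CDATA[EOL/Obsolete Operating System: VMware ESXi 6.0 Detected]]></TITLE>
    <CVSS_BASE source="service">10.0</CVSS_BASE>
    <CVSS_TEMPORAL>8.1</CVSS_TEMPORAL>
    <CVSS3_BASE>9.8</CVSS3_BASE>
    <CVSS3_TEMPORAL>8.7</CVSS3_TEMPORAL>
    <CVSS3_VERSION>3.1</CVSS3_VERSION>
  </VULN>
</CAT>"""

# Shape of a CVSS v3.x base vector, with or without the "CVSS:3.x/" prefix.
VECTOR_RE = re.compile(
    r"(?:CVSS:3\.[01]/)?AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]/S:[UC]/C:[HLN]/I:[HLN]/A:[HLN]"
)


def find_vector(vuln):
    """Return the first CVSS v3 vector found in any text or attribute value
    under the VULN element, whatever the element is called, else None."""
    for elem in vuln.iter():
        for text in [elem.text or ""] + list(elem.attrib.values()):
            match = VECTOR_RE.search(text)
            if match:
                return match.group(0)
    return None


def summarise(xml_text):
    """One record per VULN: the scores Qualys supplies plus the vector string
    if present. vector=None is the case the article describes: a score with
    nothing to derive it from."""
    records = []
    for vuln in ET.fromstring(xml_text).iter("VULN"):
        records.append({
            "qid": vuln.get("number"),
            "cvss3_version": vuln.findtext("CVSS3_VERSION"),
            "cvss3_base": vuln.findtext("CVSS3_BASE"),
            "cvss_base": vuln.findtext("CVSS_BASE"),
            "vector": find_vector(vuln),
        })
    return records
```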

Conclusion

Whilst the Platform will provide all information it can with regard to imported vulnerability data, the Platform ultimately relies on the content of the imported data to build all the metadata for an issue.

In the case of Qualys XML files, unfortunately the problem lies with Qualys. The current version of their XML output lacks the information needed to populate CVSS information into the issue once imported into the Platform.

An Alternate Approach for Qualys VM Integration?

There is, however, another option when integrating the Platform with Qualys VM scan results.

The Qualys VM API does provide additional vulnerability metadata including the CVSS Vector, the CVSS Score and the CVE ID.

So, where possible, Rootshell recommend using the Platform’s API-based integration with Qualys VM to retrieve a more comprehensive set of metadata for imported vulnerabilities.