Tag list and their meaning within vulnscan
There are two kinds of probes performed by vulnscan. The first kind remotely checks for a known vulnerability (or CVE) with an active, innocuous and non-intrusive test. This check is based on a sanitized version of public Proof-of-Concept exploit code. Some vulnerability checks detect not only a specific CVE but also associated CVEs. That is the case with the proxyshell check, where no fewer than 3 CVEs are detected.
The other kind is based on different techniques used to gather the exact version of a product. Sometimes a product is so verbose that you only have to parse its HTML responses, and sometimes you have to send a specific application request to obtain its exact version.
The first kind is called ‘check-based’ vulnerability detection, and the second one ‘version-based’ vulnerability detection. We always prefer ‘check-based’ detection, but we have our own policy to decide whether or not to include a CVE check. ‘Version-based’ detection is always the fallback choice.
To know how a CVE has been identified, you have to understand the meaning of the tags.
Check-based tags
When a check is launched, there are four possibilities as a result:
- An active check was performed and the device is asserted vulnerable to the given CVE
- An active check was performed and the device is asserted NOT vulnerable to the given CVE
- An active check was performed and the device MAY BE vulnerable to the given CVE
- An active check was performed and we can’t say if the device is vulnerable or not to the given CVE
We avoid the last possibility as much as possible. There is only one such case today, the proxynotshell check.
Thus, the corresponding tags are:
tag:vulnerable
tag:notvulnerable
tag:maybevulnerable
tag:unknownvulnerable
Version-based tags
On version detection cases, there are six possibilities as a result:
- A version detection was performed and the version is asserted vulnerable against our CVE list
- A version detection was performed and the version is asserted NOT vulnerable against our CVE list
- A version detection was performed and the version MAY BE vulnerable to the given CVE
- A version detection was performed but the version was only partially identified (not down to the patch level)
- A version detection was performed but the version was not found or identified
- A version detection was performed but we currently have no CVEs associated with the version identified
The corresponding tags are:
tag:vulnerableversion
tag:notvulnerableversion
tag:maybevulnerableversion
tag:partialversion
tag:unknownversion
tag:version
Other tags
There are many other tags, but the most important are as follows:
- tag:“anssi::top10”: filter vulnerable devices using the TOP 10 CVEs published by the French cybersecurity agency ANSSI
- tag:“cisa::kev”: filter vulnerable devices using the US CISA Known Exploited Vulnerabilities catalog
- tag:“nsa::top25”: filter using the TOP 25 most exploited CVEs published by the US NSA
- tag:“nsa::top5”: filter using the TOP 5 most exploited CVEs published by the US NSA
- tag:“fireeye::arsenal”: filter using the CVEs targeted by the leaked FireEye red team exploit code
- tag:log4shell: filter for log4shell vulnerabilities
Of course, if there is a CVE field in the result, you will know which vulnerability has been identified on the device.