The Vulnerable Package capability is supported from sensor version 0.4.0.
Intezer Protect scans installed packages to identify vulnerabilities at runtime. The packages are sorted by priority.
Note: This feature is currently only supported on Ubuntu-based operating systems.
How does it work?
- The Intezer Protect sensor scans every 24 hours for packages installed by package managers (DEB).
- A list of installed packages is displayed for each host.
- The packages are scanned for vulnerabilities and matched with CVEs (Common Vulnerabilities and Exposures).
- Each CVE links to its dedicated NVD (National Vulnerability Database) page for additional information and remediation.
- Each package gets a calculated Vulnerability Status. The Vulnerability Status marks the highest severity CVE found in the package. Packages with no identified vulnerabilities get a Safe Vulnerability Status. For example, if my_package has 4 CVEs (1 High, 2 Medium, 1 Low), the Vulnerability Status of the package will be High. The Vulnerability Status of packages affects the Vulnerability Status of the host. The status of the host represents the highest vulnerability identified in it.
- Follow the instructions in NVD to remediate the CVEs. The next scan will identify the fixed package and refresh the Vulnerability Status of the package.
Viewing Installed Packages
- In the menu, click on the Assets menu item.
- Click on one of the assets on the list.
- You can filter the assets by their Vulnerability Status.
- Click on the Installed Packages tab.
Tip: The color of the circle in the tab indicates the package with the highest Vulnerability Status found on the asset.
- A prioritized list of installed packages is displayed.
Available attributes are:
- Vulnerability Status: Marks the highest severity CVE found in the package. Available values are High, Medium, Low, and Safe.
- Package Name
- Package Version
- First Seen: The first time the package was seen in the organization.
- CVEs: Common Vulnerabilities and Exposures unique IDs.
- Active: Indicates whether the package has run in the environment or not. Available values are:
  - Active: The package has run in the environment.
  - Not active: The package has never run in the environment.
  - Active - Memory only: The package was updated but the app was not restarted, therefore the vulnerability exists in memory.
- Click on one of the packages to view additional information such as the full list of CVEs and more.
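
The condition behind the Active - Memory only value can be checked by hand on a Linux host. The following is an added example, not Intezer's code or its detection method: it assumes the kernel's `(deleted)` marker in `/proc/<pid>/maps`, which appears when a mapped file has been replaced on disk, and the sample maps text and the names `exampled` and `libexample` are constructed.

```python
import os
import re

# One /proc/<pid>/maps line: address perms offset dev inode pathname
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+[0-9a-f]+\s+\S+\s+"
    r"(?P<inode>\d+)\s+(?P<path>/.+)$"
)
DELETED = " (deleted)"  # suffix the kernel appends once the mapped file is unlinked

# Constructed sample: "exampled" and "libexample" are made-up names.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a20000 r-xp 00000000 08:01 1311 /usr/sbin/exampled
7f1a2c000000-7f1a2c1b0000 r-xp 00000000 08:01 2222 /usr/lib/x86_64-linux-gnu/libexample.so.1.1 (deleted)
7f1a2c1b0000-7f1a2c1c0000 rw-p 001b0000 08:01 2222 /usr/lib/x86_64-linux-gnu/libexample.so.1.1 (deleted)
7f1a2d000000-7f1a2d001000 rwxp 00000000 00:01 3333 /memfd:jit (deleted)
7ffd4a000000-7ffd4a021000 rw-p 00000000 00:00 0 [stack]
"""

def stale_mappings(maps_text):
    """Return sorted paths of executable file mappings whose on-disk file was replaced."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or "x" not in m.group("perms") or m.group("inode") == "0":
            continue  # anonymous, non-file, or non-executable mapping
        path = m.group("path")
        # memfd regions always carry the suffix; they are not package files
        if path.endswith(DELETED) and not path.startswith("/memfd:"):
            stale.add(path[: -len(DELETED)])
    return sorted(stale)

def scan_host(proc_root="/proc"):
    """Map each PID to the replaced files it still executes from memory."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_mappings(fh.read())
        except OSError:  # process exited, or not enough privileges
            continue
        if stale:
            findings[int(entry)] = stale
    return findings

if __name__ == "__main__":
    for pid, paths in sorted(scan_host().items()):
        for path in paths:
            print(f"pid {pid} still maps replaced file: {path}")
```

Run it as root so every process's maps file is readable; `dpkg -S <path>` then names the DEB package that owns each reported file, and restarting the listed process loads the updated version.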