In late 2021, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS/CISA) issued Binding Operational Directive 22-01 (BOD 22-01), which introduced a list of Known Exploited Vulnerabilities (KEVs) that threat actors have exploited. Cortex Xpanse can help users find potentially impacted services for further investigation, patching, or decommissioning via the new Software Potentially Impacted by CISA Known Exploited Vulnerabilities (BOD 22-01) Issue category.
As of this writing, CISA’s Known Exploited Vulnerabilities catalog accompanying BOD 22-01 contained 788 individual Common Vulnerabilities and Exposures (CVEs), impacting at least 322 unique products and services, approximately 57% of which face the public internet. These numbers continue to increase steadily as CISA adds new CVEs to the catalog.
This section includes all Xpanse Issue policies that enumerate potentially vulnerable products and services in the KEV catalog. We will continually update this list as our research and development teams add detection capabilities to our product.
Expander shows systems that are exposed to the public internet, without the need to install agents or sensors of any kind. Some of the systems below do not advertise version information, or are otherwise restricted from doing so depending on the configuration of our customers’ networks. Expander attempts to retrieve or derive version information and other metadata, but this is not possible in all cases.
We are able to determine some devices/applications with a higher degree of confidence and thereby infer vulnerability to specific CVEs in the KEV catalog. The insecure versions of the following services fall into that category, and have been automatically enabled as Issue Policies in Cortex Xpanse:
Other devices/applications do not provide this level of visibility, though Xpanse is still able to identify the presence of the active internet-facing service. These applications have Issue policies that can be enabled by your team in the Policies tab; we encourage our customers to toggle them to “On” as needed.
Customers can leverage this basic enumeration for quick identification of active internet-facing services and export of an audit list for patching. For Cortex XSOAR customers, Xpanse integration leverages the outside-in perspective to automatically check for exposed software, and in some cases record the detected versions and queue other actions.
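The two confidence tiers described above (a version-confirmed match that is enabled automatically, and a presence-only match that the team opts into) and the CSV audit export can be modelled as a small matching routine. This is an added illustration, not Xpanse code; the catalog entries, CVE identifiers (placeholders, not real CVEs), product names and observed services are all constructed.

```python
"""Two-tier KEV matching: version-confirmed vs presence-only (constructed example)."""
import csv
import io
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class KevEntry:
    cve: str                            # placeholder identifier, not a real CVE
    product: str
    fixed_version: Optional[Tuple[int, ...]]  # first fixed release; None if unknown

# Constructed catalog subset standing in for the real CISA KEV list.
KEV = [
    KevEntry("CVE-0000-0001", "ExampleVPN", (9, 1, 2)),
    KevEntry("CVE-0000-0002", "ExampleMail", (2, 5, 0)),
    KevEntry("CVE-0000-0003", "ExamplePanel", None),
]

def parse_version(text: str) -> Tuple[int, ...]:
    # Dotted numeric versions only; real banners need vendor-specific parsing.
    return tuple(int(p) for p in text.split("."))

def classify(product: str, version: Optional[str]):
    """Return (status, matching_cves) for one observed internet-facing service."""
    hits = [k for k in KEV if k.product == product]
    if not hits:
        return "not_in_catalog", []
    if version is None:                 # presence only: opt-in policy tier
        return "potentially_impacted", [k.cve for k in hits]
    v = parse_version(version)
    confirmed = [k.cve for k in hits if k.fixed_version and v < k.fixed_version]
    if confirmed:                       # version known and below the fix: auto-enabled tier
        return "vulnerable_version", confirmed
    unversioned = [k.cve for k in hits if k.fixed_version is None]
    if unversioned:                     # catalog lacks a fixed version: cannot clear it
        return "potentially_impacted", unversioned
    return "patched", []

# Constructed observations (RFC 5737 documentation addresses).
OBSERVED = [
    {"ip": "192.0.2.10", "product": "ExampleVPN", "version": "9.0.4"},
    {"ip": "192.0.2.11", "product": "ExampleVPN", "version": "9.1.2"},
    {"ip": "192.0.2.12", "product": "ExampleMail", "version": None},
    {"ip": "192.0.2.13", "product": "ExamplePanel", "version": "3.0"},
    {"ip": "192.0.2.14", "product": "OtherThing", "version": "1.0"},
]

def audit_rows(observed=OBSERVED):
    """Keep only services that need follow-up, as rows for a patching audit list."""
    rows = []
    for s in observed:
        status, cves = classify(s["product"], s["version"])
        if status in ("vulnerable_version", "potentially_impacted"):
            rows.append({"ip": s["ip"], "product": s["product"],
                         "version": s["version"] or "unknown",
                         "status": status, "cves": ";".join(cves)})
    return rows

def audit_csv(observed=OBSERVED) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ip", "product", "version", "status", "cves"])
    writer.writeheader()
    writer.writerows(audit_rows(observed))
    return buf.getvalue()
```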
Xpanse groups Issue types into categories or themes to make them easier to browse and filter. We’ve created a new Issue Category called Software Potentially Impacted by CISA Known Exploited Vulnerabilities (BOD 22-01) containing all existing policies covering software potentially affected by CVEs in the KEV catalog. This section offers a walkthrough of the user experience for enumerating assets that may be impacted by a KEV.
To find a particular Issue of interest, scroll through the list [1] or start typing the name of the Issue in the search field [2], select from the list that populates below, then click Apply [3].
As you select individual Issues, Xpanse’s cumulative findings will populate within the list view in the main part of the screen:
To export this list as a comma-separated values (.csv) file, click the Export CSV button:
To get more information on an individual Issue on the list, click into it in the list view:
This will open the Issues details view, with information on the specific exposure and why Xpanse flagged it, where it was found on your network, and any IP ranges, certificates, or domains associated with the observation:
To create a detailed, shareable report on the selected Issue, use the Print to PDF button:
This generates a .pdf summary of Issue details, including all the information for that Issue in Expander: