CPE found by OpenVAS Scanner is missing in NIST database

Vulnerability Tests
1

Hi there,

with our IT team we performed some Vulnerability Assessment scans thanks to Greenbone Source Edition and the OpenVAS Scanner.
Specifically, for testing, we ran a first scan to a single target: a QNAP ts-x53u model.

The results showed us that OpenVAS Scanner has found the following CPE: cpe:/h:qnap:ts-x53u:5.0.0_20211221

The model and the product version are the right ones. But we have some doubts around this CPE because we tried to search in the NIST Official site, with no results.

After a research in the Greenbone Community Portal, we found this thread.

So, we got that OpenVAS Scanner utilize “.nasl” scripts to perform detection of version and product of the targets, which in our case it is a qnap ts-x53u with QTS 5.0.0.

From this, we assume that OpenVAS Scanner generates it’s own CPEs with this .nasl scripts.

Questions:

  1. Is it true that OpenVAS uses .nasl scripts to get product model and version of the target?
  2. Is it true that OpenVAS generates it’s own CPEs thanks to the infos gathered through these scripts? If yes, how? If no, can you explain how OpenVAS handles CPEs?

We saw that for the cpe:/h:qnap:ts-x53u:5.0.0_20211221, OpenVAS has found some CVEs:

post#3
post#31902Ă—230 23.9 KB

Last questions: How OpenVAS can address those CVEs if it uses a CPE that is not present on NIST database? Which is the process behind the link between the CPE generated (cpe:/h:qnap:ts-x53u:5.0.0_20211221) and the CVEs discovered and assigned to it?

Thanks!

2

Yes, this is true / valid.

  1. Is it true that OpenVAS generates it’s own CPEs thanks to the infos gathered through these scripts? If yes, how?

Yes, this is true. Even without having any NASL / programming skills checking the source code of VTs like e.g. gb_qnap_nas_detect.nasl gives some hints:

  cpe = "cpe:/h:qnap";

  if( cpe_model )
    cpe += ":" + cpe_model;

  if( version != "unknown" )
    cpe += ":" + version;

  if( build )
    cpe += "_" + build;
*snip*
  register_product( cpe:cpe, location:install, port:port, service:"www" );

The cpe variable is filled with the related CPE as defined / created by the VT developer who had implemented that detection and the CPE is then registered internally (with additional info on the found application) in the redis knowledge base and made available to other VTs through that one.

1 Like