First time running a scan and "Closed CVEs" is populated

Hi all,

I ran a scan on about 7 machines, a mix of Linux and Windows, and at the end of the scan (the first time I’ve ever run it) “Closed CVEs” is populated with about 24 results, even though there were absolutely no attempts to fix any vulnerabilities.

I would have assumed that Closed CVEs would show results when active CVEs were found in the first scan AND then they were resolved in a second or third scan?

There is virtually no information about Closed CVEs online.

Can someone explain this to me?

GSA 22.9.0
openvas-scanner 22.7.7-1

Maybe “What is the difference between CVE and Closed CVE in an report? - #2 by Olli” gives some background already?

Hello,

and welcome to this community portal.

The “Vulnerability Tests” category chosen for this posting should be only used for discussing e.g. the results of VTs / NASL files as outlined in the category description. Other questions like this are completely outside of the category scope. The “Closed CVEs” functionality is part of our software stack and thus e.g. the “Advanced topic” could better fit here.

For the “Closed CVEs” tab / functionality a (quite short) description is available here:

https://docs.greenbone.net/GSM-Manual/gos-22.04/en/reports.html?highlight=closed%20cves

which is:

CVEs of originally detected vulnerabilities which were already confirmed as solved during the scan.

Thanks Bricks for the response, but unfortunately it doesn’t help, and I’ve actually read it already. It explains logically how it would work (and of course the answer makes sense), but that’s not how it works in my case, where during the first scan ever done on those hosts the CVEs already show as “closed”. For further information, it’s just CVEs related to Windows - “Microsoft MSXX-XXX security check”, of which 24 are closed instantly.

It makes me worried that maybe they were actually found and OpenVAS has a bug where it puts them straight into Closed status for unknown reasons.

Thanks CFI for your response and for that link (I read the description and, while vague, I think I understand), but can you understand why, during the first ever scan of certain hosts, CVEs would end up already Closed when absolutely no effort to resolve them was carried out?

My thinking on this would be:

  • Scan a host
  • Find 6 vulnerabilities (all 6 are CVEs)
  • Fully resolve 3 CVEs on the problematic host (either with updates, closing ports, mitigation etc.)
  • Rescan the host
  • Now only 3 vulnerabilities are found and 3 are under “Closed CVEs”

However in my case it’s:

  • Scan 7 hosts for the first time (mix of Linux and Windows)
  • Find 53 vulnerabilities, of which 24 are closed CVEs instantly
  • All 24 closed CVEs are “Microsoft security checks”.

Is it possible that Windows, realising it’s being scanned, shuts its services off from the OpenVAS machine and, while the scan is running, goes from “vulnerabilities detectable” to “undetectable”? But that would assume that OpenVAS scans every host multiple times for the same vulnerability, to go from “found this vulnerability at 13:00” to “found that it had been closed at 13:02”, and personally I doubt that would be the case (but then again I’m no expert)…

From my very limited knowledge of this functionality, it doesn’t work like this / like you are expecting it.

IIRC instead it works like this: if e.g. a version has been found on the target that is not vulnerable to a specific CVE, this CVE will be included in the “Closed CVEs” tab. And this doesn’t require two or more subsequent scans and can already work for / with the initial first scan.

Unfortunately I don’t really understand what you mean, here’s an attempt at an example:

Are you suggesting that a particular version, for example of IIS, is detected and is supposed to be vulnerable to MSXX-XXX, but we didn’t find the vulnerability as expected, so we’ll put this in Closed CVEs?

Imagine Windows has 50,000 possible vulnerabilities in total and, in doing a scan of a Windows host, 49,997 are found NOT to affect my host because my host is relatively up to date and follows best practices in relation to security. Why don’t I see a list of 49,997 that are closed because they weren’t detected? Surely posting that X was NOT found is superfluous information that isn’t required. I just want to know what was found, what I have to fix and afterwards whether I fixed it successfully or not.

Obviously, none of this confusion is your fault (unless of course you develop the software or the doc), so don’t take my challenges to this functionality as anything personal - I’m just trying to understand how and why and what is going on with this Closed CVEs section.

Yes, exactly this is how I understand that the functionality is working. Just a short example:

  • CVE is affecting versions < 1.2.3 of a product
  • During a scan version 1.2.3 is found which is not vulnerable
  • The CVE in question will be placed into the “Closed CVEs” tab
    • Note: There might be some additional prerequisites before this is happening

Unfortunately I can’t give more details as I’m not working on this part of the software stack / have no knowledge of how the functionality is working in detail.

The “Closed CVEs” tab has not been designed for this purpose. But you should be able to use a delta comparison between two scan results to determine if the flaw was fixed successfully:

GSM Manual: 11.2.5 Creating a Delta Report
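As an added illustration of the two points above (not Greenbone or OpenVAS code, and not written by anyone in this thread): a version-based check marks a CVE closed on the very first scan when the detected version is at or above the fixed version, and only a delta between two scans shows what was actually fixed. Product names, versions and the CVE-EXAMPLE-n ids are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class VersionCheck:
    cve: str        # constructed placeholder id, not a real CVE
    product: str
    fixed_in: str   # first version NOT affected; affected versions are < fixed_in


def classify(detected: dict[str, str], checks: list[VersionCheck]) -> dict[str, set[str]]:
    """One scan: a CVE is 'open' when the detected version is below fixed_in and
    'closed' when the product was found at or above fixed_in (the forum's
    explanation of why a first scan can already list Closed CVEs). Products
    that were not detected give no evidence either way and are not listed."""
    result: dict[str, set[str]] = {"open": set(), "closed": set()}
    for c in checks:
        version = detected.get(c.product)
        if version is None:
            continue
        bucket = "open" if parse_version(version) < parse_version(c.fixed_in) else "closed"
        result[bucket].add(c.cve)
    return result


def delta(first: dict[str, set[str]], second: dict[str, set[str]]) -> dict[str, set[str]]:
    """Delta-report style view: open CVEs that disappeared were fixed, new ones appeared."""
    return {"fixed": first["open"] - second["open"], "new": second["open"] - first["open"]}


CHECKS = [  # constructed checks in the style of the thread's "< 1.2.3" example
    VersionCheck("CVE-EXAMPLE-1", "exampleapp", "1.2.3"),
    VersionCheck("CVE-EXAMPLE-2", "exampleapp", "1.4.0"),
    VersionCheck("CVE-EXAMPLE-3", "otherapp", "2.0.0"),
]
SCAN_1 = {"exampleapp": "1.2.3", "otherapp": "1.9.5"}  # constructed first-scan detections
SCAN_2 = {"exampleapp": "1.4.0", "otherapp": "1.9.5"}  # constructed rescan after updating exampleapp

if __name__ == "__main__":
    r1, r2 = classify(SCAN_1, CHECKS), classify(SCAN_2, CHECKS)
    print("first scan:", r1)  # CVE-EXAMPLE-1 is closed already, nothing has been fixed yet
    print("rescan:", r2)
    print("delta:", delta(r1, r2))  # only CVE-EXAMPLE-2 was actually fixed
```

On the first scan CVE-EXAMPLE-1 lands in "closed" without anyone having fixed anything, which is the behaviour the original poster saw; the delta is what separates "never applied" from "fixed since last scan".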

Thanks CFI, appreciate the detailed response and glad to understand a little bit better the functionality of this software.
