
Vulnerability Analysis

Overview

Network device operating systems can be vulnerable to security flaws. Publicly disclosed vulnerabilities are assigned a CVE (Common Vulnerabilities and Exposures) ID number and a severity level based on their impact. CVEs help IT professionals prioritize and address these vulnerabilities to secure systems and networks.

Networking vendors often fix security vulnerabilities by issuing new OS versions. Therefore, network operators need to evaluate their devices' operating systems regularly. However, the number of vulnerabilities and affected devices can be overwhelming, making it difficult to determine which devices should be updated first.

OS Vulnerability Analysis

To simplify this process, Forward Enterprise provides a network device vulnerability analysis tool. This tool automatically compares CVE information from the vendors and the NIST National Vulnerability Database (NVD) with the OS versions running on your devices, producing a list of possibly affected devices and related vulnerabilities.

  • CVE Database Updates: The CVE database on Forward SaaS is updated daily. On-premises deployments receive the CVE database with each release but can also update it independently. For more information, see Update CVE database.

info

Vulnerability analysis is available for most of the OS versions and vendors that Forward Enterprise supports.

Enhanced Vulnerability Analysis

Some vulnerabilities impact devices only if specific configurations are present, specific features are enabled, or the device is deployed in a certain way.

Some vendors, like Cisco, publish detailed descriptions of some CVEs, including the specific configurations that make a device vulnerable. This information is published on vendor-specific sites, for example the Cisco Security Advisories page.

Forward Enterprise's Enhanced Vulnerability Analysis incorporates these descriptions and automatically checks them against device configurations. This helps determine a device's actual vulnerability status, aiding in prioritizing remediation efforts.

warning

Even with enhanced analysis, we always recommend checking the details of the CVE before deciding the next appropriate actions.

note

Enhanced analysis is currently available on CVEs affecting A10, Arista, Checkpoint, Cisco, Dell, Fortinet, F5, Juniper, and Palo Alto Networks devices. The specific list of OS versions with enhanced analysis is published within the Feature Matrix section of the documentation. Forward Enterprise will continue to expand the number of CVEs and vendors in future releases of the Forward vulnerability database.

The following NQE query can be used to retrieve the complete list of device vendors and OSes with enhanced analysis support:

foreach cveDatabase in [network.cveDatabase]
foreach cve in cveDatabase.cves
foreach vendorInfo in cve.vendorInfos
foreach criteria in vendorInfo.criteria
where criteria.osCriteria.dependsOnConfig == true
select distinct {
  vendor: vendorInfo.vendor,
  os: criteria.osCriteria.OS
}

To view the Vulnerability Analysis page, navigate to Security > Vulnerability from the left navigation menu.

The Vulnerability Analysis page has two tabbed views, Devices and CVEs. Each tab shows a set of key metrics at the top, followed by a list of CVE-specific information filtered for that view.

Devices Tab

The Devices tab is the default view when navigating the page. This tab applies a device-centric filter to the vulnerabilities list, focusing on listing all CVEs detected for each impacted device.

Key Metrics at the top of this tab display numerical counts for device-related vulnerability data:

  • Devices analyzed: Total number of devices included in the analysis.
  • Devices vulnerable: Number of devices confirmed as vulnerable, with counts broken down by:
    • Impacted by CVEs with known exploits
    • Addressable from the Internet
    • Impacted by recent CVEs (last 30 days)
  • Devices potentially vulnerable: Number of devices that may be exposed to CVEs but cannot be validated because configuration checks are unsupported or inconclusive. Counts are broken down by:
    • Impacted by CVEs with known exploits
    • Addressable from the Internet
    • Impacted by recent CVEs (last 30 days)

Clicking any metric applies a filter to the displayed results.

Screenshot of device-centric view

Each row in the list of devices includes the following details:

  • Name: The name of the device. Clicking the device name opens a new browser tab in Search, displaying the Device Details drawer with additional information about the device for further investigation.
  • Result summary: Displays a summary of the device status based on the currently applied filters: Vulnerable, Potentially vulnerable, Config not vulnerable.
  • CVE detection results: Describes how the CVE was identified on the device. See Detection Results for details on result categories.
  • CVE count by known exploits: Shows how many detected CVEs on the device have documented exploits. Filter options include Has known exploits and No known exploits.
  • CVE severities: Lists the number of detected CVEs at each severity level, from Critical to Low.
  • CVE ages: Lists the number of detected CVEs in each age bucket (past 30 days, 1 month to 12 months, older than 1 year).
  • CVE base score: The base score of the CVE, representing the severity of the vulnerability.
  • CVE published date: The date when the CVE was officially published.
  • Internet addressable: Indicates whether the device receives traffic from the Internet, which can impact its vulnerability risk.
  • Vendor: The vendor of the device.
  • OS: The operating system of the device.
  • OS Version: The specific OS version running on the device.
  • Tags: Tags associated with the impacted devices for easier identification and filtering.
  • Location: Assigned location of the device.

Clicking the View details icon opens a drawer with additional information about the selected device. The drawer displays:

  • Device details: Displays device-specific information.
  • Detection results: Displays the number of detection results for configs confirmed vulnerable and configs confirmed not vulnerable.
  • CVE severities: Displays the count of CVE severities detected on the device, broken into categories: Critical, High, Medium.

The drawer also provides a table of known exploits, with the following details for each CVE:

  • CVE ID: The unique identifier for each CVE. Clicking this opens detailed CVE information, including associated CWE (Common Weakness Enumeration) and KEV (Known Exploited Vulnerabilities) identifiers when available. Both CWE and KEV values are clickable links to external references.
  • Detection result: Describes how the CVE was identified on the device. See Detection Results for details on result categories.
  • Severity: The severity rating of the CVE.
  • CVE base score: The CVSS base score of the CVE.
  • Published date: The date when the CVE was officially published.
  • CWE: Associated CWE identifiers, hyperlinked to the MITRE CWE database.
  • Description: A brief description of the CVE and its impact.
  • Known Exploits: Shows if the CVE has a published exploit. Entries display the source (CISA or vendor). CISA entries link directly to the CISA Known Exploited Vulnerabilities Catalog.
  • CVE age: Displays the age of the CVE.

Screenshot of additional device details

Detection Results

The detection result indicates how a device's vulnerability status was determined. Results fall into one of five categories:

  • Vulnerable: Configuration-independent vulnerability (Platform)
  • Potentially Vulnerable: Config detection not supported (Platform)
  • Potentially Vulnerable: Unable to confirm configuration (Platform)
  • Vulnerable: Config confirmed vulnerable (Platform and configuration)
  • Not Vulnerable: Config confirmed not vulnerable (Platform and configuration)

In the UI, results are color-coded by severity:

  • Vulnerable (red)
  • Potentially Vulnerable (orange)
  • Not Vulnerable (black)

Explanation of Detection Result Types
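As an added illustration (not code from Forward Enterprise or this page), the following Python models the five detection-result categories listed above and then orders findings by the same signals the Devices tab's key metrics expose: confirmed versus potential status, known exploits, Internet addressability, publication within the last 30 days, and severity. The priority order among those signals and the sample findings (placeholder CVE ids) are assumptions made for the example, not Forward's ranking.

```python
from collections import namedtuple
from datetime import date, timedelta
from typing import List, Optional

# The five detection-result categories named on this page.
VULN_PLATFORM = "Vulnerable: Configuration-independent vulnerability"
POT_UNSUPPORTED = "Potentially Vulnerable: Config detection not supported"
POT_UNCONFIRMED = "Potentially Vulnerable: Unable to confirm configuration"
VULN_CONFIG = "Vulnerable: Config confirmed vulnerable"
NOT_VULN_CONFIG = "Not Vulnerable: Config confirmed not vulnerable"
SEVERITY_RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}


def detection_result(depends_on_config: bool, config_check_supported: bool,
                     config_matches: Optional[bool]) -> str:
    """Classify a device whose OS version is in a CVE's affected range.
    config_matches is None when the configuration check was inconclusive."""
    if not depends_on_config:
        return VULN_PLATFORM        # version match alone decides the result
    if not config_check_supported:
        return POT_UNSUPPORTED      # no enhanced analysis for this CVE/OS
    if config_matches is None:
        return POT_UNCONFIRMED
    return VULN_CONFIG if config_matches else NOT_VULN_CONFIG


Finding = namedtuple("Finding", "device cve_id severity published known_exploit internet_addressable result")


def triage_key(f: Finding, today: date):
    """Sort key (higher first) from the page's own signals: confirmed over potential,
    known exploit, Internet exposure, published in the last 30 days, severity.
    The ordering of these signals is an assumption for the example, not Forward's ranking."""
    confirmed = f.result in (VULN_PLATFORM, VULN_CONFIG)
    recent = today - f.published <= timedelta(days=30)
    return (confirmed, f.known_exploit, f.internet_addressable, recent,
            SEVERITY_RANK.get(f.severity, 0))


def prioritize(findings: List[Finding], today: date) -> List[str]:
    """Return 'device cve' strings in patch order, dropping 'Not Vulnerable' rows."""
    live = [f for f in findings if f.result != NOT_VULN_CONFIG]
    live.sort(key=lambda f: triage_key(f, today), reverse=True)
    return [f"{f.device} {f.cve_id}" for f in live]


# Constructed sample findings with placeholder CVE ids (not real records).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("edge-rtr-1", "CVE-0000-0001", "High", date(2024, 5, 20), True, True, detection_result(True, True, True)),
    Finding("core-sw-2", "CVE-0000-0002", "Critical", date(2023, 1, 5), False, False, detection_result(False, False, None)),
    Finding("dc-fw-3", "CVE-0000-0003", "Critical", date(2024, 5, 28), True, True, detection_result(True, True, False)),
    Finding("wan-rtr-4", "CVE-0000-0004", "Medium", date(2024, 5, 25), True, True, detection_result(True, False, None)),
]
```

Running `prioritize(SAMPLE, TODAY)` lists the confirmed, exploited, Internet-addressable device first and drops the device whose configuration was confirmed not vulnerable.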

CVEs Tab

Selecting the CVEs tab applies a CVE-centric filter to the vulnerabilities list.

Key Metrics at the top of this tab display numerical counts for CVE-related data:

  • Total CVEs detected: Overall number of CVEs identified.
  • CVEs affecting devices: Number of CVEs confirmed to impact devices, with counts broken down by:
    • CVEs with known exploits
    • CVEs impacting Internet-addressable devices
    • Recent CVEs (last 30 days)
  • CVEs possibly affecting devices: Number of CVEs that may impact devices, with counts broken down by:
    • CVEs with known exploits
    • CVEs impacting Internet-addressable devices
    • Recent CVEs (last 30 days)

Screenshot of CVE-centric view

The CVEs list includes:

  • CVE ID: The unique identifier for each CVE. Clicking this opens detailed CVE information, including associated CWE (Common Weakness Enumeration) and KEV (Known Exploited Vulnerabilities) identifiers when available. Both CWE and KEV values are clickable links to external references.
  • Severity: The severity rating of the CVE, indicating how critical the vulnerability is.
  • CVE base score: The base score of the CVE, representing the severity of the vulnerability.
  • Published date: The date when the CVE was officially published.
  • Description: A brief description of the CVE and its impact.
  • Enhanced analysis available: Indicates whether configuration-based vulnerability detection is supported for this CVE.
  • Known exploits: Shows if a CVE has a published exploit. Entries display the source (CISA or vendor). CISA entries link directly to the CISA Known Exploited Vulnerabilities Catalog.
  • Vendor: The vendor of the devices affected by the CVE.
  • OS: The operating system affected by the CVE.
  • Versions: The operating system versions affected by the CVE.
  • Devices impacted: The number of devices affected by the CVE.
  • Tags on impacted devices: Tags associated with the impacted devices for easier identification and filtering.
  • Locations of impacted devices: The assigned location of the impacted devices.
  • Receives traffic from Internet: Indicates whether the affected devices have interfaces exposed to the Internet.

Clicking the View details icon opens a drawer with additional information about the selected CVE. The drawer displays:

  • Severity: The severity rating of the CVE.
  • CWE classification: Associated CWE identifiers, hyperlinked to the MITRE CWE database.
  • CVE base score: The CVSS base score of the CVE.
  • Published date: The date when the CVE was officially published.
  • Description: A brief description of the CVE and its impact.
  • Enhanced analysis available: Indicates whether configuration-based vulnerability detection is supported.
  • Vendor / OS: The vendor and affected operating systems.
  • Vendor advisory: A link to the vendor’s published advisory, if available.
  • Known Exploits: Shows if the CVE has a published exploit. Entries display the source (CISA or vendor). CISA entries link directly to the CISA Known Exploited Vulnerabilities Catalog.

Screenshot of additional CVE details

The drawer also provides a table of impacted devices, with the following details for each device:

  • Device: The name of the impacted device. Clicking this will provide more detailed information about the device.
  • Detection Result: Describes how the CVE was detected on the device.
  • Locations: The assigned location of the impacted devices.
  • Receives traffic from Internet: Indicates whether the device receives traffic from the Internet.
  • Model: The model of the impacted device.
  • OS version: The operating system version running on the impacted device.
  • Management IPs: The management IP addresses of the impacted device.

Clicking View matching config at the end of each row displays the lines of the device's configuration that match the vulnerable-configuration criteria of that CVE.

To search for a CVE, enter its CVE ID in the vulnerabilities table. The search has one of three outcomes:

  • At least one device is affected by the vulnerability.
  • No vulnerabilities were detected for the given CVE ID.
  • The CVE ID is not present in the Forward CVE database (it may be outdated, irrelevant to supported vendors, or outside the date range included).

CVE Database Update

On Forward SaaS, the CVE database is updated daily. For on-premises deployments, the CVE database is updated with each Forward Enterprise release but can be updated anytime.

note

The CVE database that Forward Networks maintains may not include hardware vulnerabilities, or older CVEs that were neither created nor updated after January 1st, 2014.

Update via the Forward Enterprise GUI

  1. Download the latest CVE database from the CVE Update page.
  2. Navigate to Security > Vulnerability from the left navigation menu.
  3. Click Update CVE database (top right corner) to upload the CVE database. Optionally, enter the Checksum to verify the file's integrity.
  4. Click Update.

Update via the Forward Enterprise REST APIs

  1. Download the CVE Database: Any user with Org Admin privileges can download the latest CVE database from Forward Software Central using the Forward REST APIs via GET /api/cve-index. It returns the CVE database as a gzipped binary (.bin.gz) file.
  2. Update the CVE Database: A user with Org Admin privileges can update the CVE database using the Forward REST APIs via PUT /api/cve-index.

For detailed instructions, see the REST API docs.
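The following Python is an added example, not Forward's own tooling, that automates the two REST steps above and refuses to upload a file that is not a complete gzip stream or that fails the optional checksum. Only the two endpoints come from the page; HTTP Basic authentication, SHA-256 as the checksum algorithm, the octet-stream content type, and the two base URLs are assumptions.

```python
import base64
import gzip
import hashlib
import hmac
import urllib.request


def verify_checksum(data: bytes, expected_hex: str) -> bool:
    """Compare the file's SHA-256 with the published checksum (SHA-256 is an assumption)."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.strip().lower())


def looks_like_cve_index(data: bytes) -> bool:
    """Sanity-check that the payload is a complete, non-empty gzip stream (.bin.gz)."""
    if not data.startswith(b"\x1f\x8b"):   # gzip magic bytes
        return False
    try:
        return len(gzip.decompress(data)) > 0
    except (OSError, EOFError):            # truncated or corrupt stream
        return False


def _auth(user: str, password: str) -> dict:
    # HTTP Basic auth is an assumption about the Forward REST API.
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}


def download_cve_index(software_central_url: str, user: str, password: str) -> bytes:
    """GET /api/cve-index from Forward Software Central with Org Admin credentials."""
    req = urllib.request.Request(f"{software_central_url}/api/cve-index", headers=_auth(user, password))
    with urllib.request.urlopen(req, timeout=120) as resp:
        return resp.read()


def upload_cve_index(instance_url: str, user: str, password: str, data: bytes) -> int:
    """PUT /api/cve-index on the on-premises instance; returns the HTTP status code."""
    headers = {**_auth(user, password), "Content-Type": "application/octet-stream"}  # content type assumed
    req = urllib.request.Request(f"{instance_url}/api/cve-index", data=data, method="PUT", headers=headers)
    with urllib.request.urlopen(req, timeout=300) as resp:
        return resp.status


def update_cve_database(software_central_url, instance_url, user, password, expected_sha256=None) -> int:
    """Download, verify, then upload; never upload a payload that fails the checks."""
    data = download_cve_index(software_central_url, user, password)
    if not looks_like_cve_index(data):
        raise ValueError("downloaded payload is not a gzip stream")
    if expected_sha256 and not verify_checksum(data, expected_sha256):
        raise ValueError("checksum mismatch: refusing to upload the CVE database")
    return upload_cve_index(instance_url, user, password, data)


SAMPLE_INDEX = gzip.compress(b"constructed placeholder CVE index payload")  # stands in for a real .bin.gz
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_INDEX).hexdigest()
```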