AnsweredAssumed Answered

CVE vs. QID

Question asked by Chris Jones on Jan 20, 2020
Latest reply on Jan 31, 2020 by Jake VanMast

Hi All,

 

Thought I would raise a finding here which I feel is questionable. Interested to hear other viewpoints.

 

This is regarding the recent MS Vulnerability, CryptAPI. The CVE reference is 2020-0601. Microsoft have patched this as part of the January 2020 roll up - In other words, lots of additional CVE's are covered in the patch.

 

Qualys have released 2 QID's - 91595 & 91596.

91595 relates explicitly to CVE-2020-0601 and provides results based on this specific vulnerability ONLY. This is a 1-2-1 mapping (1 QID, 1 CVE)

91596 relates to the patch and the list of CVE's which are re-mediated by deploying the patch. This is a 1-2-Many mapping where 1 QID covers multiple CVE's (Quite common)

 

My issue is when I search for QID 91595 I get 57 Assets.

When I search for CVE-2020-0601, I get over 120 assets.....

 

The 120+ assets include OS's NOT vulnerable to the CVE.

It seems that the search for CVE-2020-0601 is translating the search to QID 91596, then returning ALL the windows assets that need the January patch, even though 70 or so aren't vulnerable to CVE-2020-0601?

 

Surely CVE-2020-0601 should return ONLY those assets which are vulnerable and not those assets which need the same patch, despite not being vulnerable to one of the CVE's.

 

Hope that makes sense - Look forward to hearing opinions on this. Maybe rdellimmagine or DMFezzaReed could clarify???

Outcomes