
Known vulnerabilities

Software Composition Analysis (SCA) is an essential practice in the security of IoT devices. It is crucial to identify and manage all the third-party components that are used in IoT firmware to prevent any security vulnerabilities that can be exploited by attackers. This is particularly important because many IoT devices run on embedded Linux firmware that often includes a complex mix of open-source and proprietary software components. To ensure that the IoT devices are secure, it is important to have an accurate and up-to-date Software Bill of Materials (SBOM) that lists all the components used in the firmware.

BugProve helps reduce the time and resources required to manually analyze the firmware, and provides a reliable and comprehensive inventory of all the components. The tool can automatically scan the firmware, identify open-source and proprietary components used, and generate an SBOM that can be used for further analysis and management. With an automated SCA tool, like BugProve, security professionals can easily identify and track vulnerabilities or issues associated with the components used in the firmware and take necessary action to mitigate them.

Below, we explain the pieces of information shown on BugProve’s Known Vulnerabilities page to help you streamline your Product Security processes with automated dependency scanning.

Summary

Known Vulnerabilities page for firmware image scans

The summary view of Known Vulnerabilities collects the detected dependencies and their associated CVEs in a table.

You can filter results using the tabulated controls.

  • All
    This option shows all CVEs that BugProve found to be affecting the system.

  • Application
    This option filters the table to include only user-space components, such as open source libraries or executables/utilities.

  • Kernel
    This option filters the table to include only CVEs associated with the Linux kernel.

For each CVE row, we display the most important information:

  • Severity
  • CVSS score
  • CVE ID
  • Component name
  • Component version
  • Attack vector

CVE Details

CVE details for firmware image scans

Clicking on a CVE brings up the detailed view, including a summary, an in-depth description, and solutions for mitigation.

You will be able to see the following data.

Header

The header contains essential basic information on the CVE.

  • Component name
  • Status
  • Published
  • Last modified
  • Source

Description

The description provides detail on the component version and the particular attack vector, including technical information.

CVSS score
We display the score for the applicable CVSS version, including:

  • Base severity
  • Attack vector
  • Vector string
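As an added illustration (not BugProve's code or output), the following Python model shows how the summary-table columns listed earlier and the CVSS details above fit together: base severity is derived from the CVSS base score, the attack vector is parsed from the vector string, and the All / Application / Kernel tabs are applied to the list of findings. All sample data is constructed, and the CVE ids are placeholders.

```python
from dataclasses import dataclass

# CVSS v3.x qualitative severity bands (upper bound of each band, inclusive).
_SEVERITY_BANDS = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical"))
# Spelled-out values of the AV (Attack Vector) metric of a CVSS v3.x vector string.
_ATTACK_VECTORS = {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}
# The three tabs of the summary view; kernel CVEs are flagged on the finding itself.
_TABS = {"All": lambda f: True, "Kernel": lambda f: f.kernel, "Application": lambda f: not f.kernel}

def base_severity(score: float) -> str:
    """Map a CVSS v3.x base score (0.0 to 10.0) onto its qualitative severity label."""
    for upper, label in _SEVERITY_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"CVSS base score out of range: {score}")

def attack_vector(vector_string: str) -> str:
    """Extract the AV metric from e.g. 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'."""
    prefix, *metrics = vector_string.split("/")
    if not prefix.startswith("CVSS:3."):
        raise ValueError(f"unsupported vector string: {vector_string}")
    return _ATTACK_VECTORS[dict(m.split(":", 1) for m in metrics)["AV"]]

@dataclass
class Finding:
    cve_id: str
    component: str
    version: str
    score: float
    vector: str
    kernel: bool  # True when the affected component is the Linux kernel

    def row(self) -> dict:
        """One row of the summary table: the six columns listed on this page."""
        return {"Severity": base_severity(self.score), "CVSS score": self.score,
                "CVE ID": self.cve_id, "Component name": self.component,
                "Component version": self.version, "Attack vector": attack_vector(self.vector)}

def filter_findings(findings: list, tab: str) -> list:
    """Apply the All / Application / Kernel tab to the list of findings."""
    return [f for f in findings if _TABS[tab](f)]

# Constructed sample findings: placeholder CVE ids and made-up scores, not real advisories.
SAMPLE = [
    Finding("CVE-0000-0001", "busybox", "1.30.1", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", False),
    Finding("CVE-0000-0002", "linux", "4.9.37", 7.8, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", True),
    Finding("CVE-0000-0003", "openssl", "1.0.2k", 5.9, "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", False),
]
```

Calling `[f.row() for f in filter_findings(SAMPLE, "Kernel")]` yields only the kernel row, with its severity shown as High and its attack vector as Local.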

CWE category
This is the common weakness enumeration category for the CVE. For more information, please refer to https://cwe.mitre.org/.

References
Links to sources providing more technical information on the particular issue.

Affected files
We link the files on the file system that are affected by the CVE.