Usman2ABN/TCERT-Tesorion_Vulnerability_Explorer
Tesorion Vulnerability Explorer

Tesorion Vulnerability Explorer is an easy-to-use application that supports incident response teams in finding the vulnerabilities of a given application and enriching them with information to score the probability of exploitation, using EPSS.

Determining how an adversary gained access to the IT infrastructure is essential during incident response cases. The adversary's trail may lead to an application or device which "magically" led to initial access, privilege escalation or lateral movement. The "magic" in these cases is the exploitation of a vulnerability residing in that application or device.

With the vast number of applications and devices in use today, it is impossible to be aware of all vulnerabilities. Being able to quickly identify relevant vulnerabilities, specifically those with a high chance of exploitation, will enhance the abilities of incident response teams to quickly respond and minimise impact.

The Common Vulnerability Scoring System (CVSS) is a well-known system developed by FIRST. CVSS is a powerful metric for scoring the potential impact of a vulnerability, but not the likelihood of that vulnerability being exploited. That is where the Exploit Prediction Scoring System (EPSS), also developed by FIRST, comes into play. EPSS scores the chance that a vulnerability will be exploited in the 30 days following a given date.

Although the initial use case for developing EPSS was the prioritization of patches during a patch management process, T-CERT (Tesorion Computer Emergency Response Team) believes it can also be used to identify potentially exploited vulnerabilities during an incident response engagement. To leverage the power of EPSS, T-CERT created the Tesorion Vulnerability Explorer application. This easy-to-use application enriches the NIST NVD CVE database with the corresponding CVSS and EPSS scores as well as the CISA Known Exploited Vulnerabilities (KEV) catalog. Using the Common Platform Enumeration (CPE) naming system, you can easily filter for a specific product.

The Tesorion Vulnerability Explorer gets its power from combining different scoring systems and frameworks. More information about those can be found in the overview below:

  • EPSS - Exploit Prediction Scoring System - An open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. This system is built and maintained by FIRST.
  • CVE - Common Vulnerabilities and Exposures - The registration system for keeping track of known vulnerabilities. Tesorion Vulnerability Explorer uses the enriched dataset from the NIST NVD, which is built upon and fully synchronized with the CVE List.
  • CVSS - Common Vulnerability Scoring System - An open framework for communicating the characteristics and severity of software vulnerabilities. The framework is developed and maintained by FIRST. The scores for individual CVEs are assigned by NIST NVD.
  • CPE - Common Platform Enumeration - A structured naming scheme for information technology systems, software, and packages. The CVE information from the NVD is enriched with the impacted products in the CPE format. Tesorion Vulnerability Explorer leverages this format to select vulnerabilities for specific products.
  • CISA KEV catalog - CISA Known Exploited Vulnerabilities catalog - CISA keeps track of vulnerabilities identified as known to be exploited in the wild.
  • CWE - Common Weakness Enumeration - A community-developed system to categorize hardware and software weaknesses and vulnerabilities.

We credit FIRST, NIST, CISA and Mitre for their effort building and maintaining the respective scoring systems and frameworks.

Getting started

For Windows

  • Download the released executable. All required packages are included.
  • Start the executable; no external dependencies are needed.

For Windows, MacOS and Linux

  • Make sure you have Python 3 installed
  • Clone the repository
  • Install the required packages:
    pip install -r requirements.txt
  • Make sure you have Python Tkinter installed:
    • Windows - Part of the Python installer
    • Linux - Install the python3-tk package:
      apt-get install python3-tk
    • MacOS - Install the Tkinter package:
      brew install tkinter
  • Start the application (the filename contains spaces, so quote it):
    python3 "Tesorion Vulnerability Explorer.py"

First time usage

During the first start, an SQLite database is created in the current working directory. To fill the database with CVE, CVSS, EPSS, KEV and CWE data, perform the following actions:

  • Click the button "Update all". This performs the following actions:
    • Update CVE - Download all CVE and CVSS information from the NVD since the given year.
    • Update CISA KEV - Download the CVEs listed by CISA as known exploited.
    • Update EPSS - Download the EPSS scores from FIRST for all existing CVEs.
    • Update CWE - Download the CWE information from Mitre.
  • Monitor the process using the console at the bottom of the screen.
  • Once all data is loaded, the tables are populated and ready to use.

Usage

Regular user flow:

  • Make sure your data is up-to-date. You can hit either the "Update All" button to update all sources, or the specific update buttons to update the information of a specific source.
  • Filter on either CPE, CVE or file-input to find relevant vulnerabilities.
  • You can sort on a column by clicking the respective header.
  • You can view more detailed information regarding a vulnerability by double-clicking an item in the table. A pop-up will be displayed.
  • Export data to Excel for more fine-grained searching or reporting purposes. The current filter is applied to the export.

Behaviour

CPE filter

You apply either the CPE, CVE or file-input filter.

Provide a valid CPE filter string and hit the button "Filter on CPE". With the help of the respective NIST API, the CVE number(s) of products matching the CPE filter are returned. This is limited to the first 2000 CPE matches. When the limit is reached, a warning is given in the console at the bottom of the screen; make the CPE filter more specific to reduce the number of matches.

One CPE match may be related to multiple CVEs, and several CPE matches can have overlapping CVEs; these are deduplicated.

The following format is used to build a CPE filter string. Each field may contain a wildcard (*), except for the "cpe:2.3" part.

cpe:2.3:<part>:<vendor>:<product>:<version>:<update>:<edition> 

Fields explained:

  • cpe:2.3 - a static string for the CPE version used, already prefilled in the search box.
  • <part> - one of the following three options:
    • a - application
    • o - operating system
    • h - hardware
  • <vendor> - The name of the vendor.
  • <product> - The name of the product.
  • <version> - The version of the product.
  • <update> - Update or service pack information, also referred to as minor version.
  • <edition> - A further granularity describing the build of the product.

NIST developed a search engine for CPE on their website, which is a great help for building and testing your CPE filter strings. You can find the engine here: https://nvd.nist.gov/products/cpe/search
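As an added illustration, not code from the Tesorion Vulnerability Explorer project, the following Python parses a filter string in the format above, checks the fixed "cpe:2.3" prefix and the part value, and matches the filter against product CPE strings with the same wildcard semantics, so a filter can be sanity-checked locally before it is sent to the NVD API. It goes slightly beyond the six fields listed above: a CPE 2.3 formatted string carries eleven components after the prefix, and a shorter filter is padded with "*" for the ones it omits. The vendor, product and CVE ids in the sample catalogue are constructed placeholders.

```python
"""Parse, validate and match CPE 2.3 filter strings with wildcards."""
import re

# Components that follow the fixed "cpe:2.3" prefix. The README lists the
# first six; the CPE 2.3 specification defines eleven in total, and a
# shorter filter is padded with the "any" wildcard for the missing ones.
CPE_FIELDS = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)
PREFIX = "cpe:2.3"
VALID_PARTS = {"a", "o", "h", "*"}


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 string into named components.

    Raises ValueError for a wrong prefix, an invalid <part> or too many
    components. Trailing components that are absent are taken as '*'.
    Caveat: a plain split does not handle escaped colons (\\:) in values.
    """
    tokens = cpe.strip().split(":")
    if len(tokens) < 3 or ":".join(tokens[:2]) != PREFIX:
        raise ValueError(f"CPE filter must start with '{PREFIX}:'")
    components = tokens[2:]
    if len(components) > len(CPE_FIELDS):
        raise ValueError("too many components for a CPE 2.3 string")
    components += ["*"] * (len(CPE_FIELDS) - len(components))
    fields = dict(zip(CPE_FIELDS, components))
    if fields["part"] not in VALID_PARTS:
        raise ValueError("<part> must be a (application), o (OS) or h (hardware)")
    return fields


def _field_matches(pattern: str, value: str) -> bool:
    """Compare one component; '*' in the filter matches any run of characters."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def cpe_matches(filter_cpe: str, product_cpe: str) -> bool:
    """True when every component of the filter matches the product CPE."""
    flt, prod = parse_cpe(filter_cpe), parse_cpe(product_cpe)
    return all(_field_matches(flt[name], prod[name]) for name in CPE_FIELDS)


def filter_cves(filter_cpe: str, catalogue: dict) -> list:
    """Deduplicated, sorted CVE ids of every catalogue product the filter matches.

    `catalogue` maps a product CPE to the CVE ids affecting it; it stands in
    for the CPE-to-CVE mapping the NVD API returns.
    """
    found = set()
    for product_cpe, cves in catalogue.items():
        if cpe_matches(filter_cpe, product_cpe):
            found.update(cves)
    return sorted(found)


# Constructed placeholder data: vendor, product and CVE ids are not real.
SAMPLE_CATALOGUE = {
    "cpe:2.3:a:examplevendor:webapp:1.0:*:*:*:*:*:*:*": ["CVE-0000-0001", "CVE-0000-0002"],
    "cpe:2.3:a:examplevendor:webapp:1.1:*:*:*:*:*:*:*": ["CVE-0000-0002"],
    "cpe:2.3:o:examplevendor:firmware:2.0:sp1:*:*:*:*:*:*": ["CVE-0000-0003"],
}

if __name__ == "__main__":
    for flt in ("cpe:2.3:a:examplevendor:webapp:*",
                "cpe:2.3:a:examplevendor:webapp:1.1",
                "cpe:2.3:*:examplevendor:*"):
        print(flt, "->", filter_cves(flt, SAMPLE_CATALOGUE))
```

Running the block shows how the number of hits shrinks as the filter gets more specific, which is the same lever the README recommends when the 2000-match limit is reached.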

CVE filter

You apply either the CPE, CVE or file-input filter.

Enter a valid CVE number, or multiple CVE numbers separated by a comma (,) and click the button "Filter on CVE".

File filter

You apply either the CPE, CVE or file-input filter.

Whitespace is not allowed in the filename.

Enter the filename containing the CVE information to be imported, choose the file type and click the button "Filter on File". The file type is either "TXT" or "OSV":

  • TXT - any text file containing CVE information. There are no specific format requirements; TVE extracts the CVE ids with the help of a regular expression.
  • OSV - the JSON output of the OSV-Scanner. More information: https://osv.dev/#use-the-cli. E.g.:
    osv-scanner -r --json <PATH_TO_YOUR_PROJECT> > osv-output.json
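The three ways of supplying CVE ids described above (the comma-separated "Filter on CVE" input, a free-text TXT file and OSV-Scanner JSON) in one added Python example; this is not the project's own code. The CVE-id regular expression, the walk over a results / packages / vulnerabilities structure that I assume OSV-Scanner's --json output uses, and all sample data are my own assumptions and constructed placeholders. Ids are normalised to upper case and deduplicated, and malformed entries are dropped rather than passed on to a database query.

```python
"""Collect CVE ids from the three filter inputs: a comma-separated list,
an arbitrary text file and OSV-Scanner JSON output."""
import json
import re

# CVE id syntax: "CVE-" + four-digit year + four or more digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def normalise(candidates) -> list:
    """Upper-case, deduplicate and sort; anything not a well-formed id is dropped."""
    cleaned = (c.strip() for c in candidates)
    return sorted({c.upper() for c in cleaned if CVE_RE.fullmatch(c)})


def cves_from_list(text: str) -> list:
    """Input of the 'Filter on CVE' box: CVE ids separated by commas."""
    return normalise(text.split(","))


def cves_from_txt(text: str) -> list:
    """TXT filter: extract every CVE id wherever it appears in free text."""
    return normalise(CVE_RE.findall(text))


def cves_from_osv(osv_json: str) -> list:
    """OSV filter: walk results -> packages -> vulnerabilities and collect
    each entry's id and aliases (OSV ids are often GHSA-*, with the CVE id
    only in the aliases list). Assumes OSV-Scanner's --json layout.
    """
    doc = json.loads(osv_json)
    found = []
    for result in doc.get("results", []):
        for pkg in result.get("packages", []):
            for vuln in pkg.get("vulnerabilities", []):
                found.append(vuln.get("id", ""))
                found.extend(vuln.get("aliases", []))
    return normalise(found)


# Constructed sample inputs; the CVE ids are placeholders, not real entries.
SAMPLE_TXT = """Scan report (constructed)
host-a: cve-0000-0001, CVE-0000-0002 (see ticket 42)
host-b: CVE-0000-0002 again, plus not-a-cve-0000 and CVE-12-3
"""
SAMPLE_OSV = json.dumps({
    "results": [{
        "source": {"path": "/project/requirements.txt", "type": "lockfile"},
        "packages": [{
            "package": {"name": "examplelib", "version": "1.0.0", "ecosystem": "PyPI"},
            "vulnerabilities": [
                {"id": "GHSA-xxxx-xxxx-xxxx", "aliases": ["CVE-0000-0003"]},
                {"id": "CVE-0000-0004", "aliases": []},
            ],
        }],
    }],
})

if __name__ == "__main__":
    print(cves_from_list("CVE-0000-0001, cve-0000-0002,,bogus"))
    print(cves_from_txt(SAMPLE_TXT))
    print(cves_from_osv(SAMPLE_OSV))
```

The same `normalise` step serves all three inputs, which is what keeps duplicates across a TXT file and an OSV report from turning into duplicate rows in the result table.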

Clear filter

You apply either the CPE, CVE or file-input filter.

Remove the current filter and display all available CVEs. Selecting a filter will automatically deactivate any previous filter (if applied).

Enter the "Dark"

Enable dark mode

Back to the "Light"

Enable light mode

Export to Excel

Export the currently displayed CVEs to Excel. The current filter is applied to the export. By removing all filters, a full export of all data can be created.

Update CVE

The CVE and CVSS information is updated from the NIST NVD. Data is downloaded per year, starting from the given year, and only if newer data is available. The data is stored in the Tesorion Vulnerability Explorer database. If the year is changed, data is either downloaded to or removed from the database accordingly.

Update CISA KEV

The CISA KEV catalog is downloaded from CISA and stored in the Tesorion Vulnerability Explorer database.

Update EPSS

The EPSS information is downloaded from FIRST for the given date and stored in the Tesorion Vulnerability Explorer database.

Update CWE

The CWE information is downloaded from Mitre and stored in the Tesorion Vulnerability Explorer database. The CWE ID and a short description are stored for enrichment purposes.

Update all

Perform an update on all data sources. This will perform the following actions:

  • Update CVE - Download all CVE and CVSS information from the NIST NVD since the given year.
  • Update CISA KEV - Download the CVEs listed by CISA as known exploited.
  • Update EPSS - Download the EPSS scores from FIRST, for all existing CVEs.
  • Update CWE - Download the CWE information from Mitre.

EPSS Date

The EPSS framework includes a time element, as the probability of exploitation of a vulnerability is time dependent. The value of this field is used by the "Update EPSS" process. The EPSS date must be in the past and in the format "yyyy-mm-dd". By default the field is populated with yesterday's date, as the data for today might not be available yet.
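An added Python example, not the project's own code, covering the "Update EPSS" and "EPSS Date" sections together: it validates the date the way the README describes (yyyy-mm-dd, strictly in the past, defaulting to yesterday), parses an EPSS score file, and joins the scores with a KEV set and CVSS base scores to produce the ranking the tool is built around. The file layout assumed here (a leading "#" metadata line followed by a cve,epss,percentile table) is my understanding of FIRST's daily CSV; the ids and scores in the sample are constructed placeholders, not FIRST, CISA or NVD data.

```python
"""Validate the EPSS score date and combine EPSS, KEV and CVSS for a CVE list."""
import csv
import re
from datetime import date, timedelta
from typing import Optional

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def _today(today: Optional[str]) -> date:
    """'today' may be injected as yyyy-mm-dd so the logic is testable."""
    return date.fromisoformat(today) if today else date.today()


def default_epss_date(today: Optional[str] = None) -> str:
    """Yesterday, since FIRST's file for the current day may not be out yet."""
    return (_today(today) - timedelta(days=1)).isoformat()


def validate_epss_date(value: str, today: Optional[str] = None) -> str:
    """Accept only a yyyy-mm-dd string that lies strictly in the past."""
    if not DATE_RE.fullmatch(value):
        raise ValueError(f"EPSS date must be yyyy-mm-dd, got {value!r}")
    parsed = date.fromisoformat(value)          # also rejects e.g. month 13
    if parsed >= _today(today):
        raise ValueError("EPSS date must be in the past")
    return parsed.isoformat()


def is_valid_epss_date(value: str, today: Optional[str] = None) -> bool:
    """Boolean wrapper around validate_epss_date for UI checks."""
    try:
        validate_epss_date(value, today)
        return True
    except ValueError:
        return False


def parse_epss_csv(text: str) -> dict:
    """Map CVE id -> (epss, percentile).

    Assumed layout of FIRST's daily CSV: a leading '#' metadata line
    (model version, score date) followed by a 'cve,epss,percentile' table.
    """
    rows = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return {r["cve"].upper(): (float(r["epss"]), float(r["percentile"]))
            for r in csv.DictReader(rows)}


def enrich(cves, epss: dict, kev: set, cvss: dict) -> list:
    """One row per CVE with all three signals, ordered KEV first, then by EPSS.

    A CVE absent from the EPSS file gets epss=None rather than 0.0, so a
    missing score is not mistaken for a low probability.
    """
    rows = []
    for cve in cves:
        e, p = epss.get(cve, (None, None))
        rows.append({"cve": cve, "cvss": cvss.get(cve), "epss": e,
                     "percentile": p, "kev": cve in kev})
    rows.sort(key=lambda r: (not r["kev"], -(r["epss"] or 0.0)))
    return rows


def ranked_ids(cves, epss: dict, kev: set, cvss: dict) -> list:
    """Just the CVE ids of enrich(), in ranked order."""
    return [r["cve"] for r in enrich(cves, epss, kev, cvss)]


# Constructed sample data: ids and scores are placeholders, not FIRST/CISA/NVD data.
SAMPLE_EPSS = """#model_version:v2023.03.01,score_date:2024-01-09T00:00:00+0000
cve,epss,percentile
CVE-0000-0001,0.00042,0.12
CVE-0000-0002,0.97310,0.998
CVE-0000-0003,0.12000,0.95
"""
SAMPLE_KEV = {"CVE-0000-0003"}
SAMPLE_CVSS = {"CVE-0000-0001": 9.8, "CVE-0000-0002": 7.5,
               "CVE-0000-0003": 8.8, "CVE-0000-0004": 5.3}
SAMPLE_CVES = ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"]

if __name__ == "__main__":
    print("default EPSS date:", default_epss_date())
    for row in enrich(SAMPLE_CVES, parse_epss_csv(SAMPLE_EPSS), SAMPLE_KEV, SAMPLE_CVSS):
        print(row)
```

In the sample, the CVE with the highest CVSS score (9.8) ends up near the bottom because its EPSS probability is tiny, while the KEV entry and the high-EPSS CVE rise to the top; that is exactly the reordering the README argues an incident responder needs.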

Download CVE data since

Allows the user to specify the start year for the download of the NIST NVD data. All data since the given year will be downloaded. By default this value is set to the oldest year available in the database. If no data is available in the database, the default is 10 years in the past. If the year is changed to a more recent year, older data will be removed from the database.

CVE data is available since 1999. The data of 1999-2002 is stored in one file, and is downloaded when the year "2002" is selected.

After changing the year, click the "Update CVE" button to download new data or remove older data.

Console

A listing of the actions performed and events generated by the application.
