Rapid7 scan results may not display the vulnerable path for several reasons, depending on how the scan was configured, how it behaved at run time, and the specific vulnerability being reported.
Here are the key factors that could explain this issue:
1. Web Spidering Settings: If the scan involves web applications, the vulnerable path might not be shown if web spidering is disabled or misconfigured. Rapid7’s InsightVM and Nexpose use a Web Spider feature to probe websites for directory structures, files, and potential vulnerabilities. If this feature is turned off or specific paths are excluded (e.g., via the robots.txt file or scan template settings), the scan may not identify or report vulnerable paths. To resolve this, ensure web spidering is enabled in the scan template and check for any exclusions in the configuration.
2. Scan Template Configuration: The scan template used may not include checks that detect vulnerable paths. Rapid7 allows customization of scan templates to focus on specific vulnerability checks. If the template excludes certain checks (e.g., those related to path-based vulnerabilities like unquoted service paths or directory traversal), the vulnerable path won’t be reported. Verify the scan template settings, particularly the “Vulnerabilities” and “Web Spidering” sections, to ensure relevant checks are enabled.
3. Credentialed vs. Non-Credentialed Scans: Credentialed scans provide deeper access to systems, potentially revealing more detailed information like vulnerable paths (e.g., file system paths for services with problematic permissions). If the scan is non-credentialed, it may lack the access needed to identify specific paths. Ensure proper credentials are provided in the site configuration to enable local checks that could reveal vulnerable paths.
4. Vulnerability Type and Reporting: Not all vulnerabilities reported by Rapid7 include a “vulnerable path” as part of the output. For example, vulnerabilities identified through version checks (e.g., outdated software) or network-based checks may not involve a specific file path. If the vulnerability is not path-related (e.g., a protocol issue or a missing patch), the scan won’t provide a path. Check the vulnerability details to confirm whether a path is relevant to the issue.
5. Scan Diagnostics and False Positives: If Scan Diagnostics checks are enabled, they may report issues like credential failures as “vulnerabilities,” which don’t include paths. Additionally, false positives or overridden checks (e.g., due to backporting or compensating controls like firewalls) might suppress path-related details. Review the vulnerability result codes (e.g., “ov” for overridden version checks or “ep” for excluded potential vulnerabilities) to see if the issue was filtered out.
6. Incomplete or Failed Scans: If the scan was interrupted, paused, or failed (e.g., due to network issues, low memory, or assets going offline), it may not collect complete data, including vulnerable paths. Check the scan status in the Scan Progress table to ensure it completed successfully. If the status is “Failed” or “Incomplete,” review the scan logs for errors and consider restarting the scan.
7. Filtering or Report Configuration: The scan results or reports might be filtered to exclude certain vulnerabilities or details like vulnerable paths. For example, report scope settings or filters based on severity, CVSS score, or vulnerability categories could omit path-related information. Verify the report configuration to ensure it includes all relevant vulnerability categories and details.
8. Specific Asset or Service Behavior: Certain assets, like printers or IoT devices, may not provide path-related data due to their limited HTTP services or configurations. If the scan targets such devices, the results might not include paths. Consider creating a separate site for these assets with tailored scan templates to avoid issues like scan hangs or incomplete data.
Recommended Actions
• Check Scan Template: Go to the scan template configuration in InsightVM or Nexpose and ensure that web spidering and relevant vulnerability checks (e.g., for unquoted service paths or directory traversal) are enabled.
• Enable Credentials: Use credentialed scanning to allow deeper access to file systems and services, which may reveal vulnerable paths.
• Review Vulnerability Details: Click the vulnerability name in the scan results to view detailed information, including any associated paths or attack vectors. If no path is listed, the vulnerability may not involve one.
• Inspect Scan Logs: Enable enhanced logging in the scan template to capture detailed scan data, which can help identify why a vulnerable path wasn’t reported. Submit logs to Rapid7 support if needed.
• Verify Report Filters: Ensure the report scope includes all relevant vulnerability categories and severity levels, and check for any exclusions that might omit path-related data.
• Run a Targeted Manual Scan: Perform a manual scan with a specific scan template (e.g., “Full audit with Web Spider”) on the affected asset to focus on path-related vulnerabilities.
• Contact Rapid7 Support: If the issue persists, submit a support case with scan logs and details to investigate potential inaccuracies or bugs in the scan results.
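The factors and actions above form a decision tree, so here is an added example (written for this page, not Rapid7 code) that walks that tree over a small set of constructed finding records and reports why each one has no path and what to do next. The record layout, the scan-settings dictionary, the category names and the grouping of result codes are assumptions made for the example; only "ov" and "ep" come from the text above, the other codes are Rapid7's documented result codes.

```python
"""Triage helper: why does an InsightVM/Nexpose finding show no path?

Added example, not Rapid7 code. Applies the factors listed on this page to
constructed finding records. The record fields, scan-settings keys and
category names are assumptions for illustration, not the scanner's export.
"""
from collections import Counter

# Result codes: "ov"/"ep" are named on the page; the rest are Rapid7's
# documented codes. The grouping is the editor's, not the vendor's.
FILTERED_CODES = {"ov", "ep", "ee", "ev"}   # overridden or excluded checks
VULNERABLE_CODES = {"vv", "ve", "vp"}       # version / exploited / potential

# Check categories that normally carry a file or URL path (assumed names).
PATH_BEARING = {"web", "unquoted-service-path",
                "directory-traversal", "file-permission"}
# Categories that only expose a path through authenticated local checks.
NEEDS_CREDENTIALS = {"unquoted-service-path", "file-permission"}


def explain_missing_path(rec, scan):
    """Return (reason, next_action) for one finding.

    Checks run in the order a practitioner would eliminate causes:
    scan completeness, filtering, vulnerability type, then scan settings.
    """
    if rec.get("path"):
        return ("path-present", "nothing to do")
    if scan["status"] != "completed":                      # factor 6
        return ("incomplete-scan", "review scan logs and rerun the scan")
    if rec["result_code"] in FILTERED_CODES:               # factor 5
        return ("filtered-result",
                f"result code {rec['result_code']}: check overrides/exclusions")
    if rec["category"] not in PATH_BEARING:                # factor 4
        return ("non-path-vulnerability",
                "version or network check; no path is expected")
    if rec["category"] == "web" and not scan["web_spider"]:   # factor 1
        return ("web-spider-disabled", "enable Web Spider in the scan template")
    if rec["category"] in NEEDS_CREDENTIALS and not scan["credentialed"]:
        return ("non-credentialed-scan",                   # factor 3
                "add credentials to the site configuration")
    if rec["result_code"] not in VULNERABLE_CODES:
        return ("check-did-not-confirm",
                "check returned no vulnerable status; verify template checks")
    return ("unexplained", "enable enhanced logging and open a support case")


def triage(records, scan):
    """Count findings by reason so the dominant cause stands out."""
    return Counter(explain_missing_path(r, scan)[0] for r in records)


# Constructed sample data: one non-credentialed scan with the spider off.
SAMPLE_SCAN = {"status": "completed", "web_spider": False, "credentialed": False}
SAMPLE_FINDINGS = [
    {"id": "f1", "result_code": "vv", "category": "web", "path": ""},
    {"id": "f2", "result_code": "ov", "category": "version", "path": ""},
    {"id": "f3", "result_code": "vv", "category": "version", "path": ""},
    {"id": "f4", "result_code": "vp", "category": "unquoted-service-path", "path": ""},
    {"id": "f5", "result_code": "ve", "category": "web", "path": "/admin/"},
]

if __name__ == "__main__":
    for rec in SAMPLE_FINDINGS:
        reason, action = explain_missing_path(rec, SAMPLE_SCAN)
        print(f"{rec['id']}: {reason:24} -> {action}")
    print(dict(triage(SAMPLE_FINDINGS, SAMPLE_SCAN)))
```

The ordering matters: a failed scan or an overridden check explains a missing path regardless of template settings, so those are tested first; only findings that survive every earlier branch point to the scan template or credentials. Feed the function your own export rows once you have mapped their columns onto the assumed fields.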
Nice