When running a Network Scan on your perimeter server using Acunetix Online Vulnerability Scanner (OVS), one of the Informational alerts shown in the scan results is the CPE Inventory. The data that is collected during the scan is aggregated using the CPE standard, originally defined by MITRE, and is maintained by the U.S. National Institute of Standards and Technology (NIST) as part of the Security Content Automation Protocol (SCAP).
CPE is considered to be an industry standard that is used to provide a uniform way to show information on Operating Systems, hardware and software. It can be used for software and hardware inventory, and better vulnerability management when using the results from one product to be tracked in a different product.
CPE entries in the CPE Inventory use the following format:
Let’s look at each field in more detail:
- part: Defines the type of system detected, and can have one of the following values:
- a – for Application
- h – for Hardware
- o – for Operating System
- vendor: Contains the name of the organization that developed the product.
- product: Contains the name of the product that has been detected.
- version: Lists the version number for the product.
- update: Lists the update for the product and version detected (e.g. R2 for Windows 2012, or beta for a beta version of the product).
- edition: Shows the edition of the software (e.g. server or pro or x86).
- language: Shows the language detected (e.g. English).
When Acunetix OVS reports on the CPE Inventory, it will omit the fields that have not been identified. So, the CPE Inventory will often only include the first 3 fields. The IP address of the scanned server is also included before each CPU entry. Here is an example of how CPE information looks in Acunetix OVS, showing that the applciation OpenSSH version 5.3p1 has been detected on openbsd, which is running on 220.127.116.11: