View firmware vulnerability data in NCM
NCM helps identify risks to network security by detecting potential vulnerabilities in your managed nodes using information provided by the National Institute of Standards and Technology (NIST). Each night, NCM retrieves the latest firmware vulnerability data from NIST and stores it on solarwinds.com in the cve-all.json.zip and cpematch.json.zip files. When the firmware vulnerability feature is enabled, NCM downloads this data from solarwinds.com and correlates it with your managed nodes to determine if any nodes are potentially at risk.
The firmware vulnerability feature is disabled by default. If necessary, you can enable or disable this feature or change other default settings.
- If you are on a closed network, you can manually import vulnerability data.
- If you have High Availability (HA) backup servers, you can manually run the import after a failover to ensure that your HA servers have complete firmware vulnerability data.
- If you have a SolarWinds Observability Self-Hosted Advanced license, additional firmware vulnerability information is available. See View firmware vulnerability and risk information in SolarWinds Observability Self-Hosted Advanced.
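How a correlation of this kind works in principle, as an added example that is not NCM's code and does not reproduce the layout of its data files: each node's firmware identity is compared with the CPE 2.3 names attached to a CVE. The node inventory, the CVE-0000-... placeholder identifiers and the function names are constructed for illustration, and only vendor, product and an exact or wildcard version are compared.

```python
import re

DEFAULT_STATE = "Potential vulnerability"  # the default state named on this page

# Constructed sample data. The CVE ids are placeholders and these records are
# a simplified stand-in, not the layout of NCM's downloaded files.
VULNS = [
    {"id": "CVE-0000-0001", "cpes": [r"cpe:2.3:o:cisco:ios:15.2\(4\)m6:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0002", "cpes": [r"cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0003", "cpes": [r"cpe:2.3:o:cisco:ios:12.4\(25\):*:*:*:*:*:*:*"]},
]
NODES = [
    {"name": "edge-rtr-01", "vendor": "Cisco", "product": "ios", "version": "15.2(4)M6"},
    {"name": "edge-rtr-02", "vendor": "Cisco", "product": "ios", "version": "15.2(4)M7"},
    {"name": "core-sw-01", "vendor": "Cisco", "product": "ios_xe", "version": "17.3.4"},
    {"name": "fw-01", "vendor": "Juniper", "product": "junos", "version": "21.2R3"},
]

def _field(raw):
    # An unescaped "*" is the CPE logical value ANY; represent it as None.
    if raw == "*":
        return None
    # CPE 2.3 escapes punctuation with a backslash, e.g. 15.2\(4\)m6.
    return re.sub(r"\\(.)", r"\1", raw).lower()

def parse_cpe23(cpe):
    # Split on ":" but not on an escaped "\:" inside a component.
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(("part", "vendor", "product", "version"), map(_field, fields[2:6])))

def correlate(nodes, vulns):
    # Returns {node name: [finding, ...]}; every new finding starts unverified.
    parsed = [(v["id"], [parse_cpe23(c) for c in v["cpes"]]) for v in vulns]
    findings = {}
    for node in nodes:
        for cve_id, cpes in parsed:
            if any(all(c[k] is None or c[k] == node[k].lower()
                       for k in ("vendor", "product", "version")) for c in cpes):
                findings.setdefault(node["name"], []).append(
                    {"cve": cve_id, "state": DEFAULT_STATE})
    return findings

if __name__ == "__main__":
    for name, hits in correlate(NODES, VULNS).items():
        print(name, hits)
```

A match in this example rests on firmware identity alone and says nothing about whether the affected feature is configured on the node, which is why each finding begins in the unverified state.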
Device types
If you have an NCM license, potential vulnerabilities are detected in the following device types:
- Cisco IOS
- Cisco IOS XE and IOS XR
- Cisco Adaptive Security Appliance (ASA)
- Cisco Nexus
- Juniper
Get an overview of potential threats to your managed nodes
The Firmware Vulnerabilities widget on the Config Summary page provides an overview of the number of nodes potentially at risk from firmware vulnerabilities.
Click My Dashboards > Network Configuration > Config Summary.
- If you are using the classic Config Summary dashboard, the Firmware Vulnerabilities widget lists vulnerabilities that could affect nodes managed by NCM.
- If you are using the modern Config Summary dashboard, the Firmware Vulnerabilities widget shows how many nodes managed by NCM could be affected by vulnerabilities of each severity.
View firmware vulnerability details on the Vulnerability Summary page
When a firmware vulnerability potentially affects one or more managed nodes, use the Vulnerability Summary page to get additional information and track the remediation status.
- From the classic Config Summary dashboard, click a vulnerability's Entry ID on the Firmware Vulnerabilities widget to open the Vulnerability Summary page.
- From the modern Config Summary dashboard:
  - Click any severity to open the Vulnerabilities for each Node report, which lists the vulnerabilities that could affect each node.
  - Click a vulnerability's Entry ID to open the Vulnerability Summary page.
- The Vulnerability Summary page displays a summary and the current state. You can click the URL to open the National Vulnerability Database web page for detailed information and links to related advisories and solutions.
Change the state of a vulnerability on a node
Set the state of a firmware vulnerability on a node to track remediation efforts. You can also set the state to indicate that the vulnerability does not apply to that node.
- Open the Vulnerability Summary page to display a list of potentially affected nodes.
- Select the checkbox in the left column for each row whose vulnerability state you want to change. To select all currently displayed rows, select the checkbox in the table header.
  When one or more rows are selected, the Change State option is displayed above the table.
- Click Change State.
  The Change Node CVE States dialog opens.
- Under State, select the state that reflects the current remediation status:
State | Description |
---|---|
Potential vulnerability | The vulnerability has not yet been verified. (This is the default.) |
Confirmed vulnerability | The vulnerability is confirmed but no remediation is planned. |
Not applicable | The vulnerability does not affect or cannot be exploited on the selected nodes. |
Remediation planned | Action to remediate the threat is planned but has not been taken. |
Remediated | The vulnerability is confirmed and action to remediate the threat has been taken on the selected nodes. |
Waiver | A waiver has been issued to exempt the selected nodes from remediation. |
- Optionally, add a comment to record findings, plans, or completed actions.
- Click Change.
View information about state changes
Click the value in the State column on the Vulnerability Summary page to open the Change State Details dialog. This dialog displays the date and time of the most recent state change, as well as any comments.
View firmware vulnerability reports
Firmware vulnerability reports list vulnerabilities discovered in the last run of the vulnerability matching logic. That logic is based on data last downloaded from sources in Firmware Vulnerability Settings.
- Click Reports > All Reports.
- In the Group By list, select Report Category.
- Click the NCM Security category.
- Click the report name:
  - Nodes for each Vulnerability is organized by vulnerability. The associated nodes are listed below each vulnerability.
  - Vulnerabilities for each Node is organized by node. The associated vulnerabilities are listed below each node.
  - Vulnerabilities for each Node - <stageName> lists only the nodes and associated vulnerabilities in a specific remediation stage (for example, Confirmed or Remediation planned).
Each report includes the following information.
Field | Description |
---|---|
Caption/Entry ID | The Common Vulnerabilities and Exposures (CVE) identifier for a specific vulnerability. Click the CVE identifier to open the Vulnerability Summary page. |
IOS Version | The operating system software versions to which the CVE pertains. |
IOS Image | The operating system software image to which the CVE pertains. |
URL | The location of the CVE on the NIST website from which NCM retrieved vulnerability data. |
Score | A score that reflects the severity of the vulnerability. This score is calculated using the Common Vulnerability Scoring System (CVSS). Use this information to prioritize remediation activities. |
Severity | The severity of the vulnerability based on the CVSS score. The CVSS score includes five categories: |
State | The current status of remediation activities on the associated nodes. |
Last State Change | The date on which the State last changed for the associated nodes. |