Understanding Shodan Vulnerability Assessment

There are 2 types of vulnerabilities that can be attached to the banners in Shodan: verified and unverified. Unverified vulnerabilities are vulnerabilities that are implied based on the metadata we’ve collected. For example, if a server is running an old version of Apache then we will associate known issues with that version and set the associated verified property in the banner to False. Shodan has increasingly also started to verify vulnerabilities when possible. If a verified vulnerability is discovered then we set the verified property to True. Unverified vulnerabilities can have significant false positives depending on the device/ software so they typically require additional verification to make sure the service is vulnerable. They should be seen as a starting point for further investigation. Note that Shodan Monitor only sends out notifications for verified vulnerabilities.

On the website, we will tell you if some of the vulnerabilities are unverified with a small visual disclaimer:

And within the data itself there is a verified property that will tell you whether it’s been verified or not.

Sample Data

All vulnerability information is stored in a vulns property in the banner. You can see how it looks like from the Raw tab on the IP information page on the website or by looking at the API response directly. The top-level vulns property is an object where the keys are the vulnerability identifiers (ex. CVE-2014-0160) and the values contain the information about the vulnerability.

{
    "CVE-2008-2939": {
        "references": [
            "http://lists.apple.com/archives/security-announce/2009/May/msg00002.html",
            "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00000.html",
            "http://marc.info/?l=bugtraq&m=123376588623823&w=2",
            "http://marc.info/?l=bugtraq&m=125631037611762&w=2",
            "http://rhn.redhat.com/errata/RHSA-2008-0967.html",
            "http://sunsolve.sun.com/search/document.do?assetkey=1-26-247666-1",
            "http://support.apple.com/kb/HT3549",
        ],
        "verified": false,
        "cvss": 4.3,
        "summary": "Cross-site scripting (XSS) vul..."
    },
    "CVE-2010-0408": {
        "references": [
            "http://httpd.apache.org/security/vulnerabilities_22.html",
            "http://www.vupen.com/english/advisories/2010/1411",
            "https://bugzilla.redhat.com/show_bug.cgi?id=569905"
        ],
        "verified": false,
        "cvss": 5,
        "summary": "The ap_proxy_ajp_request function in mod_proxy_ajp..."
    }
}

Frequently Asked Questions

Which vulnerabilities does Shodan verify?

You can get that list by using the vuln.verified facet and searching across all results. The facet analysis page of the main Shodan website can be used to see the results or you can run a command via the CLI such as shodan stats --facets vuln.verified:100 net:0/0.

I patched my service and it’s still showing as vulnerable

Most likely the vulnerability you’re seeing is an unverified vulnerability that Shodan is associating based on metadata. If the security patch doesn’t change the version number (ex. running an enterprise Linux distribution) then it won’t be detected as fixed by Shodan.

Can you start checking/ verifying a new issue?

Maybe! We can’t check for every vulnerability across the Internet but if there’s something you think we should verify let us know by requesting a new verified vulnerability via support@shodan.io.