Ubuntu 24.04 Vulnerability Scanner: What You Need to Know About CVE Detection
Ubuntu 24.04 LTS and backporting
When you install Ubuntu 24.04 LTS and run ssh -V, you'll probably see something like OpenSSH_9.6p1 Ubuntu-3ubuntu13.5. That version number, 9.6p1, might trigger alarms if you compare it directly against vulnerability databases. There are CVEs reported for OpenSSH 9.6. But that doesn't mean your server is vulnerable.
Canonical, the company behind Ubuntu, practices something called backporting: they take security patches from newer software versions and apply them to the version included in their distribution. This means your OpenSSH 9.6p1 on Ubuntu may have all security patches from more recent versions, even though the version number doesn't change.
Any reliable Ubuntu 24.04 vulnerability scanner must account for this. A naive tool that compares raw version numbers against NVD will flood you with false positives.
Why version numbers lie
This is a common mistake in security audits: directly comparing software versions against the CVE list. A simplistic scanner that only looks at "OpenSSH 9.6" and cross-references it against NVD will report vulnerabilities that Canonical already patched.
The problem is that verifying this manually requires:
- Identifying the exact installed package (dpkg -l openssh-server)
- Reviewing Canonical's changelog (apt changelog openssh-server)
- Verifying each specific CVE against applied patches
- Assessing whether the server's specific configuration makes the CVE exploitable
For a single package, it's tedious. For the typical 700+ packages on an Ubuntu server, it's impractical. This is why automated CVE detection matters — and why the detection logic must be precise.
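The manual check described above (read the installed package version, then look for the CVE in Canonical's changelog) can be automated. The script below is an added example, not code from the article or from Kolvera: it compares Debian-style version strings the way dpkg does (epoch, upstream, revision, with "~" sorting first) and reports which CVE ids a changelog says are fixed at or below the installed version, so entries for updates that are not installed yet do not count. The changelog text and the CVE ids in it are constructed placeholders.

```python
import re

# Constructed sample in the format `apt changelog` prints (newest entry first).
# The CVE ids are placeholders, not real identifiers.
SAMPLE_CHANGELOG = """\
openssh (1:9.6p1-3ubuntu13.5) noble-security; urgency=medium
  * SECURITY UPDATE: placeholder fix backported from a newer upstream release
    - CVE-0000-0001
    - CVE-0000-0002
openssh (1:9.6p1-3ubuntu13.4) noble; urgency=medium
  * SECURITY UPDATE: earlier placeholder fix
    - CVE-0000-0003
"""

def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before anything, even the end of the string."""
    return (-1 if c == "~" else 0 if c == "" or c.isdigit()
            else ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a: str, b: str) -> int:
    """Compare one version fragment (upstream or revision) the way dpkg's verrevcmp does."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            if diff := _order(a[:1]) - _order(b[:1]):
                return diff
            a, b = a[1:], b[1:]
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if diff := int(na or 0) - int(nb or 0):
            return diff
    return 0

def compare_versions(v1: str, v2: str) -> int:
    """Negative if v1 < v2, zero if equal, positive if v1 > v2 (epoch, upstream, then revision)."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

ENTRY_RE = re.compile(r"^\S+ \(([^)]+)\) ", re.M)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def fixed_cves(changelog: str, installed: str) -> set:
    """CVE ids named in entries at or below the installed version; newer entries are
    skipped because `apt changelog` can list fixes that are not installed yet."""
    parts = ENTRY_RE.split(changelog)  # ['', version1, body1, version2, body2, ...]
    return {cve for ver, body in zip(parts[1::2], parts[2::2])
            if compare_versions(ver, installed) <= 0 for cve in CVE_RE.findall(body)}
```

On a real host, feed it the version column from dpkg -l and the output of apt changelog for the package. A CVE missing from the returned set is only unverified, not confirmed exploitable; the configuration check in the last step of the list still decides that.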
The importance of EPSS and CISA KEV
CVSS (Common Vulnerability Scoring System) tells you the theoretical severity of a vulnerability. But severity is not the same as real risk. A CVE with CVSS 9.8 (Critical) that nobody is actively exploiting is different from a CVE with CVSS 7.0 (High) that has public exploits and is being used in real attacks.
To build a proper security audit tool and assess real risk, you need two additional sources:
EPSS (Exploit Prediction Scoring System): Calculates the probability that a CVE will be exploited in the next 30 days. An EPSS of 0.97 means there's a 97% exploitation probability. An EPSS of 0.001 means it's practically theoretical.
CISA KEV (Known Exploited Vulnerabilities): The US government's catalog of vulnerabilities that are being actively exploited. If a CVE appears here, it's urgent — any server hardening tool worth using should flag these first.
The combination of NVD, CISA KEV, and EPSS is what makes the difference between a noisy vulnerability scanner and an actionable one.
How Kolvera solves this
Kolvera is purpose-built as an Ubuntu server security audit tool and Linux vulnerability scanner. When you run kolvera scan, the agent:
- Inventories all installed packages and generates precise CPEs
- Cross-references each CPE against the National Vulnerability Database (NVD)
- Integrates EPSS to calculate real exploitation probability
- Queries CISA KEV to identify actively exploited vulnerabilities
- Runs a server hardening checker for Nginx and SSH configurations
The result is a precise assessment that distinguishes between theoretical vulnerabilities and real risks, without the false positives from tools that only compare version numbers.
All of this in Layer 1, completely free and running offline on your server.