CISecurity / OVALRepo


FP of CVE-2020-1009 on Windows Server 2016 #1863

Open gunnsth opened 4 years ago

gunnsth commented 4 years ago

Hi. I am looking at some possible FPs for some recent vulnerabilities in Windows Server 2016.

The check seems to be the following: https://github.com/CISecurity/OVALRepo/blob/068b63248b25d9ad0ed23535f354561c01cf973f/repository/definitions/vulnerability/oval_org.cisecurity_def_7487.xml#L46

That the version of ntoskrnl.exe is less than 10.0.14393.10000; however, looking at a system where the patch for this has been deployed (KB4550929), the version of this file is 10.0.14393.3630, which is significantly less... and causes the vulnerability to be raised.

Any insights into this? @JovalAutomation @DavidRies

DavidRies commented 4 years ago

Hello @gunnsth,

Thank you for the feedback. You're exactly right. We've reviewed this content and the patch, and 10.0.14393.3630 is the correct file version for that patch; testing for 10.0.14393.10000 would likely generate a FP. There appears to have been an error of some sort in a data feed that led to this mistake. We are looking into the cause, why our test lab did not detect this issue, and the best way to resolve it by fixing this content as well as future content. Thank you for reporting this!

-David
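As an added example (not part of the issue thread or of the OVALRepo content), the version comparison at the heart of this FP, in Python: it applies OVAL-style component-wise integer comparison, shows the repository threshold from def_7487 flagging the patched file version, and assumes that the corrected threshold is the patched version itself, as David's comment implies.

```python
"""Added example: evaluate an OVAL-style `version` "less than" test for
ntoskrnl.exe against a threshold. Values come from the issue thread; the
corrected threshold is an assumption based on David's reply."""
import re

VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(v: str) -> tuple:
    """Split a dotted Windows file version into integer components."""
    if not VERSION_RE.match(v):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(part) for part in v.split("."))


def version_less_than(actual: str, threshold: str) -> bool:
    """OVAL 'less than' on the version datatype: compare each component as an
    integer, padding the shorter value with zeros (10.0.14393 == 10.0.14393.0).
    A plain string compare would get this wrong ("3630" sorts after "10000")."""
    a, b = parse_version(actual), parse_version(threshold)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def evaluate_definition(installed: str, vulnerable_below: str) -> str:
    """Return 'true' (vulnerable) or 'false', in the style of an OVAL result."""
    return "true" if version_less_than(installed, vulnerable_below) else "false"


# Values taken from the issue thread.
PATCHED_NTOSKRNL = "10.0.14393.3630"   # file version observed with KB4550929 installed
REPO_THRESHOLD = "10.0.14393.10000"    # threshold used by def_7487 at the time
# Assumption: the fix is to test for "less than" the patched file version itself.
CORRECTED_THRESHOLD = PATCHED_NTOSKRNL

if __name__ == "__main__":
    print("repo threshold :", evaluate_definition(PATCHED_NTOSKRNL, REPO_THRESHOLD))       # true (FP)
    print("corrected      :", evaluate_definition(PATCHED_NTOSKRNL, CORRECTED_THRESHOLD))  # false
    print("string compare :", PATCHED_NTOSKRNL < REPO_THRESHOLD)                            # False
```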

gunnsth commented 2 years ago

Hi @DavidRies Did you figure out something more about this? It seems like the content is still inaccurate.

DavidRies commented 2 years ago

Hi @gunnsth, thank you for circling back on this. Would you be interested in making this fix and submitting a PR?

gunnsth commented 2 years ago

Hi @DavidRies I could look into it. You mentioned a data feed previously, is that something that is accessible? Because finding those specific version numbers for these files is not trivial.