Open gunnsth opened 4 years ago
Hello @gunnsth,
Thank you for the feedback. You're exactly right. We've reviewed this content and the patch, and 10.0.14393.3630 is the correct file version for that patch; testing for 10.0.14393.10000 would likely generate a FP. There appears to have been an error of some sort in a data feed that led to this mistake. We are looking into the cause, why our test lab did not detect this issue, and the best way to resolve by fixing this content as well as future content. Thank you for reporting this!
-David
Hi @DavidRies, did you figure out something more about this? It seems like the content is still inaccurate.
Hi @gunnsth, thank you for circling back on this. Would you be interested in making this fix and submitting a PR?
Hi @DavidRies, I could look into it. You mentioned a data feed previously; is that something that is accessible? Because finding those specific version numbers for these files is not trivial.
Hi. I am looking at some possible FPs for some recent vulnerabilities in Windows Server 2016.
The check seems to be the following: https://github.com/CISecurity/OVALRepo/blob/068b63248b25d9ad0ed23535f354561c01cf973f/repository/definitions/vulnerability/oval_org.cisecurity_def_7487.xml#L46
That the version of ntoskrnl.exe is less than 10.0.14393.10000. However, looking at a system where the patch for this has been deployed (KB4550929), the version of this file is 10.0.14393.3630, which is significantly less... and causes the vulnerability to be raised.
Any insights into this? @JovalAutomation @DavidRies
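
The comparison discussed in this thread, as an added example (not part of the issue and not code from OVALRepo or any scanner): a small audit that replays a "less than" file-version threshold against versions observed on hosts whose patch state is known, so a threshold that flags a patched host is caught before the content ships. The function names are hypothetical, zero-padding of shorter versions is an assumption, and the unpatched sample version is constructed; the patched version and both thresholds are the ones quoted above.

```python
import re


def parse_version(text):
    """Split a dotted file version into integer components."""
    parts = [p for p in re.split(r"[^0-9]+", text.strip()) if p]
    if not parts:
        raise ValueError(f"no numeric components in {text!r}")
    return [int(p) for p in parts]


def version_less_than(a, b):
    """Component-wise numeric 'less than'.

    Assumption: a shorter version is padded with zeros before comparing.
    """
    x, y = parse_version(a), parse_version(b)
    width = max(len(x), len(y))
    x += [0] * (width - len(x))
    y += [0] * (width - len(y))
    return x < y


def audit_threshold(threshold, observed):
    """Classify each observed host against a 'version < threshold' check.

    observed maps a label to (file_version, is_patched).
    """
    verdicts = {}
    for label, (version, is_patched) in observed.items():
        flagged = version_less_than(version, threshold)
        if flagged:
            verdicts[label] = "false positive" if is_patched else "true positive"
        else:
            verdicts[label] = "true negative" if is_patched else "false negative"
    return verdicts


# Sample data: the patched version is the one reported in this thread;
# the unpatched version is constructed for illustration.
OBSERVED = {
    "patched (KB4550929)": ("10.0.14393.3630", True),
    "unpatched (constructed)": ("10.0.14393.3500", False),
}

if __name__ == "__main__":
    for threshold in ("10.0.14393.10000", "10.0.14393.3630"):
        print(threshold, audit_threshold(threshold, OBSERVED))
```
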