fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Windows vuln feed incorrect mapping #16518

Closed xpkoala closed 7 months ago

xpkoala commented 9 months ago

Fleet version: main gc4da90f7f

Web browser and operating system: N/A


💥  Actual behavior

Windows internal tool may be incorrectly mapping build versions to product IDs.

🧑‍💻  Steps to reproduce

  1. With the latest version of Fleet installed.
  2. Analyze the fleet_msrc_Windows_11-2024_01_31.json created in the /tmp/vulndb directory.

🕯️ More info (optional)

The build version in the Microsoft feed, 10.0.22621.1574, is mapping to Windows 11 version 21H2. The 22621 convention implies that this build is related to a 22H2 version. This was discovered when viewing the following entries in the msrc file.

Mapping issue:

    "5022287": {
        "FixedBuilds": [
            "10.0.22000.1455"
        ],
        "ProductIDs": {
            "11926": true,
            "11927": true
        }
    },

    "5022836": {
        "FixedBuilds": [
            "10.0.22621.1574"
        ],
        "ProductIDs": {
            "11926": true,
            "11927": true
        }
    },

This is potentially an issue with Microsoft's mapping. @mostlikelee discovered this potential issue and might be able to provide more context.

sharon-fdm commented 9 months ago

@xpkoala @mostlikelee This was opened 26 days ago as unreleased_bug. Where do we stand with it? Is it really unreleased?

mostlikelee commented 9 months ago

I believe this should transition to a released bug

sharon-fdm commented 8 months ago

@mostlikelee Please note that as per the new process we need to merge into the patch branch patch-fleet-v4.47.1

getvictor commented 7 months ago

I confirmed that this bug is present in the Microsoft feed. https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2023-Feb

    <vuln:Remediation Type="Vendor Fix">
        <vuln:Description>5022836</vuln:Description>
        <vuln:URL>https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5022836</vuln:URL>
        <vuln:Supercedence>5022287</vuln:Supercedence>
        <vuln:ProductID>11926</vuln:ProductID>
        <vuln:ProductID>11927</vuln:ProductID>
        <vuln:AffectedFiles/>
        <vuln:RestartRequired>Yes</vuln:RestartRequired>
        <vuln:SubType>Security Update</vuln:SubType>
        <vuln:FixedBuild>10.0.22621.1574</vuln:FixedBuild>
    </vuln:Remediation>

However, this is not an issue because KB5023698 superseded this fix (KB5022836) in March 2023. From our JSON:

    "5023698": {
      "FixedBuilds": [
        "10.0.22000.1696"
      ],
      "ProductIDs": {
        "11926": true,
        "11927": true
      },
      "Supersedes": 5022836
    },

It doesn't make sense to add custom code for this when we don't expect any of our customers to run into this issue. @mostlikelee, do you agree we can close this as Won't Fix?
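The two checks discussed in this thread, the build-number mismatch reported in the opening post and the supersedence argument in the previous comment, can be automated as a feed sanity check. The following is an added example written for this issue, not Fleet's own code. It assumes the JSON shape shown in the quoted fragments (`{kb: {"FixedBuilds": [...], "ProductIDs": {pid: true}, "Supersedes": kb}}`); the sample data is constructed from the three KB entries quoted above, with `5022836` marked as superseding `5022287` per the `<vuln:Supercedence>` element in the CVRF excerpt. The "expected" build per product is inferred as the majority build in the feed, which is a heuristic, not how Fleet resolves it.

```python
"""
Added example (not Fleet's code): flag KB entries whose FixedBuild belongs to a
different Windows build family than the product IDs they are attached to, then
check whether a newer KB in the supersedence chain already masks the bad entry.

Assumptions (hypothetical, not from the project): feed shape as in the fragments
quoted in this issue; the "expected" build number for a product ID is the one
most entries in the feed agree on.
"""
import json
from collections import Counter, defaultdict

# Constructed sample mirroring the KB entries quoted in the issue.
SAMPLE_FEED = json.loads("""
{
  "5022287": {"FixedBuilds": ["10.0.22000.1455"],
              "ProductIDs": {"11926": true, "11927": true}},
  "5022836": {"FixedBuilds": ["10.0.22621.1574"],
              "ProductIDs": {"11926": true, "11927": true},
              "Supersedes": 5022287},
  "5023698": {"FixedBuilds": ["10.0.22000.1696"],
              "ProductIDs": {"11926": true, "11927": true},
              "Supersedes": 5022836}
}
""")


def build_number(fixed_build):
    """Return the third component of a 'major.minor.build.ubr' string (e.g. 22621)."""
    parts = fixed_build.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected build string: {fixed_build!r}")
    return int(parts[2])


def dominant_build_per_product(feed):
    """Heuristic: the build number most KB entries attach to each product ID."""
    counts = defaultdict(Counter)
    for entry in feed.values():
        for pid in entry.get("ProductIDs", {}):
            for fb in entry.get("FixedBuilds", []):
                counts[pid][build_number(fb)] += 1
    return {pid: c.most_common(1)[0][0] for pid, c in counts.items()}


def find_mismatches(feed):
    """(kb, product_id, fixed_build, expected_build) for every inconsistent pairing."""
    expected = dominant_build_per_product(feed)
    out = []
    for kb, entry in sorted(feed.items()):
        for fb in entry.get("FixedBuilds", []):
            b = build_number(fb)
            for pid in entry.get("ProductIDs", {}):
                if expected.get(pid) != b:
                    out.append((kb, pid, fb, expected[pid]))
    return out


def superseded_by(feed, kb):
    """The KB that directly supersedes `kb`, or None if it is the newest."""
    for other, entry in feed.items():
        if str(entry.get("Supersedes", "")) == str(kb):
            return other
    return None


def newest_in_chain(feed, kb, limit=64):
    """Walk the supersedence chain forward; guard against cycles in bad data."""
    seen = [kb]
    cur = kb
    while True:
        nxt = superseded_by(feed, cur)
        if nxt is None:
            return cur
        if nxt in seen or len(seen) > limit:
            raise ValueError(f"supersedence cycle starting at KB{kb}")
        seen.append(nxt)
        cur = nxt


def classify_mismatches(feed):
    """Label each mismatch 'live' or 'superseded by <kb>' when a consistent newer KB exists."""
    expected = dominant_build_per_product(feed)
    verdicts = {}
    for kb, pid, _fb, _exp in find_mismatches(feed):
        newest = newest_in_chain(feed, kb)
        newest_ok = newest != kb and all(
            build_number(b) == expected[pid] for b in feed[newest]["FixedBuilds"])
        verdicts[(kb, pid)] = f"superseded by {newest}" if newest_ok else "live"
    return verdicts


if __name__ == "__main__":
    for (kb, pid), verdict in classify_mismatches(SAMPLE_FEED).items():
        print(f"KB{kb} product {pid}: {verdict}")
```

Run against a real `fleet_msrc_Windows_11-*.json` by replacing `SAMPLE_FEED` with `json.load(open(path))`; a mismatch reported as "live" is the case worth investigating, since a "superseded by" verdict is exactly the situation the previous comment describes, where only hosts missing a year of patches would ever hit the bad entry.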

mostlikelee commented 7 months ago

That seems reasonable to me, I figure it's extremely unusual for customers not to patch systems for a year+

getvictor commented 7 months ago

Closing as Won't Fix because the buggy KB (in the Microsoft feed) was superseded in March 2023.

fleet-release commented 7 months ago

Windows version map awry,
In the cloud city, clarity,
Fleet brings truth to light.