fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Use MSRC for all Windows Software Vuln Detection #20039

Open mostlikelee opened 4 days ago

mostlikelee commented 4 days ago

Problem

Currently some CVEs in NVD are not reported accurately. Most recently, CVE-2024-30103 does not provide affected version ranges for Microsoft Office, resulting in an inability to properly detect that vulnerability.

Potential solutions

For more accurate vulnerability reporting on Microsoft applications, Fleet should use the MSRC feed.

noahtalerman commented 4 days ago

Thanks for tracking this @mostlikelee.

If I'm understanding correctly, we parse Microsoft resources to get CVEs for Microsoft Office apps installed on macOS: https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Vulnerability-processing.md#mac-office-release-notes

Are you thinking we use MSRC for all Microsoft apps on Windows and macOS? (remove the parsing we do for macOS)

noahtalerman commented 4 days ago

FYI @sharon-fdm @mostlikelee I pulled this request off the release board because I see we decided to address the CVE-2024-30103 false negative bug as a quick fix: https://github.com/fleetdm/confidential/issues/7014#issuecomment-2192751197

mostlikelee commented 4 days ago

@noahtalerman I think we can keep the existing parsing for macOS Office apps for now, but using MSRC would be a more reliable data source in the future for those apps (rather than scraping release notes). IMO the higher priority is to use MSRC for Windows Office apps.

mostlikelee commented 2 days ago

To keep the scope in check, I think there is plenty to do for Office365 vulnerability detection (as opposed to ALL Microsoft applications). Further research is showing that even the MSRC feed is not providing version ranges. The only source I've found is the Microsoft Office release notes, which we will have to parse. The release notes are also what the MSRC feed points to for these vulnerabilities.

There is also some research needed to ensure that the information we get from osquery (the version number from OfficeClickToRun.exe) is adequate for vulnerability detection. When Click-to-Run is installed, the individual Office applications are not detected by osquery, as they do not appear in the uninstall registry.
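An added Go example, not Fleet's own code, of the check that the release-note parsing discussed in this thread would feed: it splits the OfficeClickToRun.exe version reported by osquery into build and revision and compares it with the fixed builds a release note lists per update channel. The fixed builds used in the test and the per-channel matching rule (same build line compared by revision, lines older or newer than every listed line decided by position, gaps reported as unknown) are assumptions for illustration, not data for CVE-2024-30103.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Build is the "Build NNNNN.RRRRR" part of an Office Click-to-Run version
// string such as "16.0.17628.20144" (build 17628, revision 20144).
type Build struct{ Build, Rev int }

// ParseC2RVersion splits the four-part product version reported for
// OfficeClickToRun.exe into its build and revision numbers.
func ParseC2RVersion(v string) (Build, error) {
	parts := strings.Split(strings.TrimSpace(v), ".")
	if len(parts) != 4 {
		return Build{}, fmt.Errorf("unexpected Click-to-Run version %q", v)
	}
	b, errB := strconv.Atoi(parts[2])
	r, errR := strconv.Atoi(parts[3])
	if errB != nil || errR != nil {
		return Build{}, fmt.Errorf("non-numeric build/revision in %q", v)
	}
	return Build{Build: b, Rev: r}, nil
}

// Assess compares an installed build with the fixed builds a release note lists
// for one CVE (assumed: one entry per update channel). Same build line: vulnerable
// below the fixed revision. Older than every listed line: vulnerable. Newer than
// every listed line: not vulnerable. A line between listed lines has no data: unknown.
func Assess(installed Build, fixed []Build) string {
	older, newer := len(fixed) > 0, len(fixed) > 0
	for _, f := range fixed {
		if f.Build == installed.Build {
			if installed.Rev < f.Rev {
				return "vulnerable"
			}
			return "not vulnerable"
		}
		older = older && installed.Build < f.Build
		newer = newer && installed.Build > f.Build
	}
	if older {
		return "vulnerable"
	}
	if newer {
		return "not vulnerable"
	}
	return "unknown"
}
```

With an empty fixed-build list Assess returns "unknown" rather than "not vulnerable", so a release note that failed to parse never silences a finding.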