greenbone / openvas-scanner

This repository contains the scanner component for Greenbone Community Edition.
https://greenbone.github.io/docs/
GNU General Public License v2.0

No detection of missing Windows Security Patches on Windows 10 PCs #1500

Closed bellum07 closed 1 year ago

bellum07 commented 1 year ago

Expected behavior

Detect missing Windows Security Patches on Windows 10 PCs like it is done on Windows 8.1 PCs

Actual behavior

Currently OpenVAS doesn't detect missing Windows Security Patches on a Windows 10 PC, even though I am using an authenticated scan with a user that has domain admin permissions and the firewall is completely disabled on the target machine (which is a member of a Windows domain).

The Scan report shows the following:

SMB Login Successful For Authenticated Checks
OID: 1.3.6.1.4.1.25623.1.0.108539
Summary
It was possible to login using the provided SMB credentials. Hence authenticated checks are enabled.

Authenticated Scan / LSC Info Consolidation (Windows SMB Login)
OID: 1.3.6.1.4.1.25623.1.0.108442
Detection Result
Description (Knowledge base entry) : Value/Content
Access to the registry possible (SMB/registry_access) : TRUE
Access via WMI possible (WMI/access_successful) : TRUE
Architecture of the OS (SMB/Windows/Arch) : x64
Build number of the OS (SMB/WindowsBuild) : 19044
Disable file search via WMI on Windows (win/lsc/disable_wmi_search) : FALSE
Disable the usage of win_cmd_exec for remote commands on Windows (win/lsc/disable_win_cmd_exec) : FALSE
Domain used for authenticated scans (kb_smb_domain()) : myDomain
Enable Detection of Portable Apps on Windows (win/lsc/search_portable_apps) : FALSE
Extended SMB support available via openvas-smb module (Tools/Present/smb) : TRUE
Extended WMI support available via openvas-smb module (Tools/Present/wmi) : TRUE
Login via SMB failed (login/SMB/failed) : FALSE
Login via SMB successful (login/SMB/success) : TRUE
Missing access permissions to the registry (SMB/registry_access_missing_permissions) : FALSE
Name of the most recent service pack installed (SMB/CSDVersion) : Empty/None
Never send SMB credentials in clear text (SMB/dont_send_in_cleartext) : TRUE
Only use NTLMv2 (SMB/dont_send_ntlmv1) : FALSE
Path to the OS SystemRoot (smb_get_systemroot()) : C:\Windows
Path to the OS SystemRoot for 32bit (smb_get_system32root()) : C:\Windows\system32
Port configured for authenticated scans (kb_smb_transport()) : 445/tcp
Port used for the successful login via SMB : 445/tcp
Product name of the OS (SMB/WindowsName) : Windows 10 Pro
SMB name used for authenticated scans (kb_smb_name()) : 10.10.10.10
User used for authenticated scans (kb_smb_login()) : Greenbone
Version number of the OS (SMB/WindowsVersion) : 6.3
Version string of the OS (SMB/WindowsVersionString) : 21H2
Workgroup of the SMB server (SMB/workgroup) : Empty/None

In my case the missing KB5026361 hasn’t been detected but vulnerable programs like Firefox were detected.

Using the same config/settings scanning a Windows 8.1 PC, vulnerable programs and missing Windows 8.1 Security Patches were detected.

Steps to reproduce

Scan a Windows 10 PC with missing KB5026361. Scan a Windows 8.1 PC with missing KB5014011.

GVM versions

gsa: Greenbone Security Assistant 22.05.2

gvm: Greenbone Vulnerability Manager 22.8.0

openvas: OpenVAS 22.7.4 openvas --version

gvm-libs: gvm-libs 22.7.0

openvas-smb: 22.5.3

Environment

Operating system: Ubuntu 22.04.3 LTS

Installation method / source: source installation according to https://greenbone.github.io/docs/latest/22.4/source-build/index.html#openvas-smb on Ubuntu 22.04.3 LTS
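Added example (not part of the original issue or of the Greenbone code base): a small Python triage helper that parses an "LSC Info Consolidation" block like the one quoted above and lists any login, registry or WMI prerequisite that is off. The expected values in `EXPECTED` are an assumption based on the key names; the sample lines are copied from the report in this issue.

```python
import re

# Sample input: entries copied from the report quoted in this issue,
# one "Description (KB key) : Value" pair per line.
SAMPLE_REPORT = r"""
Access to the registry possible (SMB/registry_access) : TRUE
Access via WMI possible (WMI/access_successful) : TRUE
Build number of the OS (SMB/WindowsBuild) : 19044
Login via SMB failed (login/SMB/failed) : FALSE
Login via SMB successful (login/SMB/success) : TRUE
Missing access permissions to the registry (SMB/registry_access_missing_permissions) : FALSE
Path to the OS SystemRoot (smb_get_systemroot()) : C:\Windows
Port used for the successful login via SMB : 445/tcp
"""

# Assumption: the values an authenticated Windows check needs to see.
EXPECTED = {
    "login/SMB/success": "TRUE",
    "login/SMB/failed": "FALSE",
    "SMB/registry_access": "TRUE",
    "SMB/registry_access_missing_permissions": "FALSE",
    "WMI/access_successful": "TRUE",
}

# The KB key is the last parenthesised token of the description, if any.
KEY_RE = re.compile(r"\((\S+)\)$")

def parse_lsc_info(text):
    """Return {kb_key: value}; entries without a key use the description."""
    entries = {}
    for line in text.splitlines():
        desc, sep, value = line.strip().partition(" : ")
        if not sep:
            continue  # blank line or heading without a value
        match = KEY_RE.search(desc)
        entries[match.group(1) if match else desc] = value.strip()
    return entries

def failed_prerequisites(entries):
    """List (key, expected, actual) for each prerequisite that is off or absent."""
    return [(key, want, entries.get(key, "<missing>"))
            for key, want in EXPECTED.items() if entries.get(key) != want]

if __name__ == "__main__":
    problems = failed_prerequisites(parse_lsc_info(SAMPLE_REPORT))
    for key, want, got in problems:
        print(f"{key}: expected {want}, got {got}")
    if not problems:
        print("Login, registry and WMI prerequisites all pass.")
```

For the report in this issue every listed prerequisite passes, which is consistent with the later comment that the failure sits in the file version lookup rather than in access to the target.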

cfi-gb commented 1 year ago

This is very unlikely an issue in the scanner and rather an environmental problem on the target or similar.

For now I would suggest to close this again and see if the community can give further support on the already existing community thread:

https://forum.greenbone.net/t/no-detection-of-missing-windows-secturity-patches/15644

bellum07 commented 1 year ago

> This is very unlikely an issue in the scanner and rather an environmental problem on the target or similar.

I'm not sure about this ...

> For now I would suggest to close this again and see if the community can give further support on the already existing community thread:

Unfortunately I haven't got an answer in this thread to my questions. I'm absolutely willing to do all I can to troubleshoot this and help to solve this issue. But I'm currently stuck because I can't see what is happening inside gb_ms_kb5026361.nasl and why it's failing to detect the version of ntoskrnl.exe.

cfi-gb commented 1 year ago

As the scanner isn't responsible for patch checking (this is done purely on the NASL side), there would need to be a bug in e.g. either the TCP connection handling of the scanner itself, some internal crypto routine for the connection or similar.

For now I still suggest to use the community forum until it has been confirmed that there is an actual bug in the scanner (I will add a short note there later).

bellum07 commented 1 year ago

O.K. Thank you very much

jjnicola commented 1 year ago

Hello! Since this was discussed in the Greenbone forum and it is not a bug in the scanner, closing here.