wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/
10.7k stars 1.64k forks

No vulnerabilities are reported in the manager when agent is installed on Amazon Linux 2 or macOS Ventura (13.5) #18716

Closed mauromalara closed 1 year ago

mauromalara commented 1 year ago
| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.5.2-rc1 | Vulnerability Detector | Agent | Packages | Amazon Linux 2 or macOS Ventura |

Description

Wazuh does not report vulnerabilities of an agent installed on Amazon Linux 2 and macOS Ventura. This was found while testing Wazuh in this Release Testing issue.

Steps to reproduce

0. Install Wazuh Indexer, Manager, Worker, and Dashboard in separate VMs as shown [in this issue](https://github.com/wazuh/wazuh/issues/18679) (using the unattended installer)

1. Install Wazuh agent using packages from pre-release (4.5.2). **CONNECT IT TO THE MASTER NODE**

```
# sudo WAZUH_MANAGER='REAL_IP' WAZUH_AGENT_NAME='alas2' yum install -y https://packages-dev.wazuh.com/pre-release/yum/wazuh-agent-4.5.2-1.x86_64.rpm
.
.
Running transaction
  Installing : wazuh-agent-4.5.2-1.x86_64    1/1
  Verifying  : wazuh-agent-4.5.2-1.x86_64    1/1

Installed:
  wazuh-agent.x86_64 0:4.5.2-1

Complete!
# sudo systemctl daemon-reload
# sudo systemctl enable wazuh-agent
# sudo systemctl start wazuh-agent
```

2. Configure the master node (vulnerability-detector settings; the XML tags did not survive extraction, only the values did)

```
yes 5m 6h yes yes trusty xenial bionic focal jammy 1h yes buster bullseye 1h yes 5 6 7 8 9 1h yes amazon-linux amazon-linux-2 1h no 11-server 11-desktop 12-server 12-desktop 15-server 15-desktop 1h no 1h yes 1h yes 1h
```

3. Restart and check that the scan was executed

```
# systemctl restart wazuh-manager && tail -F /var/ossec/logs/ossec.log | grep -E ".*agent '001'"
2023/08/30 01:42:26 wazuh-modulesd:vulnerability-detector[18451] wm_vuln_detector.c:2788 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5439): A partial scan will be run on agent '001'
2023/08/30 01:42:26 wazuh-modulesd:vulnerability-detector[18451] wm_vuln_detector.c:5670 at wm_vuldet_collect_agent_software(): DEBUG: (5437): Collecting agent '001' software.
2023/08/30 01:42:26 wazuh-modulesd:vulnerability-detector[18451] wm_vuln_detector.c:2807 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '001' vulnerabilities.
2023/08/30 01:42:26 wazuh-modulesd:vulnerability-detector[18451] wm_vuln_detector.c:2826 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5471): Finished vulnerability assessment for agent '001'
2023/08/30 01:42:26 wazuh-modulesd:vulnerability-detector[18451] wm_vuln_detector.c:2827 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'scan' vulnerabilities in agent '001'
2023/08/30 01:49:53 wazuh-modulesd:vulnerability-detector[18451] wm_vuln_detector.c:2788 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5439): A partial scan will be run on agent '001'
2023/08/30 01:49:53 wazuh-modulesd:vulnerability-detector[18451] wm_vuln_detector.c:5670 at wm_vuldet_collect_agent_software(): DEBUG: (5437): Collecting agent '001' software.
2023/08/30 01:49:53 wazuh-modulesd:vulnerability-detector[18451] wm_vuln_detector.c:2807 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '001' vulnerabilities.
2023/08/30 01:49:53 wazuh-modulesd:vulnerability-detector[18451] wm_vuln_detector.c:2826 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5471): Finished vulnerability assessment for agent '001'
2023/08/30 01:49:53 wazuh-modulesd:vulnerability-detector[18451] wm_vuln_detector.c:2827 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'scan' vulnerabilities in agent '001'
```

4. Install a vulnerable package

```
# yum install golang -y
```

5. Check the vulnerable package in the master node

```
# sqlite3 /var/ossec/queue/db/001.db
sqlite> .tables
ciscat_results        sca_scan_info         sys_osinfo
fim_entry             scan_info             sys_ports
metadata              sync_info             sys_processes
pm_event              sys_hotfixes          sys_programs
sca_check             sys_hwinfo            vuln_cves
sca_check_compliance  sys_netaddr           vuln_metadata
sca_check_rules       sys_netiface
sca_policy            sys_netproto
sqlite> select * from sys_programs where name="golang";
0|2023/08/30 00:55:59|rpm|golang| |Unspecified|8204324|Amazon Linux|1693355570|1.20.7-1.amzn2.0.1|x86_64|| |The Go Programming Language| |1|||6cb0447037eab4f0d7aa729c381c48d822a41089|a228dc12ec824e55598c5272e9254f6ac5228569
```

6. Check if the vulnerability scan information has been updated.

```
# sqlite3 /var/ossec/queue/db/001.db
sqlite> select * from vuln_metadata;
1693360193|1693332192
sqlite> select * from vuln_cves;
```

7. Check if the vulnerability exists in the database

```
# sqlite3 /var/ossec/queue/vulnerabilities/cve.db
sqlite> select target,count(*) from vulnerabilities group by target;
Amazon-Linux|52428
Amazon-Linux-2|31394
BIONIC|24768
FOCAL|17859
JAMMY|16190
RHEL5|24936
RHEL6|85476
RHEL7|102786
RHEL8|113123
RHEL9|33927
TRUSTY|34522
XENIAL|31341
sqlite> select * from NVD_CVE where CVE_ID = 'CVE-2023-24538';
211911|2023|CVE-2023-24538|CWE-94|security@golang.org|Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.||2023-04-06T16:15:07.800|2023-04-17T16:54:18.527|Analyzed
```

8. Check the results on macOS Ventura

Current results

Evidence

[image]

Expected results
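Step 3 above checks the scan by eyeballing `grep` output. The following is an added example (not code from the wazuh/wazuh project) that parses those same `ossec.log` lines and summarises, per agent, how many scans completed and whether a scan started without finishing. It handles both line shapes quoted in this issue: the debug form with `[pid] file.c:line at func():` and the plain INFO form. The sample log is constructed from the quoted excerpts; the message IDs 5450 and 5471 are the ones that appear in them.

```python
"""Summarise vulnerability-detector scan activity per agent from ossec.log.

Added example, not code from the wazuh/wazuh project. The sample lines are
constructed to match the two formats quoted in this issue: the debug form
("[pid] file.c:line at func():") and the plain INFO form.
"""
import re
from collections import defaultdict
from datetime import datetime

# Message IDs as they appear in the quoted log excerpts.
MSG_SCAN_START = 5450   # "Analyzing agent 'NNN' vulnerabilities."
MSG_SCAN_END = 5471     # "Finished vulnerability assessment for agent 'NNN'"

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"wazuh-modulesd:vulnerability-detector"
    r"(?:\[\d+\] \S+ at \S+\(\))?: "          # optional debug location
    r"(?P<level>DEBUG|INFO|WARNING|ERROR): "
    r"\((?P<msgid>\d+)\): (?P<msg>.*agent '(?P<agent>\d+)'.*)$"
)


def parse_line(line):
    """Return a dict for a vulnerability-detector line that names an agent, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "level": m["level"],
        "msgid": int(m["msgid"]),
        "agent": m["agent"],
        "msg": m["msg"],
    }


def scan_summary(lines):
    """Per agent: completed scan count, last start/finish, and whether a scan
    started without a matching finish (worth checking before blaming the feed
    or the agent)."""
    state = defaultdict(lambda: {"scans": 0, "last_start": None,
                                 "last_finish": None, "unfinished": False})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = state[ev["agent"]]
        if ev["msgid"] == MSG_SCAN_START:
            s["last_start"] = ev["ts"]
            s["unfinished"] = True
        elif ev["msgid"] == MSG_SCAN_END:
            s["scans"] += 1
            s["last_finish"] = ev["ts"]
            s["unfinished"] = False
    return dict(state)


# Constructed sample: agent 001 in debug format (two scans), agent 004 in plain
# format (one scan), agent 002 with a start and no finish, plus an unrelated line.
SAMPLE_LOG = """\
2023/08/30 01:42:26 wazuh-modulesd:vulnerability-detector[18451] wm_vuln_detector.c:2788 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5439): A partial scan will be run on agent '001'
2023/08/30 01:42:26 wazuh-modulesd:vulnerability-detector[18451] wm_vuln_detector.c:2807 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '001' vulnerabilities.
2023/08/30 01:42:26 wazuh-modulesd:vulnerability-detector[18451] wm_vuln_detector.c:2826 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5471): Finished vulnerability assessment for agent '001'
2023/08/30 01:45:00 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2023/08/30 01:49:53 wazuh-modulesd:vulnerability-detector[18451] wm_vuln_detector.c:2807 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '001' vulnerabilities.
2023/08/30 01:49:53 wazuh-modulesd:vulnerability-detector[18451] wm_vuln_detector.c:2826 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5471): Finished vulnerability assessment for agent '001'
2023/08/29 20:22:56 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '004' vulnerabilities.
2023/08/29 20:22:56 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '004'
2023/08/30 01:50:10 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '002' vulnerabilities.
""".splitlines()

if __name__ == "__main__":
    for agent, s in sorted(scan_summary(SAMPLE_LOG).items()):
        print(agent, s)
```

Run it against a real file with `scan_summary(open("/var/ossec/logs/ossec.log"))`; an agent that never appears in the output was never scanned, which points at enrolment or the scan interval rather than at the CVE feed.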

mauromalara commented 1 year ago

Update

mauromalara commented 1 year ago

macOS Ventura (same scenario) 🔴

This agent is connected to the Worker node.

1. Check the logs to see the date of the last scan (local time: 17:22:56)

```
# grep -E ".*agent '004'" /var/ossec/logs/wazuh/2023/Aug/ossec-29.log
2023/08/29 20:22:56 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '004' vulnerabilities.
2023/08/29 20:22:56 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '004'
```

2. Check if there are vulnerable packages

```
# sqlite3 /var/ossec/queue/db/004.db
sqlite> select * from vuln_cves;
```

3. Check if the info is being collected by Wazuh in the agent

![image](https://github.com/wazuh/wazuh/assets/39094716/94f7a048-f62f-4a5b-8c9c-84adcf05e827)

4. Check if there are vulnerabilities in the manager database

```
# sqlite3 /var/ossec/queue/vulnerabilities/cve.db
sqlite> select target,count(*) from vulnerabilities group by target;
Amazon-Linux|52428
Amazon-Linux-2|31394
BIONIC|24768
BULLSEYE|30356
BUSTER|30136
FOCAL|17859
JAMMY|16190
RHEL5|24936
RHEL6|85476
RHEL7|102786
RHEL8|113123
RHEL9|33927
TRUSTY|34522
XENIAL|31341
```


5. Check if the API returns vulnerabilities

![image](https://github.com/wazuh/wazuh/assets/39094716/a986c772-1c6a-4eb0-9d5e-c02691c592f6)

mauromalara commented 1 year ago

Update

After analyzing deeper, we realized that no vulnerable packages were installed.

After installing Wazuh from scratch and installing a vulnerable package, the vulnerabilities started showing up in the first scan:

1. Install a vulnerable package:

```
# yum list golang --show-duplicates
# yum install golang-1.16.15-1.amzn2.0.1 --skip-broken
```

![image](https://github.com/wazuh/wazuh/assets/39094716/3dfaef9a-48b5-4e90-a475-9b5604a48d96)

---

On the other hand, we've tested the upgrade of the vuln package to a fixed version, and the vulnerability is shown as solved quickly:

```
# yum update golang
.
.
Running transaction
  Updating   : golang-src-1.20.7-1.amzn2.0.1.noarch    1/6
  Updating   : golang-bin-1.20.7-1.amzn2.0.1.x86_64    2/6
  Updating   : golang-1.20.7-1.amzn2.0.1.x86_64        3/6
  Cleanup    : golang-bin-1.16.15-1.amzn2.0.1.x86_64   4/6
  Cleanup    : golang-1.16.15-1.amzn2.0.1.x86_64       5/6
  Cleanup    : golang-src-1.16.15-1.amzn2.0.1.noarch   6/6
  Verifying  : golang-1.20.7-1.amzn2.0.1.x86_64        1/6
  Verifying  : golang-src-1.20.7-1.amzn2.0.1.noarch    2/6
  Verifying  : golang-bin-1.20.7-1.amzn2.0.1.x86_64    3/6
  Verifying  : golang-src-1.16.15-1.amzn2.0.1.noarch   4/6
  Verifying  : golang-1.16.15-1.amzn2.0.1.x86_64       5/6
  Verifying  : golang-bin-1.16.15-1.amzn2.0.1.x86_64   6/6

Updated:
  golang.x86_64 0:1.20.7-1.amzn2.0.1

Dependency Updated:
  golang-bin.x86_64 0:1.20.7-1.amzn2.0.1    golang-src.noarch 0:1.20.7-1.amzn2.0.1

Complete!
# systemctl restart wazuh-agent
```


![image](https://github.com/wazuh/wazuh/assets/39094716/54cc66e5-ec37-4749-a8d4-7ff0b27ae782)
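The resolution above (the first report was "bad" because golang 1.20.7 is simply not affected by CVE-2023-24538, while 1.16.15 is) is the check a practitioner wants to run before filing: compare the installed upstream version against the CVE's fixed versions using RPM version-ordering rules. The following is an added example, not code from the wazuh/wazuh project. The `sys_programs` row is constructed from the one quoted in this issue, and the field positions used (package name in field 4, version in field 10) are assumed from that row; the fixed versions for CVE-2023-24538 (Go 1.19.8 and 1.20.3) come from the upstream Go advisory, not from the issue.

```python
"""Check whether an installed RPM's upstream version is inside a CVE's
vulnerable range before concluding the detector missed it.

Added example, not code from the wazuh/wazuh project. The sys_programs row is
constructed from the one quoted in this issue; the field positions (name in
field 4, version in field 10) are assumed from that row. The fixed versions for
CVE-2023-24538 (Go 1.19.8 and 1.20.3) come from the upstream Go advisory.
"""
import re

_SEG = re.compile(r"\d+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Simplified rpm version comparison: split into digit and alpha runs,
    digits compare numerically, alpha runs lexically, a digit run sorts newer
    than an alpha run, and the string with segments left over wins a tie.
    Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def upstream_version(evr):
    """Drop the distro release (e.g. '-1.amzn2.0.1') so the result can be
    compared with a fix version published by the upstream project."""
    return evr.split("-", 1)[0]


def minor_line(v):
    """'1.20.7' -> '1.20': the branch that receives its own backported fix."""
    nums = [s for s in _SEG.findall(v) if s.isdigit()]
    return ".".join(nums[:2])


def affected(installed_evr, fixed_versions):
    """True if the installed upstream version is below the fix on its own
    minor line, or sits on an older line that received no fix at all."""
    v = upstream_version(installed_evr)
    for fixed in fixed_versions:
        if minor_line(v) == minor_line(fixed):
            return rpmvercmp(v, fixed) < 0
    return all(rpmvercmp(v, f) < 0 for f in fixed_versions)


def check_row(row, fixed_versions):
    """Evaluate one '|'-separated sqlite row from sys_programs."""
    fields = row.split("|")
    name, version = fields[3], fields[9]   # assumed positions, see module docstring
    return {"name": name, "version": version,
            "affected": affected(version, fixed_versions)}


# Fixed upstream versions for CVE-2023-24538 (html/template backtick handling).
GO_CVE_2023_24538_FIXED = ["1.19.8", "1.20.3"]

# Constructed rows: the one quoted in the issue (1.20.7) and the version the
# reporter later installed on purpose (1.16.15).
ROW_1_20_7 = ("0|2023/08/30 00:55:59|rpm|golang| |Unspecified|8204324|Amazon Linux|"
              "1693355570|1.20.7-1.amzn2.0.1|x86_64|| |The Go Programming Language| |1|||"
              "6cb0447037eab4f0d7aa729c381c48d822a41089|a228dc12ec824e55598c5272e9254f6ac5228569")
ROW_1_16_15 = ROW_1_20_7.replace("1.20.7-1.amzn2.0.1", "1.16.15-1.amzn2.0.1")

if __name__ == "__main__":
    for row in (ROW_1_20_7, ROW_1_16_15):
        print(check_row(row, GO_CVE_2023_24538_FIXED))
```

This only rules out the case where the installed version is already at or above the upstream fix, which is what happened in the first report. It cannot prove the opposite: distributions routinely backport fixes without bumping the upstream version string, so the authoritative answer for an Amazon Linux 2 host is the `Amazon-Linux-2` target in `cve.db`, not a bare comparison against NVD data.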
mauromalara commented 1 year ago

Closing as this is a bad report.

MarcelKemp commented 1 year ago

Testing on macOS Ventura

After testing Vulnerability Detector on a macOS Ventura 13.4.1 agent, we have observed that it works correctly.

The macOS agent had the following system information:

On it, 25 vulnerabilities have been detected, of which 1 affects the macOS OS and the others affect packages: