Closed MiguelazoDS closed 10 months ago
One reason was the inconsistency in the new vulnerability detector databases, once we let them complete finish, the scan can found multiple vulnerabilities
Even so, the disparity still exists.
A comparison of the vulnerabilities reported and ignored for both engines will be performed.
Content: 937acfc87d, content offset 281100
Reference:
Only a small subset of the 955 vulnerabilities were analyzed to get a general overview of the scanner accuracy.

- libmysqlclient21 `8.0.25-0ubuntu0.20.10.1` (https://ubuntu.com/security/CVE-2023-21972, https://nvd.nist.gov/vuln/detail/CVE-2023-21972). The vulnerability is in the server, not in the client. The vendor states that mysql-8.0 before 8.0.33 is vulnerable, but it isn't clear how it matches with the name libmysqlclient21. The result is found twice (amd64 and i386). Same as: CVE-2023-21976, CVE-2023-21977, and many more for libmysqlclient21.
- intel-microcode `3.20200609.0ubuntu0.20.04.2` (https://ubuntu.com/security/CVE-2022-21123, https://nvd.nist.gov/vuln/detail/CVE-2022-21123). The version matcher isn't considering the Ubuntu version: it has found the vulnerability, but using the 18.04 candidate instead of the 20.04/21.10 one (`MATCH Package: intel-microcode, Version: 3.20200609.0ubuntu0.20.04.2, CVE: CVE-2022-21123, Ver: 0, RLT: 3.20220510.0ubuntu0.18.04.1, RLTE:`). Same as: CVE-2022-21125, CVE-2022-21127, and many more for intel-microcode.
- `2:3.55-1ubuntu3.1` (https://ubuntu.com/security/CVE-2023-5388). No info in NVD yet. The vendor shows "Deferred" status. Not clear if it should match; the legacy vuln-det says "Package unfixed". The result is found twice (amd64 and i386).
- networkd-dispatcher `2.0.1-1` (https://ubuntu.com/security/CVE-2022-29799, https://nvd.nist.gov/vuln/detail/CVE-2022-29799). The version matcher has skipped `2.1-2~ubuntu20.04.3` (maybe due to `~`) and matched with 21.10 (`MATCH Package: networkd-dispatcher, Version: 2.0.1-1, CVE: CVE-2022-29799, Ver: 0, RLT: 2.1-2ubuntu0.21.10.2, RLTE:`). It should be investigated.
- python3-twisted `18.9.0-11` (https://ubuntu.com/security/CVE-2023-46137, https://nvd.nist.gov/vuln/detail/CVE-2023-46137). The vendor shows "Needs triage", but the description says it's vulnerable. The name appears as `twisted` instead in the vulnerable. The refactored vuln-det ignores `python3-twisted` and reports `twisted` (probably due to NVD). Same for `python3-twisted-bin`. We could investigate the name transformation that the legacy vuln-det is making with the packages.
- `2:11.1.5-1ubuntu1` (https://ubuntu.com/security/CVE-2023-20900, https://nvd.nist.gov/vuln/detail/CVE-2023-20900). The version matcher skips `2:11.3.0-2ubuntu0~ubuntu20.04.6` and `2:12.1.5-3~ubuntu0.22.04.3`, but matches with `2:12.1.5-3ubuntu0.23.04.2`.
- unzip `6.0-25ubuntu1` (https://ubuntu.com/security/CVE-2021-4217, https://nvd.nist.gov/vuln/detail/CVE-2021-4217). The vulnerability is correctly found, but the comparison isn't considering the OS of the agent. It matches correctly with `MATCH Package: unzip, Version: 6.0-25ubuntu1, CVE: CVE-2021-4217, Ver: 0, RLT: 6.0-25ubuntu1.1, RLTE:` (focal), but only after failing against bionic (`6.0-21ubuntu1.2`). If the content had the candidates in a different order, it would have matched against jammy (`6.0-26ubuntu3.1`).
- `4.0-1ubuntu2` (https://ubuntu.com/security/CVE-2022-2806, https://nvd.nist.gov/vuln/detail/CVE-2022-2806). The legacy vuln-det detects this as vulnerable because the version is lower than `4.3-1ubuntu0.20.04.2` (focal), but the refactored module fails to find this vulnerability because its vendor is `Eric Desrochers <slashd@ubuntu.com>` and the scan against the NVD doesn't find a match (it even has a different version type).
- `5.2.4-1ubuntu1` (https://ubuntu.com/security/CVE-2022-1271, https://nvd.nist.gov/vuln/detail/CVE-2022-1271). The legacy module says that the package is vulnerable because it is less than `5.2.4-1ubuntu1.1`, but the references say that the vulnerable packages are gzip and xz-utils. The refactored module doesn't have any match for this name. This happens in both architectures.
- `5.2.4-1ubuntu1` (https://ubuntu.com/security/CVE-2022-1271, https://nvd.nist.gov/vuln/detail/CVE-2022-1271). There is a match, but the scanner is comparing against other OSs first.
- containerd `1.5.2-0ubuntu1~20.10.2` (https://ubuntu.com/security/CVE-2023-25153, https://nvd.nist.gov/vuln/detail/CVE-2023-25153). Should match with another OS version: `MATCH Package: containerd, Version: 1.5.2-0ubuntu1~20.10.2, CVE: CVE-2023-25153, Ver: 0, RLT: 1.6.12-0ubuntu1~18.04.1+esm1, RLTE:`.
- libxpm4 `1:3.5.12-1` (https://ubuntu.com/security/CVE-2022-44617, https://nvd.nist.gov/vuln/detail/CVE-2022-44617). The package is called libxpm4 but the vendor feed uses the name libxpm, so there isn't any candidate that matches for the refactored vuln-det. Same for both architectures.
- libaom0 `1.0.0.errata1-3build1` (https://ubuntu.com/security/CVE-2021-30473, https://nvd.nist.gov/vuln/detail/CVE-2021-30473). The package is called libaom0 but the vendor feed uses the name aom, so there isn't any candidate that matches for the refactored vuln-det. Same for both architectures. Same as CVE-2021-30474, CVE-2021-30475.
- `1:8.3p1-1` (https://ubuntu.com/security/CVE-2021-41617, https://nvd.nist.gov/vuln/detail/CVE-2021-41617). The legacy vuln-det says "Package unfixed"; the refactored one doesn't find candidates because the reported name is `openssh`. Same for `openssh-server` and `openssh-sftp-server`.
- dbus-user-session `1.12.20-1ubuntu1` (https://ubuntu.com/security/CVE-2023-34969, https://nvd.nist.gov/vuln/detail/CVE-2023-34969). The package is called dbus-user-session but the vendor feed uses the name dbus, so there isn't any candidate that matches for the refactored vuln-det.

The vulnerabilities discarded for the legacy module were analyzed to find a result that appears in the refactored module when it shouldn't.
Some regexes like `.*MATCH.*CVE-XXXX.*` with different years were used. The oldest years are more likely to be affected by this type of issue.
- file `1:5.38-5` (https://ubuntu.com/security/CVE-2012-1571, https://nvd.nist.gov/vuln/detail/CVE-2012-1571). This could be hidden if the OS filter were implemented. The legacy module discarded the vulnerability with `Package 'file' not vulnerable to 'CVE-2012-1571'. Version (1:5.38-5) not 'less than or equal' '5.10' (feed 'NVD').` (probably because the agent OS isn't listed in the vendor feed for this vulnerability). But the refactored vuln-det detects it as vulnerable due to a version matcher error: `MATCH Package: file, Version: 1:5.38-5, CVE: CVE-2012-1571, Ver: 0, RLT: 5.03-5ubuntu1.1, RLTE:`. Same for CVE-2009-0947 (`MATCH Package: file, Version: 1:5.38-5, CVE: CVE-2009-0947, Ver: 0, RLT: 5.02-1, RLTE:`), CVE-2009-0948 (`MATCH Package: file, Version: 1:5.38-5, CVE: CVE-2009-0948, Ver: 0, RLT: 5.02-1, RLTE:`) and CVE-2009-1515 (`MATCH Package: file, Version: 1:5.38-5, CVE: CVE-2009-1515, Ver: 0, RLT: 5.02-1, RLTE:`).
- language-selector `0.1` (https://ubuntu.com/security/CVE-2011-0729, https://nvd.nist.gov/vuln/detail/CVE-2011-0729). The python package language-selector (`/usr/lib/python3/dist-packages/language_selector-0.1.egg-info/PKG-INFO`) doesn't have a vendor, and it matches in the NVD: `MATCH Package: language-selector, Version: 0.1, CVE: CVE-2011-0729, Ver: 0, RLT: , RLTE: 0.6.6`. But the package is in fact language-selector-common `0.211`. The legacy module doesn't seem to be scanning the python packages. Same as CVE-2015-1330 for unattended-upgrades.
- openssl `1.1.1f-1ubuntu4` (https://ubuntu.com/security/CVE-2018-0734, https://nvd.nist.gov/vuln/detail/CVE-2018-0734). The legacy module doesn't report this: `Package 'openssl' not vulnerable to 'CVE-2018-0734'. Version (1.1.1f-1ubuntu4) not 'less than' '1.1.1a-1ubuntu2' (feed 'OVAL').`, `Package 'openssl' not vulnerable to 'CVE-2018-0734'. Version (1.1.1f-1ubuntu4.4) not 'less than or equal' '1.0.2p' (feed 'NVD').` and `Package 'openssl' not vulnerable to 'CVE-2018-0734'. Version (1.1.1f-1ubuntu4.4) not 'less than or equal' '1.1.0i' (feed 'NVD').`. But the refactored module finds a match: `MATCH Package: openssl, Version: 1.1.1f-1ubuntu4, CVE: CVE-2018-0734, Ver: 0, RLT: 1.1.1-1ubuntu2.1, RLTE:`.
- ntfs-3g `1:2017.3.23AR.3-3ubuntu2` (https://ubuntu.com/security/CVE-2019-9755, https://nvd.nist.gov/vuln/detail/CVE-2019-9755). The legacy vuln-det doesn't report this, but the refactored module finds a match: `MATCH Package: ntfs-3g, Version: 1:2017.3.23AR.3-3ubuntu2, CVE: CVE-2019-9755, Ver: 0, RLT: 1:2017.3.23-2ubuntu0.18.04.1, RLTE:`.
- `1.0.5-1` (https://ubuntu.com/security/CVE-2020-0256, https://nvd.nist.gov/vuln/detail/CVE-2020-0256). The OS filter should fix this because it's matching with `upstream`.
- The legacy vulnerability detector doesn't directly compare the package collected by syscollector, but uses some extra sources.
- It's required to consider the `platform` field of the content during the scan and/or consider the Ubuntu OS version at the end of the package version.
- We could consider changing the strategy of the scanner. If the package is about to be scanned with the NVD but there isn't a match in the CPE, it's very likely that the scan will fail and that the vendor feed should be used as a fallback.
- There is a problem with the version comparison.
- These packages that don't have a vendor and are scanned against the NVD without a CPE cause false positives.
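As an added example (not code from this thread or from Wazuh), the two pieces the points above ask for: a port of dpkg's version ordering, in which `~` sorts before anything including the empty string, and a candidate selection that only compares against the entry published for the agent's own release, taken from the content's platform field or from the release embedded in the Ubuntu version suffix. The `platform` key, the `CODENAMES` map and the candidate lists are assumptions constructed here from the versions quoted in the thread.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg character weights: '~' < end-of-run or digit < letters < other symbols
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _cmp_fragment(a, b):
    # dpkg's verrevcmp(): walk alternating non-digit/digit runs; digit runs compare numerically
    ra, rb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(ra, rb, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def compare_versions(a, b):
    # -1/0/1 like `dpkg --compare-versions` on [epoch:]upstream[-revision]
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

# Release embedded in Ubuntu security versions, e.g. 'ubuntu0.18.04.1' or '~ubuntu20.04.3'
RELEASE_RE = re.compile(r"(?:ubuntu0?\.?|~)(\d{2}\.\d{2})")
CODENAMES = {"18.04": "bionic", "20.04": "focal", "21.10": "impish", "22.04": "jammy"}

def candidate_release(cand):
    # Prefer the content's platform field (assumed key name); otherwise read the version suffix
    if cand.get("platform"):
        return cand["platform"]
    m = RELEASE_RE.search(cand["version"])
    return CODENAMES.get(m.group(1)) if m else None

def is_vulnerable(installed, agent_release, candidates):
    # Compare only against the candidate published for the agent's release; None = no candidate
    for cand in candidates:
        if candidate_release(cand) == agent_release:
            return compare_versions(installed, cand["version"]) < 0
    return None
# Constructed candidate lists using the versions quoted in the thread (platform values assumed)
UNZIP_CVE_2021_4217 = [
    {"platform": "bionic", "version": "6.0-21ubuntu1.2"},
    {"platform": "focal", "version": "6.0-25ubuntu1.1"},
    {"platform": "jammy", "version": "6.0-26ubuntu3.1"},
]
NETWORKD_CVE_2022_29799 = [{"version": "2.1-2~ubuntu20.04.3"}, {"version": "2.1-2ubuntu0.21.10.2"}]
```

With the release filter, the unzip result no longer depends on the order of the candidates in the content, and a 20.10 (groovy) agent scanning networkd-dispatcher gets "no candidate" instead of a silent match against the 21.10 entry.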
A comparison of the vulnerabilities reported and ignored for both engines will be performed.
Content: ae2b8ef88b, content offset 281100
Reference:
Only a small subset of the 1142 vulnerabilities were analyzed to get a general overview of the scanner accuracy.

- perl-HTTP-Tiny `0.076-460.el9` (https://access.redhat.com/security/cve/CVE-2023-31486, https://nvd.nist.gov/vuln/detail/CVE-2023-31486). The legacy module finds this vulnerability (`The 'perl-http-tiny' package (0.076-460.el9) from agent '000' is vulnerable to 'CVE-2023-31486'. Condition: 'Package less than 0.076-461.el9'`) even when the package is reported by syscollector as `perl-HTTP-Tiny`. But the refactored module can't find any candidates because it looks for `perl-http-tiny` and the database has it as `perl-HTTP-Tiny`. The scanner forces all package names to lower case.
- `2.35.2-9.el9` (https://access.redhat.com/security/cve/CVE-2022-38533, https://nvd.nist.gov/vuln/detail/CVE-2022-38533). The legacy module reports this vulnerability but the refactored module doesn't. The vendor says that it won't fix this package, but the current normalized content doesn't reflect this. Also, to avoid false positives, the scanner could mix in the results from the NVD as well.

- The scanner always transforms the package names to lower case, but sometimes the package name used by the vendor doesn't follow this rule: https://github.com/wazuh/intelligence-platform/issues/1307
- The normalized content isn't considering the unfixed packages as vulnerable. Also, the scanner only considers the candidates of the vendor for the scan.
We continue working on this issue. We generated an environment test as described in the next figure:
Pods are represented as Docker containers, while Windows machines, macOS, and Solaris are virtual machines. Some versions can't be tested due to hardware limitations; the final report will contain a detailed list of the OSs tested.
The testing methodology involves:
Docker OS:
Virtual Machines (VMs):
QA Analysis:
As of now, all identified issues have been systematically addressed in line with the testing approach described above. And other like:
Unfortunately, due to unforeseen inconveniences, the completion of this task is expected to be delayed by two days. The revised estimated time of completion (ETA) is set for 01/10 or earlier.
```
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
```
Amount of scanned packages: 152 Amount installed packages: 149 Total vulnerabilities found: 8
```
2024/01/06 15:05:13 wazuh-modulesd:vulnerability-scanner[48599] packageScanner.hpp:118 at operator()(): INFO: Match found, the package 'procps', is vulnerable to 'CVE-2023-4016'. Current version: '2:3.3.17-6ubuntu2.1' (less than '2:4.0.3-1ubuntu1.23.04.1' or equal to ''). - Agent 'agent_ubuntu_22' (ID: '001', Version: '').
2024/01/06 15:05:14 wazuh-modulesd:vulnerability-scanner[48599] packageScanner.hpp:118 at operator()(): INFO: Match found, the package 'tar', is vulnerable to 'CVE-2022-48303'. Current version: '1.34+dfsg-1ubuntu0.1.22.04.2' (less than '1.34+dfsg-1ubuntu0.1.22.10.1' or equal to ''). - Agent 'agent_ubuntu_22' (ID: '001', Version: '').
2024/01/06 15:05:14 wazuh-modulesd:vulnerability-scanner[48599] packageScanner.hpp:118 at operator()(): INFO: Match found, the package 'util-linux', is vulnerable to 'CVE-2021-3995'. Current version: '2.37.2-4ubuntu3' (less than '2.37.3-1' or equal to ''). - Agent 'agent_ubuntu_22' (ID: '001', Version: '').
2024/01/06 15:05:14 wazuh-modulesd:vulnerability-scanner[48599] packageScanner.hpp:118 at operator()(): INFO: Match found, the package 'util-linux', is vulnerable to 'CVE-2021-3996'. Current version: '2.37.2-4ubuntu3' (less than '2.37.3-1' or equal to ''). - Agent 'agent_ubuntu_22' (ID: '001', Version: '').
2024/01/06 15:05:14 wazuh-modulesd:vulnerability-scanner[48599] packageScanner.hpp:118 at operator()(): INFO: Match found, the package 'libcap2', is vulnerable to 'CVE-2023-2602'. Current version: '1:2.44-1ubuntu0.22.04.1' (less than '1:2.44-1ubuntu0.22.10.1' or equal to ''). - Agent 'agent_ubuntu_22' (ID: '001', Version: '').
2024/01/06 15:05:14 wazuh-modulesd:vulnerability-scanner[48599] packageScanner.hpp:118 at operator()(): INFO: Match found, the package 'libcap2', is vulnerable to 'CVE-2023-2603'. Current version: '1:2.44-1ubuntu0.22.04.1' (less than '1:2.44-1ubuntu0.22.10.1' or equal to ''). - Agent 'agent_ubuntu_22' (ID: '001', Version: '').
2024/01/06 15:05:20 wazuh-modulesd:vulnerability-scanner[48599] packageScanner.hpp:118 at operator()(): INFO: Match found, the package 'dpkg', is vulnerable to 'CVE-2022-1664'. Current version: '1.21.1ubuntu2.2' (less than '1.21.9ubuntu1' or equal to ''). - Agent 'agent_ubuntu_22' (ID: '001', Version: '').
2024/01/06 15:05:24 wazuh-modulesd:vulnerability-scanner[48599] packageScanner.hpp:118 at operator()(): INFO: Match found, the package 'libtasn1-6', is vulnerable to 'CVE-2021-46848'. Current version: '4.18.0-4build1' (less than '4.19.0-2' or equal to ''). - Agent 'agent_ubuntu_22' (ID: '001', Version: '').
```
Possible derived issue:
Docker vulnerabilities: 8 Coincidences: 0
Ref: DockerHub
Amount of scanned packages: 152 Amount installed packages: 149 Total vulnerabilities found: 44 from OVAL and 3593 from NVD (Most are because the use of '*' as a wildcard)
We noticed that
```
2024/01/06 20:14:05 wazuh-modulesd:vulnerability-detector[50335] wm_vuln_detector.c:2632 at wm_vuldet_linux_oval_vulnerabilities(): DEBUG: (5458): Package 'libpcre3' inserted into the vulnerability 'CVE-2017-11164'. Version (2:8.39-13ubuntu0.22.04.1) 'Unfixed' '' (feed 'OVAL').
```
Detect Unfixed as vulnerable.
Some vulnerabilities are not detected by the new VD due to known issues of the vendor.
```
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
```
Amount of scanned packages: 130 Amount installed packages: 130 Total vulnerabilities found: 199
Docker vulnerabilities: 7 Coincidences: -
Ref: DockerHub
Amount of scanned packages: 152 Amount installed packages: 130 Total vulnerabilities found: 166 from OVAL and 3541 from NVD (Most are because the use of '*' as a wildcard)
Some vulnerabilities are false positives in the new VD due to known issues of the vendor.
```
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
```
Amount of scanned packages: 124 Amount installed packages: 124 Total vulnerabilities found: 756
Log too long
Possible derived issue:
Same above
Docker vulnerabilities: 27 Coincidences: 0
Ref: DockerHub
Amount of scanned packages: 124 Amount installed packages: 124 Total vulnerabilities found: 30 from OVAL and 3024 from NVD (Most are because the use of '*' as a wildcard)
Some vulnerabilities are not detected by the new VD due to known issues of the vendor.
```
NAME="Red Hat Enterprise Linux"
VERSION="8.9 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.9"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.9 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.9
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.9"
```
Amount of scanned packages: 209 Amount installed packages: 2130 Total vulnerabilities found: 302
Log too long
Docker vulnerabilities: N/A Coincidences: -
Ref: None
Amount of scanned packages: - Amount installed packages: 2130 Total vulnerabilities found: 0 from OVAL and - from NVD (Most are because the use of '*' as a wildcard)
Some vulnerabilities are not detected because of the rpm version mismatch issue.
For the remaining OSs, we conclude with the creation of issues:
After fixing this mismatch, we should run again the E2E test.
macOS couldn't be tested due to a HW limitation. Solaris and Windows also support the legacy VD, and Windows supports the new VD.
LGTM
Description
As part of the E2E exploratory it was found that the vulnerabilities found for both implementations of the module differ significantly from one to another. Not only the number of vulnerabilities but also the criteria to identify them are not the same.
This may be related to the following issues:
https://github.com/wazuh/wazuh/issues/20961 https://github.com/wazuh/wazuh/issues/20960
Considering Debian 11 (Bullseye) we can notice the differences
The vim dependencies report 28 vulnerabilities
Only one vulnerability reported
The vulnerability detected needs revision because this is not present among the 28 vulnerabilities reported by the legacy implementation.
This evaluation does not seem to be right.
DoD