Vuln-detector: Discard inactive Linux kernel packages Almalinux

[fabfive]

Hi Folks

I'm running version 4.7.1 as a single node docker install.

I have AlmaLinux 8 clients (Version 4.7.1) that report old , not running kernels in the vulneranbility detection.

but according to https://github.com/wazuh/wazuh/pull/4996 this should be fixed, right?

Example: Client running: 4.18.0-513.9.1.el8_9.x86_64 Vuln-Detector complains about: kernel-core-4.18.0-477.27.2.el8_8.x86_64 rpm with condition: Package less than 4.18.0-513.5.1.el8_9

How can this be fixed?

Thax for any help fab

[MarcelKemp]

Hi @fabfive,

• Could you share an active vulnerability affected by this issue?

As far as I can see, it is possible that kernel packages are discarded, but the kernel-core case is not.

However, to verify if this is a problem, we would need the following information from an affected agent:

• Packages, OS info and vulnerabilities from the API

  To get the packages, OS info and vulnerabilities, you can get the information directly from the API, using the following queries (for example from the WUI you can use the following tool to run the queries: Modules -> tools -> API console):

  GET /syscollector/{agent_id}/packages
  GET /syscollector/{agent_id}/os
  GET /vulnerability/{agent_id}

I look forward to your reply.

[fabfive]

Hi @MarcelKemp

• Could you share an active vulnerability affected by this issue? CVE-2023-4732 and CVE-2023-5178 for kernel-core and kernel-modules

• GET /syscollector/{agent_id}/os

  {
  "data": {
  "affected_items": [
    {
      "os": {
        "codename": "Midnight Oncilla",
        "major": "8",
        "minor": "9",
        "name": "AlmaLinux",
        "platform": "almalinux",
        "version": "8.9"
      },
      "scan": {
        "id": 0,
        "time": "2024-01-04T09:15:11+00:00"
      },
      "architecture": "x86_64",
      "sysname": "Linux",
      "version": "#1 SMP Sat Dec 2 05:23:44 EST 2023",
      "hostname": "xxxxxxx",
      "release": "4.18.0-513.9.1.el8_9.x86_64",
      "agent_id": "006"
    }
  ],
  "total_affected_items": 1,
  "total_failed_items": 0,
  "failed_items": []
  },
  "message": "All specified syscollector information was returned",
  "error": 0
  }

• GET /vulnerability/{agent_id}

  
  
  {
      "cve": "CVE-2023-4732",
      "architecture": "x86_64",
      "cvss2_score": 0,
      "name": "kernel-core",
      "severity": "Medium",
      "external_references": [
        "https://access.redhat.com/errata/RHSA-2023:6901",
        "https://access.redhat.com/errata/RHSA-2023:7077",
        "https://access.redhat.com/errata/RHSA-2023:7539",
        "https://access.redhat.com/security/cve/CVE-2023-4732",
        "https://bugzilla.redhat.com/show_bug.cgi?id=2236982",
        "https://nvd.nist.gov/vuln/detail/CVE-2023-4732"
      ],
      "type": "PACKAGE",
      "detection_time": "2024-01-02T16:07:55+00:00",
      "cvss3_score": 4.7,
      "condition": "Package less than 4.18.0-513.5.1.el8_9",
      "title": "CVE-2023-4732 affects kernel-core",
      "published": "2023-10-03",
      "updated": "2023-11-28",
      "status": "VALID",
      "version": "4.18.0-477.27.2.el8_8"
    },
    {
      "cve": "CVE-2023-5178",
      "architecture": "x86_64",
      "cvss2_score": 0,
      "name": "kernel-core",
      "severity": "High",
      "external_references": [
        "https://access.redhat.com/errata/RHSA-2023:7370",
        "https://access.redhat.com/errata/RHSA-2023:7379",
        "https://access.redhat.com/errata/RHSA-2023:7418",
        "https://access.redhat.com/errata/RHSA-2023:7548",
        "https://access.redhat.com/errata/RHSA-2023:7549",
        "https://access.redhat.com/errata/RHSA-2023:7551",
        "https://access.redhat.com/errata/RHSA-2023:7554",
        "https://access.redhat.com/errata/RHSA-2023:7557",
        "https://access.redhat.com/errata/RHSA-2023:7559",
        "https://access.redhat.com/security/cve/CVE-2023-5178",
        "https://bugzilla.redhat.com/show_bug.cgi?id=2241924",
        "https://lore.kernel.org/linux-nvme/20231002105428.226515-1-sagi@grimberg.me/",
        "https://security.netapp.com/advisory/ntap-20231208-0004/",
        "https://nvd.nist.gov/vuln/detail/CVE-2023-5178"
      ],
      "type": "PACKAGE",
      "detection_time": "2024-01-02T16:07:56+00:00",
      "cvss3_score": 8.8,
      "condition": "Package less than 4.18.0-513.9.1.el8_9",
      "title": "CVE-2023-5178 affects kernel-core",
      "published": "2023-11-01",
      "updated": "2023-12-08",
      "status": "VALID",
      "version": "4.18.0-477.27.2.el8_8"
    },
    {
      "cve": "CVE-2023-4732",
      "architecture": "x86_64",
      "cvss2_score": 0,
      "name": "kernel-modules",
      "severity": "Medium",
      "external_references": [
        "https://access.redhat.com/errata/RHSA-2023:6901",
        "https://access.redhat.com/errata/RHSA-2023:7077",
        "https://access.redhat.com/errata/RHSA-2023:7539",
        "https://access.redhat.com/security/cve/CVE-2023-4732",
        "https://bugzilla.redhat.com/show_bug.cgi?id=2236982",
        "https://nvd.nist.gov/vuln/detail/CVE-2023-4732"
      ],
      "type": "PACKAGE",
      "detection_time": "2024-01-02T16:07:55+00:00",
      "cvss3_score": 4.7,
      "condition": "Package less than 4.18.0-513.5.1.el8_9",
      "title": "CVE-2023-4732 affects kernel-modules",
      "published": "2023-10-03",
      "updated": "2023-11-28",
      "status": "VALID",
      "version": "4.18.0-477.27.2.el8_8"
    },
    {
      "cve": "CVE-2023-5178",
      "architecture": "x86_64",
      "cvss2_score": 0,
      "name": "kernel-modules",
      "severity": "High",
      "external_references": [
        "https://access.redhat.com/errata/RHSA-2023:7370",
        "https://access.redhat.com/errata/RHSA-2023:7379",
        "https://access.redhat.com/errata/RHSA-2023:7418",
        "https://access.redhat.com/errata/RHSA-2023:7548",
        "https://access.redhat.com/errata/RHSA-2023:7549",
        "https://access.redhat.com/errata/RHSA-2023:7551",
        "https://access.redhat.com/errata/RHSA-2023:7554",
        "https://access.redhat.com/errata/RHSA-2023:7557",
        "https://access.redhat.com/errata/RHSA-2023:7559",
        "https://access.redhat.com/security/cve/CVE-2023-5178",
        "https://bugzilla.redhat.com/show_bug.cgi?id=2241924",
        "https://lore.kernel.org/linux-nvme/20231002105428.226515-1-sagi@grimberg.me/",
        "https://security.netapp.com/advisory/ntap-20231208-0004/",
        "https://nvd.nist.gov/vuln/detail/CVE-2023-5178"
      ],
      "type": "PACKAGE",
      "detection_time": "2024-01-02T16:07:56+00:00",
      "cvss3_score": 8.8,
      "condition": "Package less than 4.18.0-513.9.1.el8_9",
      "title": "CVE-2023-5178 affects kernel-modules",
      "published": "2023-11-01",
      "updated": "2023-12-08",
      "status": "VALID",
      "version": "4.18.0-477.27.2.el8_8"
    },

- GET /syscollector/{agent_id}/packages
this is a bit strange!
there are no kernel-core packages in the output
just one kernel-module

  {
    "scan": {
      "id": 0,
      "time": "2024-01-02T15:38:55+00:00"
    },
    "install_time": "1703782147",
    "architecture": "x86_64",
    "location": " ",
    "name": "kernel-modules",
    "source": " ",
    "priority": " ",
    "format": "rpm",
    "section": "System Environment/Kernel",
    "size": 26220908,
    "description": "kernel modules to match the core kernel",
    "vendor": "AlmaLinux",
    "version": "4.18.0-513.9.1.el8_9",
    "agent_id": "006"
  },

but on the system:

[root@wazuh home]# rpm -qa | grep kernel-core kernel-core-4.18.0-513.9.1.el8_9.x86_64 kernel-core-4.18.0-477.27.2.el8_8.x86_64 [root@wazuh home]# rpm -qa | grep kernel-modules kernel-modules-4.18.0-513.9.1.el8_9.x86_64 kernel-modules-4.18.0-477.27.2.el8_8.x86_64

and in Inventory data on the wazuh dashboard kernel-core and kernel-modules pakages are listed
![Screenshot from 2024-01-04 11-35-17](https://github.com/wazuh/wazuh/assets/8616103/54fe6765-f2d7-4e91-ad6a-882fa5b8d01f)

I hope this helps

best
Fab

[MarcelKemp]

Thank you very much! I'll research it, as soon as I get a conclusion I'll let you know.

[MarcelKemp]

Hi @fabfive,

Sorry for the delay.

It seems to be a problem in the conditions that have been added in the following code:

• https://github.com/wazuh/wazuh/blob/96a21591ee01d24caa7283620af286c1adefd5c7/src/wazuh_modules/vulnerability_detector/wm_vuln_detector.c#L6833-L6841

For this case, if you also have other kernel-*, we should take this into account so that they are discarded and only take the case we want.

We are going to consider this problem to be solved together with the VD refactor:

• 14153 (version 4.8)

Thanks for reporting it!

[nbrys]

This doesn't seem to be resolved in manager 4.8.0 and client 4.7.4. The dashboard is still reporting on older kernels