wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Vulnerability Detection - Wrong OS scanning mapping #23336

Closed sebasfalcone closed 1 week ago

sebasfalcone commented 1 week ago

Description

It was found that some OSs are unable to detect some vulnerabilities.

| OS | Problem | Possible cause |
|---|---|---|
| Windows 8.1 | No OS vulnerabilities | CPE global map |
| Windows 7 | No OS vulnerabilities | CPE global map |
| popOS | Only vulnerabilities from NVD are detected | Feed global maps |
| Linux Mint | Only vulnerabilities from NVD are detected | Feed global maps |

DoD

GabrielEValenzuela commented 1 week ago

Research analysis

Objective

This research aims to find the possible root cause that makes some OSs not be fully scanned by vulnerability detection.

Setup

To carry out this research, we installed a manager using the installation assistant on an Ubuntu 22 OS and connected agents to it.

Windows 8 - Results

For Windows 8, some OS vulnerabilities are being skipped because no remediations were found:

```
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2012-2897 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2013-0006 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2013-0007 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2013-7332 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2014-1767 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2014-1824 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2017-0050 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2018-6947 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2018-7249 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2018-7250 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2018-7250', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2018-6947', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2018-7249', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2014-1824', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2013-0006', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2012-2897', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2014-6324', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2013-0007', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2013-7332', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2014-1767', discarding.
```

Because these vulnerabilities are matched due to default status, this could be the expected behavior.

One error related to content was found:

```
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:92 at operator()(): DEBUG: Scanning OS - 'windows_8' (Installed Version: 6.3.9600, Security Vulnerability: CVE-2012-0159). Identified vulnerability: Version: consumer_preview. Required Version Threshold: . Required Version Threshold (or Equal): .
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] versionMatcher.hpp:201 at createVersionObject(): DEBUG: Error creating VersionObject (DPKG). Version string doesn't match the specified type. Version string: consumer_preview
```

And several errors/warnings related to the vendor:

```
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2004-0200, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2006-3877, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2007-0671, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2008-3068, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2014-2815, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2015-2503, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2016-3315, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2017-0197, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2017-8509, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2023-21721, OS CPE: cpe:/o:microsoft:windows_8::::::, OS code name: 
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2023-33140, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2023-36769, Content vendor: microsoft, Package vendor: microsoft corporation
```

Conclusion: A few packages were scanned, and this is not an error in VD. The possible cause could be Syscollector.

Windows 7 - Results

For Windows 7, we found behavior similar to Windows 8 regarding the OS scan. Also, even fewer packages were scanned.

LinuxMint and popOS

The OS was scanned successfully, but the dataset used to scan the packages was NVD. This is because the ID of each OS is not in the CNA map. Fixing this will scan the packages with the appropriate CNA (Debian or Canonical).

Additional notes

The issue related to vendors and the mismatch with content is present in all OSs.
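The debug output quoted in the comments above is the only evidence the research is working from, so a practitioner reproducing it on their own manager ends up grepping the same `wazuh-modulesd:vulnerability-scanner` lines by hand. The helper below is an added example, not code from the issue or from Wazuh: it parses lines of that shape, buckets them by the discard reason the scanner printed (default-status match, no remediation, vendor mismatch, platform not listed, version string that the DPKG matcher rejected), and cross-checks which CVEs were discarded without a preceding default-status match in the excerpt. The sample log embedded in the block is a constructed subset of the lines pasted in the comments; `vendor_first_token_matches` is a hypothetical normalisation used only to show how many of the vendor mismatches would disappear under a first-token comparison, and is not Wazuh's actual matching rule.

```python
import re
from collections import Counter

# Constructed sample: a subset of the wazuh-modulesd debug lines pasted in the issue comments.
SAMPLE_LOG = """\
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2012-2897 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2018-7250 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2018-7250', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2012-2897', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2014-6324', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:92 at operator()(): DEBUG: Scanning OS - 'windows_8' (Installed Version: 6.3.9600, Security Vulnerability: CVE-2012-0159). Identified vulnerability: Version: consumer_preview. Required Version Threshold: . Required Version Threshold (or Equal): .
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] versionMatcher.hpp:201 at createVersionObject(): DEBUG: Error creating VersionObject (DPKG). Version string doesn't match the specified type. Version string: consumer_preview
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2004-0200, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2023-33140, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2023-21721, OS CPE: cpe:/o:microsoft:windows_8::::::, OS code name:
"""

# Outer line shape: timestamp, module[pid], source:line, function, level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) wazuh-modulesd:vulnerability-scanner\[\d+\] "
    r"(?P<src>[\w.]+):(?P<line>\d+) at (?P<fn>[^:]+): DEBUG: (?P<msg>.*)$"
)

# Message shapes seen in the issue; first match wins. Anything else is bucketed as "other".
PATTERNS = [
    ("default_status_match", re.compile(
        r"Match found for OS: (?P<os>\S+) for vulnerability: (?P<cve>CVE-\d+-\d+) due to default status")),
    ("no_remediation", re.compile(
        r"No remediation available for OS '(?P<os>[^']+)' on Agent '(?P<agent>\d+)' for CVE: '(?P<cve>CVE-\d+-\d+)', discarding")),
    ("vendor_mismatch", re.compile(
        r"The vendor is not the same for Package: (?P<pkg>[^,]+), Version: (?P<ver>[^,]+), CVE: (?P<cve>CVE-\d+-\d+), "
        r"Content vendor: (?P<cvendor>.+?), Package vendor: (?P<pvendor>.+)$")),
    ("platform_not_listed", re.compile(
        r"The platform is not in the list for Package: (?P<pkg>[^,]+), Version: (?P<ver>[^,]+), CVE: (?P<cve>CVE-\d+-\d+), OS CPE: (?P<cpe>[^,]+)")),
    ("version_parse_error", re.compile(
        r"Error creating VersionObject \((?P<type>\w+)\)\. Version string doesn't match the specified type\. Version string: (?P<ver>\S+)")),
]


def classify(msg):
    """Return (bucket name, captured fields) for one scanner message."""
    for name, rx in PATTERNS:
        m = rx.search(msg)
        if m:
            return name, m.groupdict()
    return "other", {}


def triage(log_text):
    """Summarise a chunk of vulnerability-scanner debug output by discard reason."""
    report = {
        "counts": Counter(),          # bucket -> number of lines
        "default_matched": set(),     # CVEs the OS scanner matched via default status
        "discarded": set(),           # CVEs dropped for lack of a remediation
        "vendor_mismatch": Counter(), # (package, content vendor, package vendor) -> lines
        "version_errors": set(),      # (matcher type, offending version string)
        "unparsed": [],               # lines that do not have the expected outer shape
    }
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            report["unparsed"].append(raw)
            continue
        kind, f = classify(m.group("msg"))
        report["counts"][kind] += 1
        if kind == "default_status_match":
            report["default_matched"].add(f["cve"])
        elif kind == "no_remediation":
            report["discarded"].add(f["cve"])
        elif kind == "vendor_mismatch":
            report["vendor_mismatch"][(f["pkg"], f["cvendor"], f["pvendor"])] += 1
        elif kind == "version_parse_error":
            report["version_errors"].add((f["type"], f["ver"]))
    return report


def discarded_without_match(report):
    """CVEs discarded for no remediation whose default-status match is absent from the excerpt."""
    return report["discarded"] - report["default_matched"]


def matched_not_discarded(report):
    """CVEs matched via default status that survived (no discard line seen)."""
    return report["default_matched"] - report["discarded"]


def vendor_first_token_matches(content_vendor, package_vendor):
    # Hypothetical normalisation (assumption, not Wazuh's rule): compare only the first
    # whitespace-separated token, case-insensitively, so "microsoft" == "microsoft corporation".
    return content_vendor.split()[0].lower() == package_vendor.split()[0].lower()


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(dict(r["counts"]))
    print("discarded without a seen match:", sorted(discarded_without_match(r)))
    for (pkg, cv, pv), n in r["vendor_mismatch"].items():
        print(f"{pkg}: content={cv!r} package={pv!r} x{n} first-token-match={vendor_first_token_matches(cv, pv)}")
```

Run it against `/var/ossec/logs/ossec.log` (with `wazuh_modules.debug=2` so the scanner emits these DEBUG lines) by passing the file contents to `triage`; the `unparsed` list is the place to look first when the log format on a newer version has drifted from the patterns above.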