Closed sebasfalcone closed 1 week ago
This research aims to find the possible root cause of some OSs not being fully scanned by Vulnerability Detection.
To carry out this research, we installed a Manager using the installation assistant
on an Ubuntu 22 OS and connected agents to it.
For Windows 8, some OS vulnerabilities are being skipped because no remediations were found:
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2012-2897 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2013-0006 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2013-0007 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2013-7332 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2014-1767 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2014-1824 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2017-0050 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2018-6947 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2018-7249 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2018-7250 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2018-7250', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2018-6947', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2018-7249', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2014-1824', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2013-0006', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2012-2897', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2014-6324', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2013-0007', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2013-7332', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2014-1767', discarding.
Since these vulnerabilities are matched due to default status,
this could be the expected behavior.
One error related to content was found:
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:92 at operator()(): DEBUG: Scanning OS - 'windows_8' (Installed Version: 6.3.9600, Security Vulnerability: CVE-2012-0159). Identified vulnerability: Version: consumer_preview. Required Version Threshold: . Required Version Threshold (or Equal): .
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] versionMatcher.hpp:201 at createVersionObject(): DEBUG: Error creating VersionObject (DPKG). Version string doesn't match the specified type. Version string: consumer_preview
And several errors/warnings related to the vendor:
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2004-0200, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2006-3877, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2007-0671, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2008-3068, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2014-2815, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2015-2503, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2016-3315, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2017-0197, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2017-8509, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2023-21721, OS CPE: cpe:/o:microsoft:windows_8::::::, OS code name:
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2023-33140, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2023-36769, Content vendor: microsoft, Package vendor: microsoft corporation
Conclusion: only a few packages were scanned, and this is not a VD error. The possible cause could be Syscollector.
For Windows 7, we found behavior similar to Windows 8 regarding the OS scan. Also, even fewer packages were scanned.
The OS was scanned successfully, but the dataset used to scan the packages was nvd.
This is because the ID of each OS is not in the CNA map. Fixing this inconvenience will scan the packages with the appropriate CNA (Debian or Canonical).
The issue related to vendors mismatching the content is present in all OSs.
Description
It was found that some OSs are unable to detect some vulnerabilities.
DoD
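As an added triage script (my own example, not part of this issue or of the Wazuh code base): it parses the vulnerability-scanner DEBUG messages quoted above and groups the discarded CVEs by reason, so that the "default status, then no remediation" case the issue treats as expected behavior can be separated from discards that need a closer look (a no-remediation discard with no preceding default-status match, a content version string that is not a version, a vendor mismatch that is only a legal-suffix difference, a platform not in the list). The regex group names, the `LEGAL_SUFFIXES` normalization heuristic and the sample log are mine; the sample is constructed from the message formats quoted in the issue.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the vulnerability-scanner DEBUG lines quoted
# in the issue (same message formats, a subset of the CVEs). Not a real capture.
SAMPLE_LOG = """\
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2012-2897 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:228 at operator()(): DEBUG: Match found for OS: windows_8 for vulnerability: CVE-2013-0006 due to default status.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2012-2897', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2013-0006', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:291 at handleRequest(): DEBUG: No remediation available for OS 'windows_8' on Agent '001' for CVE: 'CVE-2014-6324', discarding.
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] osScanner.hpp:92 at operator()(): DEBUG: Scanning OS - 'windows_8' (Installed Version: 6.3.9600, Security Vulnerability: CVE-2012-0159). Identified vulnerability: Version: consumer_preview. Required Version Threshold: . Required Version Threshold (or Equal): .
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] versionMatcher.hpp:201 at createVersionObject(): DEBUG: Error creating VersionObject (DPKG). Version string doesn't match the specified type. Version string: consumer_preview
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:356 at operator()(): DEBUG: The vendor is not the same for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2004-0200, Content vendor: microsoft, Package vendor: microsoft corporation
2024/05/07 17:43:45 wazuh-modulesd:vulnerability-scanner[86326] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: onenote, Version: 16.0.3030.1024, CVE: CVE-2023-21721, OS CPE: cpe:/o:microsoft:windows_8::::::, OS code name:
"""

# One pattern per discard reason. The message texts are taken from the quoted
# log lines; the group names are my own.
PATTERNS = {
    "default_status": re.compile(
        r"Match found for OS: (?P<os>\S+) for vulnerability: (?P<cve>CVE-\d{4}-\d+) due to default status"),
    "no_remediation": re.compile(
        r"No remediation available for OS '(?P<os>[^']+)' on Agent '(?P<agent>[^']+)' for CVE: '(?P<cve>CVE-\d{4}-\d+)'"),
    "version_parse_error": re.compile(
        r"Error creating VersionObject \((?P<vtype>\w+)\)\..*Version string: (?P<version>\S+)$"),
    "vendor_mismatch": re.compile(
        r"The vendor is not the same for Package: (?P<pkg>[^,]+), Version: (?P<version>[^,]+), "
        r"CVE: (?P<cve>CVE-\d{4}-\d+), Content vendor: (?P<content_vendor>.*?), Package vendor: (?P<package_vendor>.*)$"),
    "platform_not_listed": re.compile(
        r"The platform is not in the list for Package: (?P<pkg>[^,]+), Version: (?P<version>[^,]+), "
        r"CVE: (?P<cve>CVE-\d{4}-\d+), OS CPE: (?P<cpe>[^,\s]+)"),
}

# Heuristic (my assumption, not scanner logic): the agent-reported vendor often
# carries a legal suffix ("microsoft corporation") that the content feed's
# vendor field ("microsoft") does not. Stripping it tells naming differences
# apart from genuinely different vendors.
LEGAL_SUFFIXES = {"corporation", "corp", "corp.", "inc", "inc.", "ltd", "ltd.", "llc", "gmbh"}


def normalize_vendor(vendor):
    tokens = [t for t in vendor.lower().replace(",", " ").split() if t not in LEGAL_SUFFIXES]
    return " ".join(tokens)


def parse_events(log_text):
    """Turn each recognised DEBUG line into a dict with a 'reason' and the captured fields."""
    events = []
    for line in log_text.splitlines():
        for reason, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                event = {"reason": reason, **match.groupdict()}
                if reason == "vendor_mismatch":
                    event["suffix_only"] = (normalize_vendor(event["content_vendor"])
                                            == normalize_vendor(event["package_vendor"]))
                events.append(event)
                break
    return events


def summarize(events):
    """Group discarded CVEs by reason and single out the ones that deserve a second look."""
    counts = Counter(e["reason"] for e in events)
    cves = defaultdict(set)
    for e in events:
        if "cve" in e:
            cves[e["reason"]].add(e["cve"])
    return {
        "counts": dict(counts),
        # Matched only by default status and then dropped for lack of a
        # remediation: the case the issue treats as expected behavior.
        "expected_default_status_discards": cves["default_status"] & cves["no_remediation"],
        # Dropped for no remediation without a preceding default-status match.
        "unexplained_no_remediation": cves["no_remediation"] - cves["default_status"],
        # Vendor mismatches that differ only by a legal suffix: likely false negatives.
        "suffix_only_vendor_mismatches": sum(
            1 for e in events if e["reason"] == "vendor_mismatch" and e["suffix_only"]),
        # Content version strings the matcher could not parse (a content problem).
        "bad_version_strings": [e["version"] for e in events if e["reason"] == "version_parse_error"],
        "platform_not_listed_cpes": sorted({e["cpe"] for e in events if e["reason"] == "platform_not_listed"}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a real `ossec.log` with `wmodules.debug=2` by replacing `SAMPLE_LOG` with the file contents; anything in `unexplained_no_remediation`, `bad_version_strings` or with `suffix_only` set is the subset worth reporting back on the issue, while `expected_default_status_discards` can be ignored.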