Open Dwordcito opened 6 days ago
Since this CVE is awaiting analysis by the NVD, we must generate the baseline content ourselves. This will be addressed at:
Once this CVE is migrated, we are going to proceed with this issue.
Commit released, moved to on-hold
[!NOTE] The scanner is able to detect the vulnerability.
```
2024/07/04 16:06:36 wazuh-modulesd:vulnerability-scanner[36225] packageScanner.hpp:477 at versionMatch(): DEBUG: Match found, the package 'openssh-server', is vulnerable to 'CVE-2024-6387'. Current version: '8.7p1-34.el9' (less than '0:8.7p1-38.el9_4.1' or equal to ''). - Agent 'centos9' (ID: '002', Version: 'v4.7.3').
2024/07/04 16:07:17 wazuh-modulesd:vulnerability-scanner[36225] packageScanner.hpp:477 at versionMatch(): DEBUG: Match found, the package 'openssh', is vulnerable to 'CVE-2024-6387'. Current version: '8.7p1-34.el9' (less than '0:8.7p1-38.el9_4.1' or equal to ''). - Agent 'centos9' (ID: '002', Version: 'v4.7.3').
2024/07/04 16:07:44 wazuh-modulesd:vulnerability-scanner[36225] packageScanner.hpp:477 at versionMatch(): DEBUG: Match found, the package 'openssh-clients', is vulnerable to 'CVE-2024-6387'. Current version: '8.7p1-34.el9' (less than '0:8.7p1-38.el9_4.1' or equal to ''). - Agent 'centos9' (ID: '002', Version: 'v4.7.3').
2024/07/04 16:15:40 wazuh-modulesd:vulnerability-scanner[37329] packageScanner.hpp:477 at versionMatch(): DEBUG: Match found, the package 'openssh', is vulnerable to 'CVE-2024-6387'. Current version: '9.7p1-2' (less than '9.8p1-1' or equal to ''). - Agent 'archlinux' (ID: '001', Version: 'v4.7.4').
```
According to the ArchLinux feed, package version 9.7p1-2 is vulnerable: https://security.archlinux.org/CVE-2024-6387

According to the RedHat feed, the package affects version 9 of the operating system: https://access.redhat.com/security/cve/cve-2024-6387

Both cases were proved above.

According to the Ubuntu feed, the package was fixed in 8.9p1: https://ubuntu.com/security/CVE-2024-6387
RedHat 9
```
openssh_CVE-2024-6387 ==> {
  "candidates": [
    {
      "cveId": "CVE-2024-6387",
      "defaultStatus": "unaffected",
      "platforms": [
        "cpe:/a:redhat:enterprise_linux:9",
        "cpe:/a:redhat:enterprise_linux:9::appstream",
        "cpe:/a:redhat:enterprise_linux:9::crb",
        "cpe:/a:redhat:enterprise_linux:9::highavailability",
        "cpe:/a:redhat:enterprise_linux:9::nfv",
        "cpe:/a:redhat:enterprise_linux:9::realtime",
        "cpe:/a:redhat:enterprise_linux:9::resilientstorage",
        "cpe:/a:redhat:enterprise_linux:9::sap",
        "cpe:/a:redhat:enterprise_linux:9::sap_hana",
        "cpe:/a:redhat:enterprise_linux:9::supplementary",
        "cpe:/o:redhat:enterprise_linux:9",
        "cpe:/o:redhat:enterprise_linux:9::baseos"
      ],
      "versions": [
        {
          "version": "0",
          "lessThan": "0:8.7p1-38.el9_4.1",
          "versionType": "rpm"
        }
      ]
    }
  ]
}
```
ArchLinux
```
openssh_CVE-2024-6387 ==> {
  "candidates": [
    {
      "cveId": "CVE-2024-6387",
      "defaultStatus": "unaffected",
      "versions": [
        {
          "version": "9.7p1-2",
          "lessThan": "9.8p1-1",
          "versionType": "custom"
        }
      ]
    }
  ]
}
```
canonical
```
openssh-server_CVE-2024-6387 ==> {
  "candidates": [
    {
      "cveId": "CVE-2024-6387",
      "defaultStatus": "unaffected",
      "platforms": [
        "jammy"
      ],
      "versions": [
        {
          "version": "0",
          "lessThan": "1:8.9p1-3ubuntu0.10",
          "versionType": "custom"
        }
      ]
    },
    {
      "cveId": "CVE-2024-6387",
      "defaultStatus": "unaffected",
      "platforms": [
        "mantic"
      ],
      "versions": [
        {
          "version": "0",
          "lessThan": "1:9.3p1-1ubuntu3.6",
          "versionType": "custom"
        }
      ]
    },
    {
      "cveId": "CVE-2024-6387",
      "defaultStatus": "unaffected",
      "platforms": [
        "noble"
      ],
      "versions": [
        {
          "version": "0",
          "lessThan": "1:9.6p1-3ubuntu13.3",
          "versionType": "custom"
        }
      ]
    }
  ]
}
```
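The RedHat 9 candidate above can be checked by hand against the versions reported in the scanner log. This is an added example, not Wazuh's code and not part of the original thread: a simplified rpm version comparison (no `~` or `^` handling) applied to the entry's `version`/`lessThan` range. The function names, and reading `version` as an inclusive lower bound, are assumptions.

```python
import re

# Version entry copied from the RedHat 9 candidate shown in this thread.
RHEL9_ENTRY = {"version": "0", "lessThan": "0:8.7p1-38.el9_4.1", "versionType": "rpm"}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def split_evr(evr):
    """Split 'epoch:version-release'; a missing epoch counts as 0."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, _, release = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), version, release


def segment_cmp(a, b):
    """Simplified rpmvercmp: compare digit and letter runs, ignore separators."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run sorts above letters
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Return -1, 0 or 1: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return segment_cmp(va, vb) or segment_cmp(ra, rb)


def is_affected(installed, entry):
    """True when installed lies in [entry['version'], entry['lessThan'])."""
    return (evr_cmp(installed, entry["version"]) >= 0
            and evr_cmp(installed, entry["lessThan"]) < 0)


if __name__ == "__main__":
    # Installed version taken from the centos9 agent log lines in this thread.
    print(is_affected("8.7p1-34.el9", RHEL9_ENTRY))
    # A host already at the fixed build falls outside the range.
    print(is_affected("8.7p1-38.el9_4.1", RHEL9_ENTRY))
```
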
[!NOTE] I'm not getting

```
2024/07/04 17:41:36 wazuh-modulesd:vulnerability-scanner[63237] packageScanner.hpp:415 at versionMatch(): DEBUG: Scanning package - 'openssh-sftp-server' (Installed Version: 1:8.9p1-3ubuntu0.10, Security Vulnerability: CVE-2024-6387). Identified vulnerability: Version: 0. Required Version Threshold: 1:8.9p1-3ubuntu0.10. Required Version Threshold (or Equal): .
```

in qa efficacy tests, the content may be outdated.
The tar.xz file is outdated, but the information with offset: 756338 is up to date.
```
wazuh-modulesd:vulnerability-scanner:databaseFeedManager.hpp:227 processMessage : Processing line: 239001
wazuh-modulesd:content-updater:action.hpp:177 runActionOnDemand : Starting on-demand action for 'vulnerability_feed_manager'
wazuh-modulesd:content-updater:action.hpp:210 runAction : Action for 'vulnerability_feed_manager' started
wazuh-modulesd:content-updater:actionOrchestrator.hpp:208 runOffsetUpdate : Running 'vulnerability_feed_manager' offset update
wazuh-modulesd:content-updater:factoryOffsetUpdater.hpp:41 create : FactoryOffsetUpdater - Starting process
wazuh-modulesd:content-updater:updateCtiApiOffset.hpp:70 handleRequest : UpdateCtiApiOffset - Starting process
wazuh-modulesd:content-updater:updateCtiApiOffset.hpp:42 update : Updating offset with value: 756338
wazuh-modulesd:content-updater:action.hpp:221 runAction : Action for 'vulnerability_feed_manager' finished
wazuh-modulesd:vulnerability-scanner:databaseFeedManager.hpp:349 operator() : Feed update process completed
wazuh-modulesd:content-updater:onDemandManager.cpp:169 stopServer : Server stopped
wazuh-modulesd:content-updater:action.hpp:138 stopActionScheduler : Scheduler stopped for 'vulnerability_feed_manager'
Error removing FD from interface.
```
Added a new commit with needed fixes due to content changes not related to this issue.
https://github.com/wazuh/wazuh/pull/24424/commits/039115d3900a50c59eb443d1072c9f4ae5494a95
Tests are passing now, unblocked.
Description
Given the impact that CVE-2024-6387 has on the community, it is necessary to confirm that it is within the vulnerability detection capabilities of detector 4.8.
This must be done on all tier 1 platforms.
DoD