Vulnerability Detector - False positive: Grafana - CVE-2023-4822

sebasfalcone commented 1 month ago

Description

Currently, we are identifying Grafana as vulnerable to the CVE-2023-4822 in Ubuntu and RedHat systems

DoD

[x] Perform a RCA
[x] Propose a solution

sebasfalcone commented 1 month ago

RCA

Why this is a false positive?

If we take a look at the CVE for each vendor:

RedHat 8

      {
        "defaultStatus": "unaffected",
        "platforms": [
          "cpe:/a:redhat:enterprise_linux:8",
          "cpe:/a:redhat:enterprise_linux:8::appstream",
          "cpe:/a:redhat:enterprise_linux:8::crb",
          "cpe:/a:redhat:enterprise_linux:8::highavailability",
          "cpe:/a:redhat:enterprise_linux:8::nfv",
          "cpe:/a:redhat:enterprise_linux:8::realtime",
          "cpe:/a:redhat:enterprise_linux:8::resilientstorage",
          "cpe:/a:redhat:enterprise_linux:8::sap",
          "cpe:/a:redhat:enterprise_linux:8::sap_hana",
          "cpe:/a:redhat:enterprise_linux:8::supplementary",
          "cpe:/o:redhat:enterprise_linux:8",
          "cpe:/o:redhat:enterprise_linux:8::baseos"
        ],
        "product": "grafana",
        "vendor": "redhat"
      }

Ubuntu

      {
        "defaultStatus": "unknown",
        "platforms": [
          "bionic",
          "trusty",
          "xenial"
        ],
        "product": "grafana",
        "vendor": "canonical"
      }

NVD

    {
      "cpes": [
        "cpe:2.3:a:grafana:grafana-enterprise:*:*:*:*:enterprise:*:*:*"
      ],
      "defaultStatus": "unaffected",
      "product": "grafana-enterprise",
      "vendor": "contact@grafana.com",
      "versions": [
        {
          "lessThan": "10.0.7",
          "status": "affected",
          "version": "10.0.0",
          "versionType": "custom"
        },
        {
          "lessThan": "10.1.3",
          "status": "affected",
          "version": "10.1.0",
          "versionType": "custom"
        },
        {
          "lessThan": "9.4.16",
          "status": "affected",
          "version": "8.0.0",
          "versionType": "custom"
        },
        {
          "lessThan": "9.5.11",
          "status": "affected",
          "version": "9.5.0",
          "versionType": "custom"
        }
      ]
    }

Both Ubuntu and RedHat identify Grafana as not vulnerable

Why is matching?

If we follow the analysis performed here:

https://github.com/wazuh/wazuh/issues/24677#issuecomment-2248992138

We see that the checks are against version 9.4.16, one of the versions described by the NVD

The reason why the NVD is selected as the corresponding CNA is because the vendor for Grafana packages is contact@grafana.com, the getCNA logic identifies no feed for this information but the NVD

Why is matching

Seems like this sanitization didn't impact the content yet:

./rocks_db_query_testtool -d ~/Documents/work/development/wazuh-master/src/queue/vd/feed/ -c nvd -f /home/sebas/Documents/work/development/wazuh-master/src/wazuh_modules/vu
lnerability_scanner/schemas/vulnerabilityCandidate.fbs -k grafana_CVE-2023-4822

grafana_CVE-2023-4822 ==> {
  "candidates": [
    {
      "cveId": "CVE-2023-4822",
      "defaultStatus": "unaffected",
      "versions": [
        {
          "version": "10.0.0",
          "lessThan": "10.0.7",
          "versionType": "custom"
        },
        {
          "version": "10.1.0",
          "lessThan": "10.1.3",
          "versionType": "custom"
        },
        {
          "version": "8.0.0",
          "lessThan": "9.4.16",
          "versionType": "custom"
        },
        {
          "version": "9.5.0",
          "lessThan": "9.5.11",
          "versionType": "custom"
        }
      ],
      "vendor": "grafana"
    }
  ]
}

I asked the team to see if CTI contains or not the sanitization (because I don't have this access)

Main issue

On the other hand, the NVD is wrongly used in this scenario, I will attempt to propose a solution

sebasfalcone commented 1 month ago

Update

I updated the content via offsets. The old Grafana CVE disappeared from the NVD as expected

./rocks_db_query_testtool -d ~/Documents/work/development/wazuh-master/src/queue/vd/feed/ -c nvd -f /home/sebas/Documents/work/development/wazuh-master/src/wazuh_modules/vulnerability_scanner/schemas/vulnerabilityCandidate.fbs -k grafana-enterise_CVE-2023-4822

Unable to find resource.

./rocks_db_query_testtool -d ~/Documents/work/development/wazuh-master/src/queue/vd/feed/ -c nvd -f /home/sebas/Documents/work/development/wazuh-master/src/wazuh_modules/vulnerability_scanner/schemas/vulnerabilityCandidate.fbs -k grafana-enterprise_CVE-2023-4822

grafana-enterprise_CVE-2023-4822 ==> {
  "candidates": [
    {
      "cveId": "CVE-2023-4822",
      "defaultStatus": "unaffected",
      "versions": [
        {
          "version": "10.0.0",
          "lessThan": "10.0.7",
          "versionType": "custom"
        },
        {
          "version": "10.1.0",
          "lessThan": "10.1.3",
          "versionType": "custom"
        },
        {
          "version": "8.0.0",
          "lessThan": "9.4.16",
          "versionType": "custom"
        },
        {
          "version": "9.5.0",
          "lessThan": "9.5.11",
          "versionType": "custom"
        }
      ],
      "vendor": "contact@grafana.com"
    }
  ]
}

And if we re-run the false positive efficacy tests, they now are passing:

================================================================== 2 passed, 23 skipped in 124.13s (0:02:04) ==================================================================

sebasfalcone commented 1 month ago

Conclusion

This immediate issue will be solved once the content is updated

To fix this behaviour we need to re-think the way we determine the CNA for a given package

sebasfalcone commented 1 month ago

Proposed solution

The proposed solution can be found here

https://github.com/wazuh/wazuh/issues/25096

Dwordcito commented 3 weeks ago

Analysis understood, this does not mean that we will address it with what is proposed in: https://github.com/wazuh/wazuh/issues/25096

wazuh / wazuh