wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Analysis of vulnerabilities reported by patrik-vetter on Slack #25353

Closed Tostti closed 6 days ago

Tostti commented 3 months ago

Description

A community user has reported that version 4.8.0 of the vulnerability detector incorrectly reports some vulnerabilities. This issue aims to investigate these reports, verify the accuracy of the vulnerability detection, and address any discrepancies. The user didn't provide complete information, only mentioning that the OS is Windows Server 2022.


Transcription:

Package: Microsoft Office Standard 2019 - sv-se 16.0.10411.20011
OS: Windows Server 2022
CVEs: CVE-1999-0794, CVE-2004-0848, CVE-2006-4694, CVE-2007-3109, CVE-2007-3282, CVE-2021-43905

Package: Microsoft Office Professional Plus 2019 - sv-se 16.0.10411.20011
OS: Windows Server 2022
CVEs: CVE-1999-0794, CVE-2004-0848, CVE-2006-4694, CVE-2007-3109, CVE-2007-3282, CVE-2021-43905

Package: Microsoft Windows Server 2016 Standard 10.1.14393.7070
OS: Windows Server
CVEs: CVE-2017-0078

Context

Accurate vulnerability detection is critical for maintaining the security and reliability of systems. Incorrectly reported vulnerabilities can lead to unnecessary concerns or, conversely, missed critical security issues. It is essential to thoroughly investigate these reports to ensure the detector's reliability and trustworthiness.

Expected

Steps to Complete

  1. Gather Information:

    • Obtain detailed reports from the user, including CVE-IDs, affected versions, and any additional relevant information.
  2. Analyze Reports:

    • Review the reported vulnerabilities to understand the context and specifics of the incorrect detections.
    • Cross-reference the detections with official vulnerability databases such as NVD, vendor advisories, and other reputable sources.
  3. Document Findings:

    • For each vulnerability analyzed, document the findings, including the CVE-ID, vendor, and nature of the discrepancy.
  4. Create Sanitization Issues:

    • Create individual sanitization issues for each CVE-ID and vendor where incorrect detections were found.

Deliverables
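The "Analyze Reports" step above (cross-referencing each reported CVE against the affected-product data the vulnerability database carries) can be made mechanical. The following is an added example written for this thread; it is not Wazuh's vulnerability-detector code. It takes an installed package already mapped to a CPE vendor/product and checks it against NVD-style `cpeMatch` entries (the `criteria` / `vulnerable` / `versionStartIncluding` / `versionEndExcluding` fields of the NVD API 2.0 shape). Every entry in `CONSTRUCTED_NVD` is constructed for illustration, not copied from NVD, the `EXAMPLE-UNBOUNDED` key is not a real CVE, and the fixed build `16.0.10500.0` used for CVE-2021-43905 is hypothetical. The useful part for triage is the `unbounded` field of the verdict: an entry whose criteria version is a wildcard with no version bounds matches every version of the product, which is exactly the kind of entry that yields the 1999-era Office hits reported above and should be flagged for manual review rather than trusted.

```python
"""Cross-reference an installed package against NVD-style CPE match entries.

Added example for the Wazuh issue thread; not Wazuh code. The cpeMatch data
below is CONSTRUCTED for illustration and is not copied from NVD.
"""
import re
from dataclasses import dataclass, field

WILDCARDS = ("*", "-")  # CPE 2.3 "any" and "not applicable" version values
BOUNDS = ("versionStartIncluding", "versionStartExcluding",
          "versionEndIncluding", "versionEndExcluding")


@dataclass(frozen=True)
class Package:
    """Installed package; mapping the Windows display name to a CPE
    vendor/product is assumed to have happened upstream."""
    display_name: str
    vendor: str
    product: str
    version: str


@dataclass
class Verdict:
    cve: str
    matched: bool
    matched_by: list = field(default_factory=list)  # criteria that matched
    unbounded: list = field(default_factory=list)   # matches with no version limit


def parse_cpe23(cpe):
    """Return part/vendor/product/version from a CPE 2.3 formatted string."""
    f = cpe.split(":")
    if len(f) != 13 or f[0] != "cpe" or f[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return {"part": f[2], "vendor": f[3], "product": f[4], "version": f[5]}


def version_key(v):
    """Numeric-aware key: '16.0.10411.20011' -> (16, 0, 10411, 20011)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def in_range(version, entry):
    """Apply the optional version bounds carried on a cpeMatch entry."""
    k = version_key(version)
    if entry.get("versionStartIncluding") and k < version_key(entry["versionStartIncluding"]):
        return False
    if entry.get("versionStartExcluding") and k <= version_key(entry["versionStartExcluding"]):
        return False
    if entry.get("versionEndIncluding") and k > version_key(entry["versionEndIncluding"]):
        return False
    if entry.get("versionEndExcluding") and k >= version_key(entry["versionEndExcluding"]):
        return False
    return True


def is_unbounded(entry):
    """Wildcard criteria version with no bounds: matches every version."""
    return parse_cpe23(entry["criteria"])["version"] in WILDCARDS and not any(b in entry for b in BOUNDS)


def entry_matches(pkg, entry):
    if not entry.get("vulnerable", True):
        return False
    cpe = parse_cpe23(entry["criteria"])
    if (cpe["vendor"], cpe["product"]) != (pkg.vendor, pkg.product):
        return False
    if cpe["version"] not in WILDCARDS:
        # Exact-version criteria (e.g. excel:97) must equal the installed version.
        return version_key(cpe["version"]) == version_key(pkg.version)
    return in_range(pkg.version, entry)


def assess(pkg, cve, entries):
    """Decide whether `cve` plausibly applies to `pkg` and flag suspect matches."""
    v = Verdict(cve=cve, matched=False)
    for e in entries:
        if entry_matches(pkg, e):
            v.matched = True
            v.matched_by.append(e["criteria"])
            if is_unbounded(e):
                v.unbounded.append(e["criteria"])
    return v


# Constructed NVD-style data (illustrative only; not real NVD entries).
CONSTRUCTED_NVD = {
    # Excel 97/2000 advisory modelled as exact product versions, no ranges.
    "CVE-1999-0794": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:microsoft:excel:97:*:*:*:*:*:*:*"},
        {"vulnerable": True, "criteria": "cpe:2.3:a:microsoft:excel:2000:*:*:*:*:*:*:*"},
    ],
    # Hypothetical over-broad entry: wildcard version, no bounds -> hits every Office build.
    "EXAMPLE-UNBOUNDED": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:microsoft:office:*:*:*:*:*:*:*:*"},
    ],
    # Hypothetical bounded entry for the true positive; the fixed build is invented.
    "CVE-2021-43905": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:microsoft:office:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "16.0", "versionEndExcluding": "16.0.10500.0"},
    ],
}

if __name__ == "__main__":
    office = Package("Microsoft Office Standard 2019 - sv-se", "microsoft", "office", "16.0.10411.20011")
    for cve, entries in CONSTRUCTED_NVD.items():
        v = assess(office, cve, entries)
        print(f"{cve}: matched={v.matched} review={'yes' if v.unbounded else 'no'} by={v.matched_by}")
```

Running it against the Office 2019 build from the report gives no match for the Excel 97/2000 entries, a match that is flagged for review for the unbounded entry, and a clean match for the bounded CVE-2021-43905 entry; the same package at the hypothetical fixed build no longer matches.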

matias-braida commented 3 months ago

CVE-2017-0078

NVD Content

(screenshot not reproduced)

Installed package

Microsoft Windows Server 2016 Standard version = 10.1.14393.7070

Conclusion

The information provided by NVD is not sufficient to confirm whether the vulnerability has been accurately reported or if a patch version is available. It is necessary to conduct a more thorough search in other sources to gather additional details about the reported issue. This further investigation will enable us to determine the appropriate sanitization measures to apply.

matias-braida commented 3 months ago

CVE-1999-0794

NVD Content

(screenshot not reproduced)

Microsoft Content

(screenshot not reproduced)

Installed package

Microsoft Office Standard 2019 - sv-se version = 16.0.10411.20011
Microsoft Office Professional Plus 2019 - sv-se version = 16.0.10411.20011

Conclusion

The information provided by NVD is not sufficient to confirm whether the vulnerability has been accurately reported or if a patch version is available.

The information provided by Microsoft seems to be that the vulnerability only applies to:

  • Microsoft Excel 97, whether shipped alone or as part of Office 97.
  • Microsoft Excel 2000, whether shipped alone or as part of Office 2000.

It is necessary to conduct a more thorough search in other sources to gather additional details about the reported issue. This further investigation will enable us to determine the appropriate sanitization measures to apply.

matias-braida commented 3 months ago

CVE-2004-0848

NVD Content

(screenshots not reproduced)

Installed package

Microsoft Office Standard 2019 - sv-se version = 16.0.10411.20011
Microsoft Office Professional Plus 2019 - sv-se version = 16.0.10411.20011

Conclusion

The information provided by NVD is not sufficient to confirm whether the vulnerability has been accurately reported or if a patch version is available. It is necessary to conduct a more thorough search in other sources to gather additional details about the reported issue. This further investigation will enable us to determine the appropriate sanitization measures to apply.

matias-braida commented 3 months ago

CVE-2006-4694

NVD Content

(screenshot not reproduced)

Microsoft Content

https://learn.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-058

(screenshot not reproduced)

Installed package

Microsoft Office Standard 2019 - sv-se version = 16.0.10411.20011
Microsoft Office Professional Plus 2019 - sv-se version = 16.0.10411.20011

Conclusion

The information provided by NVD is not sufficient to confirm whether the vulnerability has been accurately reported or if a patch version is available.

The information provided by Microsoft seems to be that the vulnerability only applies to:

  • Microsoft Office 2000 Service Pack 3
  • Microsoft Office XP Service Pack 3
  • Microsoft Office 2003 Service Pack 1 or Service Pack 2
  • Microsoft Office 2004 for Mac
  • Microsoft Office v. X for Mac

It is necessary to conduct a more thorough search in other sources to gather additional details about the reported issue. This further investigation will enable us to determine the appropriate sanitization measures to apply.

matias-braida commented 3 months ago

CVE-2007-3109

NVD Content

(screenshot not reproduced)

Installed package

Microsoft Office Standard 2019 - sv-se version = 16.0.10411.20011
Microsoft Office Professional Plus 2019 - sv-se version = 16.0.10411.20011

Conclusion

The information provided by NVD is not sufficient to confirm whether the vulnerability has been accurately reported or if a patch version is available. It is necessary to conduct a more thorough search in other sources to gather additional details about the reported issue. This further investigation will enable us to determine the appropriate sanitization measures to apply.

matias-braida commented 3 months ago

CVE-2007-3282

NVD Content

(screenshot not reproduced)

Installed package

Microsoft Office Standard 2019 - sv-se version = 16.0.10411.20011
Microsoft Office Professional Plus 2019 - sv-se version = 16.0.10411.20011

Conclusion

The information provided by NVD is not sufficient to confirm whether the vulnerability has been accurately reported or if a patch version is available. It is necessary to conduct a more thorough search in other sources to gather additional details about the reported issue. This further investigation will enable us to determine the appropriate sanitization measures to apply.

matias-braida commented 3 months ago

CVE-2021-43905

NVD Content

(screenshot not reproduced)

Microsoft Content

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-43905

(screenshot not reproduced)

Installed package

Microsoft Office Standard 2019 - sv-se version = 16.0.10411.20011
Microsoft Office Professional Plus 2019 - sv-se version = 16.0.10411.20011

Conclusion

The information provided by NVD and Microsoft suggests that the vulnerability has been correctly detected.

This is a true positive case. No sanitization is needed.

jftuduri commented 3 months ago

I move this issue to blocked. When all sanitizations have been applied, this issue can be closed.

Damian-Mangold commented 2 months ago

Reviewed: awaiting sanitizations.

Damian-Mangold commented 2 months ago

Reviewed: awaiting sanitizations.

Damian-Mangold commented 2 months ago

Reviewed: awaiting sanitizations.

Damian-Mangold commented 2 months ago

Reviewed: awaiting sanitizations.

Damian-Mangold commented 1 month ago

Sanitizations applied, efficacy tests should be added.

matias-braida commented 1 month ago

I moved this issue to blocked. When all sanitizations have been applied, the efficacy tests could be done.

Damian-Mangold commented 6 days ago

Added sanitizations and efficacy test.