Ubuntu Vulnerability scan is way out.


Gordon O'Brien

Aug 20, 2022, 8:39:53 AM
to Wazuh mailing list
Hi

I've just installed a new vanilla Ubuntu desktop 22.04 and installed the agent. 
The OS is fully patched yet the vulnerability scanner shows the following:

wazuh-ubuntu-vulnerabilities.png
ossec.conf includes the jammy OS under vulnerability scanning.

I assume this is an error somewhere or is Canonical just really bad at updating?

Thanks for any feedback.


Francisco Tuduri

Aug 22, 2022, 7:50:28 AM
to Wazuh mailing list
Hello Gordon! And thanks for using Wazuh!

I will try to reproduce this in my lab environment and I will get back to you.
Just to be sure, what version of agent and manager are you using?

Regards!

Gordon O'Brien

Aug 22, 2022, 9:05:52 AM
to Wazuh mailing list
Thanks for taking the time to look into this, Francisco.
Agent and manager are running 4.3.6

I also have KDE Neon installed on several machines which are currently still running the Focal LTS base. I've added that as an alias on Focal and they also show a similarly high number of vulnerabilities:
wazuh-Neon-vulnerabilities.png



Regards
Gordon

Francisco Tuduri

Aug 22, 2022, 6:32:07 PM
to Wazuh mailing list

Would you be willing to share the details of the reported vulnerabilities so we can give them a closer look?
You can export the report as a CSV with the "Export formatted" option.

Thanks!

Monah Baki

Aug 23, 2022, 11:13:31 AM
to Wazuh mailing list
Hello,


I have the same issue, attached is the reported vulnerabilities exported as csv.

Thanks
Monah
vuls-vulnerabilities.csv

Francisco Tuduri

Aug 23, 2022, 11:50:45 AM
to Wazuh mailing list
Thanks Monah! Is this agent also on Ubuntu 22.04? If not, on what OS is it running?
The csv file only has "high" vulnerabilities. Could you please export another file with all severity levels?
Thanks again!

Monah Baki

Aug 23, 2022, 11:58:05 AM
to Wazuh mailing list
cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.1 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
UBUNTU_CODENAME=jammy
vuls-vulnerabilities(1).csv

Francisco Tuduri

Aug 23, 2022, 5:26:39 PM
to Wazuh mailing list
Gordon, Monah,

Reviewing the list of vulnerabilities provided by Monah, we could see that a very high number, 400 out of 464, of those correspond to the vim package: 2:8.2.3995-1ubuntu2 (vim-common, vim-runtime, vim-tiny, xxd).

We checked the different CVEs that describe those vulnerabilities and effectively that package is currently listed as vulnerable. For example, you can see these two: https://nvd.nist.gov/vuln/detail/CVE-2022-2304, https://nvd.nist.gov/vuln/detail/CVE-2022-2207.

In summary, the high number of vulnerabilities reported are valid but are also mostly related to that one package.

Gordon,

We don't have the report of your vulnerabilities, but I installed a fresh Ubuntu 22.04.1 and my results were very similar to yours, and found the same scenario described above. So my guess is that that is also what is happening in your case. You can check if a high number of your vulnerabilities belong to version '2:8.2.3995-1ubuntu2'. If that is not the case, let us know and we will give them a look.

Regards!
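
Added example (not part of the original thread, and not Wazuh code): one way to run the check suggested above on an exported report, grouping rows by package version to show how much of the total one version accounts for and how many distinct CVEs sit behind those rows. The column names "Name", "Version" and "CVE" are assumptions about the export layout, and the sample rows are constructed.

```python
import csv
import io
import sys
from collections import defaultdict

# Constructed sample, not data from the thread. Column names are assumptions
# about the export layout; adjust the *_col arguments to match your file.
SAMPLE_CSV = """Name,Version,CVE
vim-common,2:8.2.3995-1ubuntu2,CVE-2022-2304
vim-runtime,2:8.2.3995-1ubuntu2,CVE-2022-2304
vim-tiny,2:8.2.3995-1ubuntu2,CVE-2022-2304
xxd,2:8.2.3995-1ubuntu2,CVE-2022-2304
vim-common,2:8.2.3995-1ubuntu2,CVE-2022-2207
xxd,2:8.2.3995-1ubuntu2,CVE-2022-2207
example-pkg,1.0-1,CVE-0000-0001
"""


def summarize(csv_text, name_col="Name", version_col="Version", cve_col="CVE"):
    """Group report rows by package version, largest group first."""
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    missing = {name_col, version_col, cve_col} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"columns not found in export: {sorted(missing)}")
    groups = defaultdict(lambda: {"rows": 0, "cves": set(), "packages": set()})
    for row in reader:
        g = groups[row[version_col].strip()]
        g["rows"] += 1                      # one row per (binary package, CVE)
        g["cves"].add(row[cve_col].strip())
        g["packages"].add(row[name_col].strip())
    total = sum(g["rows"] for g in groups.values())
    return sorted(
        ({"version": v, "rows": g["rows"], "share": g["rows"] / total,
          "distinct_cves": len(g["cves"]), "packages": sorted(g["packages"])}
         for v, g in groups.items()),
        key=lambda s: s["rows"], reverse=True)


if __name__ == "__main__":
    # Pass the exported file as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="", encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV
    for s in summarize(text):
        print(f'{s["rows"]:4d} rows ({s["share"]:.0%})  {s["distinct_cves"]:3d} CVEs  '
              f'{s["version"]}  {", ".join(s["packages"])}')
```

The gap between "rows" and "distinct CVEs" shows how one CVE is counted once for every binary package built from the same source version.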

Gordon O'Brien

Aug 23, 2022, 5:39:33 PM
to Francisco Tuduri, Wazuh mailing list
I'm afraid I am away for a few days so cannot get the report just yet. However, I suspect it will be very similar to that supplied by Monah.
So if I understand you correctly, this is mainly due to Canonical not patching these few packages?

Thanks 
Gordon


Francisco Tuduri

Aug 23, 2022, 6:38:37 PM
to Wazuh mailing list
Yes, that's right.
And if you don't need vim (or just want to try) you can remove those packages and the bulk of those vulnerabilities should go away.
Regards!