Issue: Vulnerability Detector - Windows Agent


Sudipto Jena

Aug 6, 2022, 3:48:24 AM
to Wazuh mailing list
Good morning, Team!

I have seen a lot of posts regarding problems around Vulnerability Detector and I am adding to the list. Below is a triage of what I have done so far, but success eludes me. May I kindly request the Wazuh Team to help in this matter. I have tried installing Wazuh Manager (WM) using both methods - package and source. The events posted below are from a test instance running compiled source, version 4.3.6.

Any help would be appreciated, please. Thank you!
SJ

1) curl -k -X GET "https://192.168.50.100:55000/?pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "title": "Wazuh API REST",
      "api_version": "4.3.6",
      "revision": 40318,
      "license_name": "GPL 2.0",
      "license_url": "https://github.com/wazuh/wazuh/blob/4.3/LICENSE",
      "hostname": "ubuntu20vanilla",
      "timestamp": "2022-08-06T05:41:28Z"
   },
   "error": 0
}

2) curl -k -X GET "https://192.168.50.100:55000/agents?pretty=true" -H "Authorization: Bearer $TOKEN"
{
            "os": {
               "build": "19044",
               "major": "10",
               "minor": "0",
               "name": "Microsoft Windows 10 Pro",
               "platform": "windows",
               "uname": "Microsoft Windows 10 Pro",
               "version": "10.0.19044"
            },
            "status": "active",
            "manager": "ubuntu20vanilla",
            "configSum": "ab73af41699f13fdd81903b5f23d8d00",
            "name": "cappc",
            "dateAdd": "2022-08-06T04:10:20Z",
            "version": "Wazuh v4.3.6",
            "node_name": "node01",
            "ip": "172.25.158.10",
            "id": "003",
            "lastKeepAlive": "2022-08-06T05:43:33Z",
            "group": [
               "default"
            ],
            "mergedSum": "4a8724b20dee0124ff9656783c490c4e",
            "registerIP": "any"
         }
For the purpose of the test there is only 1 agent: 003 (Windows 10 Pro 21H2) + 000 (WM agent id)

3) Agent OSSEC Conf for Vulnerability Detector
  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <hotfixes>yes</hotfixes>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

4) WM OSSEC Conf

 <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

   <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>

Information stored within /var/ossec/queue/db/003.db

5) sqlite> select count(1) from sys_programs;
     12 (user installed programs)
6) sqlite> select count(1) from sys_hotfixes;
     18 (hotfixes applied)
7) select * from vuln_metadata;
     1659765791|1659759475
8) sqlite> select count(1) from vuln_cves ;
    0
9)  sqlite> select hostname, os_name, os_version, scan_time from sys_osinfo ;
       CAPPC|Microsoft Windows 10 Enterprise|10.0.19044|2022/08/06 05:14:32

Information stored within /var/ossec/queue/vulnerabilities/cve.db
10) sqlite> select count(1) from agents;
     0
11) sqlite> select count(1) from AGENT_HOTFIXES ;
     0
12) sqlite> select distinct PRODUCT from MSU;
output snipped
.NET 5.0
.NET 6.0
.NET Core 3.1
ASP.NET MVC 5.2 on Microsoft Visual Studio 2013 Update 5
ASP.NET MVC 5.2 on Microsoft Visual Studio 2015 Update 3
ASP.NET Web Pages 3.2.3 on Microsoft Visual Studio 2013 Update 5
ASP.NET Web Pages 3.2.3 on Microsoft Visual Studio 2015 Update 3
Adobe Flash Player on Windows 10 Version 1511 for 32-bit Systems
Adobe Flash Player on Windows 10 Version 1511 for x64-based Systems
Adobe Flash Player on Windows 10 Version 1607 for 32-bit Systems
Adobe Flash Player on Windows 10 Version 1607 for x64-based Systems
Adobe Flash Player on Windows 10 Version 1703 for 32-bit Systems

13) sqlite> select count(distinct PRODUCT) from MSU;
       907

14) sqlite> select count(1) from NVD_METADATA;
       13

15) sqlite> select count(1) from nvd_cpe;
       256197

16) sqlite> select count(1) from nvd_cve;
       150702

Let me force WM to conduct a baseline scan of agent id 003 and capture the logs of the Vulnerability process

17) sqlite> update vuln_metadata set  LAST_PARTIAL_SCAN=0, LAST_FULL_SCAN = 0;
       sqlite> select * from vuln_metadata ;

       0 | 0

18) restart wazuh services

19) Output of debug logs in /var/ossec/logs/ossec.json (attached 003_vulnerability_ossec_debug.log)

003_vulnerability_ossec_debug.log

Miguel Angel Cazajous

Aug 6, 2022, 10:54:42 AM
to Wazuh mailing list
Hi,

I'm not seeing anything wrong with your exploration. The configuration is fine and the logs don't report any kind of error or warning that may affect the scan.

It's normal to have fewer packages on Windows systems than on Linux systems, and if you have the hotfixes up to date it is expected to have 0 vulnerabilities in the inventory.

You could try installing Wireshark 2.4.5 and check if any vulnerability is reported for that well-known vulnerable package.

On the other hand, the information you want to get from these queries is filled during the scan and immediately erased after the correlation between packages, os, hotfixes, and CVEs. So it is ok to be empty.

Information stored within /var/ossec/queue/vulnerabilities/cve.db
10) sqlite> select count(1) from agents;
     0
11) sqlite> select count(1) from AGENT_HOTFIXES ;
     0

After you correctly forced the baseline scan I see that most vulnerabilities are fixed due to a KB installed in the system and some of them are not being evaluated due to the lack of information in the Microsoft catalog, which again, is expected.

Could you provide more information about why you think this triage is not successful?

Regards!
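
The sqlite triage in the first post (steps 5 to 17) and the explanation above boil down to one correlation: the agent's OS row, its installed hotfixes and the MSU feed are joined while a scan runs, anything fixed by an installed KB is dropped, anything with no KB data in the catalog is left unevaluated, and only what remains lands in the agent's vuln_cves table, while the per-agent tables in cve.db are cleared again afterwards. The Python script below is an added example, not Wazuh's own code, that models that correlation offline on two in-memory SQLite databases so the "0 rows is expected when fully patched" outcome can be seen next to the "missing KB" outcome. Everything beyond what the thread shows is assumed: the only real names are MSU.PRODUCT, vuln_metadata.LAST_PARTIAL_SCAN / LAST_FULL_SCAN and the sys_osinfo columns; the other column names, the build-to-version mapping, and the CVE-TEST-* and KB000000* identifiers are placeholders, and the NVD side (sys_programs against nvd_cpe/nvd_cve) is left out.

```python
"""Offline model of the OS / hotfix / MSU correlation discussed in the thread.

Added example, not Wazuh code. Table and column names not visible in the
thread, the feed rows and every CVE/KB identifier are constructed placeholders.
"""
import sqlite3
import time

# Constructed agent facts; the values mirror step 9 of the thread.
OSINFO = ("CAPPC", "Microsoft Windows 10 Enterprise", "10.0.19044", "2022/08/06 05:14:32")

# Assumption: build number -> marketing version as spelled in MSU PRODUCT strings.
BUILD_TO_VERSION = {"19044": "21H2", "19043": "21H1", "14393": "1607"}

# Constructed feed rows: (cve, PRODUCT, fixing KB). Placeholder identifiers only.
MSU_FEED = [
    ("CVE-TEST-0001", "Windows 10 Version 21H2 for x64-based Systems", "KB0000001"),
    ("CVE-TEST-0002", "Windows 10 Version 21H2 for x64-based Systems", "KB0000002"),
    ("CVE-TEST-0003", "Windows 10 Version 21H2 for x64-based Systems", "KB0000003"),
    ("CVE-TEST-0004", "Windows 10 Version 1607 for x64-based Systems", "KB0000004"),
    ("CVE-TEST-0005", "Windows 10 Version 21H2 for x64-based Systems", None),  # no KB in catalog
]


def build_agent_db(hotfixes):
    """In-memory stand-in for /var/ossec/queue/db/003.db (schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sys_osinfo (hostname TEXT, os_name TEXT, os_version TEXT, scan_time TEXT);
        CREATE TABLE sys_hotfixes (hotfix TEXT);
        CREATE TABLE vuln_metadata (LAST_PARTIAL_SCAN INTEGER, LAST_FULL_SCAN INTEGER);
        CREATE TABLE vuln_cves (cve TEXT, name TEXT, status TEXT);
    """)
    db.execute("INSERT INTO sys_osinfo VALUES (?,?,?,?)", OSINFO)
    db.executemany("INSERT INTO sys_hotfixes VALUES (?)", [(kb,) for kb in hotfixes])
    db.execute("INSERT INTO vuln_metadata VALUES (0, 0)")
    return db


def build_feed_db():
    """In-memory stand-in for cve.db holding only a tiny MSU table (schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MSU (cve TEXT, PRODUCT TEXT, patch TEXT)")
    db.executemany("INSERT INTO MSU VALUES (?,?,?)", MSU_FEED)
    return db


def agent_product(agent):
    """Map the sys_osinfo row onto the MSU PRODUCT naming (x64 assumed)."""
    _, _, os_version, _ = agent.execute("SELECT * FROM sys_osinfo").fetchone()
    version = BUILD_TO_VERSION[os_version.split(".")[-1]]
    return f"Windows 10 Version {version} for x64-based Systems"


def correlate(agent, feed):
    """Classify each feed entry for this agent: vulnerable, fixed or unevaluated."""
    installed = {kb for (kb,) in agent.execute("SELECT hotfix FROM sys_hotfixes")}
    rows = feed.execute("SELECT cve, patch FROM MSU WHERE PRODUCT = ?", (agent_product(agent),))
    result = {}
    for cve, patch in rows:
        if patch is None:
            result[cve] = "unevaluated"      # catalog lacks fix data, as Miguel describes
        elif patch in installed:
            result[cve] = "fixed"            # KB present in sys_hotfixes
        else:
            result[cve] = "vulnerable"
    return result


def run_scan(agent, feed, full=True):
    """Write only the vulnerable entries to vuln_cves and stamp vuln_metadata."""
    findings = correlate(agent, feed)
    product = agent_product(agent)
    agent.execute("DELETE FROM vuln_cves")
    agent.executemany("INSERT INTO vuln_cves VALUES (?,?,?)",
                      [(c, product, s) for c, s in findings.items() if s == "vulnerable"])
    now = int(time.time())
    cols = "LAST_PARTIAL_SCAN = ?, LAST_FULL_SCAN = ?" if full else "LAST_PARTIAL_SCAN = ?"
    agent.execute(f"UPDATE vuln_metadata SET {cols}", (now, now) if full else (now,))
    agent.commit()
    return findings


def vuln_count(agent):
    """Step 8 of the thread: how many rows ended up in vuln_cves."""
    return agent.execute("SELECT count(1) FROM vuln_cves").fetchone()[0]


def needs_full_scan(agent, min_full_scan_interval_s=6 * 3600, now=None):
    """Step 17 zeroes both stamps; this shows what that forces on the next run."""
    now = int(time.time()) if now is None else now
    (last_full,) = agent.execute("SELECT LAST_FULL_SCAN FROM vuln_metadata").fetchone()
    return now - last_full >= min_full_scan_interval_s


def force_baseline(agent):
    agent.execute("UPDATE vuln_metadata SET LAST_PARTIAL_SCAN = 0, LAST_FULL_SCAN = 0")
    agent.commit()


if __name__ == "__main__":
    feed = build_feed_db()
    patched = build_agent_db(["KB0000001", "KB0000002", "KB0000003"])
    print("fully patched:", run_scan(patched, feed), "->", vuln_count(patched), "rows in vuln_cves")
    stale = build_agent_db(["KB0000001"])
    print("missing KBs:  ", run_scan(stale, feed), "->", vuln_count(stale), "rows in vuln_cves")
    print("full scan due right after a scan:", needs_full_scan(stale))
    force_baseline(stale)
    print("full scan due after zeroing vuln_metadata:", needs_full_scan(stale))
```

The fully patched agent produces an empty vuln_cves even though three feed entries matched its OS, which is the situation in the first post; removing two KBs from sys_hotfixes turns those entries into rows. The place to check after a real scan is therefore the agent DB's vuln_cves (step 8), not cve.db's agents or AGENT_HOTFIXES tables, which are emptied once the correlation finishes; and the quickest positive control is the one suggested above, a package known to be vulnerable, which exercises the NVD side this model leaves out.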

Sudipto Jena

Aug 8, 2022, 10:03:49 PM
to Wazuh mailing list
Hi Team,

May I kindly request a response in case I have missed anything in my triage of the problem, or at least if someone has more insight into solving this issue, please! (even a response like "Please use another tool for vulnerability management!" will do). Our team has to take a go/no-go decision.

I can use Greenbone as an alternative, but would like to minimize the number of components within a deployment, if the same objective can be achieved with Wazuh. Adding more 3P tools just does away with the philosophy of simplicity.

Any help or suggestions are honestly appreciated, thank you much!

SJ


Miguel Angel Cazajous

Aug 9, 2022, 10:48:12 AM
to Wazuh mailing list
It's hard to continue with this issue until we have more details about the problem you are reporting. So far I'm not seeing anything bad in the config nor errors in the log messages. The suggestion was to evaluate the vulnerabilities of a well-known vulnerable application.

If the problem you're facing is the zero vulnerabilities reported I shared an explanation in the comment above, if it is not clear enough let me know.

Regards!