CPE outdated


German DiCasas

Apr 9, 2024, 7:00:11 PM
to Wazuh | Mailing List
Hi team,

I have several Windows servers that do not have any vulnerability detected. Everything is OK except for that last part. I checked over the API Console (GET /syscollector/004/hotfixes, GET /syscollector/004/packages) and I have hotfixes/packages listed. But with GET /vulnerability/004 I get "message": "No vulnerabilities were returned".

After reading some blogs I did an install on that Windows agent of a software package with a vulnerable version, and it worked. The agent, after some time, displayed some vulnerabilities. I uninstalled the program and then everything went back as before.

In searching for how to solve what I previously indicated, I verified that cpe_helper.json is not updated. I can see that the update_date field in cpe_helper.json on my Wazuh is not updated. This is the file /var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json that I have:


{
    "version": "1.0",
    "format_version": "1.0",
    "update_date": "2023-04-21T11:43Z",
    "dictionary": [
        {
            "target": "windows",
            "source": {
                "vendor": [
                    "Microsoft Corporation"
                ],
                "product": [
                    "^Microsoft ASP.NET Core ([0-9]\\.*[0-9]*\\.*[0-9]*)"
                ],
                "version": [
                    "^Microsoft ASP.NET Core ([0-9]\\.*[0-9]*\\.*[0-9]*)"
                ]
            },
            "translation": {
                "vendor": [
                    "microsoft"
                ],
                "product": [
                    "asp.net_core"
                ],
                "version": []
            },
.
.
.
Does the field "update_date": "2023-04-21T11:43Z" need to match the official CPE dictionary? NVD - CPE (nist.gov)
  1. Official CPE Dictionary v2.3, gz format 19.95 MB, Updated:  04/09/2024; 12:41:51 a.m. -0400

I mean, why is my "update_date" field not updated? Or does it not matter?

Thanks team


Federico Damian Lo Iacono

Apr 10, 2024, 8:27:13 PM
to Wazuh | Mailing List
Hi German, thank you for choosing Wazuh.

The field `update_date` inside the `cpe_helper.json` file only refers to the date that the dictionary section inside it was modified for the last time. The Official CPE Dictionary's date refers to the last time it was updated with CVEs and translations for them. The date mismatch should not affect the Vulnerability Detector's functioning.

Best regards.

German DiCasas

Apr 11, 2024, 9:00:36 AM
to Wazuh | Mailing List
So, even though it is almost a year apart, there is no difference in detection? I don't understand. So, what is it for, or which file is the one updated with the CVEs?

I mean, it is outdated. How can I force that file to update? Thanks Federico for your time on this.

Regards

German

Federico Damian Lo Iacono

Apr 11, 2024, 9:31:12 AM
to Wazuh | Mailing List
German,

As you point out, the dates themselves do not determine the vulnerability detection. They just serve tracking purposes for when the last change was made to each file. They are not indicative of a schema release date (as in other formats such as XML). That does not mean that the file is not outdated, since the Official CPE Dictionary's definitions you are interested in may have changed. To update the file, just overwrite the dictionary section of `cpe_helper.json` with any changes you might require.

Best regards,
Federico.

German DiCasas

Apr 11, 2024, 11:26:51 AM
to Wazuh | Mailing List
I don't understand. For Wazuh to detect today's current CVEs, does it matter if the cpe_helper.json is outdated? That is, if this week (2024-04-05) a CVE was published and my cpe_helper.json shows "update_date": "2023-04-21T11:43Z" (one year old), can it still identify the new CVE? If so, there is something I am not understanding. Can you explain to me then how and where the new CVEs are updated so that Wazuh can stay up to date in detecting new threats?

Also, what would be the purpose of editing the date of cpe_helper.json that you indicate, if it does not make any difference in the detection of new vulnerabilities?

Thanks, I hope you can explain the flow so I can understand. The idea is that Wazuh detects the latest CVEs updated on CPE and not only the old ones.

Federico Damian Lo Iacono

Apr 16, 2024, 1:01:11 PM
to Wazuh | Mailing List
German,

I want to apologize, I was under the wrong impression about `cpe_helper.json`. Yes, it is, as you point out, outdated. The reason for this is that beginning from Wazuh v4.8.0, the vulnerability detector module is refactored, and instead of a dictionary file such as `cpe_helper.json`, CVE feeds will be updated automatically. For that reason, the last time the file was updated was on April 21st, 2023. You could add any dictionary entries you find necessary as of today following the guide you linked, so that the vulnerability detection works as you expect it, but I wouldn't expect that file to be updated in the near future.

Regards.

German DiCasas

Apr 16, 2024, 4:06:35 PM
to Wazuh | Mailing List
Federico, thanks for the reply. Can you then tell me the difference in my query in the case of 4.7 and in the case of 4.8? That is, in the same situation, what differences are there in responses to vulnerabilities between versions 4.7 and 4.8? Does Wazuh 4.8 not use cpe_helper.json?

Also, could you please explain to me what process Wazuh performs, from the collection of packages and hotfixes of the Windows agent to how Wazuh, in those two versions, detects the vulnerability? If it can be with the related files, that way I can solve possible problems.

Regards,

German DiCasas

Apr 17, 2024, 12:42:34 PM
to Wazuh | Mailing List
I mean, cpe_helper.json today (dd-mm-yyyy 17-04-2024) shows "update_date": "2023-04-21T11:43Z". One year old, outdated.

The NVD - CPE shows Updated: 04/17/2024; 12:42:10 a.m. -0400. How do I fix that? I do not want to just overwrite it, I need that file updated so it will detect new vulnerabilities. Correct? If that is correct, how?


Thanks


German DiCasas

Apr 19, 2024, 11:58:03 AM
to Wazuh | Mailing List
Hi team,

Is there any fix for this issue? Or is the fix that you propose to upgrade to 4.8? And does 4.7 not work any more for vulnerability detection since April 21st, 2023, I mean for new CVEs?

Regards

German

Federico Damian Lo Iacono

Apr 19, 2024, 4:31:04 PM
to Wazuh | Mailing List
German,

I'm asking the development team the particulars about this file and the subsequent maintenance of it. I ask for a bit of patience until I get a reply.

Thanks!

Federico Damian Lo Iacono

Apr 19, 2024, 5:28:10 PM
to Wazuh | Mailing List
Hello again German, I've received an update on this issue.

The `cpe_helper.json` file is basically static, and was updated in some releases. It is somewhat unfriendly from the development side to update this file, so the only workaround there is nowadays for detecting newer vulnerabilities is, as I mentioned before, updating the file with the entries you are interested in, and, as outlined in this issue, also updating the date field by hand, such that vulnerability detector accepts the new dictionary.

4.8 is still in beta, so I wouldn't recommend upgrading yet, but once it's out, the `cpe_helper.json` file disappears completely from Wazuh's file tree, and the vulnerabilities database will be periodically, and automatically, updated via a repository and a new tool in development. The file won't be updated for newer versions.

Regards.

German DiCasas

Apr 22, 2024, 10:52:50 AM
to Wazuh | Mailing List
So Wazuh 4.7.3 is not detecting new vulnerabilities since 2023-04-21, since "update_date" has that date, and it will not be fixed in version 4.7.3 since it will only be fixed in version 4.8, correct? That is, Wazuh 4.7.3 is not detecting the vulnerabilities that happened from that date until now, and the only solution is to modify cpe_helper.json daily by hand according to the NVD date until we have version 4.8, correct? Please tell me if what I understood is correct.

To be clearer about the temporary solution you propose, until version 4.8 is released, "update_date" must be modified with the correct date from https://nvd.nist.gov/products/cpe (today 04/20/2024; 12:39:20 a.m. -0400), and that way the Wazuh CVE list will be updated with the latest NVD? That modification will allow Wazuh to detect new CVEs, yes?

Please tell me if it is correct and thank you very much for taking the time to report this bug.

German DiCasas

Apr 22, 2024, 11:13:54 AM
to Wazuh | Mailing List
Also, I have another Wazuh where /var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json has a date of 2019-10, and I see that the vulnerability report has more current vulnerability detections than 2019 (2024-04-18). I attach a photo. So I'm not understanding something.

Regards

CPE update.jpg

Federico Damian Lo Iacono

Apr 22, 2024, 12:53:33 PM
to Wazuh | Mailing List
German,

To be clear, CPE does not store vulnerabilities in it. Taken from NIST's website:

"Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets. CPE does not identify unique instantiations of products on systems, such as the installation of XYZ Visualizer Enterprise Suite 4.2.3 with serial number Q472B987P113. Rather, CPE identifies abstract classes of products, such as XYZ Visualizer Enterprise Suite 4.2.3, XYZ Visualizer Enterprise Suite (all versions), or XYZ Visualizer (all variations)."

cpe_helper.json helps translate applications and OSes into common, agreed upon naming schemes to later be used when querying for vulnerabilities from different vendors and CVE providers. It is a way to catalog the applications in your agents. Vulnerabilities are a different matter altogether. The vulnerability detector module does update automatically with the feeds from different vendors and providers: vulnerability detection.

That's why, even if CPE helper is outdated, some of the translations still hold up and an application catalog can be formed, and later, the VD module can get vulnerabilities for such applications and operating systems.

Lastly, regarding this:

> To be clearer about the temporary solution you propose, until version 4.8 is released, "update_date" must be modified with the correct date from https://nvd.nist.gov/products/cpe (today 04/20/2024 ; 12:39:20 a.m. -0400) and that way the wazuh CVE list will be updated with the last NVD? That modification will allow wazuh to detect new CVEs, yes?

No. The cpe_helper.json's "update_date" field must be changed to the date you made the modifications to the file. For example, if done today, it would be "2024-04-22THH:MMZ".

Warm regards.
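To make the two points above concrete (the dictionary translating an inventoried application into a CPE-style name, and `update_date` being stamped with the time of your own edit rather than NVD's date), here is an added illustration written for this thread. It is not code from the thread or from Wazuh; the only data taken from the thread is the single dictionary entry quoted in the first message. The matching rules (source lists are regexes, the first entry whose vendor and product both match wins, an empty translation.version means "use the first capture group of the version regex"), the CPE 2.3 string builder and the add_entry helper are assumptions made for the example, and the package names it feeds in are constructed to look like syscollector output.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: the dictionary entry quoted earlier in this thread.
# Everything else in this file (matching rules, CPE builder, stamping helper)
# is an illustration for the thread, not Wazuh's implementation.
SAMPLE_CPE_HELPER = {
    "version": "1.0",
    "format_version": "1.0",
    "update_date": "2023-04-21T11:43Z",
    "dictionary": [
        {
            "target": "windows",
            "source": {
                "vendor": ["Microsoft Corporation"],
                "product": ["^Microsoft ASP.NET Core ([0-9]\\.*[0-9]*\\.*[0-9]*)"],
                "version": ["^Microsoft ASP.NET Core ([0-9]\\.*[0-9]*\\.*[0-9]*)"],
            },
            "translation": {
                "vendor": ["microsoft"],
                "product": ["asp.net_core"],
                "version": [],
            },
        }
    ],
}


def translate_package(helper, target, vendor, name):
    """Map an inventoried package (vendor, display name) to CPE-style
    (vendor, product, version) using the dictionary, or return None.

    Assumed semantics (not taken from Wazuh): each "source" list holds regexes
    matched against the agent's raw strings; the first entry whose vendor and
    product patterns both match wins; an empty "translation.version" means
    "take the first capture group of the matching version regex"."""
    for entry in helper["dictionary"]:
        if entry["target"] != target:
            continue
        src, tr = entry["source"], entry["translation"]
        if not any(re.match(p, vendor) for p in src["vendor"]):
            continue
        if not any(re.match(p, name) for p in src["product"]):
            continue
        version = None
        for pattern in src["version"]:
            m = re.match(pattern, name)
            if m:
                if tr["version"]:
                    version = tr["version"][0]
                elif m.lastindex:
                    version = m.group(1)
                break
        return (tr["vendor"][0], tr["product"][0], version)
    return None


def to_cpe23(vendor, product, version):
    """Render the translation as a CPE 2.3 formatted string (part 'a' for an
    application); an unknown version becomes the '*' wildcard."""
    return "cpe:2.3:a:{}:{}:{}:*:*:*:*:*:*:*".format(vendor, product, version or "*")


def add_entry(helper, entry, now=None):
    """Append a dictionary entry and stamp update_date with the time of this
    edit (UTC), in the same 'YYYY-MM-DDTHH:MMZ' shape the file already uses."""
    now = now or datetime.now(timezone.utc)
    helper["dictionary"].append(entry)
    helper["update_date"] = now.strftime("%Y-%m-%dT%H:%MZ")
    return helper["update_date"]


if __name__ == "__main__":
    # Constructed package names shaped like syscollector output.
    for vendor, name in [
        ("Microsoft Corporation", "Microsoft ASP.NET Core 6.0.5"),
        ("Microsoft Corporation", "Microsoft ASP.NET Core 8.0.4 - Shared Framework"),
        ("Example Vendor", "Some Other Tool 1.2"),
    ]:
        hit = translate_package(SAMPLE_CPE_HELPER, "windows", vendor, name)
        print(name, "->", to_cpe23(*hit) if hit else "no dictionary match")

    # Add a hypothetical entry for the unmatched package and re-stamp the file.
    stamped = add_entry(SAMPLE_CPE_HELPER, {
        "target": "windows",
        "source": {"vendor": ["Example Vendor"],
                   "product": ["^Some Other Tool ([0-9.]+)"],
                   "version": ["^Some Other Tool ([0-9.]+)"]},
        "translation": {"vendor": ["example_vendor"],
                        "product": ["some_other_tool"], "version": []},
    })
    print("update_date is now", stamped)
    print(json.dumps(SAMPLE_CPE_HELPER, indent=4))
```

The point of the second half is the one Federico makes: the stamp records when you edited the dictionary, so after appending entries you write the current UTC time, not the date shown on the NVD CPE page, and only then does the file carry a newer update_date than the stock 2023-04-21 one.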

German DiCasas

Apr 23, 2024, 12:10:53 PM
to Wazuh | Mailing List
Thank you very much, now a little more about the use of that file. The CPE is the translation between what is in the agents (without versions) and what was downloaded from the CVE providers, OK. It is an auxiliary dictionary, but what I don't understand is why it has been out of date for a year. That is, many programs are created in a year. Why would that file be one year out of date? Shouldn't it be updated? Please correct me. Shouldn't this be updated at least once a month?

On the other hand, how can I know if the vulnerabilities from different vendors and CVE providers are updated? What files do I have to verify to know if the CVEs are updated, in the case of a Windows system for example? Also, how often is that DB or file updated, in terms of the frequency and the URL or API that is used?

Thanks a lot

German

Federico Damian Lo Iacono

Apr 24, 2024, 7:30:59 AM
to Wazuh | Mailing List
German,

You can query the vulnerability database with SQLite. Please refer to the following guide: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/querying-the-vulnerability-database.html

In order to verify how often the database is updated, you can check your ossec.conf file in your server: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/configuring-scans.html

As for why this file is outdated... I cannot attest for our development team, but I'll try to get an explanation from them. As explained before, the combination of user-unfriendliness and better feed update alternatives in development could have led to this situation.

Federico Damian Lo Iacono

Apr 24, 2024, 7:42:57 AM
to Wazuh | Mailing List
German, hi again.

Dev team has confirmed that the two reasons outlined are why the file has not been updated. They also reassured me that the file was being used in cases where there was a misalignment between the CVE database and the catalog (which is not often) and not updating it does not mean that new vulnerabilities are not going to be detected.