Vulnerability Scanning Wazuh 4.8.1


MichaelK

Jul 29, 2024, 7:08:59 PM
to Wazuh | Mailing List
On Windows endpoints we have vulnerabilities being reported incorrectly for Firefox and Chrome. See the attached image for details.

Is there a way this can be fixed?

Regards
Michael


Vulnerabilities.png

Abdullah Al Rafi Fahim

Jul 30, 2024, 4:43:58 AM
to Wazuh | Mailing List
Hello Michael,

To detect vulnerabilities, Wazuh agents collect a list of installed applications from monitored endpoints and send it periodically to the Wazuh server. Local SQLite databases in the Wazuh server store this list. Within the Wazuh server, the Vulnerability Detection module correlates the software inventory data with vulnerability content documents to detect vulnerable software on the monitored endpoint. These documents are Common Vulnerabilities and Exposures (CVE) records that are available in our Cyber Threat Intelligence (CTI) platform. Reference: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html

In Wazuh 4.8, the Vulnerability Detector module has been redesigned to allow users to perform global queries of vulnerabilities across various endpoints. Users can now view vulnerabilities across all monitored endpoints within an IT infrastructure. The Vulnerability Detector module pulls this data from the Wazuh repository, ensuring users can access the latest vulnerability information. Reference: https://wazuh.com/blog/introducing-wazuh-4-8-0/

In the Inventory section, you can see all the active vulnerabilities from all endpoints in a listed table. Now, clicking on the details button, you can check more details of a vulnerability and vulnerability.package.condition there will help you to get the exact package condition. You can solve the vulnerability by upgrading the packages to the latest version as described there. 

I hope it helps. Please let us know if you have any further issue here. 


MichaelK

Jul 30, 2024, 6:08:44 PM
to Wazuh | Mailing List
Abdullah

Thanks for the reply. The image I originally attached which displayed 10 vulnerabilities was from the inventory section and from your post, I have looked at this further.

The versions installed are the latest version and other vulnerability management systems do not flag these items which suggests to me that these are false positives. Looking at the details for the vulnerabilities, none of them have the condition item listed.

I have included the details for 2 of the 10 vulnerabilities below.

{
  "_index": "wazuh-states-vulnerabilities-wazuh",
  "_id": "004_b211dbe8cfbbcc94b63eaf276e7ec0bb1cab3192_CVE-2007-0896",
  "_score": 0,
  "_source": {
    "agent": { "id": "004", "name": "TEST01", "type": "wazuh", "version": "v4.8.1" },
    "host": {
      "os": {
        "full": "Microsoft Windows 11 Pro 10.0.22631.3880",
        "name": "Microsoft Windows 11 Pro",
        "platform": "windows",
        "type": "windows",
        "version": "10.0.22631.3880"
      }
    },
    "package": {
      "architecture": "x86_64",
      "name": "Mozilla Firefox (x64 en-US)",
      "path": "C:\\Program Files\\Mozilla Firefox",
      "size": 0,
      "type": "win",
      "version": "128.0.3"
    },
    "vulnerability": {
      "category": "Packages",
      "classification": "CVSS",
      "description": "Cross-site scripting (XSS) vulnerability in the (1) Sage before 1.3.10, and (2) Sage++ extensions for Firefox, allows remote attackers to inject arbitrary web script or HTML via a \"<SCRIPT/=''SRC='\" sequence in an RSS feed, a different vulnerability than CVE-2006-4712.",
      "detected_at": "2024-07-29T16:51:21.030Z",
      "enumeration": "CVE",
      "id": "CVE-2007-0896",
      "published_at": "2007-02-13T11:28:00Z",
      "reference": "http://jvn.jp/jp/JVN%2384430861/index.html, http://secunia.com/advisories/24086, http://mozdev.org/bugs/show_bug.cgi?id=16320, http://osvdb.org/33131, http://sage.mozdev.org/blog/archives/2007/1/sage_1_3_10_released.html, http://www.securityfocus.com/bid/22493, http://www.securitytracker.com/id?1017624, https://exchange.xforce.ibmcloud.com/vulnerabilities/32395",
      "scanner": { "vendor": "Wazuh" },
      "score": { "base": 4.3, "version": "2.0" },
      "severity": "Medium"
    },
    "wazuh": { "cluster": { "name": "wazuh" }, "schema": { "version": "1.0.0" } }
  },
  "fields": {
    "vulnerability.detected_at": [ "2024-07-29T16:51:21.030Z" ],
    "vulnerability.published_at": [ "2007-02-13T11:28:00.000Z" ]
  }
}

{
  "_index": "wazuh-states-vulnerabilities-wazuh",
  "_id": "004_71437203eefb5db941c9e5c7e03c5189c05a7953_CVE-2013-6662",
  "_score": 0,
  "_source": {
    "agent": { "id": "004", "name": "TEST01", "type": "wazuh", "version": "v4.8.1" },
    "host": {
      "os": {
        "full": "Microsoft Windows 11 Pro 10.0.22631.3880",
        "name": "Microsoft Windows 11 Pro",
        "platform": "windows",
        "type": "windows",
        "version": "10.0.22631.3880"
      }
    },
    "package": {
      "architecture": "x86_64",
      "name": "Google Chrome",
      "size": 0,
      "type": "win",
      "version": "127.0.6533.73"
    },
    "vulnerability": {
      "category": "Packages",
      "classification": "CVSS",
      "description": "Google Chrome caches TLS sessions before certificate validation occurs.",
      "detected_at": "2024-07-29T16:51:20.870Z",
      "enumeration": "CVE",
      "id": "CVE-2013-6662",
      "published_at": "2017-04-13T17:59:00Z",
      "reference": "https://bugs.chromium.org/p/chromium/issues/detail?id=305220",
      "scanner": { "vendor": "Wazuh" },
      "score": { "base": 4.3, "version": "2.0" },
      "severity": "Medium"
    },
    "wazuh": { "cluster": { "name": "wazuh" }, "schema": { "version": "1.0.0" } }
  },
  "fields": {
    "vulnerability.detected_at": [ "2024-07-29T16:51:20.870Z" ],
    "vulnerability.published_at": [ "2017-04-13T17:59:00.000Z" ]
  }
}

Regards
Michael
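The triage Michael describes, applied programmatically to documents of the shape shown above: an added example, not code from the thread or from Wazuh. It assumes the index documents are fetched beforehand (a constructed, trimmed copy of the two posted hits plus one hypothetical hit carrying a condition is embedded), and that the condition field sits at the path named in the reply, vulnerability.package.condition.

```python
"""Triage of Wazuh 4.8 vulnerability state documents (added example, not from
the thread or from Wazuh). Applies the check Michael used: hits with no
vulnerability.package.condition are collected as false-positive candidates,
with the CVE's age at detection time as supporting detail for the report."""
import json
from datetime import datetime, timezone

# Constructed sample: trimmed copies of the two documents posted in the thread,
# plus one hypothetical hit with a condition, using the field path from the reply.
SAMPLE_HITS = json.loads('''[
 {"_source": {"agent": {"id": "004", "name": "TEST01"},
  "package": {"name": "Mozilla Firefox (x64 en-US)", "version": "128.0.3"},
  "vulnerability": {"id": "CVE-2007-0896", "severity": "Medium",
   "published_at": "2007-02-13T11:28:00Z", "detected_at": "2024-07-29T16:51:21.030Z"}}},
 {"_source": {"agent": {"id": "004", "name": "TEST01"},
  "package": {"name": "Google Chrome", "version": "127.0.6533.73"},
  "vulnerability": {"id": "CVE-2013-6662", "severity": "Medium",
   "published_at": "2017-04-13T17:59:00Z", "detected_at": "2024-07-29T16:51:20.870Z"}}},
 {"_source": {"agent": {"id": "004", "name": "TEST01"},
  "package": {"name": "ExampleApp", "version": "1.2.0"},
  "vulnerability": {"id": "CVE-0000-PLACEHOLDER", "severity": "High",
   "package": {"condition": "Package less than 1.3.0"},
   "published_at": "2024-06-01T00:00:00Z", "detected_at": "2024-07-29T16:51:22.000Z"}}}
]''')

def _parse_ts(value):
    # Index timestamps are ISO 8601 UTC; fractional seconds and the Z suffix are dropped.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def triage(hits):
    """One row per hit: package, version, CVE, condition (None if absent), CVE age."""
    rows = []
    for hit in hits:
        src = hit["_source"]
        pkg, vuln = src["package"], src["vulnerability"]
        age = _parse_ts(vuln["detected_at"]) - _parse_ts(vuln["published_at"])
        rows.append({
            "package": pkg["name"], "version": pkg["version"], "cve": vuln["id"],
            "condition": vuln.get("package", {}).get("condition"),
            "cve_age_years": round(age.days / 365.25, 1),
        })
    return rows

def false_positive_candidates(hits):
    """CVE ids lacking a package condition, grouped as package@version."""
    out = {}
    for row in triage(hits):
        if row["condition"] is None:
            out.setdefault(f'{row["package"]}@{row["version"]}', []).append(row["cve"])
    return out
```

Running false_positive_candidates over the real index output (for example, the hits array of a search against wazuh-states-vulnerabilities-*) gives the package/CVE list to include when reporting suspected false positives.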

MichaelK

Aug 1, 2024, 6:52:21 PM
to Wazuh | Mailing List
Hi

Is there an official way to report false positives in the new vulnerability scanning which is part of version 4.8?

Regards
Michael

Abdullah Al Rafi Fahim

Aug 2, 2024, 4:17:10 AM
to Wazuh | Mailing List
Hello Michael,

I am trying to replicate this issue in my lab environment with the same version as yours in case of Wazuh Components and the packages indicating vulnerabilities. Please allow me some time to work on it and identify the exact root cause. 

We will get back to you as soon as possible.

Aditya Sharma

Aug 9, 2024, 4:58:49 AM
to Wazuh | Mailing List
Hi Michael,

I have verified your case and I confirm that it is an incorrect vulnerability detection. We have identified some cases like this and are addressing them in this issue of our public repository. Here is more information specifically for Firefox.
We hope to resolve it soon and send the update of the definitions so that you stop seeing it in the vulnerability list.