Wazuh not showing up latest CVE


Armando Martinez

Aug 16, 2024, 12:23:53 AM
to Wazuh | Mailing List
Hello All, 

I was trying to get a report from Wazuh for all my endpoints affected by CVE-2024-38063, but Wazuh is showing none.

I have already confirmed that some devices are affected by this CVE. Is there a way to update the database, or isn't it public yet?

Thanks.

Md. Nazmur Sakib

Aug 16, 2024, 12:54:54 AM
to Wazuh | Mailing List

Hi Armando Martinez,


Based on my findings, CVE-2024-38063 (Windows TCP/IP Remote Code Execution Vulnerability) was released on 13th August 2024.


Ref: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063

It is not updated in our CTI feed yet.



As you can see, the last update was on 6th August 2024. I believe we will get the update in a few days.


You can use this command to verify the latest release date of the CTI feed.


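# Fetch the CTI feed's consumer metadata
response=$(curl -s -X GET "https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0")
# Link to the latest snapshot
echo "$response" | jq -r '.data.last_snapshot_link'
# Timestamp of the latest snapshot
echo "$response" | jq -r '.data.last_snapshot_at'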



Let me know if you need any further information on this.

Kamil Tańcula

Dec 20, 2024, 6:46:50 AM
to Wazuh | Mailing List
Hello,

I have a similar problem.
There is CVE-2024-49112, which was published on December 10, and it is a vulnerability confirmed on more Windows systems.
Nevertheless, Wazuh did not detect it.
I have the latest CTI:
 
https://cti.wazuh.com/store/contexts/vd_1.0.0/consumers/vd_4.8.0/1131217_1734339092.zip
2024-12-16T08:51:32.034230Z

Where could the problem be?
How can I verify whether CTI has an entry for this CVE?
How can I verify whether some condition is not being met when detecting this CVE?

Thank you for your help. 

Damian Alfredo Mangold

Dec 29, 2024, 7:45:27 PM
to Wazuh | Mailing List
The reason why this vulnerability is not available in CTI is that, in NVD, it is currently in the state "Undergoing Analysis". This status indicates that there is not yet sufficient information available about the vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2024-49112

Since this is a vulnerability of interest, we can manually add the missing information and proceed to publish it. I will create an issue to carry out this task and ensure that the vulnerability is properly reflected in the content.

If you need more details or have any additional suggestions, please feel free to let me know.


Kamil Tańcula

Jan 2, 2025, 9:57:58 AM
to Damian Alfredo Mangold, Wazuh | Mailing List

Hello,

 

Sorry for the delay in writing back but I was unavailable.

Thank you for the information.

Please add this CVE to the CTI.

 

Question: how can I check which CVEs are in CTI, so as not to bother you unnecessarily?

Iacob Berar

Jan 3, 2025, 2:08:54 AM
to Wazuh | Mailing List
+1

Damian Alfredo Mangold

Jan 3, 2025, 5:39:40 AM
to Wazuh | Mailing List

Hello,

The issue to add that CVE to CTI has already been created and assigned to the team responsible for this task. To keep you informed about the progress, I’ve created a follow-up issue, which I’m sharing here so you can track when it will be available in CTI.

 - https://github.com/wazuh/wazuh/issues/27491

Additionally, we are actively working on developing a web interface that will allow easier access to CTI content. In the meantime, as a temporary solution, you can download the full CTI content and manually search for the CVE of interest.

 - Downloading the Wazuh vulnerabilities file

We understand that this is not the most optimal solution, but it’s a temporary measure until the web interface is fully implemented.

Please let me know if you have any further questions.
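The two checks discussed in this thread (is the latest snapshot older than the CVE, and does the downloaded content mention it) can be combined as below; this is an added example, not code from the thread or from Wazuh. It assumes only the `last_snapshot_link` and `last_snapshot_at` fields read by the jq commands above, searches the zip as raw bytes because the snapshot layout is not described here, and uses a constructed sample zip whose member name and records (including `CVE-2024-491120`) are placeholders.

```python
import io
import json
import re
import zipfile
from datetime import datetime

def snapshot_info(consumer_json):
    """Return (snapshot link, timezone-aware timestamp) from the consumers response."""
    data = json.loads(consumer_json)["data"]
    stamp = datetime.fromisoformat(data["last_snapshot_at"].replace("Z", "+00:00"))
    return data["last_snapshot_link"], stamp

def members_with_cve(zip_file, cve_id, chunk=1 << 20):
    """Stream each zip member; return the names of those that mention cve_id."""
    needle = cve_id.encode()
    # Trailing-digit guard: CVE-2024-4911 must not match inside CVE-2024-49112.
    pat = re.compile(re.escape(needle) + rb"(?!\d)")
    hits = []
    with zipfile.ZipFile(zip_file) as zf:
        for name in zf.namelist():
            tail, found = b"", False
            with zf.open(name) as fh:
                for block in iter(lambda: fh.read(chunk), b""):
                    buf = tail + block
                    m = pat.search(buf)
                    if m and m.end() < len(buf):  # a hit at the buffer end waits for more data
                        found = True
                        break
                    tail = buf[-len(needle):]
            if found or pat.search(tail):
                hits.append(name)
    return hits

def triage(consumer_json, zip_file, cve_id, published):
    """Classify a missing CVE; published must be a timezone-aware datetime."""
    if snapshot_info(consumer_json)[1] < published:
        return "snapshot-older-than-cve"  # first case in the thread: wait for the feed
    return "in-feed" if members_with_cve(zip_file, cve_id) else "not-in-feed"

# Constructed sample: the link and timestamp are the ones quoted in the thread; the
# member name and records are placeholders, not the real CTI snapshot layout.
SAMPLE_CONSUMER = json.dumps({"data": {
    "last_snapshot_link": "https://cti.wazuh.com/store/contexts/vd_1.0.0/consumers/vd_4.8.0/1131217_1734339092.zip",
    "last_snapshot_at": "2024-12-16T08:51:32.034230Z"}})

def sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.json", '{"id": "CVE-2024-491120"}\n{"id": "CVE-2024-38063"}')
    return io.BytesIO(buf.getvalue())
```

Against a real feed, pass the body returned by the curl command as `consumer_json` and the path of the downloaded snapshot as `zip_file`.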
