Alerting on Windows software CVEs


Soren

Aug 23, 2021, 7:49:10 AM
to Wazuh mailing list
Hello Wazuh team,

I'm aware that Wazuh is able to match vulnerable Windows software package versions to CVEs, but this doesn't appear to work in the following case:

CVE: CVE-2021-36949
Affected software: Microsoft Azure Active Directory Connect (and -Provisioning Agent) 
Versions: 1.6.4.0, 2.0.3.0
NVD Published Date: 08/12/2021
NVD Last Modified: 08/20/2021

Are you aware of any possible reasons, i.e. the Wazuh MSU feed lagging behind the recent NVD feed?

Today's 2021 feed "nvdcve-1.1-2021.json" contains the CVE with nodes for "cpe:2.3:a:microsoft:azure_active_directory_connect" and "cpe:2.3:a:microsoft:azure_active_directory_connect_provisioning_agent".

As always, thanks in advance!

Matias Pereyra

Aug 23, 2021, 3:43:07 PM
to Wazuh mailing list
Hi, thanks for using Wazuh!

The MSU feed is uploaded by the Wazuh team as soon as some verifications are performed to avoid false positives.
I'll check if there is a release date for this CVE in particular.

In the meantime, can you provide the following so we can run some tests?
  • Name and version of this vulnerable software exactly as collected by Wazuh
  • List of current Microsoft software updates and patches in the agent
Both items could be extracted from the Inventory tab.

Also, we should discard the possibility of a CPE dictionary problem; there is a related section in CPE Helper.

Regards.

Soren

Aug 30, 2021, 8:17:01 AM
to Wazuh mailing list
Hi Matias,

Sorry for the late reply.

Maybe there is a CPE dictionary issue since the installed software is listed as "Microsoft Azure AD Connect", but the NVD CPE dictionary v2.3 lists it as "Microsoft Azure Active Directory Connect"?

<cpe-item name="cpe:/a:microsoft:azure_active_directory_connect:1.6.4.0">
  <title xml:lang="en-US">Microsoft Azure Active Directory Connect 1.6.4.0</title>
  <references>
    <reference href="https://www.microsoft.com/en-us/download/details.aspx?id=47594">Product</reference>
  </references>
  <cpe-23:cpe23-item name="cpe:2.3:a:microsoft:azure_active_directory_connect:1.6.4.0:*:*:*:*:*:*:*"/>
</cpe-item>


Best regards
Soren

Matias Pereyra

Aug 30, 2021, 11:56:08 AM
to Wazuh mailing list
Hi! No problem. Thank you very much for the detailed information you've shared.

I've confirmed this CVE is only defined by the software version and not by a system upgrade or fix, so the Wazuh MSU isn't used in this case.

This is indeed a CPE issue; you need to add a new entry to the dictionary located in '/var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json':

        {
            "target": "windows",
            "source": {
                "vendor": [
                    "Microsoft Corporation"
                ],
                "product": [
                    "Microsoft Azure AD Connect"
                ],
                "version": []
            },
            "translation": {
                "vendor": [
                    "microsoft"
                ],
                "product": [
                    "azure_active_directory_connect"
                ],
                "version": []
            },
            "action": [
                "replace_vendor",
                "replace_product"
            ]
        }

After this, the new CPE is indexed and added to the 'cve.db' database. Then, the corresponding alert is generated.

Please, try this approach and come back with the results.
Regards.
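To make the mismatch concrete, here is an added Python simulation of the translation step (example code written for this thread, not Wazuh's own implementation): it takes the inventory vendor/product/version as collected on the agent, applies the cpe_helper.json entry above, builds a CPE 2.3 name and checks it against the two vulnerable CPE names for CVE-2021-36949. The naive normalisation without a helper entry, the first-match rule and treating an empty "version" list as "any version" are assumptions of this example.

```python
# Constructed copy of the cpe_helper.json entry from the thread. The real file is
# assumed to be a JSON array of such objects; here it is a Python list.
CPE_HELPER = [
    {
        "target": "windows",
        "source": {"vendor": ["Microsoft Corporation"],
                   "product": ["Microsoft Azure AD Connect"],
                   "version": []},          # empty list: entry applies to any version
        "translation": {"vendor": ["microsoft"],
                        "product": ["azure_active_directory_connect"],
                        "version": []},
        "action": ["replace_vendor", "replace_product"],
    }
]

# Constructed: the CPE 2.3 names NVD lists as vulnerable for CVE-2021-36949,
# using the two affected versions named in the thread.
VULNERABLE_CPES = {
    "cpe:2.3:a:microsoft:azure_active_directory_connect:1.6.4.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:microsoft:azure_active_directory_connect:2.0.3.0:*:*:*:*:*:*:*",
}


def to_cpe_token(value):
    """Naive fallback normalisation of an inventory string (assumption, not Wazuh's rule)."""
    return value.lower().replace(" ", "_")


def translate(vendor, product, version, helper):
    """Apply the first helper entry whose source matches; return (vendor, product, version)."""
    for entry in helper:
        src = entry["source"]
        version_ok = not src["version"] or version in src["version"]
        if vendor in src["vendor"] and product in src["product"] and version_ok:
            if "replace_vendor" in entry["action"]:
                vendor = entry["translation"]["vendor"][0]
            if "replace_product" in entry["action"]:
                product = entry["translation"]["product"][0]
            return vendor, product, version
    # No entry matched: fall back to a mechanical normalisation of the raw names.
    return to_cpe_token(vendor), to_cpe_token(product), version


def build_cpe(vendor, product, version):
    """Assemble a CPE 2.3 application name with wildcard trailing components."""
    return "cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*" % (vendor, product, version)


def is_vulnerable(vendor, product, version, helper):
    """True when the translated inventory record matches a vulnerable CPE name."""
    return build_cpe(*translate(vendor, product, version, helper)) in VULNERABLE_CPES
```

Running is_vulnerable with an empty helper list reproduces the silent miss from the thread (the raw name "Microsoft Azure AD Connect" never becomes "azure_active_directory_connect"), while the same call with CPE_HELPER matches 1.6.4.0 and 2.0.3.0 and leaves other versions unmatched.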