MSU feed missing recent Windows hotfixes


Soren

May 17, 2021, 10:22:16 AM5/17/21
to Wazuh mailing list
Dear Wazuh team,

The Wazuh MSU feed is missing recent May 11 hotfixes, for example:

KB5003171
The above hotfix fixes CVE-2020-24588.

This in turn means that vulnerability-detector does not generate alerts for Windows hosts that are affected by related CVEs.

I've taken a look at the 2021 NVD CVE feed, where it appears that the CVEs assigned to the aforementioned hotfixes contain no data in cve.configurations.nodes (with none of the cpe23Uri entries that would normally list the affected software/OS):

{
"cve" : {
  "data_type" : "CVE",
  "data_format" : "MITRE",
  "data_version" : "4.0",
  "CVE_data_meta" : {
    "ID" : "CVE-2020-24588",
    "ASSIGNER" : "c...@mitre.org"
  },
[...],
"configurations" : {
  "CVE_data_version" : "4.0",
  "nodes" : [ ]
},
"impact" : { },
"publishedDate" : "2021-05-11T20:15Z",
"lastModifiedDate" : "2021-05-11T21:15Z"
}

Just to be sure - does this issue exist because the NVD CVE feed contains preliminary data without any configurations/impact/etc, which in turn means that the MSU feed is unable to create new entries? 


Best regards
Soren


Alvaro Romero Sepulveda

May 17, 2021, 12:38:36 PM5/17/21
to Wazuh mailing list
Hello, Soren

Thank you for posting in our community group!

As you have rightfully seen, our current MSU feed does not contain the mentioned patch yet, as we last updated said feed before these hotfixes were available. Mind that we currently update our MSU feed manually, usually once or twice per month, so all the hotfixes that are released after our last MSU update will not be considered by the vulnerability scan until the next update is available. However, we understand that this behavior ends up bringing new unavoidable false positives each time a hotfix is released, so we are working on a way to improve our MSU generation and updating schedule, as you can check, for example, in this issue.

The good news is that we have just generated a new MSU feed with all the recent missing patches (including KB5003171), which will hopefully be available during the next 24 hours. This feed is downloaded automatically by default by Wazuh manager.

Finally, regarding the CVE you've shared: As the NVD itself specifies, this CVE is in "Awaiting Analysis" state, meaning that it has no associated CPEs yet. Currently, our vulnerability detector uses these CPEs to perform a proper vulnerability diagnosis, meaning that until the NVD finishes its analysis process, our vulnerability scan can't detect said CVE as vulnerable.

I hope this helps! Don't hesitate to keep asking if you have any doubts regarding this issue.
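The failure mode discussed in this thread (an NVD record in "Awaiting Analysis" state has an empty configurations.nodes list, so there is no cpe23Uri for a CPE-based scanner to match) can be checked for directly against an NVD 1.1 JSON feed. The following is an added example, not Wazuh's code: the feed sample is constructed inline, the first entry mirroring the empty-nodes record quoted above and the second using a made-up CVE ID with a Windows CPE.

```python
"""Flag NVD 1.1 feed entries that carry no CPE configurations yet."""


def _cpe_uris(node):
    """Recursively collect cpe23Uri values of 'vulnerable' matches in a node tree."""
    uris = [m["cpe23Uri"] for m in node.get("cpe_match", []) if m.get("vulnerable", True)]
    for child in node.get("children", []):
        uris.extend(_cpe_uris(child))
    return uris


def classify_items(feed):
    """Map each CVE ID to 'analyzed' (has CPEs) or 'awaiting_analysis' (no CPEs).

    Entries in the second group cannot be matched by a CPE-driven scanner such as
    vulnerability-detector, so they are the ones to track manually until NVD
    finishes analysis.
    """
    result = {}
    for item in feed["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        uris = []
        for node in item.get("configurations", {}).get("nodes", []):
            uris.extend(_cpe_uris(node))
        result[cve_id] = "analyzed" if uris else "awaiting_analysis"
    return result


# Constructed sample in the NVD 1.1 feed layout (not real feed data).
SAMPLE_FEED = {
    "CVE_Items": [
        {   # same shape as the record quoted in the thread: nodes is empty
            "cve": {"CVE_data_meta": {"ID": "CVE-2020-24588"}},
            "configurations": {"CVE_data_version": "4.0", "nodes": []},
            "impact": {},
        },
        {   # placeholder ID for an entry that has been analyzed
            "cve": {"CVE_data_meta": {"ID": "CVE-EXAMPLE-0001"}},
            "configurations": {"CVE_data_version": "4.0", "nodes": [{
                "operator": "OR", "children": [],
                "cpe_match": [{"vulnerable": True,
                               "cpe23Uri": "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*"}],
            }]},
        },
    ]
}

if __name__ == "__main__":
    for cve, status in classify_items(SAMPLE_FEED).items():
        print(f"{cve}: {status}")
```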

Alvaro Romero Sepulveda

May 18, 2021, 3:07:36 AM5/18/21
to Wazuh mailing list
Hi again, Soren!

I wanted to tell you that our new MSU feed is already available, which includes all the patches that have been released during these last weeks (including KB5003171). Remember that this feed is automatically downloaded by Wazuh manager.

I hope this helps!

Soren

May 18, 2021, 5:47:22 AM5/18/21
to Wazuh mailing list
Hi Alvaro,

Thanks for the clarification. I'm looking forward to daily MSU generation; fixing issue #6996 was already a huge step forward for Windows vulnerability detection in our environment.

Big props to you and your team for always posting quick and helpful replies!


Best regards
Soren