Missing superseders in MSU Vulnerabilities feed - false positive missing KB4511553 (CVE-2019-1226,CVE-2019-1222,CVE-2019-1182,CVE-2019-1181)

[Mateusz Tyborski]

Hi,

I suspect there is missing KB superseders in https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz or there change in  lookup of  superseders  in db is needed.
Let me describe my case:

1. After patching Windows Server in June Wazuh detect missing KB4511553 (CVE-2019-1226,CVE-2019-1222,CVE-2019-1182,CVE-2019-1181)

2. Since we've patch system again these week so last to KB installed on system are:
        sqlite3 /var/ossec/queue/db/186.db 'select hotfix from sys_hotfixes where hotfix in ("KB5015811","KB5014692");'
        KB5014692
        KB5015811

3. KB4511553 in from August 2019 - https://support.microsoft.com/en-us/topic/august-13-2019-kb4511553-os-build-17763-678-c7509839-3e89-60ca-50fc-1d7872894e46

4. In CVE db KB4511553 has many superseders
    sqlite3 /var/ossec/queue/vulnerabilities/cve.db --header "select count(*) from MSU_SUPERSEDENCE where PATCH=4511553;"
        count(*)
        74

5. Latest updates are not one of them:
    sqlite3 /var/ossec/queue/vulnerabilities/cve.db --header "select count(*) from MSU_SUPERSEDENCE where PATCH=4511553 and SUPER in ("5015811","5014692");"
        count(*)
        0

6. I find out though KB5015811 supersedes other KBs which supersede KB4511553, so KB5015811 supersedes KB4511553 indirect:
    sqlite3 /var/ossec/queue/vulnerabilities/cve.db --header "select count(*) from MSU_SUPERSEDENCE where PATCH=4511553 and SUPER in (select PATCH from MSU_SUPERSEDENCE where SUPER=5015811)"
        count(*)
        32

PS. Wazuh 4.3.5

Regards

Mateusz

[Mateusz Tyborski]

With this select we can list many paths between KB4511553 and KB5015811.

select a.PATCH as OLD_PATCH, b.PATCH as INT_PATCH, b.SUPER as END_PATCH from MSU_SUPERSEDENCE a, MSU_SUPERSEDENCE b where a.SUPER=b.PATCH and a.PATCH='4511553' and b.SUPER='5015811';

OLD_PATCH    INT_PATCH    END_PATCH
4511553    4519338    5015811
4511553    4523205    5015811
4511553    4530715    5015811
4511553    4532691    5015811
4511553    4534273    5015811
4511553    4538461    5015811
4511553    4549949    5015811
4511553    4551853    5015811
4511553    4558998    5015811
4511553    4561608    5015811
4511553    4565349    5015811
4511553    4570333    5015811
4511553    4577668    5015811
4511553    4586793    5015811
4511553    4592440    5015811
4511553    4598230    5015811
4511553    4601345    5015811
4511553    5000822    5015811
4511553    5001342    5015811
4511553    5003171    5015811
4511553    5003646    5015811
4511553    5004244    5015811
4511553    5004947    5015811
4511553    5005030    5015811
4511553    5005568    5015811
4511553    5006672    5015811
4511553    5007206    5015811
4511553    5008218    5015811
4511553    5009557    5015811
4511553    5010351    5015811
4511553    5011503    5015811
4511553    5012647    5015811
4511553    5013941    5015811

So maybe populate table with combinations like this or change search algorithm to look recursive for indirect results.

Regards

Mateusz

[Julia Magán Rodríguez]

Hello,

In order to be sure, in the Microsoft Update Catalog, it should appear that one patch specifically replaces another. If we check the following patches:

• KB5015811
• KB5014692

We see that the patch KB4511553 is not in the “This update replaces the following updates” section.

In this issue, we are researching to make sure that it is actually a problem with the official Microsoft Update Catalog and then perform a patch correlation with the data we have from the MSU.

​

[Mateusz Tyborski]

14134 it is not first time when there is no information or it has been changed in Microsoft Update Catalog.

I suspect Microsoft has removed this info from KB4511553, because somehow it still is in MSU feed for Wazuh, so probably implementing more complex query to search superseders of  superseders could save us all many false positives :)

I'm looking forward for patch.

thanks and good day

Mateusz