Vulnerability False Positives in Server 2016


charl...@gmail.com

Aug 16, 2021, 8:47:09 AM
to Wazuh mailing list
Hi All,

I know there have been numerous threads on this topic, namely:


I have a Server 2016 box that is fully updated, yet shows 1435 vulnerabilities.

My MSU hash is 585fc4ec76ebc05a9edbcb43e48a96c1e6ce33ad68de5325773029a113a05011 which seems up to date according to the packages page

Both server and client are 4.1.5

I did find the below 2 issues:
KB5005043 is in the Microsoft Update Catalog but not the Wazuh MSU, and it supersedes 10 patches which are in my list of missing KB's.
10 Patches in question are:

  • KB4467691
  • KB4462917
  • KB4493470
  • KB4494440
  • KB5000803
  • KB5004238
  • KB5003197
  • KB5003638
  • KB5001347
  • KB5004948

The Google Groups link quoted above refers to missing KB4512517, which should be fixed in this MSU; however, I am still detecting it as missing.

Below are the installed Hotfixes:

KB3192137
KB3211320
KB3213986
KB4103720
KB4502496
KB4535680
KB4535684
KB4535685
KB4589210
KB5001402
KB5005043

Below are the KB's that, according to Wazuh, are missing:

KB4343887
KB4457131
KB4284880
KB4338814
KB4467691
KB4462917
KB4598243
KB4471321
KB4480961
KB4487026
KB4489882
KB4503267
KB4493470
KB4494440
KB4525236
KB4512517
KB4507460
KB4516044
KB4519998
KB4519335
KB4530689
KB4534271
KB4540670
KB4577015
KB4537764
KB4550929
KB4580346
KB4556813
KB4561616
KB4565511
KB4571694
KB4601318
KB4586830
KB4593226
KB5000803
KB5004238
KB5003197
KB5003638
KB5001347
KB5004948

Apologies for the long thread, but all this makes me think that my Wazuh is only querying the Wazuh MSU and not Microsoft's as well?
Does anybody have similar issues? Any assistance would be appreciated.
Regards,
Charl

Alvaro Romero Sepulveda

Aug 17, 2021, 3:53:31 AM
to Wazuh mailing list

Hello, Charl

Thank you for posting in our community group!

Your case seems to be a recurring problem in users with Windows agents, inevitably caused by our MSU's updating schedule.

MSU is a Wazuh-generated feed that includes security-related information from two of Microsoft's official sources: its catalog and the MSRC API. This feed is manually updated by our team, usually once or twice per month, meaning that there'll always be periods between updates when Microsoft's information does not 100% match the one in our feed. Though we try to update the feed at a good pace, this behavior ends up bringing new unavoidable false positives each time a hotfix is released before an MSU update. The good news is that we are working on a way to improve our MSU generation and updating schedule, as you can check, for example, in this issue.

With that in mind, our MSU is currently lacking that information since it was uploaded last 04/08/2021, while said hotfix was updated last 09/08/2021. Just to be sure, I've just checked a newly generated MSU and I can confirm that it includes the information you've mentioned, so, considering that it's been almost two weeks since our last MSU update, we'll proceed to update and upload it. Hopefully, it'll be available soon this week, so I'll let you know when the new MSU is available.

I hope this helps! Let me know if you have more related questions.
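
A triage script for the situation Alvaro describes above, added here as an example and not part of this thread or of Wazuh's own code: it takes the installed-hotfix list and a subset of the reported-missing list from Charl's post (with the raw output's repeated entries), plus the one supersedence relation he found in the Update Catalog (KB5005043 replacing the ten listed KBs, assumed as a map), and separates findings explained by feed lag from ones that still need a look. It also hashes a downloaded MSU feed so you can confirm against the published SHA-256 that the feed on the manager actually refreshed.

```python
import hashlib

# Constructed from the thread: hotfixes the server lists as installed
# (Get-HotFix output), a subset of the KBs Wazuh flagged as missing
# (raw scan output repeats entries), and the supersedence relation the
# poster found in the Microsoft Update Catalog (assumed map).
INSTALLED = {"KB3192137", "KB3211320", "KB3213986", "KB4103720", "KB4502496",
             "KB4535680", "KB4535684", "KB4535685", "KB4589210", "KB5001402",
             "KB5005043"}
REPORTED_MISSING = ["KB4467691", "KB4462917", "KB4493470", "KB4494440",
                    "KB5000803", "KB5004238", "KB5003197", "KB5003638",
                    "KB5001347", "KB5004948", "KB4512517", "KB4467691"]
SUPERSEDES = {  # superseding KB -> KBs it replaces
    "KB5005043": {"KB4467691", "KB4462917", "KB4493470", "KB4494440",
                  "KB5000803", "KB5004238", "KB5003197", "KB5003638",
                  "KB5001347", "KB5004948"},
}

def triage(missing, installed, supersedes):
    """Sort reported-missing KBs into: installed outright (feed is wrong),
    superseded by an installed KB (feed lag), or unresolved (needs review).
    Duplicates are dropped; first-seen order is kept."""
    covered_by = {}
    for newer, olds in supersedes.items():
        if newer in installed:
            for old in olds:
                covered_by.setdefault(old, newer)
    result = {"installed": [], "superseded": [], "unresolved": []}
    seen = set()
    for kb in missing:
        if kb in seen:
            continue
        seen.add(kb)
        if kb in installed:
            result["installed"].append(kb)
        elif kb in covered_by:
            result["superseded"].append((kb, covered_by[kb]))
        else:
            result["unresolved"].append(kb)
    return result

def sha256_of(data):
    """Hex SHA-256 of raw bytes (used to verify the MSU feed file)."""
    return hashlib.sha256(data).hexdigest()

def feed_matches(path, expected_sha256):
    """True if the downloaded MSU feed at path has the published hash."""
    with open(path, "rb") as f:
        return sha256_of(f.read()) == expected_sha256.lower()
```

On this thread's data everything but KB4512517 lands in the "superseded by KB5005043" bucket, which is exactly the feed-lag set Alvaro explains; KB4512517 is the one to keep open until the next feed arrives.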


Alvaro Romero Sepulveda

Aug 17, 2021, 5:08:33 AM
to Wazuh mailing list
Hi again, Charl

We've just recently uploaded a new MSU feed with hash b67c89aa2663acdce9219023620abf78cfe9c6ff0b63838ba86d1b70b7cd9fe5, so the missing information should start being acknowledged in subsequent scans. The feed is automatically downloaded by default by the Wazuh manager, but you can find it here in case you need to perform an offline update.

If you have any questions, do not hesitate to ask!

Charl Jordan

Aug 17, 2021, 5:17:02 AM
to Alvaro Romero Sepulveda, Wazuh mailing list
Hi Alvaro,

Thank you for the quick response here!
That makes perfect sense. I always assumed that the MSU was a Wazuh-managed function to deal with discrepancies, but that Wazuh would still query the Microsoft Update Catalog as well. Thank you for clearing that process up.
Excellent, thank you! I will update my MSU, ensure that it's the new version and reply with the results!
Regards,
Charl


charl...@gmail.com

Aug 19, 2021, 6:03:17 AM
to Wazuh mailing list
Hi Alvaro,

Just to update this thread, the new MSU solved all my issues!
Thank you,
Regards,
Charl

Alvaro Romero Sepulveda

Aug 20, 2021, 2:56:30 AM
to Wazuh mailing list
Hi, Charl

I'm glad you got your problem solved! Please, do not hesitate to contact us again if you have any further questions.

Best regards,
Álvaro Romero