Vulnerability Detector Windows patch false positives


Gen

Feb 7, 2020, 4:36:27 AM
to Wazuh mailing list
Hi guys,

How does the vulnerability detector module check for installed Windows patches?

I have a fully up-to-date Windows 10 machine that is being reported as missing various Windows patches, e.g.:

data.vulnerability.cve:
CVE-2019-0707
data.vulnerability.package.condition: 4499181 patch is not installed.

Anything I can check to troubleshoot?

Thanks,
Gen.

Juan Cabrera

Feb 7, 2020, 5:52:16 AM
to Wazuh mailing list

Hi Gen,

The `vulnerability detector` checks the packages installed on your system against the patches that Microsoft says are needed to fix each vulnerability.

According to the vulnerability CVE-2019-0707, for `Windows 10 Version 1703 for x64-based Systems` or `Windows 10 Version 1703 for 32-bit Systems`
- Vulnerability Description: Windows NDIS Elevation of Privilege Vulnerability
- Correction patch: KB4499181, https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4499181
- Requires restart to apply patch: yes.   

In addition, we check that no packages on your system contain the package that fixes the vulnerability.

The problem is that Windows is more sensitive, so currently Wazuh does not check the latest packages. This happens because we update the windows package list in every new release of the product. We do not have the latest information until Microsoft publishes it and we release a new version.

In your case, you may have the package `KB4534296` containing `KB4499181`. This package is from late January 2020, so Wazuh does not yet have information on these packages. In the next version, these packages will be checked without any problem.

Thank you very much.

Gen

Feb 10, 2020, 6:00:06 AM
to Wazuh mailing list
Hi Juan,

Thanks for the explanation!

Gen.

Schil tech

Feb 12, 2020, 12:03:19 PM
to Wazuh mailing list
Hello,

I actually think that there is a false positive.
My Wazuh agent thinks that I have CVE-2019-1226.
But I double-checked with Nessus, and Nessus didn't detect the CVE on the same system?
I don't know which tool I can trust.
(This CVE is critical...)

Regards,

Schiltech

Juan Cabrera

Feb 17, 2020, 7:27:31 AM
to Wazuh mailing list

You can check if you’re vulnerable manually.

First, look at the ID of the agent you want to check:

/var/ossec/bin/agent_control -l

You can make a database query to check the packages installed in that agent:

sqlite3 /var/ossec/queue/db/AGENT_ID.db "SELECT * FROM sys_hotfixes"

If you have any of the following packages in your agent, you are not vulnerable:

  • KB4503279
  • KB4507450
  • KB4512507
  • KB4516068
  • KB4499162
  • KB4505055
  • KB4503289
  • KB4509476
  • KB4507467
  • KB4512474
  • KB4516059
  • KB4522011
  • KB4520010
  • KB4524151
  • KB4525245
  • KB4530711
  • KB4534296
  • KB4537765

Like I said, the problem is that Windows is more sensitive, so currently Wazuh does not check the latest packages. This happens because we update the windows package list in every new release of the product. We do not have the latest information until Microsoft publishes it and we release a new version.

Soon, we want this information to be available more quickly.

Schil tech

Feb 18, 2020, 3:59:14 AM
to Wazuh mailing list
I checked your list against the list of hotfixes installed on the workstation:
KB4465065
KB4470788
KB4483452
KB4486153
KB4486163
KB4489899
KB4489907
KB4516115
KB4519565
KB4523204
KB4530715
KB4532937
KB4533001
KB4534273
I didn't find a match, so I think your list is not exhaustive (as you said). For CVE-2019-1226 the last KB for W10 1809 is KB4511553 (August 2019), so I decided to check supersedences, and finally I found a match (KB4489899) for the security updates of March 12, 2019.
Thank you for your response. Next time I will double-check with Nessus.


Regards,

Schil tech

Juan Cabrera

Feb 18, 2020, 4:53:31 AM
to Wazuh mailing list

Sorry, the above list is for CVE-2019-0707 that we were talking about at the beginning. I didn’t read that we were talking about another CVE now.

For CVE-2019-1226 in Windows, the list is:

For Windows 10 Version 1803:

  • KB4512501
  • KB4516058
  • KB4512509
  • KB4516045
  • KB4522014
  • KB4519978
  • KB4520008
  • KB4524149
  • KB4525237
  • KB4530717
  • KB4534293
  • KB4534308
  • KB4537762

For Windows 10 Version 1809

  • KB4511553
  • KB4512578
  • KB4512534
  • KB4516077
  • KB4522015
  • KB4519338
  • KB4520062
  • KB4524148
  • KB4523205
  • KB4530715
  • KB4534273
  • KB4534321
  • KB4532691

For Windows 10 Version 1903

  • KB4512508
  • KB4515384
  • KB4512941
  • KB4517211
  • KB4522016
  • KB4517389
  • KB4522355
  • KB4524147
  • KB4524570
  • KB4530684
  • KB4528760
  • KB4532695
  • KB4532693

This vulnerability was released at the end of 2019, so we have no data on it until we release the next version of the product.

I hope I’ve helped you, greetings,
Juan Cabrera
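The manual procedure from the replies above, written out as a script. This is an added example and is not part of the original thread or of Wazuh's own code. It reads the installed KBs from a `sys_hotfixes` table the way the `sqlite3` one-liner above does (the in-memory table and its column names `scan_id`, `scan_time`, `hotfix` are an assumption standing in for the real agent DB at `/var/ossec/queue/db/AGENT_ID.db`), compares them with the per-version fix lists for CVE-2019-1226 posted above, and then walks a supersedence map the way the previous poster did by hand. The installed-hotfix list is the one posted for the 1809 workstation above; the `SUPERSEDES_DEMO` map is constructed for illustration and only mirrors the earlier statement that KB4534296 rolls up KB4499181, so it is not real Microsoft catalog data.

```python
import sqlite3
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Installed hotfixes exactly as posted for the Windows 10 1809 workstation above.
INSTALLED_1809_WORKSTATION: Set[str] = {
    "KB4465065", "KB4470788", "KB4483452", "KB4486153", "KB4486163",
    "KB4489899", "KB4489907", "KB4516115", "KB4519565", "KB4523204",
    "KB4530715", "KB4532937", "KB4533001", "KB4534273",
}

# Fixing KBs for CVE-2019-1226 per Windows 10 release, as listed above.
FIXES_CVE_2019_1226: Dict[str, Set[str]] = {
    "1803": {"KB4512501", "KB4516058", "KB4512509", "KB4516045", "KB4522014",
             "KB4519978", "KB4520008", "KB4524149", "KB4525237", "KB4530717",
             "KB4534293", "KB4534308", "KB4537762"},
    "1809": {"KB4511553", "KB4512578", "KB4512534", "KB4516077", "KB4522015",
             "KB4519338", "KB4520062", "KB4524148", "KB4523205", "KB4530715",
             "KB4534273", "KB4534321", "KB4532691"},
    "1903": {"KB4512508", "KB4515384", "KB4512941", "KB4517211", "KB4522016",
             "KB4517389", "KB4522355", "KB4524147", "KB4524570", "KB4530684",
             "KB4528760", "KB4532695", "KB4532693"},
}

# Fixing KB for CVE-2019-0707 on Windows 10 1703, from the first reply.
FIXES_CVE_2019_0707_1703: Set[str] = {"KB4499181"}

# CONSTRUCTED supersedence map (newer update -> updates it replaces). Hypothetical:
# it only mirrors the claim above that KB4534296 rolls up KB4499181. Real chains
# come from the Update Catalog's "Package Details" tab, not from this file.
SUPERSEDES_DEMO: Dict[str, List[str]] = {
    "KB4534296": ["KB4530711"],
    "KB4530711": ["KB4499181"],
}


def demo_agent_db(hotfixes: Iterable[str]) -> sqlite3.Connection:
    """In-memory stand-in for /var/ossec/queue/db/AGENT_ID.db (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_hotfixes (scan_id INTEGER, scan_time TEXT, hotfix TEXT)")
    conn.executemany("INSERT INTO sys_hotfixes VALUES (1, '2020/02/18 00:00:00', ?)",
                     [(kb,) for kb in hotfixes])
    conn.commit()
    return conn


def installed_hotfixes(conn: sqlite3.Connection) -> Set[str]:
    """Same query as the sqlite3 one-liner above, reduced to the KB identifiers."""
    return {row[0].strip().upper() for row in conn.execute("SELECT hotfix FROM sys_hotfixes")}


def find_fix(installed: Set[str], fixes: Set[str],
             supersedes: Optional[Dict[str, List[str]]] = None) -> Optional[Tuple[str, str]]:
    """Return (installed_kb, fixing_kb) that closes the CVE, or None.

    A direct match wins. Otherwise each installed KB's supersedence chain is
    walked transitively to see whether it replaces one of the fixing KBs; that
    is the step a detector with an out-of-date KB list cannot take.
    """
    direct = sorted(installed & fixes)
    if direct:
        return direct[0], direct[0]
    supersedes = supersedes or {}
    for start in sorted(installed):
        stack = list(supersedes.get(start, []))
        seen: Set[str] = set()
        while stack:
            kb = stack.pop()
            if kb in seen:
                continue
            seen.add(kb)
            if kb in fixes:
                return start, kb
            stack.extend(supersedes.get(kb, []))
    return None


def report(cve: str, installed: Set[str], fixes: Set[str],
           supersedes: Optional[Dict[str, List[str]]] = None) -> str:
    """One-line verdict in the spirit of the detector's package.condition field."""
    hit = find_fix(installed, fixes, supersedes)
    if hit is None:
        return f"{cve}: vulnerable (no fixing KB installed or superseded)"
    installed_kb, fix_kb = hit
    if installed_kb == fix_kb:
        return f"{cve}: not vulnerable ({fix_kb} is installed)"
    return f"{cve}: not vulnerable ({installed_kb} supersedes {fix_kb})"


if __name__ == "__main__":
    kbs = installed_hotfixes(demo_agent_db(INSTALLED_1809_WORKSTATION))
    print(report("CVE-2019-1226 (1809 list)", kbs, FIXES_CVE_2019_1226["1809"]))
    # Checking a 1809 host against the 1803 list looks vulnerable: the OS build matters.
    print(report("CVE-2019-1226 (1803 list)", kbs, FIXES_CVE_2019_1226["1803"]))
    # Stale fix list and no supersedence data: the false positive from the first post.
    print(report("CVE-2019-0707 (1703)", {"KB4534296"}, FIXES_CVE_2019_0707_1703))
    print(report("CVE-2019-0707 (1703)", {"KB4534296"}, FIXES_CVE_2019_0707_1703, SUPERSEDES_DEMO))
```

On a real manager you would replace `demo_agent_db` with `sqlite3.connect("/var/ossec/queue/db/AGENT_ID.db")` after finding the ID with `agent_control -l`, and feed `SUPERSEDES_DEMO` from the catalog's supersedence data for the host's exact build; matching a host against the wrong release's KB list produces the same kind of false positive as a stale list.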

Schil tech

Feb 18, 2020, 5:10:00 AM
to Wazuh mailing list
Hello,

Thank you for your answers and your work.

Regards,

Schil tech