Vulnerability Detection issue detecting old packages no longer installed


Sérgio Henrique

Feb 3, 2025, 5:42:49 AM
to Wazuh | Mailing List
Hi,
I am experiencing an issue with the latest Wazuh version 4.10.X.

Vulnerability Detection does not seem to be working properly: it is not removing packages that are no longer in the system and were added way before...

Is there any procedure to remove outdated content from, or reset the content of, Vulnerability Detection?

Thank you in advance.
SM

Sérgio Henrique

Feb 3, 2025, 8:07:17 AM
to Bony V John, Wazuh | Mailing List
  • Wazuh Manager version
    Using docker single-node:
    wazuh/wazuh-dashboard:4.10.1
    wazuh/wazuh-indexer:4.10.1
    wazuh/wazuh-manager:4.10.1
  • Wazuh Agent version
    wazuh-agent  4.10.1-1 arm64
  • Package names and their versions
     dpkg -la|grep linux
    ii  binutils-aarch64-linux-gnu      2.40-2                         arm64        GNU binary utilities, for aarch64-linux-gnu target
    ii  console-setup-linux             1.221                          all          Linux specific part of console-setup
    ii  firmware-linux-free             20200122-1                     all          Binary firmware for various drivers in the Linux kernel
    ii  libselinux1:arm64               3.4-1+b6                       arm64        SELinux runtime shared libraries
    ii  linux-base                      4.9                            all          Linux image base package
    ii  linux-image-6.12.9+bpo-arm64    6.12.9-1~bpo12+1               arm64        Linux 6.12 for 64-bit ARMv8 machines (signed)
    ii  linux-image-arm64               6.12.9-1~bpo12+1               arm64        Linux for 64-bit ARMv8 machines (meta-package)
    ii  util-linux                      2.38.1-5+deb12u3               arm64        miscellaneous system utilities
    ii  util-linux-extra                2.38.1-5+deb12u3               arm64        interactive login tools
    ii  util-linux-locales              2.38.1-5+deb12u3               all          locales files for util-linux

    The issue was resolved for some, but others were not ... they were first detected on the previous agent and manager version 4.9.2:
    package.name,package.version,vulnerability.description,vulnerability.severity,vulnerability.id
    "linux-image-6.1.0-25-arm64","6.1.106-3","TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.","Medium","CVE-2004-0230"
    "linux-image-6.1.0-25-arm64","6.1.106-3","Linux kernel 2.4 and 2.6 allows attackers to cause a denial of service (memory exhaustion and panic) by creating a large number of connected file descriptors or socketpairs and setting a large data transfer buffer, then preventing Linux from being able to finish the transfer by causing the process to become a zombie, or closing the file descriptor without closing an associated reference.","Medium","CVE-2005-3660"
    "linux-image-6.1.0-25-arm64","6.1.106-3","The process scheduler in the Linux kernel 2.6.16 gives preference to ""interactive"" processes that perform voluntary sleeps, which allows local users to cause a denial of service (CPU consumption), as described in ""Secretly Monopolizing the CPU Without Superuser Privileges.""","Low","CVE-2007-3719"
    "linux-image-6.1.0-25-arm64","6.1.106-3","Mounting /proc filesystem via chroot command silently mounts it in read-write mode. The user could bypass the chroot environment and gain write access to files, he would never have otherwise.","Low","CVE-2008-2544"
    "linux-image-6.1.0-25-arm64","6.1.106-3","The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress.","High","CVE-2008-4609"
    "linux-image-6.1.0-25-arm64","6.1.106-3","The Linux kernel, when using IPv6, allows remote attackers to determine whether a host is sniffing the network by sending an ICMPv6 Echo Request to a multicast address and determining whether an Echo Reply is sent, as demonstrated by thcping.","Medium","CVE-2010-4563"
    "linux-image-6.1.0-25-arm64","6.1.106-3","Memory leak in drivers/media/video/videobuf-core.c in the videobuf subsystem in the Linux kernel 2.6.x through 4.x allows local users to cause a denial of service (memory consumption) by leveraging /dev/video access for a series of mmap calls that require new allocations, a different vulnerability than CVE-2007-6761.  NOTE: as of 2016-06-18, this affects only 11 drivers that have not been updated to use videobuf2 instead of videobuf.","Medium","CVE-2010-5321"
    "linux-image-6.1.0-25-arm64","6.1.106-3","fs/proc/base.c in the Linux kernel through 3.1 allows local users to obtain sensitive keystroke information via access to /proc/interrupts.","Low","CVE-2011-4915"
    "linux-image-6.1.0-25-arm64","6.1.106-3","Linux kernel through 3.1 allows local users to obtain sensitive keystroke information via access to /dev/pts/ and /dev/tty*.","Low","CVE-2011-4916"
    "linux-image-6.1.0-25-arm64","6.1.106-3","In the Linux kernel through 3.1 there is an information disclosure issue via /proc/stat.","Low","CVE-2011-4917"
    "linux-image-6.1.0-25-arm64","6.1.106-3","block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during authorization of SCSI commands, which allows local users to bypass intended access restrictions via an SG_IO ioctl call that leverages overlapping opcodes.","Medium","CVE-2012-4542"
    "linux-image-6.1.0-25-arm64","6.1.106-3","The snd_compr_tstamp function in sound/core/compress_offload.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly initialize a timestamp data structure, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28770164 and Qualcomm internal bug CR568717.","Medium","CVE-2014-9892"
    "linux-image-6.1.0-25-arm64","6.1.106-3","The ethtool_get_wol function in net/core/ethtool.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not initialize a certain data structure, which allows local users to obtain sensitive information via a crafted application, aka Android internal bug 28803952 and Qualcomm internal bug CR570754.","Medium","CVE-2014-9900"
    "linux-image-6.1.0-25-arm64","6.1.106-3","Kernel Samepage Merging (KSM) in the Linux kernel 2.6.32 through 4.x does not prevent use of a write-timing side channel, which allows guest OS users to defeat the ASLR protection mechanism on other guest OS instances via a Cross-VM ASL INtrospection (CAIN) attack.  NOTE: the vendor states ""Basically if you care about this attack vector, disable deduplication."" Share-until-written approaches for memory conservation among mutually untrusting tenants are inherently detectable for information disclosure, and can be classified as potentially misunderstood behaviors rather than vulnerabilities","Low","CVE-2015-2877"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in the Linux kernel through 4.17.2. Since the page allocator does not yield CPU resources to the owner of the oom_lock mutex, a local unprivileged user can trivially lock up the system forever by wasting CPU resources from the page allocator (e.g., via concurrent page fault events) when the global OOM killer is invoked. NOTE: the software maintainer has not accepted certain proposed patches, in part because of a viewpoint that ""the underlying problem is non-trivial to handle.","Medium","CVE-2016-10723"
    "linux-image-6.1.0-25-arm64","6.1.106-3","The XFS subsystem in the Linux kernel through 4.8.2 allows local users to cause a denial of service (fdatasync failure and system hang) by using the vfs syscall group in the trinity program, related to a ""page lock order bug in the XFS seek hole/data implementation.""","Medium","CVE-2016-8660"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An information disclosure vulnerability in the kernel trace subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34277115.","Low","CVE-2017-0630"
    "linux-image-6.1.0-25-arm64","6.1.106-3","The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.","Medium","CVE-2017-13693"
    "linux-image-6.1.0-25-arm64","6.1.106-3","The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.","Low","CVE-2017-13694"
    "linux-image-6.1.0-25-arm64","6.1.106-3","procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.","Medium","CVE-2018-1121"
    "linux-image-6.1.0-25-arm64","6.1.106-3","In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in hfs_ext_read_extent in hfs.ko. This can occur during a mount of a crafted hfs filesystem.","Medium","CVE-2018-12928"
    "linux-image-6.1.0-25-arm64","6.1.106-3","The Linux kernel 4.14.67 mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7.","Medium","CVE-2018-17977"
    "linux-image-6.1.0-25-arm64","6.1.106-3","The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout is loaded, allows local users to bypass ASLR on setuid a.out programs (if any exist) because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. NOTE: the software maintainer disputes that this is a vulnerability because ASLR for a.out format executables has never been supported","Low","CVE-2019-11191"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: This has been disputed as not an issue","Medium","CVE-2019-12378"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in con_insert_unipair in drivers/tty/vt/consolemap.c in the Linux kernel through 5.1.5. There is a memory leak in a certain case of an ENOMEM outcome of kmalloc. NOTE: This id is disputed as not being an issue","Medium","CVE-2019-12379"
    "linux-image-6.1.0-25-arm64","6.1.106-3","**DISPUTED** An issue was discovered in the efi subsystem in the Linux kernel through 5.1.5. phys_efi_set_virtual_address_map in arch/x86/platform/efi/efi.c and efi_call_phys_prolog in arch/x86/platform/efi/efi_64.c mishandle memory allocation failures. NOTE: This id is disputed as not being an issue because “All the code touched by the referenced commit runs only at boot, before any user processes are started. Therefore, there is no possibility for an unprivileged user to control it.”.","Low","CVE-2019-12380"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in ip_ra_control in net/ipv4/ip_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: this is disputed because new_ra is never used if it is NULL","Medium","CVE-2019-12381"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the Linux kernel through 5.1.5. There is an unchecked kstrdup of fwstr, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: The vendor disputes this issues as not being a vulnerability because kstrdup() returning NULL is handled sufficiently and there is no chance for a NULL pointer dereference","Medium","CVE-2019-12382"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in sunxi_divs_clk_setup in drivers/clk/sunxi/clk-sunxi.c in the Linux kernel through 5.1.5. There is an unchecked kstrndup of derived_name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: This id is disputed as not being an issue because “The memory allocation that was not checked is part of a code that only runs at boot time, before user processes are started. Therefore, there is no possibility for an unprivileged user to control it, and no denial of service.”","Medium","CVE-2019-12455"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in the MPT3COMMAND case in _ctl_ioctl_main in drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux kernel through 5.1.5. It allows local users to cause a denial of service or possibly have unspecified other impact by changing the value of ioc_number between two kernel reads of that value, aka a ""double fetch"" vulnerability. NOTE: a third party reports that this is unexploitable because the doubly fetched value is not used","High","CVE-2019-12456"
    "linux-image-6.1.0-25-arm64","6.1.106-3","drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: The security community disputes this issues as not being serious enough to be deserving a CVE id","Medium","CVE-2019-16229"
    "linux-image-6.1.0-25-arm64","6.1.106-3","drivers/gpu/drm/radeon/radeon_display.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: A third-party software maintainer states that the work queue allocation is happening during device initialization, which for a graphics card occurs during boot. It is not attacker controllable and OOM at that time is highly unlikely","Medium","CVE-2019-16230"
    "linux-image-6.1.0-25-arm64","6.1.106-3","drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.","Medium","CVE-2019-16231"
    "linux-image-6.1.0-25-arm64","6.1.106-3","drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.","Medium","CVE-2019-16232"
    "linux-image-6.1.0-25-arm64","6.1.106-3","drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.","Medium","CVE-2019-16233"
    "linux-image-6.1.0-25-arm64","6.1.106-3","drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.","Medium","CVE-2019-16234"
    "linux-image-6.1.0-25-arm64","6.1.106-3","A memory leak in the spi_gpio_probe() function in drivers/spi/spi-gpio.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering devm_add_action_or_reset() failures, aka CID-d3b0ffa1d75d. NOTE: third parties dispute the relevance of this because the system must have already been out of memory before the probe began","High","CVE-2019-19070"
    "linux-image-6.1.0-25-arm64","6.1.106-3","In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image can lead to slab-out-of-bounds write access in index_rbio_pages in fs/btrfs/raid56.c.","Medium","CVE-2019-19378"
    "linux-image-6.1.0-25-arm64","6.1.106-3","snd_ctl_elem_add in sound/core/control.c in the Linux kernel through 5.6.3 has a count=info->owner line, which later affects a private_size*count multiplication for unspecified ""interesting side effects."" NOTE: kernel engineers dispute this finding, because it could be relevant only if new callers were added that were unfamiliar with the misuse of the info->owner field to represent data unrelated to the ""owner"" concept. The existing callers, SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE, have been designed to misuse the info->owner field in a safe way","Medium","CVE-2020-11725"
    "linux-image-6.1.0-25-arm64","6.1.106-3","A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem","Low","CVE-2020-35501"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in netfilter in the Linux kernel before 5.10. There can be a use-after-free in the packet processing context, because the per-CPU sequence count is mishandled during concurrent iptables rules replacement. This could be exploited with the CAP_NET_ADMIN capability in an unprivileged namespace. NOTE: cc00bca was reverted in 5.12.","Medium","CVE-2020-36694"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in the Linux kernel 4.18 through 5.10.16, as used by Xen. The backend allocation (aka be-alloc) mode of the drm_xen_front drivers was not meant to be a supported configuration, but this wasn't stated accordingly in its support status entry.","Medium","CVE-2021-26934"
    "linux-image-6.1.0-25-arm64","6.1.106-3","A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged.","Medium","CVE-2021-3714"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An unauthorized access to the execution of the setuid file with capabilities flaw in the Linux kernel OverlayFS subsystem was found in the way user copying a capable file from a nosuid mount into another mount. A local user could use this flaw to escalate their privileges on the system.","High","CVE-2021-3847"
    "linux-image-6.1.0-25-arm64","6.1.106-3","A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.","High","CVE-2021-3864"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An out-of-bounds read vulnerability was discovered in linux kernel in the smc protocol stack, causing remote dos.","High","CVE-2022-0400"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue found in linux-kernel that leads to a race condition in rose_connect(). The rose driver uses rose_neigh->use to represent how many objects are using the rose_neigh. When a user wants to delete a rose_route via rose_ioctl(), the rose driver calls rose_del_node() and removes neighbours only if their “count” and “use” are zero.","High","CVE-2022-1247"
    "linux-image-6.1.0-25-arm64","6.1.106-3","In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file.","Medium","CVE-2022-25265"
    "linux-image-6.1.0-25-arm64","6.1.106-3","A use-after-free flaw was found in the Linux kernel’s PLP Rose functionality in the way a user triggers a race condition by calling bind while simultaneously triggering the rose_bind() function. This flaw allows a local user to crash or potentially escalate their privileges on the system.","High","CVE-2022-2961"
    "linux-image-6.1.0-25-arm64","6.1.106-3","A double-free flaw was found in the Linux kernel’s NTFS3 subsystem in how a user triggers remount and umount simultaneously. This flaw allows a local user to crash or potentially escalate their privileges on the system.","High","CVE-2022-3238"
    "linux-image-6.1.0-25-arm64","6.1.106-3","drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling ioctl, aka a race condition between mgslpc_ioctl and mgslpc_detach.","Medium","CVE-2022-41848"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach().","Medium","CVE-2022-44032"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().","Medium","CVE-2022-44033"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove().","Medium","CVE-2022-44034"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.","High","CVE-2022-45884"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_frontend.c has a race condition that can cause a use-after-free when a device is disconnected.","High","CVE-2022-45885"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in the Linux kernel through 6.0.9. drivers/char/xillybus/xillyusb.c has a race condition and use-after-free during physical removal of a USB device.","Medium","CVE-2022-45888"
    "linux-image-6.1.0-25-arm64","6.1.106-3","A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.","Medium","CVE-2023-0160"
    "linux-image-6.1.0-25-arm64","6.1.106-3","A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data. A local user could use this flaw to get access to some important data with expected location in memory.","Medium","CVE-2023-0597"
    "linux-image-6.1.0-25-arm64","6.1.106-3","In multiple functions of mem_protect.c, there is a possible way to access hypervisor memory due to a memory access check in the wrong place. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.","Medium","CVE-2023-21264"
    "linux-image-6.1.0-25-arm64","6.1.106-3","In the Linux kernel before 6.2, mm/memory-tiers.c misinterprets the alloc_memory_type return value (expects it to be NULL in the error case, whereas it is actually an error pointer). NOTE: this is disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached.","Medium","CVE-2023-23005"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in the Linux kernel through 6.2.0-rc2. drivers/tty/vcc.c has a race condition and resultant use-after-free if a physically proximate attacker removes a VCC device while calling open(), aka a race condition between vcc_open() and vcc_remove().","Medium","CVE-2023-23039"
    "linux-image-6.1.0-25-arm64","6.1.106-3","afu_mmio_region_get_by_offset in drivers/fpga/dfl-afu-region.c in the Linux kernel through 6.1.12 has an integer overflow.","High","CVE-2023-26242"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in drivers/media/test-drivers/vidtv/vidtv_bridge.c in the Linux kernel 6.2. There is a NULL pointer dereference in vidtv_mux_stop_thread. In vidtv_stop_streaming, after dvb->mux=NULL occurs, it executes vidtv_mux_stop_thread(dvb->mux).","Medium","CVE-2023-31081"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel. Note: This has been disputed by 3rd parties as not a valid vulnerability.","Medium","CVE-2023-31082"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.","Medium","CVE-2023-31085"
    "linux-image-6.1.0-25-arm64","6.1.106-3","A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.","Medium","CVE-2023-3397"
    "linux-image-6.1.0-25-arm64","6.1.106-3","A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.","High","CVE-2023-3640"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An issue was discovered in the Linux kernel through 6.4.2. A crafted UDF filesystem image causes a use-after-free write operation in the udf_put_super and udf_close_lvid functions in fs/udf/super.c. NOTE: the suse.com reference has a different perspective about this.","Medium","CVE-2023-37454"
    "linux-image-6.1.0-25-arm64","6.1.106-3","An improper input validation flaw was found in the eBPF subsystem in the Linux kernel. The issue occurs due to a lack of proper validation of dynamic pointers within user-supplied eBPF programs prior to executing them. This may allow an attacker with CAP_BPF privileges to escalate privileges and execute arbitrary code in the context of the kernel.","High","CVE-2023-39191"
    "linux-image-6.1.0-25-arm64","6.1.106-3","A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service.","Medium","CVE-2023-4010"
    "linux-image-6.1.0-25-arm64","6.1.106-3","A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.","Medium","CVE-2023-4133"
    "linux-image-6.1.0-25-arm64","6.1.106-3","ntfs3 in the Linux kernel through 6.8.0 allows a physically proximate attacker to read kernel memory by mounting a filesystem (e.g., if a Linux distribution is configured to allow unprivileged mounts of removable media) and then leveraging local access to trigger an out-of-bounds read. A length value can be larger than the amount of memory allocated. NOTE: the supplier's perspective is that there is no vulnerability when an attack requires an attacker-modified filesystem image.","High","CVE-2023-45896"
    "linux-image-6.1.0-25-arm64","6.1.106-3","In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix accesses to uninit stack slots  Privileged programs are supposed to be able to read uninitialized stack memory (ever since 6715df8d5) but, before this patch, these accesses were permitted inconsistently. In particular, accesses were permitted above state->allocated_stack, but not below it. In other words, if the stack was already ""large enough"", the access was permitted, but otherwise the access was rejected instead of being allowed to ""grow the stack"". This undesired rejection was happening in two places: - in check_stack_slot_within_bounds() - in check_stack_range_initialized() This patch arranges for these accesses to be permitted. A bunch of tests that were relying on the old rejection had to change; all of them were changed to add also run unprivileged, in which case the old behavior persists. One tests couldn't be updated - global_func16 - because it can't run unprivileged for other reasons.  This patch also fixes the tracking of the stack size for variable-offset reads. This second fix is bundled in the same commit as the first one because they're inter-related. Before this patch, writes to the stack using registers containing a variable offset (as opposed to registers with fixed, known values) were not properly contributing to the function's needed stack size. As a result, it was possible for a program to verify, but then to attempt to read out-of-bounds data at runtime because a too small stack had been allocated for it.  Each function tracks the size of the stack it needs in bpf_subprog_info.stack_depth, which is maintained by update_stack_depth(). For regular memory accesses, check_mem_access() was calling update_state_depth() but it was passing in only the fixed part of the offset register, ignoring the variable offset. This was incorrect; the minimum possible value of that register should be used instead.  
This tracking is now fixed by centralizing the tracking of stack size in grow_stack_state(), and by lifting the calls to grow_stack_state() to check_stack_access_within_bounds() as suggested by Andrii. The code is now simpler and more convincingly tracks the correct maximum stack size. check_stack_range_initialized() can now rely on enough stack having been allocated for the access; this helps with the fix for the first issue.  A few tests were changed to also check the stack depth computation. The one that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.","High","CVE-2023-52452"
    "linux-image-6.1.0-25-arm64","6.1.106-3","In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Wake DMCUB before sending a command  [Why] We can hang in place trying to send commands when the DMCUB isn't powered on.  [How] For functions that execute within a DC context or DC lock we can wrap the direct calls to dm_execute_dmub_cmd/list with code that exits idle power optimizations and reallows once we're done with the command submission on success.  For DM direct submissions the DM will need to manage the enter/exit sequencing manually.  We cannot invoke a DMCUB command directly within the DM execution helper or we can deadlock.","","CVE-2023-52485"
    "linux-image-6.1.0-25-arm64","6.1.106-3","In the Linux kernel, the following vulnerability has been resolved:  drm/msm/dpu: Add mutex lock in control vblank irq  Add a mutex lock to control vblank irq to synchronize vblank enable/disable operations happening from different threads to prevent race conditions while registering/unregistering the vblank irq callback.  v4: -Removed vblank_ctl_lock from dpu_encoder_virt, so it is only a     parameter of dpu_encoder_phys.     -Switch from atomic refcnt to a simple int counter as mutex has     now been added v3: Mistakenly did not change wording in last version. It is done now. v2: Slightly changed wording of commit message  Patchwork: https://patchwork.freedesktop.org/patch/571854/","","CVE-2023-52586"
    "linux-image-6.1.0-25-arm64","6.1.106-3","In the Linux kernel, the following vulnerability has been resolved:  ocfs2: Avoid touching renamed directory if parent does not change  The VFS will not be locking moved directory if its parent does not change. Change ocfs2 rename code to avoid touching renamed directory if its parent does not change as without locking that can corrupt the filesystem.","","CVE-2023-52590"
  • Operating System name
    For the docker single-node with dashboard, indexer and manager:
     Debian GNU/Linux 12 (bookworm) (x64)
  • Operating System version of the Wazuh Agent
    For the affected agent:
    Debian GNU/Linux 12 (bookworm) (arm64)
Thank you in advance.
SM

'Bony V John' via Wazuh | Mailing List <wa...@googlegroups.com> wrote (Monday, 3/02/2025 at 11:47):
Hi,

Could you please share the CVE IDs related to this issue?

Additionally, provide the following details:

  • Wazuh Manager version
  • Wazuh Agent version
  • Package names and their versions
  • Operating System name
  • Operating System version of the Wazuh Agent

Also, share a screenshot of the vulnerability inventory related to this issue for further analysis.



--
Regards,
    Sérgio Machado

Bony V John

Feb 12, 2025, 11:28:01 PM
to Wazuh | Mailing List
Hi,

Apologies for the late response. If the vulnerability database inventory is still showing packages that are no longer available on the monitored device, you can try the steps below. These steps will delete the old wazuh-states-vulnerabilities index, which will then be automatically recreated with updated vulnerability data.  

  • In the Wazuh dashboard, click on the Hamburger icon in the top left corner.
  • Navigate to Index Management > Indexes.
  • Select the wazuh-states-vulnerabilities index.
  • Click on Action (top right) and delete the index.

After deleting the index, restart the Wazuh indexer and manager services:
systemctl restart wazuh-indexer
systemctl restart wazuh-manager

This will automatically recreate the vulnerability index, but it may take some time for the updated vulnerability data to be processed and displayed.  
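
A check to run before and after the index reset described above, added here as an example and not part of the original thread or of Wazuh's own tooling: it compares an exported vulnerability inventory CSV against `dpkg -l` output from the agent and lists the rows whose package is not installed. The column order (package, version, description, severity, CVE) is assumed from the rows quoted in this thread; the sample data, the placeholder CVE and the function names are constructed.

```python
import csv
import io

# Constructed sample: two inventory rows in the column order of the export
# quoted in this thread (package, version, description, severity, CVE).
# The second row and its placeholder CVE are made up for the example.
SAMPLE_INVENTORY = '''"linux-image-6.1.0-25-arm64","6.1.106-3","desc with ""quotes"", and commas","High","CVE-2023-52452"
"util-linux","2.38.1-5+deb12u3","constructed row","Low","CVE-0000-0000"
'''

# Constructed sample of `dpkg -l` output, modelled on the listing in the thread.
SAMPLE_DPKG = """\
ii  libselinux1:arm64             3.4-1+b6          arm64  SELinux runtime shared libraries
ii  linux-image-6.12.9+bpo-arm64  6.12.9-1~bpo12+1  arm64  Linux 6.12 for 64-bit ARMv8 machines (signed)
rc  linux-image-6.1.0-25-arm64    6.1.106-3         arm64  Linux 6.1 for 64-bit ARMv8 machines (signed)
ii  util-linux                    2.38.1-5+deb12u3  arm64  miscellaneous system utilities
"""


def installed_packages(dpkg_output):
    """Return {name: version} for packages dpkg reports as installed ("ii")."""
    installed = {}
    for line in dpkg_output.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 3 or fields[0] != "ii":
            continue  # skips headers and removed-but-not-purged ("rc") entries
        name = fields[1].split(":", 1)[0]  # drop a ":arch" qualifier
        installed[name] = fields[2]
    return installed


def stale_rows(inventory_csv, dpkg_output):
    """Return (package, version, cve, reason) for rows dpkg does not back up."""
    installed = installed_packages(dpkg_output)
    stale = []
    for row in csv.reader(io.StringIO(inventory_csv)):
        if len(row) < 5:
            continue  # not a data row
        package, version, cve = row[0].strip(), row[1].strip(), row[4].strip()
        if package not in installed:
            stale.append((package, version, cve, "not installed"))
        elif installed[package] != version:
            stale.append((package, version, cve, "installed version is " + installed[package]))
    return stale


if __name__ == "__main__":
    for entry in stale_rows(SAMPLE_INVENTORY, SAMPLE_DPKG):
        print(*entry, sep="\t")
```

If rows still come back as stale once the recreated index has finished populating, the reset did not clear them and the output is the evidence to attach to a follow-up report.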