MSU Database for vulnerability detection in windows


Mohd Imran

Aug 3, 2022, 10:56:58 PM
to Wazuh mailing list
Hi,

I'm currently using Wazuh version 4.3.6. I have some questions:

a) For the MSU provider, does it automatically download the latest version, or do I need to update it manually?

b) Is there a way to check the version of the MSU database in Wazuh?

c) When I enable vulnerability detection, it detects the KBs below on one of my servers:

KB4516044 patch is not installed
KB4512517 patch is not installed
KB4507460 patch is not installed
KB4503267 patch is not installed
KB4489882 patch is not installed
KB4487026 patch is not installed
KB4480961 patch is not installed
KB4053579 patch is not installed
KB4471321 patch is not installed
KB4457131 patch is not installed
KB4343887 patch is not installed
KB4345418 patch is not installed
KB4284880 patch is not installed
KB4088787 patch is not installed
KB4074590 patch is not installed
KB4056890 patch is not installed
KB3200970 patch is not installed

But upon checking the Windows server, it shows that everything is up to date. Is this considered a false positive, or is the MSU feed not updated?

Many thanks


Marcel Kemp

Aug 4, 2022, 4:14:12 AM
to Wazuh mailing list
Hi imraneuf,

I will answer the questions in order:

a) If you have configured the MSU provider within Vulnerability Detector, as shown in the example configuration in the documentation, then it will automatically perform both the check and the download if necessary.

b) Yes, a couple of ways to check that you have the latest feed are as follows:
  • Check the logs for a message similar to the following:
    wazuh-modulesd:vulnerability-detector[7936] wm_vuln_detector.c:6821 at wm_vuldet_check_feed_metadata(): DEBUG: (5406): The feed 'Microsoft Security Update' is in its latest version.
  • Check inside the manager database for the date it was last updated (timestamp), or check that the checksum (sha256) is equal to 5be3225ba12a09784654506e2cf80cff774687f6f6f7f7c4611d3132c9a7d68baa86:
    • sqlite3 /var/ossec/queue/vulnerabilities/cve.db "select timestamp from metadata where target='MSU';"
    • sqlite3 /var/ossec/queue/vulnerabilities/cve.db "select sha256 from metadata where target='MSU';"
c) There seems to be a lack of information in the Catalog (Microsoft's official source used to correlate the supersedence of patches), where some recent hotfixes do not appear to be superseded by older hotfixes that should be superseded.

This is currently under research, and upon completion, if we can confirm that it is a lack of information but that they are indeed related, then we will try to apply a fix by correcting the hotfixes to prevent these vulnerabilities from appearing:
If you have any questions, don't hesitate to ask.
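A scripted version of the two checks in (b), as an added example that is not Wazuh's code or the poster's: it reads the MSU row from the metadata table that the sqlite3 queries above use, reports the feed's age and checksum, and scans ossec.log lines for the (5406) "latest version" message. It assumes the metadata table has at least the columns target, timestamp and sha256 (the only ones the queries above touch) and that timestamp is ISO 8601; both are assumptions, so adjust if your database differs. The in-memory database and log lines are constructed so the script runs without a manager.

```python
"""Feed-freshness check for the Wazuh MSU provider (added example, not Wazuh code).

Assumptions: the metadata table in /var/ossec/queue/vulnerabilities/cve.db has at
least the columns target, timestamp and sha256, and timestamp is ISO 8601. When the
real database is absent, a constructed in-memory stand-in is used instead.
"""
import os
import re
import sqlite3
from datetime import datetime, timezone

CVE_DB = "/var/ossec/queue/vulnerabilities/cve.db"

# The DEBUG line (5406) quoted in the reply: the feed is already current.
FEED_OK_RE = re.compile(r"\(5406\): The feed '(?P<feed>[^']+)' is in its latest version")


def _as_utc(value):
    """Accept a datetime or an ISO 8601 string (trailing Z allowed); return aware UTC."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def read_feed_metadata(conn, target="MSU"):
    """Return {'timestamp', 'sha256'} for the feed, or None if there is no row."""
    row = conn.execute(
        "SELECT timestamp, sha256 FROM metadata WHERE target = ?", (target,)
    ).fetchone()
    return None if row is None else {"timestamp": row[0], "sha256": row[1]}


def check_feed(conn, target="MSU", max_age_days=7, expected_sha256=None, now=None):
    """Classify the feed as ok / stale / missing.

    A sha256 that differs from the one you expect also counts as stale: a stuck
    download leaves the previous checksum in place.
    """
    meta = read_feed_metadata(conn, target)
    if meta is None:
        return {"status": "missing", "problems": [f"no metadata row for target {target!r}"]}
    now = _as_utc(now) if now else datetime.now(timezone.utc)
    age_days = (now - _as_utc(meta["timestamp"])).total_seconds() / 86400
    problems = []
    if age_days > max_age_days:
        problems.append(f"feed is {age_days:.1f} days old (limit {max_age_days})")
    if expected_sha256 and meta["sha256"].lower() != expected_sha256.lower():
        problems.append("sha256 differs from the expected feed checksum")
    return {
        "status": "stale" if problems else "ok",
        "age_days": round(age_days, 1),
        "sha256": meta["sha256"],
        "problems": problems,
    }


def last_feed_confirmation(log_lines, feed="Microsoft Security Update"):
    """Return the most recent log line confirming `feed` is current, else None."""
    last = None
    for line in log_lines:
        m = FEED_OK_RE.search(line)
        if m and m.group("feed") == feed:
            last = line.strip()
    return last


def build_sample_db():
    """Constructed stand-in for cve.db with only the columns this script reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE metadata (target TEXT PRIMARY KEY, timestamp TEXT, sha256 TEXT)")
    conn.executemany(
        "INSERT INTO metadata VALUES (?, ?, ?)",
        [("MSU", "2022-08-01T02:00:00Z", "a" * 64),     # 3 days old at the sample 'now'
         ("OTHER", "2022-07-01T02:00:00Z", "b" * 64)],  # 34 days old: stale
    )
    conn.commit()
    return conn


# Constructed log lines in the shape of the DEBUG message quoted above.
SAMPLE_LOG = [
    "2022/08/03 22:10:01 wazuh-modulesd:vulnerability-detector[7936] "
    "wm_vuln_detector.c:6821 at wm_vuldet_check_feed_metadata(): DEBUG: (5406): "
    "The feed 'Microsoft Security Update' is in its latest version.",
    "2022/08/03 22:10:02 wazuh-modulesd:vulnerability-detector[7936] "
    "wm_vuln_detector.c:6821 at wm_vuldet_check_feed_metadata(): DEBUG: (5406): "
    "The feed 'Other Feed' is in its latest version.",
]


if __name__ == "__main__":
    if os.path.exists(CVE_DB):
        conn, now = sqlite3.connect(CVE_DB), None
    else:
        conn, now = build_sample_db(), "2022-08-04T02:00:00Z"
    print("MSU feed:", check_feed(conn, now=now))
    print("last confirmation:", last_feed_confirmation(SAMPLE_LOG))
```

On a manager, run it as a user that can read cve.db and pass the checksum published for the current feed as expected_sha256; a "stale" result with a recent timestamp but a mismatching checksum points at a download that never completed rather than at an old feed.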

Chris Herrmann

Aug 23, 2022, 3:54:19 AM
to Wazuh mailing list
Thanks @marcel.kemp for the github link, that's exactly what we're experiencing.

This appears to be getting worse. I started a thread several weeks ago reporting this issue, and based upon the feedback, successfully set up some manual exclusions (changing the severity of MS CVE-YYYY-12345 to 0). Initially it appeared to impact only one agent with a limited number of CVEs. The number of CVEs being reported as false positives is now in the hundreds, and we've had to put in place a blanket rule to re-evaluate everything Microsoft-related from 2016, 2017, 2018, 2019, etc. to a score of zero, and we need to apply it for all machines.

It's generating copious quantities of work chasing down false positives, reducing confidence in this aspect of the system.

I'm wondering - did something change in the data feeds that the vuln engine is evaluating? This wasn't a problem (or certainly not so much of a problem) a few months ago... I couldn't tell you when I first noticed it, but it definitely used to be manageable. It's no longer manageable.

We have a list of false-positive CVEs that we've identified - is this of any use to the team? And / or is there any information that would be helpful that we can provide? If so... please let us know what you need, and how best to provide it.

Lastly - how are other people managing this?

Thanks,

Chris