Missing Debian 9 Stretch vulnerabilities


Mateusz Tyborski

Jul 18, 2022, 12:23:32 PM
to Wazuh mailing list
Hi,

Since the 4th of July, our Debian 9 hosts have not been scanned by the vulnerability module.

In ossec.log it looks like the db is updated:
2022/07/18 18:03:02 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Debian Stretch' database update.
2022/07/18 18:03:03 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Debian Stretch' feed finished successfully.

But in the db there are no Stretch vulnerabilities:
sqlite3 /var/ossec/queue/vulnerabilities/cve.db
SQLite version 3.7.17 2013-05-20 00:56:22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select target,count (*) from VULNERABILITIES group by TARGET;
BIONIC|42489
BULLSEYE|26765
BUSTER|26690
FOCAL|30200
RHEL5|24936
RHEL6|78981
RHEL7|92261
RHEL8|87095
TRUSTY|49711
XENIAL|42369

And during the scan, in ossec.log:
WARNING: (5575): Unavailable vulnerability data for the agent '254' OS. Skipping it.

What could be the issue here?

Regards
Mateusz

Chema Martinez

Jul 18, 2022, 1:35:46 PM
to Wazuh mailing list
Hi Mateusz,

I have reviewed this issue and reproduced it in my environment. 

It seems Debian has stopped maintaining Stretch since June 30th.

Unfortunately, when talking about Debian it means they don't provide the vulnerabilities affecting that version anymore (unlike Canonical or Red Hat, who keep the vulnerabilities public even if they are not updating them). In this case, the Vulnerability Detector module gathers the Debian vulnerabilities from https://security-tracker.debian.org/tracker/data/json, where the information about vulnerable packages in Debian Stretch has disappeared.

This already happened before with Debian Wheezy and Jessie, which were deprecated by us in the scanner (https://github.com/wazuh/wazuh/issues/5659).

I recommend that you upgrade your Debian Stretch hosts to a newer version such as Buster or Bullseye. From our side, we will open a new issue to deprecate Debian Stretch.

We are sorry for the inconvenience.

Best regards,
Chema.

Mateusz Tyborski

Jul 19, 2022, 3:01:48 AM
to Wazuh mailing list
Hi Chema,

Thank you for the clarification.
I was afraid this would be the reason.
Pity there is no archive (static, but still) for old Debian systems.
But as you wrote, old systems should be upgraded :)

Last question: is it possible to configure Wazuh to scan old Debian against NVD only?

Thanks again
Mateusz

Chema Martinez

Jul 19, 2022, 8:01:53 AM
to Wazuh mailing list
Hi Mateusz,

I already opened the issue to deprecate Debian Stretch, https://github.com/wazuh/wazuh/issues/14354, thank you for your feedback here!

On the other hand, right now it is not possible to scan Linux agents against the NVD because we are pretty sure results are not reliable. It throws a lot of false positives since the NVD is a global database that doesn't take into account the version lineage each package follows in the vendors' repositories, such as Debian.

Don't hesitate if you have further questions!

Best regards,
Chema.
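
As an added example (not part of the thread and not Wazuh code): a Python check for the silent gap described above, where ossec.log reports a successful feed update but cve.db holds no rows for that target. The log lines and the database are constructed samples; the mapping from feed name to TARGET (upper-cased codename) and the CVE column are assumptions.

```python
import re
import sqlite3

# Constructed sample log; the line shapes follow the ones quoted in the thread.
SAMPLE_LOG = """\
2022/07/18 18:03:02 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Debian Stretch' database update.
2022/07/18 18:03:03 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Debian Stretch' feed finished successfully.
2022/07/18 18:03:09 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Debian Buster' feed finished successfully.
2022/07/18 18:10:41 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '254' OS. Skipping it.
"""

FEED_OK = re.compile(r"\(5430\): The update of the '([^']+)' feed finished successfully")
AGENT_SKIPPED = re.compile(r"\(5575\): Unavailable vulnerability data for the agent '(\d+)' OS")

def feed_to_target(feed_name):
    # Assumption: TARGET is the upper-cased codename ('Debian Stretch' -> 'STRETCH').
    return feed_name.split()[-1].upper()

def target_counts(conn):
    # Same GROUP BY query as in the thread, run through the sqlite3 module.
    rows = conn.execute("SELECT TARGET, COUNT(*) FROM VULNERABILITIES GROUP BY TARGET")
    return dict(rows.fetchall())

def coverage_gaps(log_text, conn):
    """Return (targets logged as updated but holding no rows, skipped agent ids)."""
    counts = target_counts(conn)
    updated = {feed_to_target(m.group(1)) for m in FEED_OK.finditer(log_text)}
    empty = sorted(t for t in updated if counts.get(t, 0) == 0)
    skipped = sorted(set(AGENT_SKIPPED.findall(log_text)))
    return empty, skipped

def build_sample_db():
    # Constructed stand-in for /var/ossec/queue/vulnerabilities/cve.db. Only the
    # TARGET column appears in the thread; the CVE column is hypothetical.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE VULNERABILITIES (CVE TEXT, TARGET TEXT)")
    conn.executemany("INSERT INTO VULNERABILITIES VALUES (?, ?)",
                     [("CVE-0000-0001", "BUSTER"), ("CVE-0000-0002", "BUSTER"),
                      ("CVE-0000-0003", "BULLSEYE")])
    return conn

if __name__ == "__main__":
    empty, skipped = coverage_gaps(SAMPLE_LOG, build_sample_db())
    print("feeds updated but empty:", empty)
    print("agents skipped:", skipped)
```

Run periodically against the real log and database, a non-empty first list flags a feed that updates "successfully" while leaving agents of that release unscanned.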