Issue with superseded Windows patches (vulnerability-detector)


Soren

Jul 14, 2020, 4:33:05 AM
to Wazuh mailing list

Hello,


I have encountered an issue with Wazuh where the vulnerability detector module reports missing Windows updates, even though updates that superseded the missing ones are already installed on the host.


For example:

 

Wazuh reported the missing update 'KB4074590'. This update was later superseded by 'KB4509475'.

In turn, 'KB4509475' was superseded by the most recent servicing stack update (SSU) 'KB4503537'.

 

A PowerShell query returns that the SSU KB4503537 is installed on the host:

PS C:\Windows\system32> Get-HotFix KB4503537

Source        Description      HotFixID      InstalledBy          InstalledOn
------        -----------      --------      -----------          -----------
[redacted]  Security Update  KB4503537     NT AUTHORITY\SYSTEM  25.06.2019 00:00:00



Is there a solution to this issue that does not involve manually blacklisting superseded Windows updates?


Please let me know if you require any additional information.


Wazuh-manager package: v3.13.0

Wazuh client: v3.13.0

Host OS: Windows Server 2016 Version 1607 (OS Build 14393.3750)

 


Best regards,

Soren

Juan Cabrera

Jul 14, 2020, 5:08:45 AM
to Wazuh mailing list
Hello Soren:

Each Wazuh version stores information about all the packages that were publicly available until the day said Wazuh version was released.

The MSU file is the result of the correlation between the information provided by the Windows API and the Microsoft Update Catalog. It takes some time for Microsoft to release this information. We want to make sure that all the data we give about your vulnerabilities is correct; that's why we generate and update this file only when a new version of Wazuh is released. You will continue to see those vulnerabilities until we update that file in a future release.

We will soon have our own online feed and the manager will automatically keep this information up to date.

Thank you for your understanding, a greeting:
Juan Cabrera

Soren

Jul 14, 2020, 6:10:02 AM
to Wazuh mailing list
Hello Juan,

thank you for your quick reply.

Are the feed/automatic updates planned for a specific release, or is it best if I periodically check the release notes of new Wazuh releases?


Best regards
Soren

Juan Cabrera

Jul 14, 2020, 6:37:16 AM
to Wazuh mailing list
Hello Soren,

Currently, there is no specific release in which it will be available. We've already started working on this.

We will notify the community when this new option is available.

Best regards,
Juan
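
The supersedence chain from the first post, as an added example that is not part of the thread and not Wazuh's own code: a triage helper that walks a supersedence map transitively and separates reported KBs already covered by an installed successor from those that are genuinely missing. The map, the function names, the installed list and the placeholder KB0000000 are assumptions constructed for illustration; only the three KB numbers in the chain come from the thread.

```python
"""Triage 'missing KB' findings against a supersedence map (added example)."""

# Constructed from the chain quoted in the first post; not read from Wazuh's
# MSU file or from the Microsoft Update Catalog.
SUPERSEDED_BY = {
    "KB4074590": {"KB4509475"},
    "KB4509475": {"KB4503537"},
}


def covering_update(missing_kb, installed, superseded_by):
    """Return an installed KB that is missing_kb or supersedes it, else None."""
    seen, queue = set(), [missing_kb]
    while queue:
        kb = queue.pop(0)
        if kb in seen:  # tolerate cyclic or duplicated map entries
            continue
        seen.add(kb)
        if kb in installed:
            return kb
        queue.extend(sorted(superseded_by.get(kb, ())))
    return None


def triage(reported_missing, installed, superseded_by=SUPERSEDED_BY):
    """Split reported KBs into those covered by an installed successor and the rest."""
    installed = {kb.strip().upper() for kb in installed}
    covered, still_missing = {}, []
    for kb in (k.strip().upper() for k in reported_missing):
        hit = covering_update(kb, installed, superseded_by)
        if hit:
            covered[kb] = hit
        else:
            still_missing.append(kb)
    return {"covered": covered, "still_missing": still_missing}


if __name__ == "__main__":
    # HotFixID values as exported from Get-HotFix on the host (constructed sample).
    installed_on_host = ["KB4503537"]
    # KB0000000 is a placeholder for a finding with no installed successor.
    reported = ["KB4074590", "KB0000000"]
    print(triage(reported, installed_on_host))
```

A finding listed under `covered` still deserves a check that the installed successor really replaces the reported update on that OS build before it is suppressed.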