vulnerability databases out of date


Grant Baxter

Feb 14, 2024, 6:50:21 AM2/14/24
to Wazuh | Mailing List
Hello,

So I set up the Wazuh server locally about a week ago, and I originally thought systems didn't report the vulnerabilities, when actually it's working to a point. I have tested this mainly on Windows by installing a very old version of Python, which, as expected, is flagged almost instantly, which is great. However, the database which is used to identify these vulnerabilities is so out of date.

As an example, I use Microsoft Defender's vulnerability scanner, which isn't great, hence trying Wazuh. This platform as of today reports all Windows 10 systems as being vulnerable, with a high CVSS, for a security update; however, Wazuh still hasn't identified it.

Is there a way or a misconfiguration I need to change to ensure all vulnerabilities are retrieved say from the NVD site?

To be clear, I have the vulnerability scanner set up via the global configuration, and all devices report an inventory fine. It seems it's just the actual external database which seems to be incorrect.

Thanks

Grant

Javier Medeot

Feb 14, 2024, 8:52:34 AM2/14/24
to Wazuh | Mailing List
Hello Grant.

What security update are you referring to? What vendor, product, and product version?

Wazuh uses the CPE helper to scan Windows applications. This dictionary defines translations for the reported applications and a corresponding NVD CPE reference. You can check these dictionary definitions in the cpe_helper.json file located within the Wazuh server, as mentioned in that linked documentation.

So we need to know what security update you are referring to in order to check whether it's getting translated appropriately or whether it is totally untranslated. As you can learn from the above document, some products need the check_hotfix setting activated in the CPE helper configuration file because they keep their version numbers unchanged between updates.

So let me know the specific details from your inventory and about any changes you might have made to the CPE helper dictionary file. Also, please tell me what Wazuh version you are running, just in case there was a related issue in older Wazuh versions.

Thank you.

Javier

Grant Baxter

Feb 15, 2024, 7:04:41 AM2/15/24
to Wazuh | Mailing List
Hi Javier,

So some of the programs which are vulnerable are listed below; I have included some screenshots which hopefully might make more sense. Or maybe not. Basically, it seems it's detecting some stuff. I have also included screenshots from NVD showing the vulnerabilities are logged, and I can also see in the logs that these databases are updating something.

You will see from the Wazuh page that it now reports one kind of vulnerability.
From the Microsoft Defender image, you will see the device has multiple vulnerabilities showing, one for example being QT with a CVSS code of CVE-2023-32763; this hasn't been detected on Wazuh, nor has it been updated yet.
You will also see from the final screenshot that NVD shows the above vulnerability.

I'm not sure why it's not reporting; some systems do report Windows updates for Windows 10/11, however others with the same pending updates don't. Whilst I have compared the inventory, I believe they should in theory show up?

Hopefully you can help resolve this issue; I have set up a replica system which does the same thing.

Thanks
Wazuh Report.png
MSD.png
NVD.png

Grant Baxter

Feb 15, 2024, 7:04:49 AM2/15/24
to Wazuh | Mailing List
I've just noticed something, actually: the program QT doesn't show up in the inventory, and I believe that's because the vulnerability is highlighted in the Registry. I will find another device in question anyway. Is there a way to enable the Registry to be checked for vulnerabilities as well?

Thanks

On Wednesday 14 February 2024 at 13:52:34 UTC Javier Medeot wrote:

Javier Medeot

Feb 16, 2024, 9:07:41 AM2/16/24
to Wazuh | Mailing List
Hello Grant.

For Windows registry configuration assessment you need to look into the Wazuh SCA capability and the appropriate SCA policies.

To alert about known vulnerabilities for your Qt packages, you need to make sure inventory collection is enabled on your endpoint by checking C:\Program Files (x86)\ossec-agent\ossec.conf (or the shared agent config file agent.conf, if that is the case). You can also check https://documentation.wazuh.com/current/user-manual/capabilities/system-inventory/configuration.html on how to do this. Restart your Wazuh agent to make sure the changes are applied immediately.

Your package should be reported like this:

qt-in-inventory.png


You also need to enable vulnerability detection on the Wazuh server by editing /var/ossec/etc/ossec.conf. You'll need to configure something like this:

<vulnerability-detector>
  <enabled>yes</enabled>
  ...
  <!-- Windows OS vulnerabilities -->
  <provider name="msu">
    <enabled>yes</enabled>
    <update_interval>1h</update_interval>
  </provider>

  <!-- Aggregate vulnerabilities -->
  <provider name="nvd">
    <enabled>yes</enabled>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>


To configure vulnerability detection for specific packages, edit /var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json on the Wazuh server. For example:

        ...
            ]
        },
        {
            "target": "windows",
            "source": {
                "vendor": [
                    "^The Qt Company Ltd"
                ],
                "product": [
                    "^Qt.*"
                ],
                "version": []
            },
            "translation": {
                "vendor": [
                    "qt"
                ],
                "product": [
                    "qt"
                ],
                "version": []
            },
            "action": [
                "replace_vendor",
                "replace_product"
            ]
        }

After restarting Wazuh, you should get alerted about the specific vulnerabilities for your package.

qt-vuln-inv.png
qt-vuln-alerts.png


Please make sure you've enabled all these settings. Let me know how it goes. Thank you.

Javier
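A practical way to answer Javier's question ("is the package getting translated appropriately, or is it totally untranslated?") before restarting anything is to dry-run the dictionary entry against the inventory rows the agent reports. The script below is an added example written for this thread, not Wazuh's own CPE helper code: it is a simplified reimplementation that assumes the entries live under a top-level "dictionary" list, treats each regex list as "match if any pattern matches" and an empty list as "no constraint", and only models the two actions the Qt entry above uses (replace_vendor, replace_product). The Python entry and the three inventory rows are constructed for the example.

```python
"""Dry-run a cpe_helper-style dictionary against agent inventory rows.

Added example for the thread above, NOT Wazuh's own implementation.
Assumptions (not taken from the Wazuh source): entries sit under a
top-level "dictionary" list, a regex list matches when any pattern
matches, an empty list means "no constraint", and only the actions
replace_vendor / replace_product are modelled.
"""
import json
import re

# Constructed dictionary fragment; the first entry mirrors the Qt entry
# from the post, the second is a made-up entry for the Python installer.
CPE_HELPER = json.loads(r'''
{
  "dictionary": [
    {
      "target": "windows",
      "source": {"vendor": ["^The Qt Company Ltd"], "product": ["^Qt.*"], "version": []},
      "translation": {"vendor": ["qt"], "product": ["qt"], "version": []},
      "action": ["replace_vendor", "replace_product"]
    },
    {
      "target": "windows",
      "source": {"vendor": ["^Python Software Foundation"], "product": ["^Python \\d"], "version": []},
      "translation": {"vendor": ["python"], "product": ["python"], "version": []},
      "action": ["replace_vendor", "replace_product"]
    }
  ]
}
''')

# Constructed inventory rows, shaped like the vendor/name/version fields
# a syscollector package entry carries.
INVENTORY = [
    {"vendor": "The Qt Company Ltd", "name": "Qt 5.15.2", "version": "5.15.2"},
    {"vendor": "Python Software Foundation", "name": "Python 3.7.0 (64-bit)", "version": "3.7.0"},
    {"vendor": "Contoso", "name": "Contoso Widget", "version": "1.0"},
]


def _any_match(patterns, value):
    """True if no pattern is given, or if any regex matches the value."""
    return not patterns or any(re.search(p, value) for p in patterns)


def find_entry(pkg, dictionary, target="windows"):
    """Return the first dictionary entry whose source regexes match pkg."""
    for entry in dictionary["dictionary"]:
        if entry.get("target") != target:
            continue
        src = entry["source"]
        if (_any_match(src["vendor"], pkg["vendor"])
                and _any_match(src["product"], pkg["name"])
                and _any_match(src["version"], pkg["version"])):
            return entry
    return None


def translate(pkg, dictionary):
    """Apply the matching entry's actions; None if the package is untranslated."""
    entry = find_entry(pkg, dictionary)
    if entry is None:
        return None
    vendor, product = pkg["vendor"], pkg["name"]
    tr = entry["translation"]
    for action in entry["action"]:
        if action == "replace_vendor":
            vendor = tr["vendor"][0]
        elif action == "replace_product":
            product = tr["product"][0]
        else:
            raise ValueError(f"action {action!r} is not modelled in this example")
    # CPE 2.2 URI form (cpe:/a:vendor:product:version), as used in NVD references.
    return {"vendor": vendor, "product": product, "version": pkg["version"],
            "cpe": f"cpe:/a:{vendor}:{product}:{pkg['version']}"}


def untranslated(inventory, dictionary):
    """Names of inventory rows that no dictionary entry matches."""
    return [p["name"] for p in inventory if find_entry(p, dictionary) is None]


if __name__ == "__main__":
    for pkg in INVENTORY:
        print(pkg["name"], "->", translate(pkg, CPE_HELPER))
    print("untranslated:", untranslated(INVENTORY, CPE_HELPER))
```

Feed the script the vendor/name/version strings exactly as they appear in the agent's inventory view; a package that lands in the untranslated list will never be looked up in the NVD feed, which is the symptom described at the start of the thread.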