Vulnerability.severity is Critical while Debian tracker says "unimportant"


Progeth

Mar 24, 2021, 4:08:25 AM
to Wazuh mailing list
Hi,

We're running wazuh 4.1.2 on Debian 10/buster.

We're seeing some CVE events (below is an example JSON) with level 13 via rule id 23506. The event JSON says the severity is Critical, but the Debian tracker says "unimportant" (e.g. https://security-tracker.debian.org/tracker/CVE-2017-12762; I included the tracker JSON and the rule at the bottom).

I found a merge request https://github.com/wazuh/wazuh/pull/5304 with commit https://github.com/wazuh/wazuh/pull/5304/commits/3537db52b3e35ff3a3745503ef3b2a4a7b024f6c "Ignore unimportant vulnerabilities for Debian" which seems to be included in Wazuh 4.1.2.

As far as I understand it, the idea would be that the example CVE would have been ignored, but somehow it picks "Critical" severity for it and sets the event level to 13. I'm wondering if it reads and uses the severity from another feed (NVD?) instead of the Debian tracker JSON?

I guess my question is whether I misunderstood that commit and it's not intended to ignore "unimportant" CVEs, or whether I could maybe configure Wazuh to ignore or flag the unimportant CVEs somehow. I was trying to think of a rule, but as the severity field is "Critical" I couldn't think of one; AFAIK the raw JSON from the Debian tracker isn't available to the rule? So far the only thing I can think of is to compile a blacklist and use that for a rule to ignore specific CVEs, but that seems like unnecessary work if there is a way to take advantage of the "unimportant" flag somehow.

This is not anything major, just would be nice to be able to take advantage of the urgency-status of a CVE given by Debian security team somehow.

-----

Vuln json (from alert):

"vulnerability": {
    "severity": "Critical",
    "package": {
        "condition": "Package less than 4.13.4-1",
        "name": "linux-headers-4.9.0-15-common",
        "source": "linux",
        "version": "4.9.258-1",
        "architecture": "all"
    },
    "cve": "CVE-2017-12762",
    "references": [
    ],
    "cve_version": "4.0",
    "assigner": "c...@mitre.org",
    "published": "2017-08-09",
    "cwe_reference": "CWE-119",
    "title": "CVE-2017-12762 affects linux-headers-4.9.0-15-common",
    "cvss": {
        "cvss2": {
            "base_score": "10",
            "vector": {
                "integrity_impact": "complete",
                "confidentiality_impact": "complete",
                "availability": "complete",
                "attack_vector": "network",
                "access_complexity": "low",
                "authentication": "none"
            }
        },
        "cvss3": {
            "base_score": "9.800000",
            "vector": {
                "user_interaction": "none",
                "integrity_impact": "high",
                "scope": "unchanged",
                "confidentiality_impact": "high",
                "availability": "high",
                "attack_vector": "network",
                "access_complexity": "low",
                "privileges_required": "none"
            }
        }
    },
    "rationale": "In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. This affects the Linux kernel 4.9-stable tree, 4.12-stable tree, 3.18-stable tree, and 4.4-stable tree.",
    "updated": "2018-04-06"
}

Debian tracker json:

"CVE-2017-12762": {
  "description": "In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. This affects the Linux kernel 4.9-stable tree, 4.12-stable tree, 3.18-stable tree, and 4.4-stable tree.",
  "scope": "local",
  "releases": {
    "bullseye": {
      "status": "resolved",
      "repositories": {
        "bullseye": "5.10.19-1"
      },
      "fixed_version": "4.13.4-1",
      "urgency": "unimportant"
    },
    "buster": {
      "status": "resolved",
      "repositories": {
        "buster": "4.19.171-2",
        "buster-security": "4.19.171-2"
      },
      "fixed_version": "4.13.4-1",
      "urgency": "unimportant"
    },
    "sid": {
      "status": "resolved",
      "repositories": {
        "sid": "5.10.24-1"
      },
      "fixed_version": "4.13.4-1",
      "urgency": "unimportant"
    },
    "stretch": {
      "status": "open",
      "repositories": {
        "stretch": "4.9.228-1",
        "stretch-security": "4.9.258-1"
      },
      "urgency": "unimportant"
    }
  }
}


Rule:

<rule id="23506" level="13">
    <if_sid>23501</if_sid>
    <options>no_full_log</options>
    <field name="vulnerability.severity">Critical</field>
    <description>$(vulnerability.cve) affects $(vulnerability.package.name)</description>
</rule>


Br, 
Progeth

Marcel Kemp

Mar 24, 2021, 6:59:42 AM
to Wazuh mailing list
Hi Progeth, 

As you have guessed, it is reading and using the information from the NVD feed rather than the Debian OVAL. This is done to avoid NULL severity for some vulnerabilities (the only case where we trust the severity of the vendor feed is for RHEL/CentOS).

Regarding the question of creating a rule that ignores this particular CVE: it is not possible, since we cannot obtain that "unimportant" flag because, as I have commented, NVD has precedence for obtaining the severity and the impact score.
This is an unusual case, since normally the severities between OVAL and NVD do not differ so much (at least the reliability of the cases is quite high).

And as you say, a possible workaround would be to create a blacklist with the CVEs that you want to ignore and use them in a rule.

I hope this has clarified your doubts.
Feel free to ask anything.
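The blacklist-and-rule workaround that both messages above arrive at, as an added example that is not part of the thread and not Wazuh's own code or ruleset: a small Python helper that takes the Debian security tracker JSON in the layout quoted in the first message (source package, then CVE, then per-release data), selects the CVEs whose urgency for the release you actually run is "unimportant", and renders both a Wazuh CDB list body and a level-0 child rule of 23506 that silences matching alerts. The tracker data embedded below is constructed (the CVE-2017-12762 entry is trimmed from the excerpt in the thread, CVE-2099-0001 is invented so the filter has something to keep); the rule id 100500 and the list path etc/lists/debian-unimportant are placeholders to adapt.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample in the shape of the Debian security tracker JSON export
# (source package -> CVE -> per-release data). The CVE-2017-12762 entry is
# trimmed from the tracker JSON quoted in the thread; CVE-2099-0001 is a
# made-up entry with a non-"unimportant" urgency so the filter has something
# to keep. Nothing is fetched from the network.
TRACKER_SAMPLE: Dict = json.loads("""
{
  "linux": {
    "CVE-2017-12762": {
      "scope": "local",
      "releases": {
        "buster": {
          "status": "resolved",
          "repositories": {"buster": "4.19.171-2", "buster-security": "4.19.171-2"},
          "fixed_version": "4.13.4-1",
          "urgency": "unimportant"
        },
        "stretch": {
          "status": "open",
          "repositories": {"stretch": "4.9.228-1", "stretch-security": "4.9.258-1"},
          "urgency": "unimportant"
        }
      }
    },
    "CVE-2099-0001": {
      "scope": "remote",
      "releases": {
        "buster": {
          "status": "open",
          "repositories": {"buster": "4.19.171-2"},
          "urgency": "high"
        }
      }
    }
  }
}
""")


def unimportant_cves(tracker: Dict, release: str) -> List[str]:
    """CVE IDs whose Debian urgency for `release` is exactly "unimportant".

    A CVE with no entry for `release` is never returned: only silence what the
    Debian security team has explicitly rated for the release you run.
    """
    found = set()
    for cves in tracker.values():
        for cve_id, data in cves.items():
            rel = data.get("releases", {}).get(release)
            if rel is not None and rel.get("urgency") == "unimportant":
                found.add(cve_id)
    return sorted(found)


def cdb_list(cves: Iterable[str]) -> str:
    """Body of a Wazuh CDB list file: one "key:value" line per CVE."""
    return "".join(f"{cve}:unimportant\n" for cve in cves)


def suppression_rule(list_path: str, rule_id: int = 100500) -> str:
    """Level-0 child of rule 23506 (the Critical rule quoted in the thread).

    It matches when vulnerability.cve is a key in the CDB list, so the alert is
    dropped instead of raised at level 13. Rule id 100500 is a placeholder from
    the custom-rule range; pick one that is free on your manager.
    """
    return (
        '<group name="vulnerability-detector,">\n'
        f'  <rule id="{rule_id}" level="0">\n'
        '    <if_sid>23506</if_sid>\n'
        f'    <list field="vulnerability.cve" lookup="match_key">{list_path}</list>\n'
        '    <description>Ignored: Debian rates $(vulnerability.cve) as unimportant</description>\n'
        '  </rule>\n'
        '</group>\n'
    )


if __name__ == "__main__":
    ignored = unimportant_cves(TRACKER_SAMPLE, "buster")
    print(cdb_list(ignored), end="")
    print(suppression_rule("etc/lists/debian-unimportant"))
```

To use it, write the list body to the manager's etc/lists directory, register that file under <ruleset><list> in ossec.conf, put the rule in local_rules.xml and restart the manager so the list is compiled. Two caveats: the list only covers CVEs the tracker has explicitly rated for the release you pass (a CVE missing for that release stays at NVD severity), and Debian's "unimportant" is a judgment about Debian's own packages, so it should not be trusted for kernels or packages rebuilt locally from other sources.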

Proge

Mar 25, 2021, 2:39:44 PM
to Marcel Kemp, Wazuh mailing list
Hi,

This clarifies it and I understand that a trusted source needs to be used for the severity.

Thanks for the quick reply,
Progeth