VULNERABILITY DETECTOR - WINDOWS OS


Daniel Hinojo

Mar 1, 2021, 12:00:07 PM
to Wazuh mailing list
Good morning. Recently I have activated the vulnerability detector in my Wazuh 4.1 and in the Windows agents I observe the following:

I have an agent fully updated from Windows Update with the latest patches, and Wazuh tells me that there are several vulnerabilities, between critical and others. Reviewing CVE-2019-0736, I see that it is due to an update from the year 2019 (KB4512517) that is not installed on the computer. Reviewing the Windows doc at https://support.microsoft.com/es-es/topic/13-de-agosto-de-2019-kb4512517-compilaci%C3%B3n-del-so-14393-3144-3fb291ba-06c9-6128-36fb-33de8ec12109, I see that these updates are cumulative, so it should be included in the last update, which is February 9, 2021 — KB4601318 (OS Build 14393.4225). So does that mean it is a false positive? If so, how could it be handled with Wazuh in these cases? Please, if you could help me. Thank you.

Miguel E. Sanchez

Mar 1, 2021, 4:13:46 PM
to Daniel Hinojo, Wazuh mailing list

Hi Daniel,

Thanks for contacting us.

In order to troubleshoot this a little further, we would need you to provide us the alerts.json file that contains the event you are referencing.

This file is placed within the /var/ossec/logs/alerts/ directory.

Additionally, I provide you the documentation on how the Vulnerability Detection feature works:

https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how_it_works.html

Awaiting your response.

Miguel E. Sanchez

Wazuh, Inc.

Davide Bozzelli

Mar 2, 2021, 3:18:30 AM
to Miguel E. Sanchez, Daniel Hinojo, Wazuh mailing list
I can confirm this issue.
It seems that the Windows vuln manager is not able to resolve the patch deps (aka: old patches were merged into newer ones).



--
Got problems with Windows? - ReBooT
Got problems with Linux? - Be RooT

Daniel Hinojo

Mar 2, 2021, 9:09:12 AM
to Wazuh mailing list
Good morning. Then is it a vuln manager problem? In that case, what could I do in Wazuh so that those false positives do not appear to me? There are several, and most of them start with CVE-2019...

I have that doubt because I still have several computers with vulnerabilities according to Wazuh, but they are patched with the latest updates. What I have noticed is that they are old patches that are no longer available in the Windows Update catalog because they have already been replaced by other, more current ones, and those more current updates are installed on those computers. Please, if you could help me.

Attached is the vulnerability-detector configuration from the manager's ossec.conf.

Do you still need me to attach the alerts.json file?


  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <ignore_time>6h</ignore_time>
    <run_on_start>yes</run_on_start>
    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>yes</enabled>
      <os>stretch</os>
      <os>buster</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>

Miguel Eduardo Sanchez

Mar 4, 2021, 1:20:27 PM
to Wazuh mailing list
Hi Daniel,

I have investigated this internally and it seems to be a known problem that has been identified, and we are working to fix it.

The problem seems to be the KB4512517 patch, because it is not available in the Catalog and we cannot currently associate it directly with other patches due to lack of information from our providers (Catalog and Microsoft API).

However, after a little investigation about the case, I have noticed that there are patches in the Catalog that are supersedences of KB4512517. Some examples are the following: KB4565511, KB4561616, KB4571694...

Therefore, in order to solve this case, we have to implement a backward recursion search.
The good news is that this improvement is on our roadmap and we are working on it.

Hope you find this information handy.
Thanks for contacting us.

Daniel Hinojo

Mar 4, 2021, 2:41:36 PM
to Wazuh mailing list
Thanks, I understand that this is an improvement that will come when Wazuh is updated to another version.
As well as that KB, there are also others where the same thing happens in Windows. Could you then create a rule so that those false positives do not appear?
Another query: as I have been filled with vulnerability alerts of type 13, 12 and 10, is there a way to massively eliminate those alerts that have reached me on the server? I ask because every month I present a report and I do not want those false positives to appear on the console. Please, if you could guide me with these two questions.

Thanks  

Kpex

Mar 18, 2021, 12:28:26 PM
to Wazuh mailing list
Hello guys,
I've a similar problem with this CU: KB4593226, which was replaced by KB5000803, which I've installed, but Wazuh (vulnerability-detector) tells me that I haven't got the patch installed.

How can I resolve this?
Thanks in advance

Gen

Mar 19, 2021, 1:56:55 PM
to Wazuh mailing list
Hi,

I have a similar issue. I have 1 host that is showing a vulnerability for the missing patch KB3206632 (2016 update).

According to Microsoft (https://www.catalog.update.microsoft.com/Search.aspx?q=KB3206632) this is replaced by the following (amongst others):

KB4565511
KB4598243
KB4541329

All 3 of these are installed on the device that this vulnerability is being found for. When I look at inventory data for this host, I can see KB4565511 (7/13/2020 update) as installed (but not the other two).

It looks like the "replaced by" patches are not being considered properly for vulnerabilities existing in previous patches.

Any idea when this will be addressed?

Let me know if you need any further info.

Thanks,
Gen.

Miguel Eduardo Sanchez

Mar 23, 2021, 2:57:44 PM
to Wazuh mailing list

Hi Gen,

Indeed, with the MSU we currently have certain problems that cause it to be generated incomplete or out of date, causing false positives in Windows agents when doing a scan. Mainly they are the following two:

Microsoft periodically releases patches that contain other existing patches; if these newer patches are not collected in the MSU, it causes false positives to be generated. This is solved by updating the MSU that we have online at feed.wazuh.com periodically and automatically. Today we have just updated it, the last time being February 3, so many of those false positives must have disappeared.
The problem is that the process of updating the MSU is still manual, the roadmap is to automate this process to be able to upload the one we generate daily.

The other problem is that the MSU generation itself contains a bug that causes missing patches to be added. We are working on this as well.

Unfortunately, we cannot provide a release date for the fix until an official announcement is made.

Hope this information helps you.


Thanks for contacting us.

Miguel E. Sanchez
Wazuh Inc.

Gen

Jul 5, 2021, 11:23:49 AM
to Wazuh mailing list
Hi,

Is there any update on the above? Where can I follow the progress of these problems?

Thanks,
Gen.

Marcel Kemp

Jul 5, 2021, 12:46:04 PM
to Wazuh mailing list
Hi Gen,

The issue discussed in this thread was resolved in the following issue:

There, backward recursion has been implemented, which has resolved the old and new patches that previously did not have supersedence in our feed.

In the case of KB3206632, with an updated feed it already has all its supersedences, and this alert should not appear if the agent contains any of those patches (for example the 3 patches you mentioned above, or even one of the new cumulative patches that contain said patch, such as KB5001633).

To check if you have the updated MSU feed, you can run the following command in the manager:
sqlite3 /var/ossec/queue/vulnerabilities/cve.db "select sha256 from metadata;"

If the output shows you the following hash, then it is up to date:
c2587088ec16707f20631af1d7fbeb318cbd28c1e4044ae5baaac3cdcb38ab2b

And if this is the case, it should not show any of the previous cases if you have the agent updated with these patches (note that as of version 4.0, the MSU feed is automatically updated. Therefore, if you have an old version of Wazuh it is necessary to update it, and I also recommend updating to the latest available version, 4.1.5, because the vulnerability detector has been improved a lot).

If you still get false positives, then I recommend that you check the following issues for any of them:



If it is not any of the above cases then, could you send me the false positives that your agent contains?

If you have any questions, do not hesitate to ask.
Marcel
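The "backward recursion" Miguel says was needed and Marcel says was implemented is, in essence, a transitive walk of the catalog's "replaced by" relation: a required KB counts as present if it, or any KB that (transitively) supersedes it, is installed. The following is an added Python illustration, not Wazuh's code, using a constructed supersedence map built from the KBs quoted in this thread; the KB4565511 -> KB5001633 edge is assumed to show a multi-step chain.

```python
"""Transitive KB supersedence check, illustrating the false positives in this thread."""
from collections import deque

# Constructed supersedence map: KB -> set of KBs that replace it.
# Entries are taken from the examples quoted in the thread; in practice this
# relation comes from the Microsoft Update Catalog "replaced by" field.
SUPERSEDED_BY = {
    "KB4512517": {"KB4565511", "KB4561616", "KB4571694"},
    "KB3206632": {"KB4565511", "KB4598243", "KB4541329"},
    "KB4593226": {"KB5000803"},
    "KB4565511": {"KB5001633"},  # assumed edge, to exercise a multi-step chain
}


def satisfied_by(required_kb, installed_kbs, superseded_by=SUPERSEDED_BY):
    """Return the installed KB that satisfies required_kb, or None.

    Breadth-first walk from the required KB along "replaced by" edges. The
    visited set guards against cycles or duplicate catalog entries.
    """
    seen = {required_kb}
    queue = deque([required_kb])
    while queue:
        kb = queue.popleft()
        if kb in installed_kbs:
            return kb
        for newer in sorted(superseded_by.get(kb, ())):
            if newer not in seen:
                seen.add(newer)
                queue.append(newer)
    return None


def triage(required_kbs, installed_kbs, superseded_by=SUPERSEDED_BY):
    """Split a naive 'KB not installed' finding into real gaps and false positives.

    Returns (missing, false_positives) where false_positives maps the flagged
    KB to the installed KB that actually covers it.
    """
    naive_findings = [kb for kb in required_kbs if kb not in installed_kbs]
    missing, false_positives = [], {}
    for kb in sorted(naive_findings):
        hit = satisfied_by(kb, installed_kbs, superseded_by)
        if hit is None:
            missing.append(kb)
        else:
            false_positives[kb] = hit
    return missing, false_positives


if __name__ == "__main__":
    # Constructed inventory: Daniel's February 2021 CU plus Gen's KB4565511.
    print(triage(["KB4512517", "KB3206632", "KB4593226"], {"KB4601318", "KB4565511"}))
```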

Gen

Jul 6, 2021, 3:45:58 AM
to Wazuh mailing list
Hi Marcel,

Thanks for the detailed update.

It wasn't anything specific; I just wanted to confirm whether the issue was fixed, and it looks like it has been.

I checked the MSU update feed and have the latest hash. Also, Wazuh is running 4.1.5, so it all looks good!

Thanks!
Gen.