Critical vulnerabilities in Windows Server 2019


Tech Master

Aug 26, 2022, 6:54:29 AM
to Wazuh mailing list
Hello,
Yesterday afternoon I upgraded Wazuh Docker single node from v4.3.5 to v4.3.7.
I was looking at the various agents and I noticed that it is detecting anomalous vulnerabilities on VMs with Windows Server 2019.
They are always up to date, yet I see various critical alerts like this one: CVE-2019-1226.
It is obviously a very old vulnerability that is no longer present.

Chema Martinez

Aug 29, 2022, 3:14:52 AM
to Wazuh mailing list
Hi Tech Master,

Thank you for using Wazuh and reporting this behavior to us.

We are currently aware of a very similar problem in the vulnerability scanner with the Microsoft patches that solve this vulnerability. Please see this analysis for more details:

The Vulnerability Detector for Windows uses its own feed called MSU, which contains the relationship between the Microsoft Updates that solve all the indexed vulnerabilities. We have a lack of depth in the correlation of those Microsoft patches which may cause false positives in cases like the CVE-2019-1226.

We are currently working on issue #14523 to solve this correlation. Once it is solved, the online MSU will be updated and the issue will be solved without the need of upgrading the manager or the agents.

To verify this is the case that you are suffering, you can share with us the full list of installed Microsoft patches located in the Inventory tab in the UI for that agent. That way we could verify you have installed the fix of the mentioned vulnerability.

Best regards,
Chema.
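
Added illustration, not part of the thread and not Wazuh's code or the MSU feed format: how following the patch correlation to a limited depth can flag a fully updated host, and how to check an agent's installed patch list against it. It assumes the correlation is a chain of updates replacing earlier ones; the KB identifiers, the maps and the function names are constructed placeholders.

```python
from collections import deque

# Constructed sample data: the KB ids are placeholders, not real Microsoft updates.
FIXED_BY = {"CVE-2019-1226": {"KB0000001"}}   # CVE -> patches that fix it directly
REPLACED_BY = {                               # patch -> newer patches that replace it
    "KB0000001": {"KB0000002"},
    "KB0000002": {"KB0000003"},
    "KB0000003": {"KB0000004"},
}

def covering_patches(cve, max_depth=None):
    """Patches that fix `cve` directly or by replacing a patch that does.

    max_depth caps how many replacement hops are followed (None = follow all).
    """
    seen = set(FIXED_BY.get(cve, ()))
    queue = deque((kb, 0) for kb in seen)
    while queue:
        kb, depth = queue.popleft()
        if max_depth is not None and depth >= max_depth:
            continue
        for newer in REPLACED_BY.get(kb, ()):
            if newer not in seen:          # also guards against cycles in the feed
                seen.add(newer)
                queue.append((newer, depth + 1))
    return seen

def is_flagged(cve, installed, max_depth=None):
    """True when none of the installed patches is known to cover the CVE."""
    return covering_patches(cve, max_depth).isdisjoint(installed)

def classify(cve, installed, shallow_depth=1):
    """Compare a depth-limited correlation with the full one for one agent."""
    shallow = is_flagged(cve, installed, shallow_depth)
    full = is_flagged(cve, installed)
    if shallow and not full:
        return "false positive"            # flagged only because the walk stopped early
    return "vulnerable" if full else "patched"

if __name__ == "__main__":
    # An up-to-date host carries only the newest cumulative update.
    print(classify("CVE-2019-1226", {"KB0000004"}))
```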