Vulnerability Scan not picking up vulnerable software.


Matty Matt

May 3, 2024, 12:47:38 AM
to Wazuh | Mailing List

Can't figure out what I am doing wrong to be able to detect vulnerable versions of Foxit PhantomPDF.

GET /syscollector/010/packages

[screenshot: Picture1.png]

Added to /var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json

[screenshot: Picture2.png]

Modified the update_date in cpe_helper.json

systemctl stop wazuh-manager

sqlite3 /var/ossec/queue/vulnerabilities/cve.db "DELETE FROM METADATA WHERE TARGET='CPEW';"

sqlite3 /var/ossec/queue/db/010.db "UPDATE vuln_metadata SET LAST_FULL_SCAN = 0;"

systemctl start wazuh-manager

Wait for the scan to finish

GET /vulnerability/010

[screenshot: Picture3.png]

I can see various entries for Foxit in /var/ossec/queue/vulnerabilities/cve.db

[screenshots: Picture4.png, Picture5.png]

I just can't seem to get Wazuh to detect it. Am I just missing a step, or are my additions to cpe_helper.json not correct? Any help would be appreciated.

Thanks

John E

May 3, 2024, 5:22:11 AM
to Wazuh | Mailing List
Hello Matty,

Your entry in /var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json should look something like the following:

{
    "target": "windows",
    "source": {
        "vendor": [
            "Foxit Software Inc."
        ],
        "product": [
            "Foxit PhantomPDF"
        ],
        "version": []
    },
    "translation": {
        "vendor": [
            "foxitsoftware"
        ],
        "product": [
            "phantompdf"
        ],
        "version": []
    },
    "action": [
        "replace_vendor",
        "replace_product"
    ]
}

Matty Matt

May 6, 2024, 12:16:00 AM
to Wazuh | Mailing List
Hi John E,

I have struggled with mapping the NVD to the CPE file for a while now; even after reading the documentation several times, I just couldn't get it to work.

I finally understand it now, thanks to your example.

Many thanks

Matty

Matty Matt

May 6, 2024, 6:17:59 AM
to Wazuh | Mailing List
Hi John E,

I may have jumped the gun. I am trying to add Foxit version 12.1; this is what I have at the moment:

[screenshot: foxit-12-a.png]

If I search the NVD database for a match, I get this:

[screenshot: Foxit-NVD.png]
So I modify the cpe_helper.json file to the following:

[screenshot: Foxit-12.png]

Searching the cve.db I can see Foxit PDF Editor.

[screenshot: foxit_cve.png]

But if I query the agent for vulnerabilities, I get no vulnerabilities found.

I've looked at the cpe_helper.json file, and I don't see an example where one vendor name maps to two vendor translations. I've tried replace_vendor and replace_vendor_if_matches (like the Skype example).

Am I still doing something wrong?

Again, any pointers you can provide are greatly appreciated.

Thanks
Matty

John E

May 7, 2024, 1:27:43 AM
to Wazuh | Mailing List
Hello Matty,

Looking into this, will provide a response shortly.

John E

May 7, 2024, 5:30:11 AM
to Wazuh | Mailing List
Hello Matty,

Alright, so I tried to replicate this, although I was only able to install Foxit PDF Editor.
Something to note is that the format of the CPE reported by NVD must match the name and version in the system inventory.
The version reported for your Foxit PDF Editor is 12.1.3.15356, and this does not explicitly match any vulnerable version in the NVD database.
The summary shows that the issue was fixed in 12.1.2, and you have a newer version.
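As an added illustration (not code from this thread or from Wazuh) of the two points John E's replies make: how a cpe_helper.json entry with replace_vendor/replace_product turns the inventory's vendor and product into the CPE vendor:product that cve.db is keyed on, and why 12.1.3.15356 cannot match an advisory whose fix version is 12.1.2. The matching and version comparison are a simplified re-implementation written for this example, not the scanner's own logic; the dictionary entry is a constructed copy of the one posted above.

```python
import json
import re

# Constructed cpe_helper.json-style entry, copied from the one posted in this thread.
CPE_HELPER_ENTRY = json.loads("""
{ "target": "windows",
  "source": {"vendor": ["Foxit Software Inc."], "product": ["Foxit PhantomPDF"], "version": []},
  "translation": {"vendor": ["foxitsoftware"], "product": ["phantompdf"], "version": []},
  "action": ["replace_vendor", "replace_product"] }
""")


def translate(entry, vendor, product):
    """Apply replace_vendor / replace_product as the dictionary describes them.

    Simplified illustration, not Wazuh's implementation: the entry only applies
    when the inventory vendor and product both appear in its "source" lists, and
    only the two actions used in the entry above are handled.
    """
    src, tr, actions = entry["source"], entry["translation"], entry["action"]
    if vendor not in src["vendor"] or product not in src["product"]:
        return None  # entry does not apply to this package; no CPE produced
    if "replace_vendor" in actions:
        vendor = tr["vendor"][0]
    if "replace_product" in actions:
        product = tr["product"][0]
    return f"cpe:/a:{vendor}:{product}"


def version_tuple(version):
    """'12.1.3.15356' -> (12, 1, 3, 15356): numeric, component-wise ordering."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(installed, fixed_in):
    """Vulnerable only if the installed version sorts strictly below the fix version.

    A fourth build component (e.g. 12.1.3.15356) still sorts after 12.1.2, so the
    inventory version in this thread does not fall inside the vulnerable range.
    """
    return version_tuple(installed) < version_tuple(fixed_in)


if __name__ == "__main__":
    print(translate(CPE_HELPER_ENTRY, "Foxit Software Inc.", "Foxit PhantomPDF"))
    print(is_vulnerable("12.1.3.15356", "12.1.2"))  # False: newer than the fix
    print(is_vulnerable("12.1.1.0", "12.1.2"))      # True: older than the fix
```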