Wazuh 3.6 vulnerability scanner still picking up kernel false positives - config problem on my end?


lu...@kuhlu.com

Sep 6, 2018, 7:01:42 AM
to Wazuh mailing list
Hi All,

I've upgraded to 3.6 after having some false positives reported by the vulnerability detector because it wasn't checking system architecture. 3.5 was released to fix this and, from the community's reaction, it has fixed the problem. However, I'm still getting the same false positives and could use some help.

I'm using the standard rules for Wazuh. No custom rules to ignore kernel warnings. 

Here is my manager wodle config: 

  <wodle name="vulnerability-detector">
    <disabled>no</disabled>
    <interval>1m</interval>
    <run_on_start>yes</run_on_start>
    <feed name="ubuntu-16">
      <disabled>no</disabled>
      <update_interval>45m</update_interval>
    </feed>
    <feed name="ubuntu-14">
      <disabled>no</disabled>
      <update_interval>45m</update_interval>
    </feed>
    <feed name="redhat-7">
      <disabled>no</disabled>
      <update_interval>1h</update_interval>
    </feed>
    <feed name="redhat-6">
      <disabled>no</disabled>
      <update_interval>1h</update_interval>
    </feed>
    <feed name="debian-9">
      <disabled>no</disabled>
      <update_interval>1h</update_interval>
    </feed>
  </wodle>


Agent config:

  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <packages>yes</packages>
  </wodle>


This is the only reference to the vulnerability scanner I see in the Wazuh logs on restart:

2018/09/06 10:36:27 wazuh-modulesd:vulnerability-detector: INFO: (5461): Starting Ubuntu Xenial database update...

My Ubuntu Xenial servers do not report any kernel vulnerabilities, but I don't think they were before upgrading from 3.2 to 3.5 and then to 3.6. However, all the CentOS and RHEL servers are reporting kernel vulnerabilities, even though all their kernels are updated.

What am I missing? I have a sinking feeling it's something obvious....... :) 

Thanks!

Cristóbal López

Sep 7, 2018, 7:03:53 AM
to Wazuh mailing list
Hi Luke,

The possibilities for Wazuh to report false positives are as follows:
  • If you are using CentOS, and you see vulnerabilities in packages that you can not update anymore (such as kernel), it is probably because you actually have those vulnerabilities, but the patches Red Hat has released haven't reached CentOS yet.
  • Red Hat's OVAL may have been generated with errors. You can see an example where the architecture check has been badly generated in this thread.
  • Another type of issue of which we have no record.
Can you share any of the alerts you mention?

Best regards,
Cristobal Lopez.

lu...@kuhlu.com

Sep 8, 2018, 11:32:42 AM
to Wazuh mailing list
Hi Cristobal,

On a newly installed, completely updated RHEL 7.5 server, I get 107 vulnerability warnings. Here is one which clearly should not apply: 
{
  "_index": "wazuh-alerts-3.x-2018.09.08",
  "_type": "wazuh",
  "_id": "ZETCuWUBXyiT_SHuWG3r",
  "_version": 1,
  "_score": null,
  "_source": {
    "data": {
      "vulnerability": {
        "severity": "Medium",
        "state": "Fixed",
        "updated": "2017-11-06",
        "package": {
          "patch": "RHSA-2018:0654-01",
          "cvss3": "6.2/CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "name": "kernel-headers",
          "condition": "less than 0:4.14.0-49.el7a",
          "cvss2": "4.9/AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "version": "3.10.0-862.11.6.el7"
        },
        "published": "2017-11-06",
        "title": "RHSA-2018:0654: kernel-alt security, bug fix, and enhancement update (Important)",
        "cve": "CVE-2017-15306"
      }
    },
    "path": "/var/ossec/logs/alerts/alerts.json",
    "rule": {
      "description": "RHSA-2018:0654: kernel-alt security, bug fix, and enhancement update (Important)",
      "gdpr": [
        "IV_35.7.d"
      ],
      "id": "23504",
      "level": 7,
      "firedtimes": 40,
      "groups": [
        "vulnerability-detector"
      ],
      "mail": false
    },
    "manager": {
      "name": "removed-name"
    },
    "id": "1536419845.30276063",
    "decoder": {
      "name": "json"
    },
    "location": "vulnerability-detector",
    "@timestamp": "2018-09-08T15:17:25.820Z",
    "agent": {
      "id": "033",
      "name": "removed-name"
    }
  },
  "fields": {
    "data.vulnerability.published": [
      "2017-11-06T00:00:00.000Z"
    ],
    "@timestamp": [
      "2018-09-08T15:17:25.820Z"
    ],
    "data.vulnerability.updated": [
      "2017-11-06T00:00:00.000Z"
    ]
  },
  "sort": [
    1536419845820
  ]
}


I can't figure out if the problem is in the OVAL or somewhere else. 

Thanks,

Cristóbal López

Sep 11, 2018, 7:54:57 AM
to Wazuh mailing list
Hi Luke,

Sorry for the late response. We found the reason for the false positive thanks to the information you provided. The packages are being reported as vulnerable because they have not been updated with a patch that fixes some CVEs that your system does have. In your case, RHSA-2018:0654.

It is an issue that only affects detections in Red Hat (patch definitions) because the syntax of its OVAL is different from Ubuntu and Debian (vulnerability definitions). We have opened an issue to fix it in an upcoming release.

We appreciate your feedback.

Best regards,
Cristobal Lopez.
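The alert quoted above and the explanation that follows it can be reproduced with a small triage script. This is an added example, not Wazuh's code: it implements a simplified RPM EVR comparison (no tilde/caret handling) and a dist-tag heuristic I assume for this check, applied to the fields of the quoted alert. A plain "less than" comparison says 3.10.0-862.11.6.el7 is older than 0:4.14.0-49.el7a, which is why the package is flagged, while the differing dist tags (el7 vs el7a) mark the fixed version as coming from a different package stream, matching the kernel-alt title of the advisory.

```python
import json
import re

# Constructed sample: the relevant fields of the alert quoted in the thread.
ALERT = json.loads("""{"data": {"vulnerability": {"package": {
  "name": "kernel-headers", "condition": "less than 0:4.14.0-49.el7a",
  "version": "3.10.0-862.11.6.el7"},
  "title": "RHSA-2018:0654: kernel-alt security, bug fix, and enhancement update (Important)",
  "cve": "CVE-2017-15306"}}}""")

def _segments(s):
    # Like rpmvercmp: alternating runs of digits and letters; separators are dropped.
    return re.findall(r"\d+|[a-zA-Z]+", s)

def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp (simplified: no tilde/caret support)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1  # a numeric segment is newer than an alpha one
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1  # leftover segments win
    return 0

def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch, version = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, _, release = version.partition("-")
    return int(epoch), version, release

def evr_cmp(a, b):
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def dist_tag(release):
    """Heuristic (assumption): trailing dist tag such as 'el7' or 'el7a', else ''."""
    m = re.search(r"\.(el\d+[a-z]*)$", release)
    return m.group(1) if m else ""

def triage(alert):
    """Evaluate the 'less than' condition and flag a dist-tag mismatch for review."""
    pkg = alert["data"]["vulnerability"]["package"]
    op, _, fixed = pkg["condition"].rpartition(" ")
    if op != "less than":
        raise ValueError("unsupported condition: " + pkg["condition"])
    below_fix = evr_cmp(pkg["version"], fixed) < 0
    same_tag = dist_tag(parse_evr(pkg["version"])[2]) == dist_tag(parse_evr(fixed)[2])
    return {"version_below_fix": below_fix, "same_dist_tag": same_tag,
            "needs_review": below_fix and not same_tag}
```

Running triage(ALERT) reports version_below_fix as True and same_dist_tag as False, so the alert is marked for review rather than taken at face value.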

Luke Salsich

Sep 11, 2018, 11:01:42 AM
to cris...@wazuh.com, wa...@googlegroups.com
Hi Cristobal,

Thanks for looking into this. I appreciate it and look forward to a patch.

Sincerely,

--
Luke Salsich
Technology Director
Kuhlu LLC
lu...@kuhlu.com
(774) 224-0860