Windows OVAL Definition for CVE-2021-41338 False Positive Issue #1923

Closed
l4s09 opened this issue Sep 23, 2022 · 1 comment


l4s09 commented Sep 23, 2022

Hello,

This is regarding Windows OVAL Definition for CVE-2021-41338 - Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability.

Microsoft indicates that this firewallAPI.dll has two binary versions depending on the location, System32 or WoW64. The issue is that OVAL checks only the version number regardless of its location.

For example:

Microsoft indicates that Windows Server 2016 is vulnerable if:

The firewallapi.dll version in the “%WinDir%\System32” directory is less than 10.0.14393.4169.
OR
The firewallapi.dll version in the “%WinDir%\sysWoW64” directory is less than 10.0.14393.4704.

However, Windows OVAL Definition simply indicates that Windows Server 2016 is vulnerable if the firewallAPI.dll version is less than 10.0.14393.4704. Therefore, it marks a server running Windows Server 2016 as vulnerable to this CVE-2021-41338 because the firewallapi.dll version in the “%WinDir%\System32” directory is less than 10.0.14393.4704.

I’ve attached the section of the Windows OVAL Definition containing this vulnerability for your reference.

Can someone please provide me with a way to remediate this?

Your help will be much appreciated.

Thank you.

CVE-2021-41338.txt
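
The location-blind comparison described in this post, next to a per-directory one, as an added example (not from the issue or the OVAL repository). The thresholds are the Windows Server 2016 values quoted above; the host inventories and function names are constructed for illustration.

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'10.0.14393.4169' -> (10, 0, 14393, 4169), so fields compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

# Fixed versions per directory, as quoted in the issue (Windows Server 2016).
FIXED_BY_DIR: Dict[str, Version] = {
    "system32": parse_version("10.0.14393.4169"),
    "syswow64": parse_version("10.0.14393.4704"),
}
# The single threshold the issue says the definition applies to every copy.
FLAT_FIXED = parse_version("10.0.14393.4704")

Inventory = Dict[str, Optional[str]]  # directory name -> file version, None if absent

def flat_check(found: Inventory) -> bool:
    """Location-blind: any firewallapi.dll below the one threshold is 'vulnerable'."""
    return any(parse_version(v) < FLAT_FIXED for v in found.values() if v)

def path_aware_check(found: Inventory) -> bool:
    """Compare each copy against the threshold for the directory it lives in."""
    for directory, version in found.items():
        if version is None:          # e.g. no 32-bit copy present
            continue
        key = directory.lower()
        if key not in FIXED_BY_DIR:
            raise ValueError(f"no threshold known for directory {directory!r}")
        if parse_version(version) < FIXED_BY_DIR[key]:
            return True
    return False

# Constructed inventories of firewallapi.dll versions (not real scan output).
PATCHED = {"System32": "10.0.14393.4169", "SysWOW64": "10.0.14393.4704"}
UNPATCHED = {"System32": "10.0.14393.4000", "SysWOW64": "10.0.14393.4000"}

if __name__ == "__main__":
    for name, host in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        print(name, "flat:", flat_check(host), "path-aware:", path_aware_check(host))
```

On the constructed patched host the flat check reports vulnerable while the per-directory check does not, which is the false positive reported here.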

l4s09 changed the title from "Windows OVAL Definition for CVE-2012-41338 False Positive Issue" to "Windows OVAL Definition for CVE-2021-41338 False Positive Issue" on Oct 7, 2022
@JanCooper
Contributor

Hi @l4s09,
The OVAL repo is updated predominantly through cooperation within the OVAL Community, and CIS relies on contributors with appropriate expertise to manage vulnerabilities such as CVE-2021-41338. The repo's main Windows Vulnerability contributor has not had the opportunity to make updates recently, but my understanding is they do intend to resume making submissions. Unfortunately, I am unsure of the timeframe in which that can happen.

Please see the Contributing README, if you would like to contribute yourself. Another option is to submit your concerns to the OVAL Repository Mailing List. It is possible someone on that list can provide the necessary updates.

I hope this information is helpful.

Jan
