Surface macOS and Windows OS vulnerabilities #4345

Closed
13 tasks
GuillaumeRoss opened this issue Feb 24, 2022 · 31 comments
Assignees
Labels
customer-rialto customer-rosner customer-ufa #g-endpoint-ops Endpoint ops product group :product Product Design department (shows up on 🦢 Drafting board) prospect-dubner story A user story defining an entire feature ~vulnerability-management
Milestone

Comments

@GuillaumeRoss
Contributor

GuillaumeRoss commented Feb 24, 2022

Goal

User story
As a vulnerability management engineer integrating with Fleet,
I want to see macOS and Windows versions installed and which of those are vulnerable across my hosts
so that I can know which versions of macOS and Windows have vulns.

Changes

Product

  • Vulnerability changes: Detect vulnerabilities (CVEs) for the software inventory Fleet collects on macOS 13 and 14, Windows 10 and 11, and Windows Server 2012, 2016, 2019, and 2022
  • UI changes: Figma
  • Vulnerability automation changes:
    • Create Jira and Zendesk tickets for OS vulnerabilities (CVE). The title, description, and content of the tickets are the same as those used for software vulnerabilities.
    • Fire webhooks for OS vulnerabilities. The webhook payload looks like this:
{
  "timestamp": "0000-00-00T00:00:00Z",
  "vulnerability": {
    "cve": "CVE-2014-9471",
    "details_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-36913",
    "epss_probability": 0.7,
    "cvss_score": 5.7,
    "cisa_known_exploit": true,
    "cve_published": "2014-10-10T00:00:00Z",
    "hosts_affected": [
      {
        "id": 1,
        "display_name": "DELL-123",
        "url": "https://fleet.example.com/hosts/1"
      },
      {
        "id": 2,
        "display_name": "DELL-223",
        "url": "https://fleet.example.com/hosts/2"
      }
    ]
  }
}
  • REST API changes: Draft PR
  • Outdated documentation changes:
    • REST API docs (see PR linked above)
    • Vulnerability processing docs
  • Changes to paid features or tiers:
    • Premium users have access to all OS vulnerability data
    • Free users get the CVE ID for each OS vulnerability

Engineering

  • Database schema migrations: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

Context

  • Requestor(s): _________________________

QA

Risk assessment

  • Requires load testing: Yes. Check resource impacts during vulnerability scanning. Possibly more load on database due to adding OS Vulns.
  • Risk level: Low / High TODO
  • Risk description: In addition to testing OS Vulnerabilities, this feature may affect existing Software Vulnerability scanning

Manual testing steps

OS Vulns: Windows 10+, Windows Server 2012+, macOS 13+

Test Software Vulnerabilities for regressions.

Testing notes

Detailed Test Plan: https://docs.google.com/document/d/1v5-r2TJXLkv2U1hMxLNDi-dzJuXIdq2Ptm_WQS1y-aE/edit?usp=sharing

Confirmation

  1. Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. QA (@____): Added comment to user story confirming successful completion of QA.
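
The webhook payload above is what an external system receives for each OS vulnerability. As an added example (not Fleet's code and not part of the issue), here is a receiver-side parser in Python that validates a body in that shape, dedupes hosts on retried deliveries, and assigns a triage bucket from the optional scoring fields. The sample payload is constructed for this example; the `priority` thresholds and the `P1`-`P4` labels are assumptions. Because free-tier users only get the CVE ID (see "Changes to paid features or tiers"), every score field is treated as optional.

```python
import json
import re

# Constructed sample in the payload shape the issue describes (not real Fleet output).
# The duplicated host simulates a retried delivery that must not be double-counted.
SAMPLE_PAYLOAD = """
{
  "timestamp": "2024-02-17T12:00:00Z",
  "vulnerability": {
    "cve": "CVE-2014-9471",
    "details_link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9471",
    "epss_probability": 0.7,
    "cvss_score": 5.7,
    "cisa_known_exploit": true,
    "cve_published": "2014-10-10T00:00:00Z",
    "hosts_affected": [
      {"id": 1, "display_name": "DELL-123", "url": "https://fleet.example.com/hosts/1"},
      {"id": 2, "display_name": "DELL-223", "url": "https://fleet.example.com/hosts/2"},
      {"id": 2, "display_name": "DELL-223", "url": "https://fleet.example.com/hosts/2"}
    ]
  }
}
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
REQUIRED = ("cve", "details_link", "hosts_affected")


def priority(vuln):
    """Triage bucket from the optional scoring fields (thresholds are assumptions).

    Free-tier payloads carry only the CVE ID, so every score may be absent;
    `or 0` treats a missing score as unknown-low instead of crashing.
    """
    if vuln.get("cisa_known_exploit"):
        return "P1"   # listed in CISA's Known Exploited Vulnerabilities catalog
    if (vuln.get("cvss_score") or 0) >= 7.0:
        return "P2"
    if (vuln.get("epss_probability") or 0) >= 0.5:
        return "P3"
    return "P4"


def parse_os_vuln_webhook(raw):
    """Validate one webhook body and return a triage record.

    Raises ValueError for anything structurally wrong, so a receiver can
    answer with a 4xx instead of enqueueing a malformed event.
    """
    body = json.loads(raw)
    vuln = body.get("vulnerability")
    if not isinstance(vuln, dict):
        raise ValueError("payload has no 'vulnerability' object")
    missing = [k for k in REQUIRED if k not in vuln]
    if missing:
        raise ValueError(f"vulnerability missing fields: {missing}")
    cve = vuln["cve"]
    if not CVE_RE.fullmatch(cve):
        raise ValueError(f"malformed CVE id: {cve!r}")

    warnings = []
    # The details link should reference the same CVE; flag a mismatch rather
    # than silently sending responders to the wrong advisory.
    if not vuln["details_link"].endswith(cve):
        warnings.append("details_link does not reference the CVE in 'cve'")

    # Dedupe by host id: a redelivered or duplicated entry must count once.
    hosts = {}
    for h in vuln["hosts_affected"]:
        if "id" not in h or "url" not in h:
            raise ValueError(f"host entry missing id/url: {h!r}")
        hosts[int(h["id"])] = {"name": h.get("display_name", ""), "url": h["url"]}

    return {
        "cve": cve,
        "priority": priority(vuln),
        "hosts": [hosts[i] for i in sorted(hosts)],
        "warnings": warnings,
    }


if __name__ == "__main__":
    rec = parse_os_vuln_webhook(SAMPLE_PAYLOAD)
    print(rec["cve"], rec["priority"], [h["name"] for h in rec["hosts"]], rec["warnings"])
```

The `warnings` list exists because the issue's own sample pairs a `cve` of one year with a `details_link` for another; a consumer that checks the two agree catches that class of mistake before a ticket is opened with the wrong link.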
@noahtalerman
Member

Mike McNeil: Currently, I can see I’m on Mac 11.5.2, but unclear whether there’s a new version available that I should/could be on

@noahtalerman noahtalerman moved this to 🥚 Prioritized in ⚗️ Roadmap May 11, 2022
@noahtalerman noahtalerman added ~legacy-interface-product-group Associated with the legacy "interface" product group. (No longer exists) :wireframe (Fleet core product) and removed #legacy-platform-group Legacy: platform group labels May 11, 2022
@noahtalerman noahtalerman self-assigned this May 11, 2022
@noahtalerman
Member

Notify these folks when this issue makes it into a planned release or is de-prioritized:

  • @tguada

This improvement was prioritized (committed to release in the next 6 weeks) during 🗣 Product office hours on 2022-05-10.

@noahtalerman noahtalerman added the ~customer request A prioritized, customer feature request. Has ≥ 1 customer codename label(s) label May 17, 2022
@noahtalerman noahtalerman changed the title Show operating system vulnerabilities Operating system vulnerabilities Jun 29, 2022
@noahtalerman
Member

@tgauda heads up, this improvement is being de-prioritized. Please feel free to bring this issue to a future Product office hours to discuss reprioritizing.

The "Expansion of host vitals" epic (#397) will likely fill interface capacity for the next 6 weeks.

@benatsb

benatsb commented Jun 29, 2022

That is unfortunate, but is there a chance it'll be picked back up after the next 6 weeks?

I'm very interested in OSQuery/Fleet and what you're doing with vulnerability management checking. A huge piece for us, though, has been missing: Windows hotfix/OS information in that category.

@noahtalerman
Member

is there a chance it'll be picked back up after the next 6 weeks?

Yes, it's very possible this improvement is prioritized 6 weeks down the road.

A huge piece for us though has been missing in Windows hotfix/OS

@benatsb a related "See unsupported Windows versions" issue will be addressed in the next 6 weeks: #6428

Will this expansion of Windows versions achieve the use case you're thinking of? This expansion includes the ability to see the number of hosts with a specific Windows version for example "Windows 10 Pro, version 21H2".

@benatsb

benatsb commented Jun 29, 2022

Will this expansion of Windows versions achieve the use case you're thinking of? This expansion includes the ability to see the number of hosts with a specific Windows version for example "Windows 10 Pro, version 21H2".

@noahtalerman, no, but enhanced vital statistics will always be helpful.

I just tried to look up a more specific example, but the CPE 2.3 information for windows_10 didn't have specific version/hotfix references. They only referenced a major OS version (i.e. 20H2). However, the primary information I'm looking for would be any Windows entity that has an operating system vulnerability, to show in the same vuln pane/endpoint as applications. That vuln value would be based on the Windows major OS version or a KB patch on that system. The CPE data lookup in the CVE information, which is what I'm assuming is happening to find vulnerabilities, looks for the major OS or minor version, I think. If that information could be exposed the same way application vulns are, that would be ideal, without having to wrap more logic on top of osquery ourselves.

@noahtalerman
Member

noahtalerman commented Jun 30, 2022

any Windows entity that has an operating system vulnerability

@benatsb I think I understand.

It would be valuable if "Windows 10 Pro, version 21H2" (example) shows up as vulnerable in Fleet. Is this correct?

@benatsb

benatsb commented Jul 6, 2022

@noahtalerman, kind of... but possibly much more. I think an example might be better. Recently we had a CVE, CVE-2022-30190, disclosed. If there was a way to determine which Windows endpoints were affected and when they are not/have been remediated, that's the end goal. How you get there I'm not 100% sure.

The NIST site shows CPE statements affecting all Windows versions, major or minor. Not sure if CPE lines are what is used to identify vulns.
https://nvd.nist.gov/vuln/detail/CVE-2022-30190

In contrast, the MS guidance shows the remediation hotfix KB numbers. So, if a hotfix is found, we can know that the remediation was installed, even though, apparently, the major OS version is affected.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190

I'm not sure how the CPE definitions work, or if there is more work associated with determining if a Windows OS version is vulnerable. I know if you're doing it manually, you're looking at the major OS and minor OS version first. Then you look at a KB/hotfix installation that matches the remediation for the vuln. Then you will know if the vuln affects your endpoints.

Our current vuln scanning product is able to parse the OS version and hotfixes to determine if an operating system is vulnerable to a CVE.

@benatsb

benatsb commented Jul 6, 2022

With that being said, knowing the hotfixes installed, as well as the Windows major and minor versions, would be helpful of course.

At the end of the day, for a vuln scanning tool, you don't necessarily want to write custom queries for each well-known Windows vuln every time a new vuln is disclosed. Ideally the scanning tool can pick up a new CVE and identify the systems that are affected and un-remediated.

Of course, the power of OSQuery/Fleet is making that information queryable to a large extent across all endpoints.

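The two-step manual procedure described in the comments above (match major and minor OS version, then look for the remediating KB) as an added Python example; this is not Fleet's implementation and not code from the thread. Every CVE, KB and build number below is a constructed placeholder, and the `WindowsHost`/`OSAdvisory` shapes are assumptions. The example also goes one step beyond the thread: because Windows cumulative updates supersede earlier ones, a host that took a later LCU is treated as remediated even when the exact fix KB is absent from its hotfix list, which avoids false "vulnerable" results from KB-only matching.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WindowsHost:
    name: str
    product: str          # "Windows 10", "Windows Server 2019", ... (the major version)
    release: str          # feature release such as "21H2" (the thread's "minor version")
    build: tuple          # (build, UBR) as winver shows it, e.g. (19044, 1706)
    hotfixes: frozenset   # installed KB ids, as osquery's `patches` table lists them


@dataclass(frozen=True)
class Fix:
    kb: str               # cumulative update that remediates the CVE on this release
    min_build: tuple      # (build, UBR) that update installs; later LCUs supersede it


@dataclass(frozen=True)
class OSAdvisory:
    cve: str
    fixes: dict           # (product, release) -> Fix; releases not listed are not affected


def assess(host, adv):
    """Return 'not_affected', 'remediated' or 'vulnerable' for one host and one advisory."""
    fix = adv.fixes.get((host.product, host.release))   # step 1: major + minor version
    if fix is None:
        return "not_affected"
    # step 2: the fix KB itself, or any later cumulative update (which contains it)
    if fix.kb in host.hotfixes or host.build >= fix.min_build:
        return "remediated"
    return "vulnerable"


def report(hosts, adv):
    """Group host names by status so the 'vulnerable' bucket can be ticketed."""
    out = defaultdict(list)
    for h in hosts:
        out[assess(h, adv)].append(h.name)
    return dict(out)


# Constructed advisory: placeholder CVE, KB and build numbers, not a real Microsoft release.
ADVISORY = OSAdvisory(
    cve="CVE-0000-0000",
    fixes={
        ("Windows 10", "21H2"): Fix("KB5000001", (19044, 1766)),
        ("Windows 10", "20H2"): Fix("KB5000002", (19042, 1766)),
        ("Windows Server 2019", "1809"): Fix("KB5000003", (17763, 3046)),
    },
)

# Constructed fleet covering each outcome.
HOSTS = [
    WindowsHost("WS-01", "Windows 10", "21H2", (19044, 1706), frozenset({"KB5000001"})),  # fix KB present
    WindowsHost("WS-02", "Windows 10", "21H2", (19044, 1706), frozenset()),               # unpatched
    WindowsHost("WS-03", "Windows 10", "21H2", (19044, 1889), frozenset({"KB5009999"})),  # later LCU supersedes
    WindowsHost("WS-04", "Windows 11", "21H2", (22000, 778), frozenset()),                # release not in advisory
    WindowsHost("SRV-01", "Windows Server 2019", "1809", (17763, 3000), frozenset()),     # unpatched server
]

if __name__ == "__main__":
    for status, names in sorted(report(HOSTS, ADVISORY).items()):
        print(f"{ADVISORY.cve} {status}: {', '.join(names)}")
```

The advisory is keyed on product and release only, not on CPU architecture, which matches the decision later in this thread to present x64 and ARM builds of the same Windows version as one OS item. The `not_affected` result only means the release is absent from this advisory's fix table; in practice that table must be populated from the vendor guidance for every CVE, which is exactly the per-CVE curation the commenter is hoping the scanner will absorb.
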
@noahtalerman
Member

@benatsb thanks a ton for this feedback and pointing us to the example CVE. This makes a lot of sense.

Of course, the power of OSQuery/Fleet is making that information queryable to a large extent across all endpoints.

Agreed.

@zayhanlon zayhanlon added customer-ufa customer-rialto ~feature fest Will be reviewed at next Feature Fest labels Oct 31, 2023
@noahtalerman
Member

Feature fest: This story is almost a duplicate of the macOS vulns story here: #14072

I'd prefer if we close this story in favor of the above. Take a small bite (macOS) first and then do more OSes later.

@noahtalerman noahtalerman added :product Product Design department (shows up on 🦢 Drafting board) and removed :product Product Design department (shows up on 🦢 Drafting board) labels Dec 22, 2023
@lukeheath lukeheath added the ~assisting g-endpoint-ops This is an Endpoint ops bug and the MDM team is assisting label Dec 22, 2023
@noahtalerman
Member

noahtalerman commented Dec 22, 2023

Rachael, can you please take a look at the webhook payload, Jira tickets, and Zendesk tickets to see if we need to make any changes for OS vulnerabilities?

@rachaelshaw and @mostlikelee I took a look at this. For OS vulnerabilities, we don't want to include software_installed_paths in the webhook payload. The Jira and Zendesk tickets should be identical to the tickets created for software vulnerabilities.

I updated the issue description to reflect this.

I removed the issue from the drafting board now that we have clarity.

@noahtalerman noahtalerman removed the :product Product Design department (shows up on 🦢 Drafting board) label Dec 22, 2023
@noahtalerman
Member

FYI @sharon-fdm on updates to the changes we're making as part of this story^^

@noahtalerman
Member

Hey @mostlikelee and @lucasmrod I think let's go w/ the solution where we group different architectures into the same "OS item" unless we see evidence of unique CVEs for a specific architecture.

This means Windows 10, Version X.Y.Z for x64 and Windows 10, Version X.Y.Z for ARM will be represented in the Fleet UI and API as 1 item: Windows 10, Version X.Y.Z.

In Fleet, Windows 10, Version X.Y.Z will have the CVEs for both Windows 10, Version X.Y.Z for x64 and Windows 10, Version X.Y.Z for ARM.

If you think we should go the other direction, and have these be unique OS items in Fleet, let's hop on a call.

cc @xpkoala

@lukeheath lukeheath removed #g-mdm MDM product group ~assisting g-endpoint-ops This is an Endpoint ops bug and the MDM team is assisting labels Jan 22, 2024
mostlikelee added a commit that referenced this issue Jan 24, 2024
#4345 

This backend feature branch includes the following PRs:

macOS Vuln Matching:
#15837 
#15990 
#16077 

Bugs / Issues:
#16004
#15905
#16226 

Windows Vuln Matching
#16047 
#16049 
#16085 
#16099 

API:
#16215
@lukeheath lukeheath added :product Product Design department (shows up on 🦢 Drafting board) and removed :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. labels Feb 6, 2024
@rachaelshaw
Member

C&C: @rachaelshaw fix conflicts & merge #15492

@Patagonia121 this was shipped in 4.44

rachaelshaw added a commit that referenced this issue Feb 17, 2024
Updates "Get host OS versions" endpoint to include vulnerabilities
(#4345)

---------

Co-authored-by: Tim Lee <timlee@fleetdm.com>
@fleet-release
Contributor

Vulnerabilities,
Windows, macOS, become clear.
Fleet's light guides us through.
