The refactored vulnerability scanner should consider the generic CPEs for "running on" configurations from NVD #23149
Comments
I didn't analyze them all, but I have some logs that may help you with this issue.

Thanks, @MiguelazoDS! It really helps. I'm trying to finish the design solution proposal. I found a little block with the target branch, @sebasfalcone, if this issue is for I'm suffering a little block with the design; I'm trying to fix it ASAP. Fortunately, the content is sanitized, so a big part of the work is done.

@GabrielEValenzuela Moved to 4.9.0
Design Proposal: Add CPE for Generic OS and Platform (v1.0.2)

1. Introduction

This proposal outlines the plan to integrate Common Platform Enumeration (CPE) for generic operating systems and platforms within our system. The objective is to enhance the capability of our system to accurately identify and categorize different OS and platform configurations, especially in cases where vulnerabilities have a generic Windows CPE as a condition.

2. Background

The legacy vulnerability detector did not account for cases where a CVE had a generic Windows CPE, resulting in inaccurate vulnerability detection. This issue arises because the current CPE generation process is a 1:1 transformation from OS data, which doesn't handle generic cases. For example, vulnerabilities like

Common Platform Enumeration (CPE) is a standardized method used for identifying classes of applications, operating systems, and hardware devices present in an organization's computing environment. By incorporating CPE, we aim to improve our system's efficiency in managing and tracking these components.

Known Affected Software Configurations

This section of the vulnerability detail page shows what software or combinations of software are considered vulnerable at the time of analysis. The NVD uses the CPE 2.3 specification when creating these applicability statements and the matching CPE Name(s). Applicability statements communicate which products are vulnerable in a relatively flexible syntax, primarily designed for machine processing.

Configurations:
CPE Structure: cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>
3. Proposal

3.1 Design Details

The new CPE module will:

3.2 Expected Benefits

4. Impact Analysis

4.1 Technical Impact
5. Diagrams

Sequence Diagram

sequenceDiagram
    participant User as Manager
    participant platformVerify
    participant callbackData
    participant ScannerHelper
    participant contextData
    User->>platformVerify: platformVerify(cnaName, package, callbackData, contextData)
    platformVerify->>callbackData: check if platforms() is not empty
    alt platforms() not empty
        loop for each platform in platforms()
            platformVerify->>ScannerHelper: isCPE(platformValue)
            alt platform is CPE
                platformVerify->>ScannerHelper: parseCPE(platformValue)
                ScannerHelper-->>platformVerify: return cpe
                platformVerify->>ScannerHelper: parseCPE(contextData->osCPEName().data())
                ScannerHelper-->>platformVerify: return osCPE
                platformVerify->>ScannerHelper: compareCPE(cpe, osCPE)
                alt CPEs match
                    platformVerify-->>User: return true (match found)
                end
            else platform is not CPE
                platformVerify->>contextData: compare platformValue with contextData->osCodeName()
                alt platformValue matches osCodeName
                    platformVerify-->>User: return true (match found)
                end
            end
        end
        note over platformVerify: New proposal, not return false
        platformVerify->>ScannerHelper: build new CPE with vendor, product, and platform (Generic/Running on)
        ScannerHelper-->>platformVerify: return newCPE
        platformVerify->>ScannerHelper: parseCPE(newCPE)
        ScannerHelper-->>platformVerify: return parsedNewCPE
        platformVerify->>ScannerHelper: compareCPE(parsedNewCPE, osCPE)
        alt new CPEs match
            platformVerify-->>User: return true (new match found)
        else new CPEs don't match
            platformVerify-->>User: return false (no match found)
        end
    else platforms() is empty
        platformVerify-->>User: return true
    end
6. Changes differences

The logic was modified to adapt the main flow of instructions, data, and errors to the current code. The result is not 100% as described in the sequence diagram, but the essence is the same.

7. Conclusion

Implementing CPE for generic OS and platforms will significantly enhance our system's accuracy and efficiency in managing and tracking various configurations. This proposal details the design and expected benefits to ensure a smooth integration process.

8. Approval and Feedback

Please review the proposed design and provide feedback or approval. Your input is crucial for refining and finalizing this implementation.
Update History

Issue blocked: Awaiting changes from 4.8.0 to be merged in 4.9.0
Issue blocked: Awaiting content to be updated for the QA efficacy tests to pass in GA
Issue unblocked: @GabrielEValenzuela Please cherry-pick the following commit to fix the QA tests: f179e6d
We need to talk about this. I need to know if it is the correct design; I want to avoid CPE comparisons as much as possible.

Conclusion: We decided to fix this problem in the generated content and not in the scanner. This will make the fix available for all users that are using 4.8.0.
Description
The legacy vulnerability detector didn't consider the case when the CVE had a generic Windows CPE as a condition for a vulnerability. There is an open epic that wasn't implemented: #10633.
For example: https://nvd.nist.gov/vuln/detail/CVE-2012-4142
Here any OS (Windows 10, Windows 11, Windows Server, etc.) will match because the CPE generation from the OS data is a 1:1 transformation that doesn't consider this generic case.
The new module should solve this issue.
It is considered that the CPE is wrong, because according to the CPE structure we shouldn't say that `windows` is the product name affected but the platform (`edition`, `sw_edition`, or `target_sw`).
Related issue: https://github.com/wazuh/intelligence-platform/issues/1472
Proposal
A possible solution would be making the scanner aware of the `platform` field from OS info (`windows`) or `format` from packages (`win`) and using it to compare against the platform reported in the CPE. This requires two things:

DoD