Vulnerability Detector : Multiple similar false positives on Ubuntu 20.04.6 LTS packages #23184
Comments
I am seeing the exact same thing on Wazuh 4.7.4 with Ubuntu 22.04 with the packages reported by @FOXDIE-Epsilon and also seeing this with the libbpf0 package.
OS: Ubuntu 22.04 LTS (amd64)
Bug:
Testing
Ubuntu Jammy
For 4.8.0 there are no vulnerabilities for package libbpf0
<title>CVE-2022-3534 on Ubuntu 22.04 LTS (jammy) - medium</title>
<description>A vulnerability classified as critical has been found in Linux Kernel. Affected is the function btf_dump_name_dups of the file tools/lib/bpf/btf_dump.c of the component libbpf. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211032.
Update Instructions:
Run `sudo pro fix CVE-2022-3534` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libbpf0 - 1:0.5.0-1ubuntu22.04.1
{
"scan_id": 0,
"scan_time": "2024/05/03 18:33:26",
"format": "deb",
"name": "libbpf0",
"priority": "important",
"section": "libs",
"size": 344,
"vendor": "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
"install_time": " ",
"version": "1:0.5.0-1ubuntu22.04.1",
"architecture": "amd64",
"multiarch": "same",
"source": "libbpf (0.5.0-1ubuntu22.04.1)",
"description": "eBPF helper library (shared library)",
"location": " ",
"cpe": null,
"msu_name": null,
"checksum": "6662c84896da953d736c1e5c046d69043ee46469",
"item_id": "5d6d0c306f3560b3cd7cf81a5d13d46d468d1fa8"
}
Logs related to package
2024/05/03 15:33:26 wazuh-modulesd:syscollector[189018] logging_helper.c:40 at taggedLogFunction(): DEBUG: Sync sent: {"component":"syscollector_packages","data":{"attributes":{"architecture":"amd64","checksum":"6662c84896da953d736c1e5c046d69043ee46469","description":"eBPF helper library (shared library)","format":"deb","groups":"libs","install_time":" ","item_id":"5d6d0c306f3560b3cd7cf81a5d13d46d468d1fa8","location":" ","multiarch":"same","name":"libbpf0","priority":"important","scan_time":"2024/05/03 18:33:26","size":344,"source":"libbpf (0.5.0-1ubuntu22.04.1)","vendor":"Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>","version":"1:0.5.0-1ubuntu22.04.1"},"index":"5d6d0c306f3560b3cd7cf81a5d13d46d468d1fa8","timestamp":""},"type":"state"}
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:165 at scanPackageTranslation(): DEBUG: Translation for package 'libbpf0' in platform 'ubuntu' not found. Using provided packageName.
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:578 at handleRequest(): DEBUG: Initiating a vulnerability scan for package 'libbpf0' (deb) (ubuntu developers <ubuntu-devel-discuss@lists.ubuntu.com>) with CVE Numbering Authorities (CNA) 'canonical' on Agent 'jammy' (ID: '000', Version: 'v4.8.0').
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:310 at operator()(): DEBUG: The platform is in the list based on OS code name comparison for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2021-45940, Content OS code name: jammy, OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:547 at operator()(): DEBUG: No match due to default status for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1 while scanning for Vulnerability: CVE-2021-45940
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2021-45940, OS CPE: , OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:310 at operator()(): DEBUG: The platform is in the list based on OS code name comparison for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2021-45941, Content OS code name: jammy, OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:547 at operator()(): DEBUG: No match due to default status for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1 while scanning for Vulnerability: CVE-2021-45941
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2021-45941, OS CPE: , OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:310 at operator()(): DEBUG: The platform is in the list based on OS code name comparison for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2022-3533, Content OS code name: jammy, OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:547 at operator()(): DEBUG: No match due to default status for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1 while scanning for Vulnerability: CVE-2022-3533
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2022-3533, OS CPE: , OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2022-3534, OS CPE: , OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:310 at operator()(): DEBUG: The platform is in the list based on OS code name comparison for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2022-3534, Content OS code name: jammy, OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:394 at operator()(): DEBUG: Scanning package - 'libbpf0' (Installed Version: 1:0.5.0-1ubuntu22.04.1, Security Vulnerability: CVE-2022-3534). Identified vulnerability: Version: 0. Required Version Threshold: 1:0.5.0-1ubuntu22.04.1. Required Version Threshold (or Equal): .
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:547 at operator()(): DEBUG: No match due to default status for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1 while scanning for Vulnerability: CVE-2022-3534
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2022-3534, OS CPE: , OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2022-3606, OS CPE: , OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:310 at operator()(): DEBUG: The platform is in the list based on OS code name comparison for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2022-3606, Content OS code name: jammy, OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:394 at operator()(): DEBUG: Scanning package - 'libbpf0' (Installed Version: 1:0.5.0-1ubuntu22.04.1, Security Vulnerability: CVE-2022-3606). Identified vulnerability: Version: 0. Required Version Threshold: 1:0.5.0-1ubuntu22.04.1. Required Version Threshold (or Equal): .
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:547 at operator()(): DEBUG: No match due to default status for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1 while scanning for Vulnerability: CVE-2022-3606
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2022-3606, OS CPE: , OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:609 at handleRequest(): DEBUG: Vulnerability scan for package 'libbpf0' on Agent '000' has completed.
Ubuntu Focal
For 4.8.0 there are no vulnerabilities for packages bsdutils and grub-efi-amd64-signed.
<title>CVE-2018-7738 on Ubuntu 20.04 LTS (focal) - negligible</title>
<description>In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.
Update Instructions:
Run `sudo pro fix CVE-2018-7738` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bsdutils - 1:2.34-0.1ubuntu2
<title>CVE-2023-4692 on Ubuntu 20.04 LTS (focal) - medium</title>
<description>An out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved.
Update Instructions:
Run `sudo pro fix CVE-2023-4692` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
grub-efi-amd64 - 2.06-2ubuntu14.4
grub-efi-amd64-bin - 2.06-2ubuntu14.4
grub-efi-arm64 - 2.06-2ubuntu14.4
grub-efi-arm64-bin - 2.06-2ubuntu14.4
No subscription required
grub-efi-amd64-signed - 1.187.6~20.04.1+2.06-2ubuntu14.4
grub-efi-arm64-signed - 1.187.6~20.04.1+2.06-2ubuntu14.4
{
"scan_id": 0,
"scan_time": "2024/05/03 18:53:32",
"format": "deb",
"name": "bsdutils",
"priority": "required",
"section": "utils",
"size": 304,
"vendor": "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
"install_time": " ",
"version": "1:2.34-0.1ubuntu9.4",
"architecture": "amd64",
"multiarch": "foreign",
"source": "util-linux (2.34-0.1ubuntu9.4)",
"description": "basic utilities from 4.4BSD-Lite",
"location": " ",
"cpe": null,
"msu_name": null,
"checksum": "5828a3f0889ed696929da2c2d435476c55886725",
"item_id": "665a3c68b4b6c0ee33c176ed73c685eebc4c0120"
}
{
"scan_id": 0,
"scan_time": "2024/05/03 18:53:34",
"format": "deb",
"name": "grub-efi-amd64-signed",
"priority": "optional",
"section": "utils",
"size": 7024,
"vendor": "Colin Watson <cjwatson@ubuntu.com>",
"install_time": " ",
"version": "1.187.6~20.04.1+2.06-2ubuntu14.4",
"architecture": "amd64",
"multiarch": null,
"source": "grub2-signed (1.187.6~20.04.1)",
"description": "GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)",
"location": " ",
"cpe": null,
"msu_name": null,
"checksum": "ff4eb451bc1fad247e46384648beaf7aab8988ca",
"item_id": "6f894b661f504f012ad457df25e81356c7368204"
}
Logs related to package
2024/05/03 15:53:32 wazuh-remoted: INFO: MESSAGE RECEIVED: {"agent_info":{"agent_id":"001","agent_ip":"any","agent_name":"focal","agent_version":"v4.8.0","node_name":"node01"},"data_type":"state","data":{"attributes_type":"syscollector_packages","attributes":{"architecture":"amd64","checksum":"5828a3f0889ed696929da2c2d435476c55886725","description":"basic utilities from 4.4BSD-Lite","format":"deb","groups":"utils","install_time":" ","item_id":"665a3c68b4b6c0ee33c176ed73c685eebc4c0120","location":" ","multiarch":"foreign","name":"bsdutils","priority":"required","scan_time":"2024/05/03 18:53:32","size":304,"source":"util-linux (2.34-0.1ubuntu9.4)","vendor":"Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>","version":"1:2.34-0.1ubuntu9.4"},"index":"665a3c68b4b6c0ee33c176ed73c685eebc4c0120","timestamp":""}}
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:165 at scanPackageTranslation(): DEBUG: Translation for package 'bsdutils' in platform 'ubuntu' not found. Using provided packageName.
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:578 at handleRequest(): DEBUG: Initiating a vulnerability scan for package 'bsdutils' (deb) (ubuntu developers <ubuntu-devel-discuss@lists.ubuntu.com>) with CVE Numbering Authorities (CNA) 'canonical' on Agent 'focal' (ID: '001', Version: 'v4.8.0').
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: bsdutils, Version: 1:2.34-0.1ubuntu9.4, CVE: CVE-2016-5011, OS CPE: , OS code name: focal
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: bsdutils, Version: 1:2.34-0.1ubuntu9.4, CVE: CVE-2018-7738, OS CPE: , OS code name: focal
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:310 at operator()(): DEBUG: The platform is in the list based on OS code name comparison for Package: bsdutils, Version: 1:2.34-0.1ubuntu9.4, CVE: CVE-2021-3995, Content OS code name: focal, OS code name: focal
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:394 at operator()(): DEBUG: Scanning package - 'bsdutils' (Installed Version: 1:2.34-0.1ubuntu9.4, Security Vulnerability: CVE-2021-3995). Identified vulnerability: Version: 0. Required Version Threshold: 1:2.34-0.1ubuntu9.3. Required Version Threshold (or Equal): .
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:547 at operator()(): DEBUG: No match due to default status for Package: bsdutils, Version: 1:2.34-0.1ubuntu9.4 while scanning for Vulnerability: CVE-2021-3995
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: bsdutils, Version: 1:2.34-0.1ubuntu9.4, CVE: CVE-2021-3995, OS CPE: , OS code name: focal
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:310 at operator()(): DEBUG: The platform is in the list based on OS code name comparison for Package: bsdutils, Version: 1:2.34-0.1ubuntu9.4, CVE: CVE-2021-3996, Content OS code name: focal, OS code name: focal
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:394 at operator()(): DEBUG: Scanning package - 'bsdutils' (Installed Version: 1:2.34-0.1ubuntu9.4, Security Vulnerability: CVE-2021-3996). Identified vulnerability: Version: 0. Required Version Threshold: 1:2.34-0.1ubuntu9.3. Required Version Threshold (or Equal): .
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:547 at operator()(): DEBUG: No match due to default status for Package: bsdutils, Version: 1:2.34-0.1ubuntu9.4 while scanning for Vulnerability: CVE-2021-3996
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: bsdutils, Version: 1:2.34-0.1ubuntu9.4, CVE: CVE-2021-3996, OS CPE: , OS code name: focal
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:609 at handleRequest(): DEBUG: Vulnerability scan for package 'bsdutils' on Agent '001' has completed.
Logs related to package grub-efi-amd64-signed
This problem is solved with the 4.8.0 implementation
| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| Wazuh Dashboard App version 4.7.3 revision 02 ; Wazuh agent v4.6.0 | Vulnerability Detector | Virtual Machine | Manual install | Ubuntu 20.04.6 LTS |
BUG number 1
OS: Ubuntu 20.04.6 LTS (amd64)
Linux Package: bsdutils
Bug:
Wazuh reports incorrect version leading to false positive (refer to attached screenshot below):
BUG number 2
OS: Ubuntu 20.04.6 LTS (amd64)
Linux Package: grub-efi-amd64-signed
Bug:
Wazuh reports incorrect version leading to false positive (refer to attached screenshot below):
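The scanner logs above decide each CVE by comparing the installed version against a "Required Version Threshold", and the report is that 4.7 gets that comparison wrong for these packages. The following is an added example, not Wazuh's code: it re-implements the dpkg --compare-versions ordering in Python (epoch, upstream, Debian revision; '~' sorts before anything, digit runs compare numerically, letters before other characters) and runs it over the installed and fixed versions quoted on this page, assuming, as the Ubuntu notices state, that a package at or above the listed fix version is not vulnerable.

```python
import re
from itertools import zip_longest

_VER = re.compile(r"^(?:(\d+):)?(.*?)(?:-([^-]*))?$")  # epoch:upstream-revision

def _order(c):
    # dpkg weight of one non-digit character; '' marks the end of a run
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # upstream and revision strings compare as alternating non-digit/digit runs
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for x, y in zip_longest(na, nb, fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1 with the same ordering as dpkg --compare-versions."""
    ea, ua, ra = _VER.match(a).groups()
    eb, ub, rb = _VER.match(b).groups()
    if int(ea or 0) != int(eb or 0):
        return -1 if int(ea or 0) < int(eb or 0) else 1
    return _cmp_part(ua, ub) or _cmp_part(ra or "", rb or "")

def is_fixed(installed, fixed):
    """A notice lists the version that corrects the CVE: installed >= fixed is not vulnerable."""
    return compare_versions(installed, fixed) >= 0

# Installed versions from the syscollector output and fixed versions from the
# Ubuntu notices quoted in this issue; each of the three should triage as fixed.
CASES = {
    ("libbpf0", "CVE-2022-3534"): ("1:0.5.0-1ubuntu22.04.1", "1:0.5.0-1ubuntu22.04.1"),
    ("bsdutils", "CVE-2018-7738"): ("1:2.34-0.1ubuntu9.4", "1:2.34-0.1ubuntu2"),
    ("grub-efi-amd64-signed", "CVE-2023-4692"):
        ("1.187.6~20.04.1+2.06-2ubuntu14.4", "1.187.6~20.04.1+2.06-2ubuntu14.4"),
}

def triage():
    """Map each (package, CVE) to True when the installed version is at or past the fix."""
    return {key: is_fixed(*pair) for key, pair in CASES.items()}
```

A scanner finding for one of these packages that survives this comparison (installed version older than the fix) is a real hit; one that does not is the false positive the issue describes.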