
Vulnerability Detector : Multiple similar false positives on Ubuntu 20.04.6 LTS packages #23184

Closed
FOXDIE-Epsilon opened this issue Apr 29, 2024 · 3 comments

FOXDIE-Epsilon commented Apr 29, 2024

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| Wazuh Dashboard App version 4.7.3 revision 02; Wazuh agent v4.6.0 | Vulnerability Detector | Virtual Machine | Manual install | Ubuntu 20.04.6 LTS |

BUG number 1

OS: Ubuntu 20.04.6 LTS (amd64)
Linux Package: bsdutils

Bug:
Wazuh reports incorrect version leading to false positive (refer to attached screenshot below):
image


BUG number 2

OS: Ubuntu 20.04.6 LTS (amd64)
Linux Package: grub-efi-amd64-signed

Bug:
Wazuh reports incorrect version leading to false positive (refer to attached screenshot below):
image

FOXDIE-Epsilon changed the title from "Vulnerability Detector : Multiple similar false positives on Ubuntu 20.04 LTS packages" to "Vulnerability Detector : Multiple similar false positives on Ubuntu 20.04.6 LTS packages" on Apr 29, 2024

bscarbrough commented Apr 30, 2024

I am seeing the exact same thing on Wazuh 4.7.4 with Ubuntu 22.04 with the packages reported by @FOXDIE-Epsilon and also seeing this with the libbpf0 package.

OS: Ubuntu 22.04 LTS (amd64)
Linux Package: libbpf0

Bug:
Wazuh reports incorrect version leading to false positive (refer to attached screenshot below):
image

@sebasfalcone sebasfalcone removed their assignment May 2, 2024
@MiguelazoDS MiguelazoDS self-assigned this May 3, 2024
MiguelazoDS (Member) commented May 3, 2024

Testing

Ubuntu Jammy

For 4.8.0 there are no vulnerabilities for package libbpf0

```
        <title>CVE-2022-3534 on Ubuntu 22.04 LTS (jammy) - medium</title>
        <description>A vulnerability classified as critical has been found in Linux Kernel. Affected is the function btf_dump_name_dups of the file tools/lib/bpf/btf_dump.c of the component libbpf. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211032.

    Update Instructions:

    Run `sudo pro fix CVE-2022-3534` to fix the vulnerability. The problem can be corrected
    by updating your system to the following package versions:

libbpf0 - 1:0.5.0-1ubuntu22.04.1
```
```json
  {
    "scan_id": 0,
    "scan_time": "2024/05/03 18:33:26",
    "format": "deb",
    "name": "libbpf0",
    "priority": "important",
    "section": "libs",
    "size": 344,
    "vendor": "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
    "install_time": " ",
    "version": "1:0.5.0-1ubuntu22.04.1",
    "architecture": "amd64",
    "multiarch": "same",
    "source": "libbpf (0.5.0-1ubuntu22.04.1)",
    "description": "eBPF helper library (shared library)",
    "location": " ",
    "cpe": null,
    "msu_name": null,
    "checksum": "6662c84896da953d736c1e5c046d69043ee46469",
    "item_id": "5d6d0c306f3560b3cd7cf81a5d13d46d468d1fa8"
  }
```

image

Logs related to package

```
2024/05/03 15:33:26 wazuh-modulesd:syscollector[189018] logging_helper.c:40 at taggedLogFunction(): DEBUG: Sync sent: {"component":"syscollector_packages","data":{"attributes":{"architecture":"amd64","checksum":"6662c84896da953d736c1e5c046d69043ee46469","description":"eBPF helper library (shared library)","format":"deb","groups":"libs","install_time":" ","item_id":"5d6d0c306f3560b3cd7cf81a5d13d46d468d1fa8","location":" ","multiarch":"same","name":"libbpf0","priority":"important","scan_time":"2024/05/03 18:33:26","size":344,"source":"libbpf (0.5.0-1ubuntu22.04.1)","vendor":"Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>","version":"1:0.5.0-1ubuntu22.04.1"},"index":"5d6d0c306f3560b3cd7cf81a5d13d46d468d1fa8","timestamp":""},"type":"state"}
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:165 at scanPackageTranslation(): DEBUG: Translation for package 'libbpf0' in platform 'ubuntu' not found. Using provided packageName.
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:578 at handleRequest(): DEBUG: Initiating a vulnerability scan for package 'libbpf0' (deb) (ubuntu developers <ubuntu-devel-discuss@lists.ubuntu.com>) with CVE Numbering Authorities (CNA) 'canonical' on Agent 'jammy' (ID: '000', Version: 'v4.8.0').
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:310 at operator()(): DEBUG: The platform is in the list based on OS code name comparison for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2021-45940, Content OS code name: jammy, OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:547 at operator()(): DEBUG: No match due to default status for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1 while scanning for Vulnerability: CVE-2021-45940
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2021-45940, OS CPE: , OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:310 at operator()(): DEBUG: The platform is in the list based on OS code name comparison for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2021-45941, Content OS code name: jammy, OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:547 at operator()(): DEBUG: No match due to default status for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1 while scanning for Vulnerability: CVE-2021-45941
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2021-45941, OS CPE: , OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:310 at operator()(): DEBUG: The platform is in the list based on OS code name comparison for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2022-3533, Content OS code name: jammy, OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:547 at operator()(): DEBUG: No match due to default status for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1 while scanning for Vulnerability: CVE-2022-3533
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2022-3533, OS CPE: , OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2022-3534, OS CPE: , OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:310 at operator()(): DEBUG: The platform is in the list based on OS code name comparison for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2022-3534, Content OS code name: jammy, OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:394 at operator()(): DEBUG: Scanning package - 'libbpf0' (Installed Version: 1:0.5.0-1ubuntu22.04.1, Security Vulnerability: CVE-2022-3534). Identified vulnerability: Version: 0. Required Version Threshold: 1:0.5.0-1ubuntu22.04.1. Required Version Threshold (or Equal): .
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:547 at operator()(): DEBUG: No match due to default status for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1 while scanning for Vulnerability: CVE-2022-3534
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2022-3534, OS CPE: , OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2022-3606, OS CPE: , OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:310 at operator()(): DEBUG: The platform is in the list based on OS code name comparison for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2022-3606, Content OS code name: jammy, OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:394 at operator()(): DEBUG: Scanning package - 'libbpf0' (Installed Version: 1:0.5.0-1ubuntu22.04.1, Security Vulnerability: CVE-2022-3606). Identified vulnerability: Version: 0. Required Version Threshold: 1:0.5.0-1ubuntu22.04.1. Required Version Threshold (or Equal): .
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:547 at operator()(): DEBUG: No match due to default status for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1 while scanning for Vulnerability: CVE-2022-3606
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: libbpf0, Version: 1:0.5.0-1ubuntu22.04.1, CVE: CVE-2022-3606, OS CPE: , OS code name: jammy
2024/05/03 15:33:26 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:609 at handleRequest(): DEBUG: Vulnerability scan for package 'libbpf0' on Agent '000' has completed.
```

Ubuntu Focal

For 4.8.0 there are no vulnerabilities for packages bsdutils and grub-efi-amd64-signed.

```
        <title>CVE-2018-7738 on Ubuntu 20.04 LTS (focal) - negligible</title>
        <description>In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.

    Update Instructions:

    Run `sudo pro fix CVE-2018-7738` to fix the vulnerability. The problem can be corrected
    by updating your system to the following package versions:

bsdutils - 1:2.34-0.1ubuntu2
        <title>CVE-2023-4692 on Ubuntu 20.04 LTS (focal) - medium</title>
        <description>An out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved.

    Update Instructions:

    Run `sudo pro fix CVE-2023-4692` to fix the vulnerability. The problem can be corrected
    by updating your system to the following package versions:

grub-efi-amd64 - 2.06-2ubuntu14.4
grub-efi-amd64-bin - 2.06-2ubuntu14.4
grub-efi-arm64 - 2.06-2ubuntu14.4
grub-efi-arm64-bin - 2.06-2ubuntu14.4
No subscription required

grub-efi-amd64-signed - 1.187.6~20.04.1+2.06-2ubuntu14.4
grub-efi-arm64-signed - 1.187.6~20.04.1+2.06-2ubuntu14.4
```
```json
  {
    "scan_id": 0,
    "scan_time": "2024/05/03 18:53:32",
    "format": "deb",
    "name": "bsdutils",
    "priority": "required",
    "section": "utils",
    "size": 304,
    "vendor": "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
    "install_time": " ",
    "version": "1:2.34-0.1ubuntu9.4",
    "architecture": "amd64",
    "multiarch": "foreign",
    "source": "util-linux (2.34-0.1ubuntu9.4)",
    "description": "basic utilities from 4.4BSD-Lite",
    "location": " ",
    "cpe": null,
    "msu_name": null,
    "checksum": "5828a3f0889ed696929da2c2d435476c55886725",
    "item_id": "665a3c68b4b6c0ee33c176ed73c685eebc4c0120"
  }
  {
    "scan_id": 0,
    "scan_time": "2024/05/03 18:53:34",
    "format": "deb",
    "name": "grub-efi-amd64-signed",
    "priority": "optional",
    "section": "utils",
    "size": 7024,
    "vendor": "Colin Watson <cjwatson@ubuntu.com>",
    "install_time": " ",
    "version": "1.187.6~20.04.1+2.06-2ubuntu14.4",
    "architecture": "amd64",
    "multiarch": null,
    "source": "grub2-signed (1.187.6~20.04.1)",
    "description": "GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)",
    "location": " ",
    "cpe": null,
    "msu_name": null,
    "checksum": "ff4eb451bc1fad247e46384648beaf7aab8988ca",
    "item_id": "6f894b661f504f012ad457df25e81356c7368204"
  }
```

image

Logs related to package bsdutils

```
2024/05/03 15:53:32 wazuh-remoted: INFO: MESSAGE RECEIVED: {"agent_info":{"agent_id":"001","agent_ip":"any","agent_name":"focal","agent_version":"v4.8.0","node_name":"node01"},"data_type":"state","data":{"attributes_type":"syscollector_packages","attributes":{"architecture":"amd64","checksum":"5828a3f0889ed696929da2c2d435476c55886725","description":"basic utilities from 4.4BSD-Lite","format":"deb","groups":"utils","install_time":" ","item_id":"665a3c68b4b6c0ee33c176ed73c685eebc4c0120","location":" ","multiarch":"foreign","name":"bsdutils","priority":"required","scan_time":"2024/05/03 18:53:32","size":304,"source":"util-linux (2.34-0.1ubuntu9.4)","vendor":"Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>","version":"1:2.34-0.1ubuntu9.4"},"index":"665a3c68b4b6c0ee33c176ed73c685eebc4c0120","timestamp":""}}
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:165 at scanPackageTranslation(): DEBUG: Translation for package 'bsdutils' in platform 'ubuntu' not found. Using provided packageName.
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:578 at handleRequest(): DEBUG: Initiating a vulnerability scan for package 'bsdutils' (deb) (ubuntu developers <ubuntu-devel-discuss@lists.ubuntu.com>) with CVE Numbering Authorities (CNA) 'canonical' on Agent 'focal' (ID: '001', Version: 'v4.8.0').
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: bsdutils, Version: 1:2.34-0.1ubuntu9.4, CVE: CVE-2016-5011, OS CPE: , OS code name: focal
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: bsdutils, Version: 1:2.34-0.1ubuntu9.4, CVE: CVE-2018-7738, OS CPE: , OS code name: focal
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:310 at operator()(): DEBUG: The platform is in the list based on OS code name comparison for Package: bsdutils, Version: 1:2.34-0.1ubuntu9.4, CVE: CVE-2021-3995, Content OS code name: focal, OS code name: focal
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:394 at operator()(): DEBUG: Scanning package - 'bsdutils' (Installed Version: 1:2.34-0.1ubuntu9.4, Security Vulnerability: CVE-2021-3995). Identified vulnerability: Version: 0. Required Version Threshold: 1:2.34-0.1ubuntu9.3. Required Version Threshold (or Equal): .
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:547 at operator()(): DEBUG: No match due to default status for Package: bsdutils, Version: 1:2.34-0.1ubuntu9.4 while scanning for Vulnerability: CVE-2021-3995
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: bsdutils, Version: 1:2.34-0.1ubuntu9.4, CVE: CVE-2021-3995, OS CPE: , OS code name: focal
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:310 at operator()(): DEBUG: The platform is in the list based on OS code name comparison for Package: bsdutils, Version: 1:2.34-0.1ubuntu9.4, CVE: CVE-2021-3996, Content OS code name: focal, OS code name: focal
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:394 at operator()(): DEBUG: Scanning package - 'bsdutils' (Installed Version: 1:2.34-0.1ubuntu9.4, Security Vulnerability: CVE-2021-3996). Identified vulnerability: Version: 0. Required Version Threshold: 1:2.34-0.1ubuntu9.3. Required Version Threshold (or Equal): .
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:547 at operator()(): DEBUG: No match due to default status for Package: bsdutils, Version: 1:2.34-0.1ubuntu9.4 while scanning for Vulnerability: CVE-2021-3996
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:327 at operator()(): DEBUG: The platform is not in the list for Package: bsdutils, Version: 1:2.34-0.1ubuntu9.4, CVE: CVE-2021-3996, OS CPE: , OS code name: focal
2024/05/03 15:53:32 wazuh-modulesd:vulnerability-scanner[189018] packageScanner.hpp:609 at handleRequest(): DEBUG: Vulnerability scan for package 'bsdutils' on Agent '001' has completed.
```

Logs related to package grub-efi-amd64-signed

grub-efi-amd64-signed.log

sebasfalcone (Member) commented:

This problem is solved with the 4.8.0 implementation
