Windows build number not detected properly

[andonovski]

Wazuh version	Component	Install type	Install method	Platform
4.7.4	Vulnerability scanner	Manager	Docker	Ubuntu 22.04

Wazuh version 4.74 is installed using docker on Ubuntu server 22.04 LTS.
The issue is in Vulnerabilities for Windows Server 2022 22H2, build is 20348. Selecting any Windows Server 2022 22H2 shows CVE-2023-36046. Link for this CVE is https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36046, further going to KB link https://support.microsoft.com/en-us/topic/november-14-2023-kb5032202-os-build-25398-531-e1ee8019-47f8-4314-be67-32d4e48ac140.

As it can be seen, this CVE is only for Windows Server 2022 23H2, not for 22H2.

Now, my question is, is this a bug not properly detecting Windows build? Or is it just working this way, not detecting build number at all? Maybe something is wrong with my Wazuh configuration?

[pereyra-m]

Hello @andonovski !

It happens that the NVD isn't specific about the Windows Server 2022 version affected

https://nvd.nist.gov/vuln/detail/CVE-2023-36046

So the scanner considers that unless KB5032202 (or any equivalent update) is installed, all Windows Server 2022 systems are vulnerable. The Wazuh agent collects properly the 22H2 version field but the vulnerability content has to be fixed.

Soon, the new Wazuh v4.8.0 will be released (see issue #14156) and the vulnerability detector module will be able to handle this type of situations

[andonovski]

Hello, Thanks for the reply. So, works as intended, I didn't check the NVD link, I just checked es MS one. Could have saved you a bit of time if I checked. Good to know that future version will be able to handle these kind of things. Best regards, Marjan

…

On Mon, May 6, 2024, 17:00 Matias Pereyra ***@***.***> wrote: Hello @andonovski <https://github.com/andonovski> ! It happens that the NVD isn't specific about the Windows Server 2022 version affected https://nvd.nist.gov/vuln/detail/CVE-2023-36046 2024-05-06_10-01.png (view on web) <https://github.com/wazuh/wazuh/assets/65046601/14045e22-83e4-4988-8a46-543e657ebdd4> So the scanner considers that unless KB5032202 (or any equivalent update) is installed, all Windows Server 2022 systems are vulnerable. The Wazuh agent collects properly the 22H2 version field but the vulnerability content has to be fixed. Soon, the new Wazuh v4.8.0 will be released (see issue #14156 <#14156>) and the vulnerability detector module will be able to handle this type of situations — Reply to this email directly, view it on GitHub <#23275 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ASPGAGTIN4L4UOVUM4CCYEDZA6LJDAVCNFSM6AAAAABHH5CJ62VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOJWGI2DEOBQGQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[pereyra-m]

Thanks to you!
The reports from the community help to improve Wazuh.

Regards.