Research the detection for vulnerabilities that require a specific OS version to match #23967
Comments
Update
I begin with the analysis of the translations and the required manual tests to verify the behavior.

Analysis
The As @sebasfalcone points out, the entry in the global CPE map for

This simple change would make it possible to improve the detection when the

Proposal: update the map with the new entry. But the naming problem is different, and it affects the OS scan.

There is also an old OS X Server that we don't need to consider. The problem is that some candidates in the NVD don't follow this structure, and use a name that doesn't correspond to the version. For example:

These are false negatives, because the agents installed in v10.12 and above will report an OS CPE with

Proposal: create a rule in the migration tool that automatically replaces

Another issue found can be seen at

Proposal: create a rule in the migration tool that inserts a generic

Really similar to

Proposal: we can't change the behavior of the CPE comparison. We must sanitize all platforms that contain a

The most complex situations that were found

Proposal: manually decompose the range into a detailed list of CPEs with single affected versions for each platform that has this condition.

Conclusion
We can divide the analysis into three distinct parts.

Wrong CPEs for macOS
We can fix this without altering the inner workings of the scanner. To do so, we can make use of some sort of dictionary (taking inspiration from here).

CC: @wazuh/devel-cppserver-div2
@sebasfalcone please update this issue with the definitions discussed last Tuesday.
Action items
Interpretation of - fields in the CPEs
For Windows systems, the proposed solution can be found here:

Further investigation is needed to see if the same solution applies to macOS:

Hi @sebasfalcone, these are the CPEs of the content we are migrating from the NVD where the
From the provided list, I've filtered them using the following criteria:

Tier 1
Apple
Entries that should match with a CPE from CPE
Microsoft
Entries that should match with the generic CPE
Entries that should match with a CPE from this list
Linux
Entries that should match with the generic CPE
Entries that should match with a CPE from this list

Note: there may not be a specific CPE entry for that OS. If so, we should analyze the case and create it.

Tier 2
Tier 3
No tier

Mapping
All the items listed above should be mapped using a similar logic to:
ETA moved
Due to re-definitions, the ETA will be delayed.
Conclusion
Description
During the analysis of #23747, some sanitizations were requested. For example:
Nevertheless, after setting the specific affected versions for macOS, it's still required to make sure the detection occurs as expected.
DoD