Vulnerability Detector - False positive: Grafana - CVE-2023-4822 #24952

Closed
2 tasks done
sebasfalcone opened this issue Jul 26, 2024 · 5 comments

sebasfalcone (Member) commented Jul 26, 2024

Description

Currently, we are identifying Grafana as vulnerable to CVE-2023-4822 on Ubuntu and RedHat systems.

DoD

  • Perform an RCA
  • Propose a solution
sebasfalcone (Member, Author) commented Jul 26, 2024

RCA

Why is this a false positive?

If we take a look at the CVE for each vendor:

  • RedHat 8
          {
            "defaultStatus": "unaffected",
            "platforms": [
              "cpe:/a:redhat:enterprise_linux:8",
              "cpe:/a:redhat:enterprise_linux:8::appstream",
              "cpe:/a:redhat:enterprise_linux:8::crb",
              "cpe:/a:redhat:enterprise_linux:8::highavailability",
              "cpe:/a:redhat:enterprise_linux:8::nfv",
              "cpe:/a:redhat:enterprise_linux:8::realtime",
              "cpe:/a:redhat:enterprise_linux:8::resilientstorage",
              "cpe:/a:redhat:enterprise_linux:8::sap",
              "cpe:/a:redhat:enterprise_linux:8::sap_hana",
              "cpe:/a:redhat:enterprise_linux:8::supplementary",
              "cpe:/o:redhat:enterprise_linux:8",
              "cpe:/o:redhat:enterprise_linux:8::baseos"
            ],
            "product": "grafana",
            "vendor": "redhat"
          }
  • Ubuntu
          {
            "defaultStatus": "unknown",
            "platforms": [
              "bionic",
              "trusty",
              "xenial"
            ],
            "product": "grafana",
            "vendor": "canonical"
          }
  • NVD
        {
          "cpes": [
            "cpe:2.3:a:grafana:grafana-enterprise:*:*:*:*:enterprise:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "grafana-enterprise",
          "vendor": "contact@grafana.com",
          "versions": [
            {
              "lessThan": "10.0.7",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "10.1.3",
              "status": "affected",
              "version": "10.1.0",
              "versionType": "custom"
            },
            {
              "lessThan": "9.4.16",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "9.5.11",
              "status": "affected",
              "version": "9.5.0",
              "versionType": "custom"
            }
          ]
        }

Both Ubuntu and RedHat identify Grafana as not vulnerable.

Why is it matching?

If we follow the analysis performed here:

We see that the checks are against version 9.4.16, one of the versions described by the NVD.

The reason why the NVD is selected as the corresponding CNA is that the vendor for Grafana packages is contact@grafana.com; the getCNA logic identifies no feed for this information other than the NVD.

Why is it matching?

It seems this sanitization didn't impact the content yet:

./rocks_db_query_testtool -d ~/Documents/work/development/wazuh-master/src/queue/vd/feed/ -c nvd -f /home/sebas/Documents/work/development/wazuh-master/src/wazuh_modules/vulnerability_scanner/schemas/vulnerabilityCandidate.fbs -k grafana_CVE-2023-4822
grafana_CVE-2023-4822 ==> {
  "candidates": [
    {
      "cveId": "CVE-2023-4822",
      "defaultStatus": "unaffected",
      "versions": [
        {
          "version": "10.0.0",
          "lessThan": "10.0.7",
          "versionType": "custom"
        },
        {
          "version": "10.1.0",
          "lessThan": "10.1.3",
          "versionType": "custom"
        },
        {
          "version": "8.0.0",
          "lessThan": "9.4.16",
          "versionType": "custom"
        },
        {
          "version": "9.5.0",
          "lessThan": "9.5.11",
          "versionType": "custom"
        }
      ],
      "vendor": "grafana"
    }
  ]
}

I asked the team to check whether or not CTI contains the sanitization (because I don't have this access).

Main issue

On the other hand, the NVD is wrongly used in this scenario; I will attempt to propose a solution.

sebasfalcone (Member, Author) commented:
Update

I updated the content via offsets. The old Grafana CVE disappeared from the NVD as expected.

./rocks_db_query_testtool -d ~/Documents/work/development/wazuh-master/src/queue/vd/feed/ -c nvd -f /home/sebas/Documents/work/development/wazuh-master/src/wazuh_modules/vulnerability_scanner/schemas/vulnerabilityCandidate.fbs -k grafana-enterise_CVE-2023-4822

Unable to find resource.
./rocks_db_query_testtool -d ~/Documents/work/development/wazuh-master/src/queue/vd/feed/ -c nvd -f /home/sebas/Documents/work/development/wazuh-master/src/wazuh_modules/vulnerability_scanner/schemas/vulnerabilityCandidate.fbs -k grafana-enterprise_CVE-2023-4822
grafana-enterprise_CVE-2023-4822 ==> {
  "candidates": [
    {
      "cveId": "CVE-2023-4822",
      "defaultStatus": "unaffected",
      "versions": [
        {
          "version": "10.0.0",
          "lessThan": "10.0.7",
          "versionType": "custom"
        },
        {
          "version": "10.1.0",
          "lessThan": "10.1.3",
          "versionType": "custom"
        },
        {
          "version": "8.0.0",
          "lessThan": "9.4.16",
          "versionType": "custom"
        },
        {
          "version": "9.5.0",
          "lessThan": "9.5.11",
          "versionType": "custom"
        }
      ],
      "vendor": "contact@grafana.com"
    }
  ]
}

And if we re-run the false positive efficacy tests, they are now passing:

================================================================== 2 passed, 23 skipped in 124.13s (0:02:04) ==================================================================

sebasfalcone (Member, Author) commented:
Conclusion

This immediate issue will be solved once the content is updated.

To fix this behaviour we need to re-think the way we determine the CNA for a given package.
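Added illustration for the RCA comment above and for the conclusion that CNA selection needs rethinking. This is constructed example code, not Wazuh's vulnerability scanner or the fix proposed in the linked PR: the three feed records are the ones quoted in this issue (RedHat trimmed to two platform CPEs), while the host values, the "OS distributor first" policy, the substring platform match and every function name are assumptions. It shows how looking the CNA up by package vendor alone sends a package whose vendor string is contact@grafana.com to the NVD range, and how consulting the distributor's record first yields the "unaffected" answer the issue expects.

```python
from typing import Dict, Tuple

# Feed records for CVE-2023-4822 as quoted in the issue (RedHat 8 trimmed to two
# platform CPEs, Ubuntu, NVD).  Everything else in this file is constructed.
FEEDS: Dict[str, dict] = {
    "redhat": {
        "defaultStatus": "unaffected",
        "platforms": ["cpe:/a:redhat:enterprise_linux:8",
                      "cpe:/o:redhat:enterprise_linux:8"],
        "product": "grafana",
        "vendor": "redhat",
    },
    "canonical": {
        "defaultStatus": "unknown",
        "platforms": ["bionic", "trusty", "xenial"],
        "product": "grafana",
        "vendor": "canonical",
    },
    "nvd": {
        "defaultStatus": "unaffected",
        "product": "grafana-enterprise",
        "vendor": "contact@grafana.com",
        "versions": [
            {"version": "10.0.0", "lessThan": "10.0.7", "status": "affected"},
            {"version": "10.1.0", "lessThan": "10.1.3", "status": "affected"},
            {"version": "8.0.0", "lessThan": "9.4.16", "status": "affected"},
            {"version": "9.5.0", "lessThan": "9.5.11", "status": "affected"},
        ],
    },
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple (sufficient for the ranges above)."""
    return tuple(int(part) for part in v.split("."))


def in_range(version: str, rng: dict) -> bool:
    """CVE5 semantics: 'version' is inclusive, 'lessThan' is exclusive."""
    v = parse_version(version)
    return parse_version(rng["version"]) <= v < parse_version(rng["lessThan"])


def is_affected(entry: dict, version: str) -> bool:
    """A matching range entry decides; otherwise defaultStatus decides.
    'unknown' is not treated as affected, which is how the issue reads Ubuntu's record."""
    for rng in entry.get("versions", []):
        if in_range(version, rng):
            return rng.get("status") == "affected"
    return entry.get("defaultStatus") == "affected"


def cna_by_package_vendor(package_vendor: str) -> str:
    """Behaviour the issue describes: the package vendor is looked up among the feeds;
    'contact@grafana.com' keys no feed, so NVD is selected."""
    return package_vendor if package_vendor in FEEDS else "nvd"


def cna_os_first(os_vendor: str, os_platform: str, package_vendor: str) -> str:
    """Assumed alternative (not the project's proposal): prefer the OS distributor's
    record when it lists this platform; fall back to the vendor lookup otherwise.
    Substring matching against the platform list is a simplification."""
    entry = FEEDS.get(os_vendor)
    if entry and any(os_platform in p for p in entry.get("platforms", [])):
        return os_vendor
    return cna_by_package_vendor(package_vendor)


def evaluate(os_vendor: str, os_platform: str, package_vendor: str,
             version: str, os_first: bool) -> Tuple[str, bool]:
    """Return (selected CNA, flagged as vulnerable) for one installed package."""
    cna = (cna_os_first(os_vendor, os_platform, package_vendor) if os_first
           else cna_by_package_vendor(package_vendor))
    return cna, is_affected(FEEDS[cna], version)


if __name__ == "__main__":
    # Constructed host: RHEL 8 with a Grafana build inside NVD's [8.0.0, 9.4.16) range.
    for os_first in (False, True):
        print("os_first=%s ->" % os_first,
              evaluate("redhat", "enterprise_linux:8",
                       "contact@grafana.com", "9.4.10", os_first))
```

With the package-vendor policy the RHEL 8 host is reported as ("nvd", True), the false positive from the issue; with the distributor-first policy the same host yields ("redhat", False), and an Ubuntu bionic host yields ("canonical", False). A host whose distributor has no record still falls through to the NVD range, so the fallback is kept for packages no distributor covers.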

sebasfalcone (Member, Author) commented:
Proposed solution

The proposed solution can be found here.

Dwordcito (Member) commented:

Analysis understood; this does not mean that we will address it with what is proposed in #25096.
