Vulnerability Detector W10 & W11 #17178
Merged
Conversation
mateocervilla
previously approved these changes
May 19, 2023
MarcelKemp added labels type/bug (Something isn't working), module/vulnerability detector, platform/windows on May 22, 2023
MarcelKemp
requested changes
May 22, 2023
Co-authored-by: Marcel Kemp Muñoz <marcel.kemp@wazuh.com>
MarcelKemp
approved these changes
May 23, 2023
This was referenced Jun 6, 2023
This was referenced Jun 7, 2023
This was referenced Jun 13, 2023
Description
The issue originates from a change in the CPE format applied by NVD. Previously, the Windows 11 CPE was:
This has been deprecated, and the format is now:
This resulted in a mismatch with the corresponding vulnerability, and therefore it was not reported.
Examples:
The "product_name" build chain for Windows 10 and Windows 11 has been updated, adding the wm_vuldet_build_product_name function. With it, the CVE structure is generated for each agent; the rest was to update the code to correctly detect the vulnerabilities of these systems:
Among the most important changes, we have removed the if that was entered when the generated CPE had a valid version, after which it would scan all the vulnerabilities that did not have a version (-) in the CPE or whose version was generic (*), in order not to cause false positives, in the function wm_vuldet_get_vuln_vulnvd_cpe:
The following CPEs were discarded so as not to generate false positives:
Accepting only:
Now this is not necessary, because the CPE product already includes the version, so we can accept all 3 CPEs:
An example of this issue here
Logs/Alerts example
Windows 11 22h2 patched
Windows 11 21h2 patched
Tests
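To make the matching-rule change described above concrete, here is an added example that is not Wazuh code and not part of the PR: a small CPE 2.3 parser plus the "before" rule (vulnerability CPEs with version "-" or "*" discarded whenever the agent CPE carries a concrete version) beside the "after" rule (all three accepted, because the product name now carries the Windows release). Every CPE string, the agent version "10.0.22621" and the VULN-* names are constructed for illustration and are not the real NVD entries or CVEs from this PR.

```python
"""Illustration of the CPE version-matching rule change described in the PR.

Added example, not Wazuh code. All CPE strings, the agent version and the
VULN-* names below are constructed for illustration; they are not the real
NVD entries or CVEs referenced by the PR.
"""
from dataclasses import dataclass
from typing import List, Tuple

CPE_PREFIX = "cpe:2.3:"
ANY, NA = "*", "-"  # CPE 2.3 logical values: ANY and NOT APPLICABLE


@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: str
    product: str
    version: str
    rest: Tuple[str, ...]  # update, edition, language, sw_edition, target_sw, target_hw, other


def _split_components(body: str) -> List[str]:
    """Split a CPE 2.3 formatted string on ':' while honouring '\\:' escapes."""
    comps, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # keep the escaped char with its backslash
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == ":":
            comps.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    comps.append("".join(cur))
    return comps


def parse_cpe(text: str) -> Cpe:
    """Parse a CPE 2.3 formatted string; matching is case-insensitive, so lower-case it."""
    if not text.startswith(CPE_PREFIX):
        raise ValueError(f"not a CPE 2.3 formatted string: {text!r}")
    comps = [c.lower() for c in _split_components(text[len(CPE_PREFIX):])]
    if len(comps) != 11:
        raise ValueError(f"expected 11 components, got {len(comps)}: {text!r}")
    return Cpe(comps[0], comps[1], comps[2], comps[3], tuple(comps[4:]))


def product_matches(agent: Cpe, vuln: Cpe) -> bool:
    """part/vendor/product must be equal, with '*' on the vulnerability side matching anything."""
    return all(getattr(vuln, f) in (ANY, getattr(agent, f)) for f in ("part", "vendor", "product"))


def old_rule(agent: Cpe, vuln: Cpe) -> bool:
    """Behaviour removed by the PR: when the agent CPE carries a concrete version,
    vulnerability CPEs with version NA ('-') or ANY ('*') are discarded and only
    an exact version match is accepted."""
    if not product_matches(agent, vuln):
        return False
    if agent.version not in (ANY, NA):
        return vuln.version == agent.version
    return True


def new_rule(agent: Cpe, vuln: Cpe) -> bool:
    """Behaviour after the PR: the product name already encodes the Windows
    release, so NA, ANY and an exact version are all accepted."""
    return product_matches(agent, vuln) and (vuln.version in (ANY, NA) or vuln.version == agent.version)


def scan(agent: Cpe, vulns: List[Tuple[str, str]], rule) -> List[str]:
    """Return the names of the vulnerability entries whose CPE matches the agent under `rule`."""
    return [name for name, cpe in vulns if rule(agent, parse_cpe(cpe))]


# Constructed sample data (hypothetical; not the NVD entries from the PR).
AGENT_CPE = "cpe:2.3:o:microsoft:windows_11_22h2:10.0.22621:*:*:*:*:*:*:*"
SAMPLE_VULNS = [
    ("VULN-A", "cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:*:*"),           # NA version
    ("VULN-B", "cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*"),           # ANY version
    ("VULN-C", "cpe:2.3:o:microsoft:windows_11_22h2:10.0.22621:*:*:*:*:*:*:*"),  # exact version
    ("VULN-D", "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*"),           # other product
    ("VULN-E", "cpe:2.3:o:microsoft:windows_11_22h2:10.0.22000:*:*:*:*:*:*:*"),  # other version
]


def compare_rules() -> Tuple[List[str], List[str]]:
    """Run the same sample set through the old and the new rule."""
    agent = parse_cpe(AGENT_CPE)
    return scan(agent, SAMPLE_VULNS, old_rule), scan(agent, SAMPLE_VULNS, new_rule)


if __name__ == "__main__":
    before, after = compare_rules()
    print("old rule:", before)  # only the exact-version entry is reported
    print("new rule:", after)   # NA, ANY and exact-version entries are reported
```

Running it shows the false negative the PR fixes: under the old rule only VULN-C is reported for the agent, while VULN-A and VULN-B (the NA and ANY forms that NVD now uses with the release baked into the product name) are silently dropped; under the new rule all three are reported, and the entries for a different product or a different concrete version are still excluded under both rules.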