
Vulnerability Detector W10 & W11 #17178

Merged
merged 12 commits into from Jun 2, 2023

Conversation


@lsayanes lsayanes commented May 19, 2023

Related issue
#15160

Description

The issue originates from the change in the CPE format that has been applied in NVD, as previously the Windows 11 CPE was:

This has been deprecated and the format is:

This resulted in a mismatch with the corresponding vulnerability and therefore it was not reported.
Examples:

Old CPE: https://nvd.nist.gov/vuln/detail/CVE-2022-44698#vulnConfigurationsArea
New CPE: https://nvd.nist.gov/vuln/detail/CVE-2023-28250#vulnConfigurationsArea

The "product_name" build chain for Windows 10 and Windows 11 has been updated by adding the wm_vuldet_build_product_name function; with it, the CVE structure is generated for each agent.
The rest of the work was updating the code so that it correctly detects the vulnerabilities of these systems:

  • W11 21H2 & W11 22H2
  • W10 22H2 & W10 1809

Among the most important changes, we have removed the `if` that was entered when the generated CPE had a valid version: it skipped all the vulnerabilities whose CPE had no version (-) or a generic version (*), in order not to cause false positives. It lived in the function wm_vuldet_get_vuln_vulnvd_cpe:

    // For a WIN10 O.S product with a valid product version, discard those
    // CPE's that matched using '-' or '*'.
    // (Closing parenthesis of the condition restored; it was missing in the excerpt.)
    if (agent_cpe->part && (agent_cpe->part[0] == 'o') && cpe_version &&
        agent_cpe->vendor && strcmp(cpe_version, agent_cpe->version) &&
        (agent->dist_ver == FEED_W10 || agent->dist_ver == FEED_W11)) {
        continue;
    }

The following CPEs were discarded so as not to generate false positives:

  • o:microsoft:windows_10:*
  • o:microsoft:windows_10:-

Accepting only:

  • o:microsoft:windows_10:

Now it is not necessary, because the CPE product already includes the version, so we can accept all 3 CPEs:

  • microsoft:windows_10_:os_version
  • microsoft:windows_10_:*
  • microsoft:windows_10_:-

An example of this issue here

Logs/Alerts example

Windows 11 22h2 patched

[...]
2023/05/17 19:00:45 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector.c:2804 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5438): A full scan will be run on agent '004'
2023/05/17 19:00:45 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector.c:5682 at wm_vuldet_collect_agent_software(): DEBUG: (5437): Collecting agent '004' software.
2023/05/17 19:00:45 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector.c:6974 at wm_vuldet_insert_agent_data(): DEBUG: (5446): The CPE 'o:microsoft:windows_11_22h2:10.0.22621.1702::::::x64:' from the agent '004' was indexed.
2023/05/17 19:00:45 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector_nvd.c:3272 at wm_vuldet_add_dic_cpe(): DEBUG: (5446): The CPE 'a:wazuh:wazuh:4.4.1::::::x86:' from the agent '004' was indexed.
2023/05/17 19:00:45 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector.c:2827 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '004' vulnerabilities.
2023/05/17 19:00:45 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector_nvd.c:1859 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5451): Analyzing NVD vulnerabilities for agent '004'
2023/05/17 19:00:45 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector_nvd.c:1871 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'find NVD' vulnerabilities in agent '004'
2023/05/17 19:00:45 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector_nvd.c:1873 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5466): Sending vulnerabilities report for agent '004'
2023/05/17 19:00:45 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector_nvd.c:1883 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'report' vulnerabilities in agent '004'
2023/05/17 19:00:45 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector.c:2846 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5471): Finished vulnerability assessment for agent '004'
2023/05/17 19:00:45 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector.c:2847 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'scan' vulnerabilities in agent '004'

Windows 11 21h2 patched

[...]
2023/05/17 19:00:46 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector.c:2799 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5491): A baseline scan will be run on agent '006'
2023/05/17 19:00:46 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector.c:5682 at wm_vuldet_collect_agent_software(): DEBUG: (5437): Collecting agent '006' software.
2023/05/17 19:00:46 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector.c:6974 at wm_vuldet_insert_agent_data(): DEBUG: (5446): The CPE 'o:microsoft:windows_11_21h2:10.0.22000.318::::::x64:' from the agent '006' was indexed.
2023/05/17 19:00:46 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector_nvd.c:3272 at wm_vuldet_add_dic_cpe(): DEBUG: (5446): The CPE 'a:wazuh:wazuh:4.4.1::::::x86:' from the agent '006' was indexed.
2023/05/17 19:00:46 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector.c:2827 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '006' vulnerabilities.
2023/05/17 19:00:46 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector_nvd.c:1859 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5451): Analyzing NVD vulnerabilities for agent '006'
2023/05/17 19:00:46 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector_nvd.c:1871 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'find NVD' vulnerabilities in agent '006'
2023/05/17 19:00:46 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector_nvd.c:1873 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5466): Sending vulnerabilities report for agent '006'
2023/05/17 19:00:46 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector_nvd.c:1883 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'report' vulnerabilities in agent '006'
2023/05/17 19:00:46 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector.c:2846 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5471): Finished vulnerability assessment for agent '006'
2023/05/17 19:00:46 wazuh-modulesd:vulnerability-detector[225176] wm_vuln_detector.c:2847 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'scan' vulnerabilities in agent '006'

Tests

  • Compilation without warnings in every supported platform
    • Linux
  • Source installation
  • Package installation
  • Source upgrade
  • Package upgrade
  • Review logs syntax and correct language
  • QA templates contemplate the added capabilities
  • Memory tests for Linux
    • Scan-build report
    • Coverity
    • Valgrind (memcheck and descriptor leaks check)
    • AddressSanitizer
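As an added illustration (not Wazuh's code), here are the two pieces the description above turns on: building the release-qualified product name that the new NVD CPE format uses, and the match rule with the removed `if` reproduced beside the post-change behaviour. The helper names, the `old_rule` flag and the sample inputs are my own; the agent version is the one seen in the logs above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: append src to out lower-cased, spaces -> '_'.
 * Returns -1 instead of truncating. */
static int append_lower(char *out, size_t out_len, size_t *n, const char *src) {
    for (; *src; src++) {
        if (*n + 1 >= out_len) return -1;
        out[(*n)++] = (*src == ' ') ? '_' : (char)tolower((unsigned char)*src);
    }
    out[*n] = '\0';
    return 0;
}

/* "Windows 11" + "22H2" -> "windows_11_22h2"; with no release -> "windows_11". */
int build_product_name(const char *os_name, const char *release,
                       char *out, size_t out_len) {
    size_t n = 0;
    if (out_len == 0 || append_lower(out, out_len, &n, os_name) != 0) return -1;
    if (release && *release) {
        if (append_lower(out, out_len, &n, "_") != 0) return -1;
        if (append_lower(out, out_len, &n, release) != 0) return -1;
    }
    return 0;
}

/* Does a feed CPE (product, version) cover the agent CPE?
 * old_rule = 1 reproduces the removed 'if': when the agent has a valid
 * version, feed entries matched only through '*' or '-' are discarded.
 * old_rule = 0 is the post-change behaviour: '*' and '-' are accepted,
 * because the release is already encoded in the product name. */
int cpe_matches(const char *feed_product, const char *feed_version,
                const char *agent_product, const char *agent_version, int old_rule) {
    if (strcmp(feed_product, agent_product) != 0) return 0;
    int generic = strcmp(feed_version, "*") == 0 || strcmp(feed_version, "-") == 0;
    if (generic) return (old_rule && agent_version && *agent_version) ? 0 : 1;
    return agent_version && strcmp(feed_version, agent_version) == 0;
}

int main(void) {
    char product[64];
    const char *build = "10.0.22621.1702"; /* agent version from the logs above */
    build_product_name("Windows 11", "22H2", product, sizeof product);
    printf("%s / '*': now=%d before=%d\n", product,
           cpe_matches(product, "*", product, build, 0),
           cpe_matches(product, "*", product, build, 1));
    return 0;
}
```

With the release in the product name, a feed entry for windows_11_21h2 no longer matches a 22H2 agent even through '*', which is why the generic versions can be accepted again without false positives.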

@mateocervilla mateocervilla changed the base branch from master to 4.4 May 19, 2023 18:04
mateocervilla previously approved these changes May 19, 2023
Co-authored-by: Marcel Kemp Muñoz <marcel.kemp@wazuh.com>
@vikman90 vikman90 changed the base branch from 4.4 to 4.4.4 June 2, 2023 06:26
@vikman90 vikman90 merged commit 635b63b into 4.4.4 Jun 2, 2023
45 checks passed
Successfully merging this pull request may close these issues.

Vulnerability Scanner Shows 399 Vulnerabilities on a fully patched Windows 11 system