Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

macOS vulnerability alerts are not correctly collected #5321

Closed
Rebits opened this issue Apr 30, 2024 · 3 comments · Fixed by #5337
Closed

macOS vulnerability alerts are not correctly collected #5321

Rebits opened this issue Apr 30, 2024 · 3 comments · Fixed by #5337
Assignees
@Rebits
Labels
level/task Task issue type/bug

Comments

@Rebits
Copy link
Member

Rebits commented Apr 30, 2024
edited
Loading

Description

It has been detected Additional Vulnerability Detection End-to-End that vulnerability alerts for macOS agents are not correctly collected.
If we check the evidence we can see in the manager alerts file and in the indexed vulnerabilities that the alerts indeed appear. However the validator is ignoring it

Note

Report is provided here #5287
@Rebits Rebits mentioned this issue Apr 30, 2024
Closed
@wazuhci wazuhci moved this to Triage in Release 4.8.0 Apr 30, 2024
@wazuhci wazuhci moved this from Triage to Backlog in Release 4.8.0 May 2, 2024
@Rebits Rebits self-assigned this May 3, 2024
@wazuhci wazuhci moved this from Backlog to In progress in Release 4.8.0 May 3, 2024
@Rebits
Copy link
Member Author

Rebits commented May 3, 2024

To streamline the troubleshooting process for this issue, we've devised a straightforward script to replicate failing cases. This approach simplifies the debugging of current parsing vulnerability methods, eliminating the need to run the entire test suite.

parse_macos_vuln.py 
import os
import json

from wazuh_testing.end_to_end.vulnerability_detector import get_vulnerability_detector_alerts, \
    parse_vulnerabilities_from_alerts
from wazuh_testing.end_to_end.remote_operations_handler import get_expected_alerts
from wazuh_testing.end_to_end.check_validators import compare_expected_found_vulnerabilities_alerts

from wazuh_testing.tools.system import HostManager


host_manager = HostManager("<INVPATH>")

package_data = {
    'centos': {
        'amd64': 'grafana-8.5.5-1',
        'arm64v8': 'grafana-8.5.5-1'
    },
    'ubuntu': {
        'amd64': 'grafana-8.5.5',
        'arm64v8': 'grafana-8.5.5'
    },
    'windows': {
        'amd64': 'node-v17.0.1'
    },
    'macos': {
        'amd64': 'http-proxy-0.5.9',
        'arm64v8': 'http-proxy-0.5.9'
    }
}

if __name__ == "__main__":
    vulnerabilities_alerts = []
    with open("alerts.json", "r") as f:
        vulnerabilities_alerts = json.load(f)

    alerts = get_vulnerability_detector_alerts(vulnerabilities_alerts)
    parsed_vulnerabilities_mitigated = parse_vulnerabilities_from_alerts(alerts['mitigated'])
    parsed_vulnerabilities_affected = parse_vulnerabilities_from_alerts(alerts['affected'])

    expected_alerts = get_expected_alerts(host_manager, ['agent6'], 'install_package', package_data)

    alerts = {"affected": {"agent6": parsed_vulnerabilities_affected}}

    result_alert = compare_expected_found_vulnerabilities_alerts(alerts, expected_alerts)
    print(result_alert)

In addition we are going to use the following alert index to simulate real information collected from the wazuh-indexer

http-proxy Alert Index Example 
[
{
  "_index": "wazuh-alerts-4.x-2024.04.22",
  "_id": "YqpJBY8BJodbzcVedMR2",
  "_score": 4.6972857,
  "_source": {
    "cluster": {
      "node": "master",
      "name": "wazuh"
    },
    "agent": {
      "ip": "192.168.64.5",
      "name": "agent6",
      "id": "006"
    },
    "manager": {
      "name": "ip-172-31-7-224"
    },
    "data": {
      "vulnerability": {
        "severity": "Medium",
        "package": {
          "condition": "Package less than 0.7.0",
          "name": "http-proxy",
          "source": " ",
          "version": "0.5.9",
          "architecture": " "
        },
        "assigner": "hackerone",
        "cwe_reference": "CWE-388",
        "published": "2018-06-04T19:29:00Z",
        "title": "CVE-2017-16014 affects http-proxy",
        "type": "Packages",
        "rationale": "Http-proxy is a proxying library. Because of the way errors are handled in versions before 0.7.0, an attacker that forces an error can crash the server, causing a denial of service.",
        "reference": "https://github.com/nodejitsu/node-http-proxy/pull/101, https://nodesecurity.io/advisories/323",
        "cve": "CVE-2017-16014",
        "enumeration": "CVE",
        "cvss": {
          "cvss2": {
            "base_score": "5",
            "vector": {
              "integrity_impact": "NONE",
              "availability": "PARTIAL",
              "confidentiality_impact": "NONE",
              "access_complexity": "LOW",
              "authentication": "NONE"
            }
          }
        },
        "updated": "2019-10-09T23:24:36Z",
        "status": "Active"
      }
    },
    "rule": {
      "firedtimes": 13,
      "mail": false,
      "level": 7,
      "pci_dss": ["11.2.1", "11.2.3"],
      "tsc": ["CC7.1", "CC7.2"],
      "description": "CVE-2017-16014 affects http-proxy",
      "groups": ["vulnerability-detector"],
      "id": "23504",
      "gdpr": ["IV_35.7.d"]
    },
    "decoder": {
      "name": "json"
    },
    "input": {
      "type": "log"
    },
    "@timestamp": "2024-04-22T10:10:45.737Z",
    "location": "vulnerability-detector",
    "id": "1713780645.2742706",
    "timestamp": "2024-04-22T10:10:45.737+0000"
  }
}
]

Currently, we can see, that it is not detecting expected vulnerability:

{'vulnerabilities_affected_not_found': {'agent6': [Vulnerability(cve='CVE-2017-16014', package_name='http-proxy', package_version='0.5.9', architecture='')]}, 'vulnerabilities_mitigated_not_found': {}, 'failed_agents': ['agent6'], 'result': False}

However, if we check the currently detected vulnerability, we see that it is expecting a vulnerability with as architecture instead of ``:

{'agent6': [Vulnerability(cve='CVE-2017-16014', package_name='http-proxy', package_version='0.5.9', architecture=' ')]}

We need to stript collected vulnerability fields in the parse_vulnerabilities_from_alerts and get_vulnerabilities_from_states functions

@Rebits Rebits linked a pull request May 3, 2024 that will close this issue
Fix macOS alert collection for E2E Vulnerability Detection tests #5337
Merged
@wazuhci wazuhci moved this from In progress to Pending review in Release 4.8.0 May 6, 2024
@wazuhci wazuhci moved this from Pending review to In review in Release 4.8.0 May 6, 2024
@rafabailon
Copy link
Member

LGTM

@wazuhci wazuhci moved this from In review to Pending final review in Release 4.8.0 May 6, 2024
@davidjiglesias
Copy link
Member

LGTM

@wazuhci wazuhci moved this from Pending final review to Done in Release 4.8.0 May 7, 2024
@santipadilla santipadilla mentioned this issue May 8, 2024
Closed
@MARCOSD4 MARCOSD4 mentioned this issue May 8, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Rebits Rebits

Labels
level/task Task issue type/bug
Projects
No open projects
Release 4.8.0
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix macOS alert collection for E2E Vulnerability Detection tests wazuh/wazuh-qa
3 participants
@Rebits @davidjiglesias @rafabailon