
Vulnerability Detector: Test Windows vulnerabilities with different cpe settings #798

Closed · 7 of 15 tasks
DFolchA opened this issue Jun 24, 2020 · 3 comments

Comments

DFolchA (Contributor) commented Jun 24, 2020

| Version | Component | Core issue | Core development branch | Notes |
|---|---|---|---|---|
| 4.5 | VD | wazuh/wazuh#13434 | wazuh/wazuh#14356 | Added for packages with no version available. |

Description

The goal of this issue is to check that the Windows alerts appear when the vulnerability CPE contains different fields instead of using `*`, which matches everything; for example, setting the architecture to x86_64 should only report a vulnerability for x86_64 packages.

The fields that we have to test are:

  • VENDOR
  • PRODUCT
  • VERSION
  • UPDATED
  • EDITION
  • LANGUAGE
  • SW_EDITION
  • TARGET_SW
  • TARGET_HW
  • OTHER

These have to be set in the CPE section of the NVD feed and in the package inserted in the database.

Configuration and considerations

  • The following configuration should be applied:
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>

Note that by default the fix is not tested (as it was producing false positives), so it is necessary to add the PoC or similar input to test it.

Use Cases

For the following test cases, verify that no issue (memory leaks, service down...) appears during the feed parsing, and the vulnerability database (cve.db) is properly filled with the vulnerabilities from the feeds.

  • Run Vulnerability Detector with a connected Windows agent that has a Tomcat 7 package.
    • An old Tomcat 7 package (which has neither vendor nor version), such as Tomcat 7.0.27.

    For this case it will be necessary to add the PoC explained in the PR.

    • A recent Tomcat 7 package with vulnerabilities, such as Tomcat 7.0.103.
  • Test that the CPE Helper fix works correctly.
    • Test mock package without version and vendor (adding its corresponding translation) to find its respective vulnerabilities.
    • Add translation to the CPE Helper as explained in the PR PoC and test that it shows the corresponding vulnerabilities.
    • Add translation to the CPE Helper of a package without version without specifying the action set_version_if_product_matches, so that it shows the new Debug message.

Development stage

  • In research
  • In development
    • Windows
  • In testing phase
    • Linux (Only to check that nothing is broken)
    • Windows
  • In Review
  • Completed
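The matching rule the description is testing (a pinned CPE attribute must match only packages with that value, `*` matches anything, and a package whose vendor or version is unknown can never satisfy a pinned attribute until a CPE helper translation fills it in) is shown below as an added example. It is not Wazuh code and does not model Wazuh's internal CPE representation or the cpe_helper format; it works on CPE 2.3 formatted strings, using the attribute names of the CPE 2.3 specification (`update` rather than `UPDATED`). The packages and CPE strings are constructed for the example; the Tomcat 7.0.27 version comes from the use cases above.

```python
"""Added example (not Wazuh code): CPE 2.3 attribute matching against an
inventory, showing the difference between a pinned attribute and '*'.
"""

# The 11 CPE 2.3 attributes, in formatted-string order after "cpe:2.3:".
CPE_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")

ANY = "*"   # logical ANY: matches every value, including an unknown one
NA = "-"    # logical NA: the attribute does not apply (treated as a literal here)


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 attributes.

    A backslash-escaped colon ("\\:") inside a value is kept in the value
    rather than treated as a separator.
    """
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    body = cpe[len("cpe:2.3:"):]
    parts, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ":":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    if len(parts) != len(CPE_ATTRS):
        raise ValueError("expected %d attributes, got %d" % (len(CPE_ATTRS), len(parts)))
    return dict(zip(CPE_ATTRS, parts))


def attr_matches(feed_value: str, pkg_value) -> bool:
    """Match one feed attribute against one package attribute.

    '*' matches anything, even a package field that is unknown (None). Any
    other feed value needs the package to carry exactly that value
    (case-insensitively); an unknown package field never satisfies it, which
    is why a package with no vendor or version needs a translation first.
    """
    if feed_value == ANY:
        return True
    if pkg_value is None:
        return False
    return feed_value.lower() == str(pkg_value).lower()


def cpe_matches_package(feed_cpe: str, pkg: dict) -> bool:
    """True if every attribute of the feed CPE matches the package."""
    feed = parse_cpe23(feed_cpe)
    return all(attr_matches(feed[a], pkg.get(a)) for a in CPE_ATTRS)


def affected_packages(feed_cpe: str, packages: list) -> list:
    """Names of the inventory packages a feed CPE would flag."""
    return [p["name"] for p in packages if cpe_matches_package(feed_cpe, p)]


# Constructed inventory: two Tomcat 7.0.27 installs on different hardware and
# one legacy install with neither vendor nor version known (None).
PACKAGES = [
    {"name": "tomcat-x86_64", "part": "a", "vendor": "apache", "product": "tomcat",
     "version": "7.0.27", "target_hw": "x86_64"},
    {"name": "tomcat-x86", "part": "a", "vendor": "apache", "product": "tomcat",
     "version": "7.0.27", "target_hw": "x86"},
    {"name": "tomcat-legacy", "part": "a", "vendor": None, "product": "tomcat",
     "version": None, "target_hw": "x86_64"},
]

if __name__ == "__main__":
    for feed in ("cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*",        # hw = ANY
                 "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:x86_64:*",   # hw pinned
                 "cpe:2.3:a:*:tomcat:*:*:*:*:*:*:x86_64:*"):            # vendor/version = ANY
        print(feed, "->", affected_packages(feed, PACKAGES))
```

Real feeds also express affected versions as ranges (start/end including or excluding) rather than as a single pinned value, so a production matcher needs a version comparison on top of the attribute logic above; this example keeps versions to exact-or-ANY so that the effect of each CPE field stays visible.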
fedepacher (Contributor) commented

Update 2023/01/09

In the process of research.
At this point, I am trying to reproduce the steps of the issue.

fedepacher (Contributor) commented

Update 2023/01/11

Working on a simulated agent that inserts in the database the following package:

INSERT into sys_programs(scan_id, scan_time, format, name, architecture, location, triaged, checksum, item_id) VALUES ("1655979708", "2022/08/09 12:15:52", "win", "MOCK PACKAGE 8.9-22 (MOCKED PACKAGE)", "x86_64", "C:\Program Files\Apache\Tomcat\", 0, "legacy", "e19cab0360ed7a0ca629ace0888bcee89a321500");

So, the query will get the following:

SELECT * FROM sys_programs WHERE name LIKE '%MOCK%';

scan_id|scan_time|format|name|priority|section|size|vendor|install_time|version|architecture|multiarch|source|description|location|triaged|cpe|msu_name|checksum|item_id
1655979708|2022/08/09 12:15:52|win|MOCK PACKAGE 8.9-22 (MOCKED PACKAGE)|||||||x86_64||||C:\Program Files\Apache\Tomcat\|0|||legacy|e19cab0360ed7a0ca629ace0888bcee89a321500

The purpose of this is to get the following log in the ossec.log file:

2023/01/11 19:38:52 wazuh-modulesd:vulnerability-detector[177865] wm_vuln_detector_nvd.c:3268 at wm_vuldet_add_dic_cpe(): DEBUG: (5446): The CPE 'a:MOCK_VENDOR:MOCK_PACKAGE:8.9-22::::::x64:' from the agent '001' was indexed.

fedepacher (Contributor) commented

Update 2023/01/13

After analyzing the insert_package function of the agent_db.py file, it has been concluded that in order to insert a package with some text field empty, it must be passed as an argument in the following way:

vendor='NULL'

So, the function call will be something like this:

agent_db.insert_package(name=package['name'], format=package['format'],
                        architecture=package['architecture'],
                        agent_id=mock_agent_with_custom_system, vendor='NULL')
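The two updates above (the simulated agent inserting the mock package, and the `vendor='NULL'` convention for leaving a field empty) are put together below as an added example. It is not wazuh-qa code: the `insert_package()` here is a stand-in written for this example, not `agent_db.insert_package()` from agent_db.py, and the only thing it assumes is the convention the comment describes, that the string `'NULL'` means "leave this field empty". The column list is the one printed by the SELECT in the earlier comment; the mock package values are the ones from the INSERT there.

```python
"""Added example (not wazuh-qa code): simulate the agent-side insert of a
package with empty fields into sys_programs and check what actually landed
in the row.

Every value is bound as a parameter, so the 'NULL' sentinel becomes a real
SQL NULL without any value being spliced into the statement text.
"""
import sqlite3

# Columns of sys_programs, in the order the SELECT output above prints them.
SYS_PROGRAMS_COLUMNS = (
    "scan_id", "scan_time", "format", "name", "priority", "section", "size",
    "vendor", "install_time", "version", "architecture", "multiarch", "source",
    "description", "location", "triaged", "cpe", "msu_name", "checksum", "item_id",
)

NULL_SENTINEL = "NULL"   # assumed convention: the string 'NULL' means SQL NULL


def open_agent_db() -> sqlite3.Connection:
    """In-memory stand-in for the agent DB, holding only sys_programs."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join('"%s"' % c for c in SYS_PROGRAMS_COLUMNS)
    conn.execute("CREATE TABLE sys_programs (%s)" % cols)
    return conn


def insert_package(conn: sqlite3.Connection, **fields) -> None:
    """Insert one sys_programs row from keyword arguments.

    Unknown columns are rejected, columns not supplied stay NULL, and the
    'NULL' sentinel is turned into a real NULL before the values are bound.
    """
    unknown = set(fields) - set(SYS_PROGRAMS_COLUMNS)
    if unknown:
        raise ValueError("unknown sys_programs columns: %s" % sorted(unknown))
    cols = list(fields)
    values = [None if fields[c] == NULL_SENTINEL else fields[c] for c in cols]
    sql = "INSERT INTO sys_programs (%s) VALUES (%s)" % (
        ", ".join('"%s"' % c for c in cols), ", ".join("?" for _ in cols))
    conn.execute(sql, values)
    conn.commit()


def package_row(conn: sqlite3.Connection, name_pattern: str) -> dict:
    """First package whose name matches a LIKE pattern, as column -> value."""
    cur = conn.execute("SELECT * FROM sys_programs WHERE name LIKE ?", (name_pattern,))
    row = cur.fetchone()
    return dict(zip(SYS_PROGRAMS_COLUMNS, row)) if row else {}


def packages_missing(conn: sqlite3.Connection, column: str) -> list:
    """Names of packages whose given column is NULL or blank.

    Identifiers cannot be bound as parameters, so the column name is checked
    against the known list before it is placed in the statement.
    """
    if column not in SYS_PROGRAMS_COLUMNS:
        raise ValueError("not a sys_programs column: %r" % column)
    sql = ("SELECT name FROM sys_programs WHERE \"%s\" IS NULL OR \"%s\" = '' "
           "ORDER BY name" % (column, column))
    return [r[0] for r in conn.execute(sql)]


def build_demo_db() -> sqlite3.Connection:
    """Insert the mock package from the comment above, vendor and version left empty."""
    conn = open_agent_db()
    insert_package(conn,
                   scan_id="1655979708", scan_time="2022/08/09 12:15:52", format="win",
                   name="MOCK PACKAGE 8.9-22 (MOCKED PACKAGE)", architecture="x86_64",
                   location="C:\\Program Files\\Apache\\Tomcat\\", triaged=0,
                   checksum="legacy", item_id="e19cab0360ed7a0ca629ace0888bcee89a321500",
                   vendor=NULL_SENTINEL, version=NULL_SENTINEL)
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    row = package_row(db, "%MOCK%")
    # Same pipe-separated shape as the sqlite3 shell output in the comment above.
    print("|".join("" if row[c] is None else str(row[c]) for c in SYS_PROGRAMS_COLUMNS))
    print("packages with no vendor:", packages_missing(db, "vendor"))
```

The check worth keeping from this is `packages_missing()`: after the simulated agent has written its rows, querying for NULL or blank vendor/version tells you which packages will only be indexed once a CPE helper translation supplies those fields, which is the precondition for the "mock package without version and vendor" use case.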

@jmv74211 jmv74211 removed this from the Development 4.5 milestone Jan 25, 2023
jmv74211 added a commit that referenced this issue Feb 2, 2023
* feat(#798): add new test to check missing fields in cpe_helper file

* refactor(#798): refactor code style and add changelog comment

* refactor(#798): refactor test timeout

* refactor(#798): refactor code style

* refactor(#798): replace read and write file function

* refactor(#798): refactor code and add new tests

* refactor(#798): refactor code style

* refactor: add tier mark to CPE helper tests

---------

Co-authored-by: jmv74211 <[email protected]>
@jmv74211 jmv74211 closed this as completed Feb 3, 2023
mauromalara pushed a commit that referenced this issue Mar 2, 2023
QU3B1M pushed a commit that referenced this issue Mar 15, 2023