Lots of False Positive CVE reports by Wazuh

[agoerl]

Hello,

after setting up Wazuh vulnerability scanning, I am getting lots of False Positives.

I am scanning Ubuntu Servers but get lots of alerts for CVEs affecting other distros like Debian or Fedora. This happens at a scale making it barely useful. But i think it should be able to work correctly, so I am wondering I missing something in the setup.

This is my setup:

• SO installation using 2.3.190.
• CVE feed downloads enable for NIST and Canonical:

 <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>6h</interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>focal</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Must be disabled. See: https://github.com/wazuh/wazuh-kibana-app/issues/2194 -->
    <provider name="redhat">
      <enabled>no</enabled>
    </provider>
    <! -- Must be enabled. Otherwise linux agents wont work -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <path>/var/ossec/data/var/nvd/nvd-feed.*json$</path>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>

• Syscollector is enable in configuration on local agents and reporting fields like

wazuh.data.os.codename: Focal Fossa
wazuh.data.os.major: 20

• Alerts coming in for e.g. CVE-2021-3973 which is a heap overflow in vim. The affected version is <8.2.3611 in this feed:

    "cpe_match" : [ {
         "vulnerable" : true,
         "cpe23Uri" : "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*",
         "versionEndExcluding" : "8.2.3611",
         "cpe_name" : [ ]
       } ]
  
  
  

But Ubuntu fixed this in earlier versions with respect to their own versioning. The Canoncial CVE DB also reflects this and does not match.

• When I examine the NVD feed it state that this CVE is applicable for Fedora 34 and 35 and Debian 9.0. See this shortened snipplet from the feed:

{
        "operator" : "OR",
        "children" : [ ],
        "cpe_match" : [ {
          "vulnerable" : true,
          "cpe23Uri" : "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
          "cpe_name" : [ ]
        }, {
          "vulnerable" : true,
          "cpe23Uri" : "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
          "cpe_name" : [ ]
        } ]
      }, {
        "operator" : "OR",
        "children" : [ ],
        "cpe_match" : [ {
          "vulnerable" : true,
          "cpe23Uri" : "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
          "cpe_name" : [ ]
        } ]
      } ]
    },

So, this should not match. But it does and produces an alert as well as other CVEs.

In case of a single False Positive I would not bother and just put it in a list to be ignored. This is easy enough with Wazuh. But I have lots of such cases and therefore expect more in the future with new CVEs. I need a general solution and think this is built already into Wazuh and just does not work in my setup.

I would appreciate any thoughts regarding possible solutions to this.

[cm-ops]

These kinds of issues can happen with the vulnerability scanning in Wazuh and that's why we don't enable that feature by default.