Ignoring CVE-2019-20367 on Debian GNU/Linux buster

Hello,

CVE-2019-20367 is found in Debian GNU/Linux buster. There is a security bug report about it that is ignored because it is considered minor. There exists a backport in Ubuntu and it was fixed in bullseye.

It would be useful for wazuh to check the Debian GNU/Linux page for CVE-2019-20367 when setting the alert level because nothing can be done about it.

An alert is sent about this every 6h by wazuh :sweat_smile: @Pimthepoi do you know of a way to tell it: “that’s ok, I know, I know, forget about it” ?

We can add

<rule id="100010" level="0">
  <if_sid>23503,23504,23505,23506</if_sid>
  <field name="vulnerability.cve">CVE-2019-20367</field>
  <description>Vulnerable non-upgradeable packages</description>
</rule>

in

/var/ossec/etc/rules/local_rules.xml

Or if we have multiple:

<rule id="100010" level="0">
  <if_sid>23503,23504,23505,23506</if_sid>
  <field name="vulnerability.cve">^CVE-2019-20367$|^CVE-????-????$</field>
  <description>Vulnerable non-upgradeable packages</description>
</rule>

I understand they think vulnerabilities will be fixed as soon as they are found, but reminding them every 6 hours seems like too much; this tool is really useful but feels unpolished…

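Once suppression rules like the ones above accumulate, it is easy to lose track of which CVEs have been silenced, or to leave a placeholder such as `CVE-????-????` in a pattern. The following is an added example, not code from this thread or from the Wazuh project: a small Python audit that parses a `local_rules.xml`, lists every rule overriding the `vulnerability.cve` field, and flags a non-zero level, an `if_sid` outside the vulnerability-detector rule ids quoted in the thread (23503 to 23506), and any alternative that is not a well-formed CVE id. It assumes patterns are written as `|`-separated alternatives with `^`/`$` anchors, as in the second rule above; it only splits that text and does not reimplement Wazuh's own matching engine. The sample rules file embedded at the bottom is constructed for the example.

```python
"""Audit Wazuh local_rules.xml for CVE suppression rules.

Added example for this thread; not code from the original posts or from Wazuh.
It reports every rule that matches on the vulnerability.cve field, the CVE
patterns it covers, and common mistakes: placeholder ids left in a pattern, a
level other than 0 (the alert still fires), or a parent rule id outside the
vulnerability-detector set named in the thread.
"""
import re
import xml.etree.ElementTree as ET

# Parent rule ids of the vulnerability-detector alerts quoted in the thread.
VULN_DETECTOR_SIDS = {23503, 23504, 23505, 23506}

# A well-formed CVE identifier: year plus at least four digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def _iter_rules(xml_text):
    # A rules file may hold several top-level <group> elements, which is not a
    # single XML document, so wrap it in a synthetic root before parsing.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    return root.iter("rule")


def _split_patterns(field_text):
    # Assumption: patterns are "|"-separated alternatives, each optionally
    # anchored with ^ and $. Strip the anchors to recover the candidate ids.
    return [p.strip().strip("^$") for p in field_text.split("|") if p.strip()]


def audit_suppressions(xml_text):
    """Return one finding per rule that matches on vulnerability.cve."""
    findings = []
    for rule in _iter_rules(xml_text):
        field = rule.find("field[@name='vulnerability.cve']")
        if field is None or not field.text:
            continue
        level = int(rule.get("level", "-1"))
        sids = {int(s) for s in (rule.findtext("if_sid") or "").split(",") if s.strip()}
        cves = _split_patterns(field.text)
        issues = []
        if level != 0:
            issues.append(f"level is {level}, not 0: the alert will still fire")
        if not sids:
            issues.append("no if_sid: rule is not tied to the vulnerability-detector alerts")
        elif not sids <= VULN_DETECTOR_SIDS:
            issues.append(f"if_sid outside vulnerability-detector set: {sorted(sids - VULN_DETECTOR_SIDS)}")
        for cve in cves:
            if not CVE_ID_RE.match(cve):
                issues.append(f"'{cve}' is not a valid CVE id (placeholder left in?)")
        findings.append({
            "rule_id": rule.get("id"),
            "if_sid": sorted(sids),
            "cves": cves,
            "description": (rule.findtext("description") or "").strip(),
            "issues": issues,
        })
    return findings


# Constructed sample: the two rule shapes from the thread plus one with a wrong level.
SAMPLE_RULES = """<!-- Local rules (constructed sample for this example) -->
<group name="vulnerability-detector">
  <rule id="100010" level="0">
    <if_sid>23503,23504,23505,23506</if_sid>
    <field name="vulnerability.cve">CVE-2019-20367</field>
    <description>Vulnerable non-upgradeable packages</description>
  </rule>
  <rule id="100011" level="0">
    <if_sid>23506</if_sid>
    <field name="vulnerability.cve">^CVE-2019-20367$|^CVE-????-????$</field>
    <description>Placeholder never replaced</description>
  </rule>
  <rule id="100012" level="3">
    <if_sid>23506</if_sid>
    <field name="vulnerability.cve">CVE-2019-20367</field>
    <description>Wrong level, still alerts</description>
  </rule>
</group>
"""

if __name__ == "__main__":
    for f in audit_suppressions(SAMPLE_RULES):
        status = "ok" if not f["issues"] else "; ".join(f["issues"])
        print(f"rule {f['rule_id']} if_sid={f['if_sid']} cves={f['cves']}: {status}")
```

Run it against the real file with `audit_suppressions(open("/var/ossec/etc/rules/local_rules.xml").read())` to get a periodic inventory of what has been silenced; reviewing that list is what keeps a level-0 override from outliving the reason it was added.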

That solution would be a good short term workaround. Could it be implemented in wazuh itself? I mean, the code logic should know what to do with CVEs that are deliberately ignored. Maybe it’s something to discuss with the wazuh authors and/or submit a bug report/feature request about it?

Here is how /var/ossec/etc/rules/local_rules.xml is set now (manually until we figure out how to do that properly):

<!-- Local rules -->
<group name="vulnerability-detector">
  <rule id="100010" level="0">
    <if_sid>23506</if_sid>
    <field name="vulnerability.cve">CVE-2019-20367</field>
    <description>Vulnerable non-upgradeable packages</description>
  </rule>
</group>

The following blog post suggests a slightly different way to do it:


Yes, I will create a feature request on the wazuh GitHub.


For the record, the proposed change was merged in Enough.