Setting up wazuh vulnerability detector
Due to its high performance cost, the vulnerability detector is disabled by default on Wazuh installs. To enable it we will modify the config file.
NVD local copy
The vulnerability detector module is broken on the version installed on enough. We need to either update it, or to use an offline version of the NVD database. A script to download an offline copy of the database is available here.
You have to run all commands as superuser.
We create a folder for the National Vulnerability Database (NVD).
$ cd /var/ossec/
$ mkdir nvm-database
$ cd nvm-database
We download the provided script that copies the database.
$ wget https://raw.githubusercontent.com/wazuh/wazuh/v3.13.2/tools/vulnerability-detector/nvd-generator.sh
$ chmod +x nvd-generator.sh
Let us run it and extract the results.
$ ./nvd-generator.sh 2002 . # The first argument is the starting year of the CVEs; 2002 is the oldest available.
$ gzip -d *.gz
Good, we should now have our local copy of the NVD database.
We should probably automate this task in the future.
Having an offline copy of the database reduces the cost of the scan operation, and we could configure the refresh to run at night, when bandwidth demand is lower.
Configuration
We will need to do some modifications to the vulnerability detector configuration:
- enable the syscollector (the vulnerability detector works from the package inventory it collects):
<wodle name="syscollector">
<disabled>no</disabled>
</wodle>
- switch to the non-deprecated version of the detector and activate it:
<vulnerability-detector>
<enabled>yes</enabled>
</vulnerability-detector>
- Add support for Debian buster:
<provider name="debian">
<enabled>yes</enabled>
<os>buster</os>
<update_interval>1h</update_interval>
</provider>
- Add support for our local NVD copy:
<provider name="nvd">
<enabled>yes</enabled>
<path>/var/ossec/nvm-database/nvd-feed.*json$</path>
<update_interval>1h</update_interval>
</provider>
To modify the config file use:
$ vim /var/ossec/etc/ossec.conf
Or any other editor. (I'm kidding, use vim.)
Search for "System inventory", delete that section and replace it with our modified version below.
<!-- System inventory -->
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
  <packages>yes</packages>
  <ports all="no">yes</ports>
  <processes>yes</processes>
</wodle>

<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <ignore_time>6h</ignore_time>
  <run_on_start>yes</run_on_start>
  <provider name="debian">
    <enabled>yes</enabled>
    <os>buster</os>
    <update_interval>1h</update_interval>
  </provider>
  <provider name="nvd">
    <enabled>yes</enabled>
    <path>/var/ossec/nvm-database/nvd-feed.*json$</path>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
We now restart the service.
$ service wazuh-manager restart
And check the alert logs to see if we detect some vulnerabilities:
$ tail -1000 /var/ossec/logs/alerts/alerts.log | grep -i "vuln" -A 30
** Alert 1607084451.1353695: - vulnerability-detector,gdpr_IV_35.7.d,pci_dss_11.2.1,pci_dss_11.2.3,tsc_CC7.1,tsc_CC7.2,
2020 Dec 04 12:20:51 (wazuh-host.the.re) 127.0.0.1->vulnerability-detector
Rule: 23504 (level 7) -> 'CVE-2019-20446 affects librsvg2-common'
{"vulnerability":{"package":{"name":"librsvg2-common","source":"librsvg","version":"2.44.10-2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":4.3},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":6.5}},"cve":"CVE-2019-20446","title":"CVE-2019-20446","rationale":"In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.","severity":"Medium","published":"2020-02-02","updated":"2020-07-28","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00024.html","https://gitlab.gnome.org/GNOME/librsvg/issues/515","https://lists.debian.org/debian-lts-announce/2020/07/msg00016.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/","https://usn.ubuntu.com/4436-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20446","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20446"],"assigner":"cve@mitre.org","cve_version":"4.0"}}
vulnerability.package.name: librsvg2-common
vulnerability.package.source: librsvg
vulnerability.package.version: 2.44.10-2.1
vulnerability.package.architecture: amd64
vulnerability.package.condition: Package unfixed
vulnerability.cvss.cvss2.vector.attack_vector: network
vulnerability.cvss.cvss2.vector.access_complexity: medium
vulnerability.cvss.cvss2.vector.authentication: none
vulnerability.cvss.cvss2.vector.confidentiality_impact: none
vulnerability.cvss.cvss2.vector.integrity_impact: none
vulnerability.cvss.cvss2.vector.availability: partial
vulnerability.cvss.cvss2.base_score: 4.300000
vulnerability.cvss.cvss3.vector.attack_vector: network
vulnerability.cvss.cvss3.vector.access_complexity: low
vulnerability.cvss.cvss3.vector.privileges_required: none
vulnerability.cvss.cvss3.vector.user_interaction: required
vulnerability.cvss.cvss3.vector.scope: unchanged
vulnerability.cvss.cvss3.vector.confidentiality_impact: none
vulnerability.cvss.cvss3.vector.integrity_impact: none
vulnerability.cvss.cvss3.vector.availability: high
vulnerability.cvss.cvss3.base_score: 6.500000
vulnerability.cve: CVE-2019-20446
vulnerability.title: CVE-2019-20446
vulnerability.rationale: In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.
vulnerability.severity: Medium
vulnerability.published: 2020-02-02
vulnerability.updated: 2020-07-28
Great, we get an alert!
The next step is to get it working on an app in a Docker container; the step after that is to try to reduce the heavy workload of this operation.
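As an added example (not part of the original post and not a Wazuh tool), a small Python triage script that walks an alerts.log file in the layout shown above, keeps only the vulnerability-detector alerts, reads the JSON payload and ranks the CVEs by CVSS3 base score. The sample log is constructed: the first block reuses the page's CVE-2019-20446 alert with the JSON trimmed, the second block's CVE id, package and rule are placeholders, and the third is a non-vulnerability alert the parser must skip.

```python
import json
import re

# Constructed alerts.log excerpt. Block 1 keeps the page's CVE-2019-20446 data (JSON trimmed);
# block 2 is made up (placeholder CVE id/package/rule); block 3 is a syscheck alert to be skipped.
SAMPLE_ALERTS = """\
** Alert 1607084451.1353695: - vulnerability-detector,gdpr_IV_35.7.d,pci_dss_11.2.1,
2020 Dec 04 12:20:51 (wazuh-host.the.re) 127.0.0.1->vulnerability-detector
Rule: 23504 (level 7) -> 'CVE-2019-20446 affects librsvg2-common'
{"vulnerability":{"package":{"name":"librsvg2-common","version":"2.44.10-2.1","condition":"Package unfixed"},"cvss":{"cvss3":{"base_score":6.5}},"cve":"CVE-2019-20446","severity":"Medium"}}
vulnerability.package.name: librsvg2-common

** Alert 1607084460.1353900: - vulnerability-detector,pci_dss_11.2.1,
2020 Dec 04 12:21:00 (wazuh-host.the.re) 127.0.0.1->vulnerability-detector
Rule: 23506 (level 13) -> 'CVE-0000-0000 affects examplepkg'
{"vulnerability":{"package":{"name":"examplepkg","version":"1.0-1","condition":"Package unfixed"},"cvss":{"cvss3":{"base_score":9.8}},"cve":"CVE-0000-0000","severity":"Critical"}}

** Alert 1607084470.1354000: - syscheck,
2020 Dec 04 12:21:10 (wazuh-host.the.re) 127.0.0.1->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
"""

HEADER = re.compile(r"^\*\* Alert (\S+): - (.*)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def parse_vuln_alerts(text):
    """Return one dict per vulnerability-detector alert; other alert groups are skipped."""
    alerts = []
    for block in text.split("** Alert ")[1:]:
        lines = ("** Alert " + block).strip().splitlines()
        head = HEADER.match(lines[0])
        if head is None or "vulnerability-detector" not in head.group(2).split(","):
            continue
        rec = {"id": head.group(1)}
        for line in lines[1:]:
            m = RULE.match(line)
            if m:
                rec["rule"], rec["level"], rec["desc"] = int(m.group(1)), int(m.group(2)), m.group(3)
            elif line.startswith("{"):  # the JSON payload carries the structured CVE data
                v = json.loads(line)["vulnerability"]
                rec.update(cve=v["cve"], package=v["package"]["name"], severity=v.get("severity"),
                           condition=v["package"].get("condition"),
                           cvss3=v.get("cvss", {}).get("cvss3", {}).get("base_score"))
        alerts.append(rec)
    return alerts

def triage(text, min_cvss3=7.0):
    # (cve, package) pairs scoring at least min_cvss3, highest score first
    hits = [a for a in parse_vuln_alerts(text) if (a.get("cvss3") or 0) >= min_cvss3]
    return [(a["cve"], a["package"]) for a in sorted(hits, key=lambda a: -(a.get("cvss3") or 0))]
```

On a real manager, `triage(open("/var/ossec/logs/alerts/alerts.log").read())` gives the list of packages worth patching first.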
Debugging
By putting wazuh_modules.debug=2 in /var/ossec/etc/local_internal_options.conf and restarting the service, we get debug logs for the modules, which are very helpful when the detector does not produce alerts.