
Check detection of CVE-2024-6387 #24395

Open
4 tasks done
Dwordcito opened this issue Jul 2, 2024 · 4 comments · May be fixed by #24424

Comments

@Dwordcito
Member

Dwordcito commented Jul 2, 2024

Description

Given the impact that CVE-2024-6387 has on the community, it is necessary to confirm that it is within the vulnerability detection capabilities of detector 4.8.

This must be done on all tier 1 platforms.

DoD

  • Validate CVE5 information.
  • Add efficacy tests for the CVEs proposed (and more if found).
  • Validate that the vulnerability is identified.
  • Generate issues to sanitize or add translations.
@sebasfalcone
Member

Issue blocked

Since this CVE is awaiting analysis by the NVD, we must generate the baseline content ourselves. This will be addressed at:

Once this CVE is migrated, we are going to proceed with this issue.

@Dwordcito
Member Author

Commit released, moved to on-hold

@MiguelazoDS
Member

MiguelazoDS commented Jul 4, 2024

Analysis

Detection

Note

The scanner is able to detect the vulnerability.

  • Examples for Centos9 and ArchLinux
2024/07/04 16:06:36 wazuh-modulesd:vulnerability-scanner[36225] packageScanner.hpp:477 at versionMatch(): DEBUG: Match found, the package 'openssh-server', is vulnerable to 'CVE-2024-6387'. Current version: '8.7p1-34.el9' (less than '0:8.7p1-38.el9_4.1' or equal to ''). - Agent 'centos9' (ID: '002', Version: 'v4.7.3').
2024/07/04 16:07:17 wazuh-modulesd:vulnerability-scanner[36225] packageScanner.hpp:477 at versionMatch(): DEBUG: Match found, the package 'openssh', is vulnerable to 'CVE-2024-6387'. Current version: '8.7p1-34.el9' (less than '0:8.7p1-38.el9_4.1' or equal to ''). - Agent 'centos9' (ID: '002', Version: 'v4.7.3').
2024/07/04 16:07:44 wazuh-modulesd:vulnerability-scanner[36225] packageScanner.hpp:477 at versionMatch(): DEBUG: Match found, the package 'openssh-clients', is vulnerable to 'CVE-2024-6387'. Current version: '8.7p1-34.el9' (less than '0:8.7p1-38.el9_4.1' or equal to ''). - Agent 'centos9' (ID: '002', Version: 'v4.7.3').
2024/07/04 16:15:40 wazuh-modulesd:vulnerability-scanner[37329] packageScanner.hpp:477 at versionMatch(): DEBUG: Match found, the package 'openssh', is vulnerable to 'CVE-2024-6387'. Current version: '9.7p1-2' (less than '9.8p1-1' or equal to ''). - Agent 'archlinux' (ID: '001', Version: 'v4.7.4').

According to the ArchLinux feed, package version 9.7p1-2 is vulnerable:
https://security.archlinux.org/CVE-2024-6387
According to the RedHat feed, the package affects version 9 of the operating system:
https://access.redhat.com/security/cve/cve-2024-6387

Both cases were proven above.

According to the Ubuntu feed, the package was fixed in 8.9p1:
https://ubuntu.com/security/CVE-2024-6387

Vulnerability candidates

RedHat 9

openssh_CVE-2024-6387 ==> {
  "candidates": [
    {
      "cveId": "CVE-2024-6387",
      "defaultStatus": "unaffected",
      "platforms": [
        "cpe:/a:redhat:enterprise_linux:9",
        "cpe:/a:redhat:enterprise_linux:9::appstream",
        "cpe:/a:redhat:enterprise_linux:9::crb",
        "cpe:/a:redhat:enterprise_linux:9::highavailability",
        "cpe:/a:redhat:enterprise_linux:9::nfv",
        "cpe:/a:redhat:enterprise_linux:9::realtime",
        "cpe:/a:redhat:enterprise_linux:9::resilientstorage",
        "cpe:/a:redhat:enterprise_linux:9::sap",
        "cpe:/a:redhat:enterprise_linux:9::sap_hana",
        "cpe:/a:redhat:enterprise_linux:9::supplementary",
        "cpe:/o:redhat:enterprise_linux:9",
        "cpe:/o:redhat:enterprise_linux:9::baseos"
      ],
      "versions": [
        {
          "version": "0",
          "lessThan": "0:8.7p1-38.el9_4.1",
          "versionType": "rpm"
        }
      ]
    }
  ]
}

ArchLinux

openssh_CVE-2024-6387 ==> {
  "candidates": [
    {
      "cveId": "CVE-2024-6387",
      "defaultStatus": "unaffected",
      "versions": [
        {
          "version": "9.7p1-2",
          "lessThan": "9.8p1-1",
          "versionType": "custom"
        }
      ]
    }
  ]
}

canonical

openssh-server_CVE-2024-6387 ==> {
  "candidates": [
    {
      "cveId": "CVE-2024-6387",
      "defaultStatus": "unaffected",
      "platforms": [
        "jammy"
      ],
      "versions": [
        {
          "version": "0",
          "lessThan": "1:8.9p1-3ubuntu0.10",
          "versionType": "custom"
        }
      ]
    },
    {
      "cveId": "CVE-2024-6387",
      "defaultStatus": "unaffected",
      "platforms": [
        "mantic"
      ],
      "versions": [
        {
          "version": "0",
          "lessThan": "1:9.3p1-1ubuntu3.6",
          "versionType": "custom"
        }
      ]
    },
    {
      "cveId": "CVE-2024-6387",
      "defaultStatus": "unaffected",
      "platforms": [
        "noble"
      ],
      "versions": [
        {
          "version": "0",
          "lessThan": "1:9.6p1-3ubuntu13.3",
          "versionType": "custom"
        }
      ]
    }
  ]
}

Note

I'm not getting

2024/07/04 17:41:36 wazuh-modulesd:vulnerability-scanner[63237] packageScanner.hpp:415 at versionMatch(): DEBUG: Scanning package - 'openssh-sftp-server' (Installed Version: 1:8.9p1-3ubuntu0.10, Security Vulnerability: CVE-2024-6387). Identified vulnerability: Version: 0. Required Version Threshold: 1:8.9p1-3ubuntu0.10. Required Version Threshold (or Equal): .

in the QA efficacy tests; the content may be outdated.

Update (7/5/2024)

The tar.xz file is outdated, but the information with offset: 756338 is up to date.

wazuh-modulesd:vulnerability-scanner:databaseFeedManager.hpp:227 processMessage : Processing line: 239001
wazuh-modulesd:content-updater:action.hpp:177 runActionOnDemand : Starting on-demand action for 'vulnerability_feed_manager'
wazuh-modulesd:content-updater:action.hpp:210 runAction : Action for 'vulnerability_feed_manager' started
wazuh-modulesd:content-updater:actionOrchestrator.hpp:208 runOffsetUpdate : Running 'vulnerability_feed_manager' offset update
wazuh-modulesd:content-updater:factoryOffsetUpdater.hpp:41 create : FactoryOffsetUpdater - Starting process
wazuh-modulesd:content-updater:updateCtiApiOffset.hpp:70 handleRequest : UpdateCtiApiOffset - Starting process
wazuh-modulesd:content-updater:updateCtiApiOffset.hpp:42 update : Updating offset with value: 756338
wazuh-modulesd:content-updater:action.hpp:221 runAction : Action for 'vulnerability_feed_manager' finished
wazuh-modulesd:vulnerability-scanner:databaseFeedManager.hpp:349 operator() : Feed update process completed
wazuh-modulesd:content-updater:onDemandManager.cpp:169 stopServer : Server stopped
wazuh-modulesd:content-updater:action.hpp:138 stopActionScheduler : Scheduler stopped for 'vulnerability_feed_manager'
Error removing FD from interface.
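The three feed entries above all describe the same half-open range [version, lessThan), with "0" as the lower bound meaning "every earlier build". The following is an added example, not Wazuh's own packageScanner code: it re-implements an rpmvercmp-style epoch:version-release comparison and applies it to the installed versions quoted in the DEBUG lines, including the openssh-sftp-server case where the installed version equals the threshold and therefore must not match. The candidate dicts are constructed from the JSON excerpts; platform filtering and the empty "lessThanOrEqual" bound are deliberately left out, and the Debian-style Ubuntu string is compared with the same rpm rules, which is an approximation.

```python
import re
from typing import List, Tuple

# Constructed from the feed excerpts above (platform filtering omitted).
CANDIDATES = {
    "redhat9":   {"version": "0",       "lessThan": "0:8.7p1-38.el9_4.1", "versionType": "rpm"},
    "archlinux": {"version": "9.7p1-2", "lessThan": "9.8p1-1",            "versionType": "custom"},
    "jammy":     {"version": "0",       "lessThan": "1:8.9p1-3ubuntu0.10", "versionType": "custom"},
}

def _segments(s: str) -> List[str]:
    """Split a version fragment into numeric and alphabetic runs; separators are ignored."""
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a: str, b: str) -> int:
    """Compare two fragments the way rpmvercmp does; returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)          # numeric runs compare as integers (34 < 38)
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run sorts after an alphabetic run
        elif x != y:
            return (x > y) - (x < y)         # alphabetic runs compare lexically
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # the longer one is newer

def parse_evr(s: str) -> Tuple[str, str, str]:
    """Split 'epoch:version-release'; a missing epoch is treated as 0, as the feed does."""
    epoch, sep, rest = s.partition(":")
    if not sep:
        epoch, rest = "0", s
    version, _, release = rest.partition("-")
    return epoch, version, release

def evrcmp(a: str, b: str) -> int:
    """Compare epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        c = vercmp(x, y)
        if c:
            return c
    return 0

def is_vulnerable(installed: str, candidate: dict) -> bool:
    """True when installed lies in [version, lessThan); version '0' means no lower bound."""
    lower, upper = candidate["version"], candidate["lessThan"]
    if lower != "0" and evrcmp(installed, lower) < 0:
        return False
    return evrcmp(installed, upper) < 0      # equal to the threshold is NOT a match
```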

@sebasfalcone
Member

Issue blocked

  • Awaiting the new content to be generated before merging this PR
  • Local execution verified the tests

Projects
Status: Blocked