Scanning Windows applications using CPE Helper

The Vulnerability Detector relies on the National Vulnerability Database to report vulnerabilities that affect the applications installed on Windows endpoints. The Vulnerability Detector uses an auxiliary dictionary to translate the gathered application names into the NVD format called CPE (Common Platform Enumeration).

Users must add the applications installed on Windows endpoints to this dictionary to enable the Vulnerability Detector module to scan the applications.

CPE Helper Schema

The CPE helper dictionary is located at /var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json and has the following basic fields:

  • version: The version of the CPE helper.

  • version_format: The version of the CPE helper format. If it differs from the CPE helper version, you must upgrade the Wazuh central components to the latest version to process the dictionary.

  • update_date: The date the dictionary was updated.

  • dictionary: Dictionary containing the translation entries.

  • license: License of the dictionary.

You can see a sample of the dictionary below:

{
    "version": "1.0",
    "version_format": "1.0",
    "update_date": "2019-05-14T00:00Z",
    "dictionary": [
        "..."
    ],
    "license": {
      "title": "Dictionary of CPEs to analyze system vulnerabilities.",
      "copyright": "Copyright (C) 2015-2019, Wazuh Inc.",
      "date": "March 6, 2019.",
      "type" : "GPLv2"
    }
}

Dictionary schema

Each dictionary entry has the following fields to describe the application that the user wants to add:

  • target: Operating system of the application you want to add. Currently, Wazuh only uses the CPE helper dictionary for applications installed on Windows endpoints.

  • source: Parameters of the application you want to translate. The allowed sections are the following:

    • vendor: Array of one or more vendor fields that match the dictionary entry. You can use a regular expression. For example, ^Oracle.

    • product: Array of one or more product fields that match the dictionary entry. You can use a regular expression. For example, ^Oracle.*VirtualBox [0-9].

    • version (optional): Array of one or more version fields that match the dictionary entry. You can also define a pattern to match the software version using regular expressions. For example, ^Microsoft Office.*([0-9]{4}).

    • target_hw (optional): This field defines the target hardware of the application. It can also be a regular expression. For example, ^Python [0-9]+\.*[0-9]\.*[0-9]* \(([6432]{2}-bit)\)*.

    • update (optional): Pattern to extract the update field. Example: ^Microsoft Exchange Server\.*Update \(([0-9]+)\).

  • translation: Section to specify the CPE translation. The allowed sections are the following:

    • vendor: Array of one or more vendor fields that match the CPE translation of the dictionary entry.

    • product: Array of one or more product fields that match the CPE translation of the application you want to add to the dictionary.

    • version (optional): Array of one or more version fields that match the CPE translation of the application you want to add to the dictionary.

    • update (optional): Array of one or more update fields that can form the CPE of the input program. You can also use variables to complete this string. Example: cumulative_update_$(UPDATE).

    • msu_name (optional): This field is for Microsoft products. You can find the name of the application in the Microsoft Security Guide. You can also use variables to complete this string. For example, Microsoft Office $(VERSION).

  • action: Array of actions to apply on the entry.

You can find a template for a dictionary entry below:

{
    "target": "target OS",
    "source": {
        "vendor": [
            "..."
        ],
        "product": [
            "..."
        ],
        "version": [
            "..."
        ],
        "target_hw": [
            "..."
        ],
        "update": [
            "..."
        ]
    },
    "translation": {
        "vendor": [
            "..."
        ],
        "product": [
            "..."
        ],
        "version": [
            "..."
        ],
        "sw_edition": [
            "..."
        ],
        "update": [
            "..."
        ],
        "msu_name": [
            "..."
        ]
    },
    "action": [
        "..."
    ]
}

Translation types

The Vulnerability Detector module converts the dictionary entries to the CPE format based on the flags used in the action section. The possible flags are:

  • ignore: Ignore the dictionary entry.

  • replace_vendor: Convert the vendor to the indicated one if the pattern matches.

  • replace_product: Convert the product to the indicated one if the pattern matches.

  • replace_vendor_if_matches: Used when there is more than one vendor for a dictionary entry. It uses the vendor translation that corresponds to the matching source pattern.

  • replace_product_if_matches: Used when there is more than one product for a dictionary entry. It uses the product translation that corresponds to the matching source pattern.

  • set_version_if_matches: Sets the application version to the version extracted by the version field pattern if the pattern matches.

  • replace_sw_edition_if_product_matches: Used with the sw_edition and version sections. It uses the sw_edition field that corresponds to the matching version.

  • check_hotfix: Used to indicate software products for which the vulnerability range is unknown and a hotfix needs to be validated. These are usually Microsoft products.

  • replace_msu_name_if_version_matches: Used with the msu_name and version sections. It indicates the name taken by the application in the Microsoft Security Guide. You must use it with check_hotfix and Microsoft products.

  • replace_msu_name: Used with msu_name. It indicates the name taken by the program in the Microsoft Security Guide. You must use it with check_hotfix and Microsoft products.

  • set_version_if_product_matches: Sets the software version if the Vulnerability Detector can extract it from the product name using the regular expression in the version section.

  • set_targethw_if_product_matches: Sets the software architecture if the Vulnerability Detector can extract it from the product name using the regular expression in the target_hw section.

  • set_update_if_product_matches: Sets the update if the Vulnerability Detector can extract it from the product name using the regular expression in the update section.

  • set_version_only_if_product_matches: Same as set_version_if_product_matches, but the Vulnerability Detector does not generate the CPE if there is no match.

  • set_targethw_only_if_product_matches: Same as set_targethw_if_product_matches, but the Vulnerability Detector does not generate the CPE if there is no match.

  • set_update_only_if_product_matches: Same as set_update_if_product_matches, but the Vulnerability Detector does not generate the CPE if there is no match.

How to translate a Windows program to CPE format

To include a Windows program in the CPE helper dictionary, you need the vendor, product name, and program version as they appear in the Wazuh software inventory. Then look up the CPE that matches the program and configure the dictionary entry with those values.

  1. Get the agent programs.

    You can get a list of the programs installed on an agent by using the Wazuh API endpoint GET /syscollector/{agent_id}/packages:

    curl -k -X GET "https://localhost:55000/syscollector/001/packages?pretty=true&offset=10&sort=-name" -H  "Authorization: Bearer $TOKEN"
    

    In this use case, you configure the CPE for Wireshark. The output below is the data returned by Syscollector for an endpoint with Wireshark:

    {
        "data": {
            "affected_items": [
                {
                    "scan": {"id": 27266015, "time": "2019/05/21 16:25:21"},
                    "version": "2.4.5",
                    "name": "Wireshark 2.4.5 64-bit",
                    "format": "win",
                    "vendor": "The Wireshark developer community, https://www.wireshark.org",
                    "location": "C:\\Program Files\\Wireshark",
                    "architecture": "i686",
                    "agent_id": "001"
                }
            ],
            "total_affected_items": 1,
            "total_failed_items": 0,
            "failed_items": []
        },
        "message": "All specified syscollector information was returned",
        "error": 0
    }
    
  2. Find the CPE program.

    To find the CPE translation of the program, you can use NVD's CPEs search engine.

    Select the least generic CPE. In this case, take the first one.

    Only the vendor and product fields of this CPE need to be translated, because the version that comes from the agent inventory is already valid: it follows the same format as the version in the CPEs found (2.4.5 ~= 0.99.2).

    The entry only has to replace a vendor and a product, so use the replace_vendor and replace_product actions. Take into account that the source patterns are regular expressions. The table below summarizes the goals you need to achieve using the CPE helper:

    CPE part     | Syscollector name                                            | Source pattern    | Translation | Action
    -------------|--------------------------------------------------------------|-------------------|-------------|----------------
    Vendor       | The Wireshark developer community, https://www.wireshark.org | www.wireshark.org | wireshark   | replace_vendor
    Product name | Wireshark 2.4.5 64-bit                                       | Wireshark         | wireshark   | replace_product

    Therefore, you can add the following entry to the CPE helper dictionary at /var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json:

    {
        "target": "windows",
        "source": {
            "vendor": [
                "www\\.wireshark\\.org"
            ],
            "product": [
                "Wireshark"
            ],
            "version": []
        },
        "translation": {
            "vendor": [
                "wireshark"
            ],
            "product": [
                "wireshark"
            ],
            "version": []
        },
        "action": [
            "replace_vendor",
            "replace_product"
        ]
    }
    

Combine several programs in a dictionary entry

An application can have several associated CPEs depending on its vendor, its version, or the syntax of its name. This section explains how to create an entry that covers all possible translations of a program collected by Syscollector.

In this guide, we generate dictionary entries for Skype and Skype for Business as an example.

  1. Get the agent programs.

    You can get a list of the programs installed on the agent by using the Wazuh API endpoint GET /syscollector/{agent_id}/packages:

    curl -k -X GET "https://localhost:55000/syscollector/001/packages?pretty=true&offset=10&sort=-name" -H  "Authorization: Bearer $TOKEN"
    

    If you have Skype and Skype for Business installed, you get the result shown below:

    {
        "data": {
            "affected_items": [
                {
                    "scan": {"id": 908227078, "time": "2019/05/22 10:05:24"},
                    "format": "win",
                    "version": "16.0.11425.20244",
                    "location": "C:\\Program Files (x86)\\Microsoft Office",
                    "name": "Skype for Business Basic 2016 - en-us",
                    "vendor": "Microsoft Corporation",
                    "architecture": "x86_64",
                    "agent_id": "001"
                },
                {
                    "scan": {"id": 908227078, "time": "2019/05/22 10:05:24"},
                    "format": "win",
                    "version": "8.42",
                    "install_time": "20190329",
                    "location": "C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\",
                    "name": "Skype version 8.42",
                    "vendor": "Skype Technologies S.A.",
                    "architecture": "i686",
                    "agent_id": "001"
                }
            ],
            "total_affected_items": 2,
            "total_failed_items": 0,
            "failed_items": []
        },
        "message": "All specified syscollector information was returned",
        "error": 0
    }
    
  2. Find the CPE program.

    To find the CPE translation of the program, use NVD's CPEs search engine.

    The search results show several combinations of vendor and product fields for these products. This use case doesn't cover Skype for Business Server, but you can translate that program using the same techniques described in this section.

    As in the previous section, you're only interested in the vendor and product fields of this CPE, because the version reported by the agent inventory is already valid: it follows the same format as the version in the CPEs found (8.42 ~= 8.35).

    Therefore, you need a single entry that replaces the vendor and product of both applications, using the replace_vendor_if_matches and replace_product_if_matches actions. The table below summarizes the goals you need to achieve using the CPE helper:

    Generated input | Syscollector name                     | Source pattern      | Translation        | Action
    ----------------|---------------------------------------|---------------------|--------------------|---------------------------
    Vendor          | Microsoft Corporation                 | ^Microsoft          | microsoft          | replace_vendor_if_matches
    Vendor          | Skype Technologies S.A.               | ^Skype              | skype              | replace_vendor_if_matches
    Product name    | Skype for Business Basic 2016 - en-us | ^Skype for Business | skype_for_business | replace_product_if_matches
    Product name    | Skype version 8.42                    | ^Skype              | skype              | replace_product_if_matches

    Therefore, you can add the following dictionary entry to the CPE helper dictionary at /var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json:

    {
        "target": "windows",
        "source": {
            "vendor": [
                "^Skype",
                "^Microsoft"
            ],
            "product": [
                "^Skype for Business",
                "^Skype"
            ],
            "version": []
        },
        "translation": {
            "vendor": [
                "skype",
                "microsoft"
            ],
            "product": [
                "skype_for_business",
                "skype"
            ],
            "version": []
        },
        "action": [
            "replace_vendor_if_matches",
            "replace_product_if_matches"
        ]
    }
    

    Note

    The product Skype for Business Basic 2016 - en-us matches both ^Skype for Business and ^Skype patterns. However, the Vulnerability Detector uses the first because it sorts the entries by priority from top to bottom.

Products whose version does not change between updates

For some software products, generally from Microsoft, users cannot confirm vulnerabilities by consulting the National Vulnerability Database. These products do not change their visible version between updates, so the Vulnerability Detector cannot tell when the products are no longer vulnerable.

For example, if you consult the CVE-2019-0671 vulnerability for Microsoft Office 2016 in the National Vulnerability Database, the listed CPEs only specify that the vulnerability affects the 2016 version. This information is not enough, because your program may not be affected by the vulnerability if you have applied the patch that fixes it.

In this case, you can check the Microsoft Security Update Guide to verify if Microsoft Office 2016 fixes the vulnerability in any update.

The Vulnerability Detector can automate this search using the CPE Helper and the check_hotfix action. To illustrate the process, follow the same procedure as in the previous use cases.

  1. Get the agent programs.

    You can get a list of the programs installed on the agent by using the Wazuh API endpoint GET /syscollector/{agent_id}/packages:

    curl -k -X GET "https://localhost:55000/syscollector/001/packages?pretty=true&offset=10&sort=-name" -H  "Authorization: Bearer $TOKEN"
    

    If you have Microsoft Office 2016 and Office 16 Click-to-Run installed, you get results similar to the following:

    {
        "data": {
            "affected_items": [
                {
                    "scan": {"id": 214307089, "time": "2019/05/22 11:53:07"},
                    "vendor": "Microsoft Corporation",
                    "name": "Office 16 Click-to-Run Extensibility Component 64-bit Registration",
                    "install_time": "20190429",
                    "architecture": "x86_64",
                    "format": "win",
                    "version": "16.0.11425.20244",
                    "agent_id": "001"
                },
                {
                    "scan": {"id": 214307089, "time": "2019/05/22 11:53:07"},
                    "version": "16.0.11425.20244",
                    "location": "C:\\Program Files (x86)\\Microsoft Office",
                    "vendor": "Microsoft Corporation",
                    "architecture": "x86_64",
                    "format": "win",
                    "name": "Microsoft Office Professional Plus 2016 - en-us",
                    "agent_id": "001"
                }
            ],
            "total_affected_items": 2,
            "total_failed_items": 0,
            "failed_items": []
        },
        "message": "All specified syscollector information was returned",
        "error": 0
    }
    
  2. Find the CPE program.

    Use the CPEs affected by CVE-2019-0671, obtained earlier from the NVD, to build the CPEs for the program. The CPEs that the vulnerability directly affects are:

    • cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:*:*

    • cpe:2.3:a:microsoft:office:2016:*:*:*:click-to-run:*:*:*

    The two target programs only differ in the sw_edition field (click-to-run). If the sw_edition field were relevant in this case, you could use the replace_sw_edition_if_product_matches action to add it. However, the vulnerabilities in Microsoft Office do not include this parameter.

    The package version that Syscollector has (16.0.11425.20244) is not valid for this use case, so we need to extract the version from the product name to create the CPE. To do this, use the set_version_only_if_product_matches option, which does not generate the CPE if the Vulnerability Detector cannot decode the version.

    Finally, indicate the name of these programs in the Microsoft Security Update Guide, using their version variable as a reference. To do this, use the replace_msu_name action and the msu_name section. To evaluate the hotfixes installed on a Windows computer, include the check_hotfix action.

    Generated input | Syscollector name                                                  | Source pattern                                 | Translation                                         | Action
    ----------------|--------------------------------------------------------------------|------------------------------------------------|-----------------------------------------------------|------------------------------------
    Vendor          | Microsoft Corporation                                              | ^Microsoft Corporation                         | microsoft                                           | replace_vendor
    Product name    | Microsoft Office Professional Plus 2016 - en-us                    | ^Microsoft Office                              | office                                              | replace_product
    Product name    | Office 16 Click-to-Run Extensibility Component 64-bit Registration | Office % Click-to-Run Extensibility Component% |                                                     |
    Version         | 16.0.11425.20244                                                   | ^Microsoft Office.*([0-9]{4})                  | 2016                                                | set_version_only_if_product_matches
    MSU name        |                                                                    |                                                | Microsoft Office $(VERSION) = Microsoft Office 2016 | replace_msu_name

    The resulting dictionary entry, which also covers other Microsoft Office versions because the version pattern captures any four-digit year in the product name:

    {
        "target": "windows",
        "source": {
            "vendor": [
                "^Microsoft Corporation"
            ],
            "product": [
                "^Microsoft Office"
            ],
            "version": [
                "^Microsoft Office.*([0-9]{4})"
            ]
        },
        "translation": {
            "vendor": [
                "microsoft"
            ],
            "product": [
                "office"
            ],
            "version": [],
            "msu_name": [
                "Microsoft Office $(VERSION)"
            ]
        },
        "action": [
            "replace_vendor",
            "replace_product",
            "set_version_only_if_product_matches",
            "replace_msu_name",
            "check_hotfix"
        ]
    }
    

    Alert example using this dictionary entry:

    {
        "vulnerability":{
            "cve":"CVE-2019-0671",
            "title":"A remote code execution vulnerability exists when the Microsoft Office Access Connectivity Engine improperly handles objects in memory, aka 'Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0672, CVE-2019-0673, CVE-2019-0674, CVE-2019-0675.",
            "severity":"High",
            "published":"2019-03-05T23:29Z",
            "updated":"2019-03-06T15:53Z",
            "state":"Fixed",
            "cvss":{
                "cvss2":{
                    "vector":{
                        "attack_vector":"network",
                        "access_complexity":"medium ",
                        "authentication":"none",
                        "integrity_impact":"complete",
                        "availability":"complete"
                    },
                    "base_score":"9.300000"
                },
                "cvss3":{
                    "vector":{
                        "attack_vector":"local",
                        "access_complexity":"low",
                        "confidentiality_impact":"low",
                        "availability":"high",
                        "privileges_required":"none",
                        "user_interaction":"required ",
                        "scope":"unchanged"
                    },
                    "base_score":"7.800000"
                }
            },
            "package":{
                "name":"Microsoft Office Professional Plus 2016 - en-us",
                "version":"16.0.11425.20244",
                "generated_cpe":"a:microsoft:office:2016::::::x86_64:",
                "architecture":"x86_64"
            },
            "condition":"4018294 patch is not installed.",
            "cwe_reference":"CWE-119",
            "reference":"http://www.securityfocus.com/bid/106928"
        }
    }
    

Products with update field

Often, the product version isn't enough to decide if a specific CVE affects a program. In some cases, you also need to consider the update component of the CPE name. This section presents a use case for the CVE-2022-23277 vulnerability affecting Microsoft Exchange Server.

If you check the CVE-2022-23277 vulnerability in the National Vulnerability Database (NVD), the listed CPEs carry an update component that names every cumulative update the vulnerability affects, for example cumulative_update_22.

In addition, when assessing vulnerabilities in Microsoft products you must consider that a security patch can fix the problem without the CPE changing. You therefore need to find the Microsoft Exchange Server patches that fix CVE-2022-23277 in the Microsoft Security Update Guide.

Thus, similarly to the previous use case, you have to include the check_hotfix action to automate this search.

Follow the same guide used for the previous use case.

  1. Get the agent programs and look for Microsoft Exchange Server.

    You can query the programs installed on the agent using the Wazuh API endpoint GET /syscollector/{agent_id}/packages.

    curl -k -X GET "https://localhost:55000/syscollector/001/packages?pretty=true&offset=10&sort=-name" -H  "Authorization: Bearer $TOKEN"
    

    With the Microsoft Exchange Server package installed, you get an output like this:

    {
        "data": {
            "affected_items": [
                {
                    "scan": {
                        "id": 1655979702,
                        "time": "2022-05-13T12:15:52+00:00"
                    },
                    "architecture": "x86_64",
                    "location": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\",
                    "name": "Microsoft Exchange Server 2016 Cumulative Update 22",
                    "format": "win",
                    "version": "15.1.2375.7",
                    "vendor": "Microsoft Corporation",
                    "agent_id": "001"
                }
            ],
            "total_affected_items": 1,
            "total_failed_items": 0,
            "failed_items": []
        },
        "message": "All specified syscollector information was returned",
        "error": 0
    }
    
  2. Find the CPE.

    Add the set_update_if_product_matches action to include the update field in the CPE, because the NVD reports the vulnerability against specific cumulative updates. The CPEs for CVE-2022-23277 obtained earlier that confirm the product as vulnerable are:

    • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_21:*:*:*:*:*:*

    • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:* (The package in the example would match this CPE)

    You can see that the two target programs differ in the update component (cumulative_update_<#>).

    Use the set_version_only_if_product_matches option. This option doesn't generate the CPE if it can't decode the product version from the name. The 15.1.2375.7 package version that Syscollector extracted in this use case isn't valid. You need to extract the version from the product name to create the CPE.

    Also, use the replace_msu_name action and the msu_name field to set the name of these programs from the Microsoft Security Update Guide, using their version variable as a reference. Include the check_hotfix action to check the hotfixes installed on a Windows computer.

Generated input | Syscollector name                                   | Source pattern                              | Translation                                                                                                            | Action
----------------|-----------------------------------------------------|---------------------------------------------|------------------------------------------------------------------------------------------------------------------------|------------------------------------
Vendor          | Microsoft Corporation                               | ^Microsoft Corporation                      | microsoft                                                                                                              | replace_vendor
Product name    | Microsoft Exchange Server 2016 Cumulative Update 22 | ^Microsoft Exchange Server                  | exchange_server                                                                                                        | replace_product
Version         | 15.1.2375.7                                         | ^Microsoft Exchange Server ([0-9]{4})       | 2016                                                                                                                   | set_version_only_if_product_matches
Update          |                                                     | ^Microsoft Exchange Server.*Update ([0-9]+) | cumulative_update_$(UPDATE) = cumulative_update_22                                                                     | set_update_if_product_matches
MSU name        |                                                     |                                             | Microsoft Exchange Server $(VERSION) Cumulative Update $(UPDATE) = Microsoft Exchange Server 2016 Cumulative Update 22 | replace_msu_name

Here you have the CPE helper entry needed to detect vulnerabilities of the Microsoft Exchange Server program:

{
    "target": "windows",
    "source": {
        "vendor": [
            "^Microsoft Corporation"
        ],
        "product": [
            "^Microsoft Exchange Server"
        ],
        "version": [
            "^Microsoft Exchange Server ([0-9]{4})"
        ],
        "update": [
            "^Microsoft Exchange Server.*Update ([0-9]+)"
        ]
    },
    "translation": {
        "vendor": [
            "microsoft"
        ],
        "product": [
            "exchange_server"
        ],
        "version": [],
        "update": [
            "cumulative_update_$(UPDATE)"
        ],
        "msu_name": [
            "Microsoft Exchange Server $(VERSION) Cumulative Update $(UPDATE)"
        ]
    },
    "action": [
        "replace_vendor",
        "replace_product",
        "set_version_only_if_product_matches",
        "set_update_if_product_matches",
        "replace_msu_name",
        "check_hotfix"
    ]
}

Once the entry is applied to the CPE helper and the scanner detects the package, the module reports the vulnerability:

{
    "vulnerability":{
        "package":{
            "name":"Microsoft Exchange Server 2016 Cumulative Update 22",
            "version":"15.1.2375.7",
            "architecture":"x64",
            "condition":"KB5012698 patch is not installed"
        },
        "cvss":{
            "cvss2":{
                "vector":{
                    "attack_vector":"network",
                    "access_complexity":"low",
                    "authentication":"single",
                    "confidentiality_impact":"partial",
                    "integrity_impact":"partial",
                    "availability":"partial"
                },
                "base_score":"6.500000"
            },
            "cvss3":{
                "vector":{
                    "attack_vector":"network",
                    "access_complexity":"low",
                    "privileges_required":"low",
                    "user_interaction":"none",
                    "scope":"unchanged",
                    "confidentiality_impact":"high",
                    "integrity_impact":"high",
                    "availability":"high"
                },
                "base_score":"8.800000"
            }
        },
        "cve":"CVE-2022-23277",
        "title":"CVE-2022-23277 affects Microsoft Exchange Server 2016 Cumulative Update 22",
        "rationale":"Microsoft Exchange Server Remote Code Execution Vulnerability.",
        "severity":"High",
        "published":"2022-03-09",
        "updated":"2022-03-14",
        "cwe_reference":"NVD-CWE-noinfo",
        "status":"Active",
        "type":"PACKAGE",
        "references":["https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23277","https://nvd.nist.gov/vuln/detail/CVE-2022-23277"],
        "assigner":"secure@microsoft.com",
        "cve_version":"4.0"
    }
}
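As an added example (not Wazuh's code), the following Python models how the translation types described in this page are applied to a Syscollector package: replace_*_if_matches picks the translation paired with the first source pattern that matches (the top-to-bottom priority from the note on the Skype entry), set_version_only_if_product_matches refuses to build a CPE when no year can be decoded from the product name, and $(VERSION) / $(UPDATE) are expanded into the update and msu_name strings of the Exchange Server entry. It assumes Python's re semantics stand in for the scanner's regex engine, models only the actions used by the page's worked entries, and emits a standard cpe:2.3 string rather than the internal generated_cpe format shown in the alerts.

```python
import re

# Dictionary entries copied from this page: Skype / Skype for Business, and Exchange Server.
SKYPE_ENTRY = {
    "target": "windows",
    "source": {"vendor": ["^Skype", "^Microsoft"],
               "product": ["^Skype for Business", "^Skype"], "version": []},
    "translation": {"vendor": ["skype", "microsoft"],
                    "product": ["skype_for_business", "skype"], "version": []},
    "action": ["replace_vendor_if_matches", "replace_product_if_matches"],
}
EXCHANGE_ENTRY = {
    "target": "windows",
    "source": {"vendor": ["^Microsoft Corporation"], "product": ["^Microsoft Exchange Server"],
               "version": ["^Microsoft Exchange Server ([0-9]{4})"],
               "update": ["^Microsoft Exchange Server.*Update ([0-9]+)"]},
    "translation": {"vendor": ["microsoft"], "product": ["exchange_server"], "version": [],
                    "update": ["cumulative_update_$(UPDATE)"],
                    "msu_name": ["Microsoft Exchange Server $(VERSION) Cumulative Update $(UPDATE)"]},
    "action": ["replace_vendor", "replace_product", "set_version_only_if_product_matches",
               "set_update_if_product_matches", "replace_msu_name", "check_hotfix"],
}
# Package records as Syscollector reported them on this page (only the fields read here).
PACKAGES = {
    "skype_for_business": {"vendor": "Microsoft Corporation", "version": "16.0.11425.20244",
                           "name": "Skype for Business Basic 2016 - en-us"},
    "skype": {"vendor": "Skype Technologies S.A.", "version": "8.42", "name": "Skype version 8.42"},
    "exchange": {"vendor": "Microsoft Corporation", "version": "15.1.2375.7",
                 "name": "Microsoft Exchange Server 2016 Cumulative Update 22"},
}


def _first_match(patterns, value):
    """(index, match) of the first pattern that matches; top-to-bottom order is the priority."""
    for index, pattern in enumerate(patterns):
        match = re.search(pattern, value)
        if match:
            return index, match
    return None, None


def _replace(field, idx, trans, actions, default):
    """replace_<field> uses the single translation; replace_<field>_if_matches uses the
    translation at the same position as the source pattern that matched."""
    if f"replace_{field}_if_matches" in actions:
        return trans[field][idx]
    return trans[field][0] if f"replace_{field}" in actions else default


def _extract(patterns, name, actions, field, default):
    """set_<field>[_only]_if_product_matches: (value, ok); ok is False when the
    *_only_* variant found nothing to decode, so no CPE must be generated."""
    only = f"set_{field}_only_if_product_matches"
    if f"set_{field}_if_product_matches" not in actions and only not in actions:
        return default, True
    _, m = _first_match(patterns, name)
    if m:
        return m.group(1), True  # the page's patterns capture the value in group 1
    return default, only not in actions


def translate(entry, package):
    """Apply one entry to a package: {"cpe", "msu_name", "check_hotfix"}, or None when
    the entry does not describe the package or an *_only_* action refuses the CPE."""
    source, trans, actions = entry["source"], entry["translation"], entry["action"]
    vendor_idx, _ = _first_match(source.get("vendor", []), package["vendor"])
    product_idx, _ = _first_match(source.get("product", []), package["name"])
    if vendor_idx is None or product_idx is None:
        return None  # both the vendor and the product pattern must match
    vendor = _replace("vendor", vendor_idx, trans, actions, package["vendor"])
    product = _replace("product", product_idx, trans, actions, package["name"])
    # The inventory version is trusted unless a set_version_* action decodes it from the name.
    version, ok = _extract(source.get("version", []), package["name"], actions, "version",
                           package["version"])
    if not ok:
        return None
    update, ok = _extract(source.get("update", []), package["name"], actions, "update", "*")
    if not ok:
        return None
    # $(VERSION) and $(UPDATE) expand to the raw captured values in both the update
    # translation (cumulative_update_22) and the Microsoft Security Update Guide name.
    def fill(template):
        return template.replace("$(VERSION)", version).replace("$(UPDATE)", update)
    msu_name = fill(trans["msu_name"][0]) if "replace_msu_name" in actions else None
    if update != "*" and trans.get("update"):
        update = fill(trans["update"][0])
    return {"cpe": f"cpe:2.3:a:{vendor}:{product}:{version}:{update}:*:*:*:*:*:*",
            "msu_name": msu_name, "check_hotfix": "check_hotfix" in actions}
```

Running translate(EXCHANGE_ENTRY, PACKAGES["exchange"]) yields the cumulative_update_22 CPE listed above, while a constructed Exchange package name without a four-digit year yields None because of set_version_only_if_product_matches.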