Querying the vulnerability database
You can find the vulnerability database at /var/ossec/queue/vulnerabilities/cve.db on the Wazuh server and query it using SQLite. SQLite provides an interface that you can use to interact with SQL databases.
Perform the following steps to query the vulnerability database using SQLite.

1. Start SQLite and open the vulnerability database using the following command:

# sqlite3 /var/ossec/queue/vulnerabilities/cve.db

2. List the tables in the database using the following command:

sqlite> .tables

3. Retrieve all the data in a table by running the following command:

sqlite> SELECT * FROM <TABLE>;

Replace <TABLE> with the name of the table you are interested in.
Warning
Don’t make changes to the database. It can lead to issues when the Vulnerability Detector module is running a scan.
Use Case: Find all KBs that patch a specified CVE for Windows endpoints
In this example, you will see how to find all Windows Knowledge Base (KB) updates that patch a specific vulnerability on Windows endpoints from the vulnerability database. You can achieve this using SQLite on the Wazuh server.

1. Start SQLite and open the vulnerability database using the following command:

# sqlite3 /var/ossec/queue/vulnerabilities/cve.db

2. Run .mode line in the SQLite prompt to configure the SQLite output format so that each column of a row is printed on its own line.

3. Run the following command to view all the details of the chosen CVE and operating system:

sqlite> SELECT * FROM msu WHERE cveid = "<CVE_ID>" AND PRODUCT LIKE "%<OS_IDENTIFIER>%";

Where:

<CVE_ID> is the identifier for the CVE.
<OS_IDENTIFIER> is a string from the operating system name. It limits the results to the specified operating system.

You can see an example below:

sqlite> SELECT * FROM msu WHERE cveid = "CVE-2023-21524" AND PRODUCT LIKE "%Server 2022%";
           CVEID = CVE-2023-21524
         PRODUCT = Windows Server 2022 (Server Core installation)
           PATCH = 5022291
           TITLE = Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability
             URL = https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5022291
         SUBTYPE = Security Update
RESTART_REQUIRED = Yes
      CHECK_TYPE = 1

           CVEID = CVE-2023-21524
         PRODUCT = Windows Server 2022
           PATCH = 5022291
           TITLE = Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability
             URL = https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5022291
         SUBTYPE = Security Update
RESTART_REQUIRED = Yes
      CHECK_TYPE = 1

4. Run the command below to list all the KBs that patch KB5022291 replaces. This will be a list of patches that are no longer necessary to install once a user installs KB5022291.

sqlite> SELECT patch FROM msu_supersedence WHERE super = "5022291";
PATCH = 5010796
PATCH = 5022291
PATCH = 5022553
PATCH = 5021656
PATCH = 5021249
PATCH = 5020436
PATCH = 5020032
...

5. Run the command below to get a list of all the patches that replaced KB5022291. This list contains all the patches that resolve the same vulnerabilities as KB5022291 when installed.

sqlite> SELECT super FROM msu_supersedence WHERE patch = "5022291";
SUPER = 5022291
SUPER = 5022842
SUPER = 5023705
SUPER = 5025230
SUPER = 5026370
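As an added example that is not part of the Wazuh documentation, the following Python script builds an in-memory stand-in for the msu and msu_supersedence tables from constructed rows, runs the CVE-to-KB lookup above with bound parameters, and extends the supersedence lookup into a recursive walk that returns every KB that directly or transitively replaces a given one. The column names and table schema are assumptions taken from the .mode line output shown above, and the sample rows only mimic that output.

```python
import sqlite3

# Constructed rows mirroring the msu and msu_supersedence tables shown above.
# The schema (column names/types) is assumed from the `.mode line` output.
TITLE = "Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability"
SAMPLE_MSU = [
    ("CVE-2023-21524", "Windows Server 2022", "5022291", TITLE),
    ("CVE-2023-21524", "Windows Server 2022 (Server Core installation)", "5022291", TITLE),
    ("CVE-2023-21524", "Windows 11 Version 22H2 for x64-based Systems", "5022303", TITLE),
]
# (patch, super): `super` replaces `patch`. The real table lists 5022291 as
# superseding itself, so the recursive walk below must tolerate such cycles.
SAMPLE_SUPERSEDENCE = [
    ("5010796", "5022291"), ("5022291", "5022291"), ("5021656", "5022291"),
    ("5022291", "5022842"), ("5022842", "5023705"), ("5023705", "5025230"),
]

def open_sample_db() -> sqlite3.Connection:
    """Build an in-memory stand-in for cve.db populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE msu (cveid TEXT, product TEXT, patch TEXT, title TEXT);"
        "CREATE TABLE msu_supersedence (patch TEXT, super TEXT);"
    )
    conn.executemany("INSERT INTO msu VALUES (?, ?, ?, ?)", SAMPLE_MSU)
    conn.executemany("INSERT INTO msu_supersedence VALUES (?, ?)", SAMPLE_SUPERSEDENCE)
    return conn

def kbs_for_cve(conn, cve_id, os_identifier):
    """(product, KB) pairs patching `cve_id` on products matching `os_identifier`."""
    rows = conn.execute(
        "SELECT DISTINCT product, patch FROM msu WHERE cveid = ? AND product LIKE ?",
        (cve_id, f"%{os_identifier}%"),  # bound parameters, never string-built SQL
    ).fetchall()
    return sorted(rows)

def superseding_chain(conn, kb):
    """Every KB that directly or transitively replaces `kb`, sorted by KB number.
    UNION (not UNION ALL) de-duplicates rows, so self-references cannot loop."""
    rows = conn.execute(
        "WITH RECURSIVE newer(kb) AS ("
        "  SELECT super FROM msu_supersedence WHERE patch = ?"
        "  UNION"
        "  SELECT s.super FROM msu_supersedence s JOIN newer n ON s.patch = n.kb"
        ") SELECT kb FROM newer WHERE kb != ? ORDER BY kb",
        (kb, kb),
    ).fetchall()
    return [r[0] for r in rows]
```

To run the same functions against the real file without risking the warning above, open it read-only with `sqlite3.connect("file:/var/ossec/queue/vulnerabilities/cve.db?mode=ro", uri=True)`.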