Vulnerability detection

Software vulnerabilities are weaknesses in code that can allow attackers to gain access to or manipulate the behavior of an application. Vulnerable software applications are commonly targeted by attackers to compromise endpoints and gain a persistent presence on targeted networks.

Vulnerability detection is the process of identifying these flaws before they are discovered and exploited by attackers. The goal of vulnerability detection is to identify vulnerabilities so that remediation can be carried out to prevent successful attacks.

The Wazuh agent uses the Syscollector module to collect inventory details from the monitored endpoint. It sends the collected data to the Wazuh server. Within the Wazuh server, the Vulnerability Detection module correlates the software inventory data with vulnerability content documents to detect vulnerable software on the monitored endpoint.

Wazuh detects vulnerable applications and generates risk reports using its Cyber Threat Intelligence (CTI) platform. In this platform, we aggregate vulnerability data from diverse sources, such as operating system vendors and vulnerability databases, and consolidate it into a unified, reliable repository. The process involves standardizing the varied source formats into a common structure. Additionally, we maintain the integrity of our vulnerability data by doing the following.

  • Rectifying format inconsistencies like version errors and typos.

  • Completing missing information.

  • Incorporating new cybersecurity vulnerabilities.

Subsequently, we merge this content, uploading the compiled documents to a cloud server. Finally, we publish these documents to our CTI API.

Relying on the Wazuh CTI, the Vulnerability Detection module supports a variety of operating systems, including Windows, CentOS, Red Hat Enterprise Linux, Ubuntu, Debian, Amazon Linux, Arch Linux, and macOS, as well as the applications installed on them.

Achieve comprehensive visibility

The Vulnerability Detection module generates alerts for vulnerabilities discovered in the operating system and in the applications installed on the monitored endpoint. It correlates the software inventory collected by the Wazuh agent with the vulnerability content documents and displays the generated alerts on the Wazuh dashboard. This gives a clear and comprehensive view of the vulnerabilities identified across all monitored endpoints, so you can view, analyze, and fix them.

The vulnerability detection dashboard shows the frequency of occurrences in different categories such as package name, operating system, agent name, vulnerability ID, and alert severity. This allows analysts to direct their focus appropriately.

Vulnerabilities inventory

You can view the alerts generated on the dashboard when new vulnerabilities are discovered.

Vulnerability alerts

The alerts generated on the dashboard could also be a result of remediation activities. The image below shows alerts generated after an upgrade or an uninstallation of a package resolved a vulnerability.

Resolved vulnerability alerts

Obtain actionable intelligence from vulnerability alerts

Wazuh vulnerability alerts contain relevant information about the identified vulnerability which can help users understand and decide on remediation steps. You can see an example of a vulnerability detection alert below:

Vulnerability alert example
{
 "_index": "wazuh-alerts-4.x-sample-threat-detection",
 "_id": "e2ffSY8Be9PWdpLhA_nt",
 "_version": 1,
 "_score": null,
 "_source": {
   "predecoder": {},
   "cluster": {
     "name": "wazuh"
   },
   "agent": {
     "ip": "197.17.1.4",
     "name": "Centos",
     "id": "005"
   },
   "manager": {
     "name": "wazuh-server"
   },
   "data": {
     "vulnerability": {
       "severity": "Medium",
       "package": {
         "condition": "Package less or equal than 2.1.7.3-2",
         "name": "cryptsetup",
         "version": "2:1.6.6-5ubuntu2.1",
         "architecture": "amd64"
       },
       "references": [
         "http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html",
         "http://www.openwall.com/lists/oss-security/2016/11/14/13",
         "http://www.openwall.com/lists/oss-security/2016/11/15/1",
         "http://www.openwall.com/lists/oss-security/2016/11/15/4",
         "http://www.openwall.com/lists/oss-security/2016/11/16/6",
         "http://www.securityfocus.com/bid/94315",
         "https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb",
         "https://nvd.nist.gov/vuln/detail/CVE-2016-4484",
         "http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4484.html",
         "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484"
       ],
       "cve_version": "4.0",
       "assigner": "cve@mitre.org",
       "published": "2017-01-23",
       "cwe_reference": "CWE-287",
       "title": "CVE-2016-4484 on Ubuntu 16.04 LTS (xenial) - low.",
       "rationale": "The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.",
       "cve": "CVE-2016-4484",
       "state": "Fixed",
       "bugzilla_references": [
         "https://launchpad.net/bugs/1660701"
       ],
       "cvss": {
         "cvss2": {
           "base_score": "7.200000",
           "vector": {
             "integrity_impact": "complete",
             "confidentiality_impact": "complete",
             "availability": "complete",
             "attack_vector": "local",
             "access_complexity": "low",
             "authentication": "none"
           }
         },
         "cvss3": {
           "base_score": "6.800000",
           "vector": {
             "user_interaction": "none",
             "integrity_impact": "high",
             "scope": "unchanged",
             "confidentiality_impact": "high",
             "availability": "high",
             "attack_vector": "physical",
             "access_complexity": "low",
             "privileges_required": "none"
           }
         }
       },
       "updated": "2017-01-26"
     }
   },
   "@sampledata": true,
   "rule": {
     "firedtimes": 290,
     "mail": false,
     "level": 7,
     "pci_dss": [
       "11.2.1",
       "11.2.3"
     ],
     "tsc": [
       "CC7.1",
       "CC7.2"
     ],
     "description": "CVE-2016-4484 affects cryptsetup",
     "groups": [
       "vulnerability-detector"
     ],
     "id": "23504",
     "gdpr": [
       "IV_35.7.d"
     ]
   },
   "location": "vulnerability-detector",
   "id": "1580123327.49031",
   "decoder": {
     "name": "json"
   },
   "timestamp": "2024-05-05T17:44:08.518+0000"
 },
 "fields": {
   "data.vulnerability.published": [
     "2017-01-23T00:00:00.000Z"
   ],
   "data.vulnerability.updated": [
     "2017-01-26T00:00:00.000Z"
   ],
   "timestamp": [
     "2024-05-05T17:44:08.518Z"
   ]
 },
 "highlight": {
   "manager.name": [
     "@opensearch-dashboards-highlighted-field@wazuh-server@/opensearch-dashboards-highlighted-field@"
   ],
   "rule.groups": [
     "@opensearch-dashboards-highlighted-field@vulnerability-detector@/opensearch-dashboards-highlighted-field@"
   ]
 },
 "sort": [
   1714931048518
 ]
}

As you can see above, the alert contains key information about the detected vulnerability: the CVE identifier and its CWE classification, the affected package with its installed version and the version condition that makes it vulnerable, CVSS v2 and v3 base scores with their vectors, reference links for further research, and a rationale that concisely explains the vulnerability. The rule metadata (rule ID 23504, the vulnerability-detector group, and the PCI DSS, GDPR, and TSC mappings) lets you route and report on these alerts like any other Wazuh event. Note that the vendor priority embedded in the title ("low", from the Ubuntu tracker in this example) can differ from the CVSS-derived severity field ("Medium"), so consider both when prioritizing remediation.
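To show how the CVSS fields of the alert can be used, the following Python is an added example by this editor, not Wazuh code. It takes the `data.vulnerability.cvss` object copied from the alert above, rebuilds the standard vector string from the alert's spelled-out metric values, recomputes both base scores with the public CVSS v2 and v3.1 formulas, and checks that they agree with the `base_score` values the alert reports. The alert does not state which v3 minor version produced its score; the block assumes v3.1 (v3.0 and v3.1 give the same result for this vector), and the qualitative rating uses the CVSS v3 severity scale.

```python
"""Rebuild and re-score the CVSS data carried in a Wazuh vulnerability alert.
Added example (this editor's code, not Wazuh's). ALERT_CVSS is copied from the
data.vulnerability.cvss object of the alert on this page."""
import math

ALERT_CVSS = {
    "cvss2": {"base_score": "7.200000", "vector": {
        "integrity_impact": "complete", "confidentiality_impact": "complete",
        "availability": "complete", "attack_vector": "local",
        "access_complexity": "low", "authentication": "none"}},
    "cvss3": {"base_score": "6.800000", "vector": {
        "user_interaction": "none", "integrity_impact": "high", "scope": "unchanged",
        "confidentiality_impact": "high", "availability": "high",
        "attack_vector": "physical", "access_complexity": "low",
        "privileges_required": "none"}},
}

# CVSS v3.1 base metric weights, keyed by the alert's field names (its
# access_complexity is the spec's Attack Complexity; availability is the A impact).
_V3 = {
    "attack_vector": {"network": 0.85, "adjacent": 0.62, "local": 0.55, "physical": 0.20},
    "access_complexity": {"low": 0.77, "high": 0.44},
    "user_interaction": {"none": 0.85, "required": 0.62},
    "confidentiality_impact": {"none": 0.0, "low": 0.22, "high": 0.56},
    "integrity_impact": {"none": 0.0, "low": 0.22, "high": 0.56},
    "availability": {"none": 0.0, "low": 0.22, "high": 0.56},
}
_V3_PR = {"unchanged": {"none": 0.85, "low": 0.62, "high": 0.27},  # PR depends on scope
          "changed": {"none": 0.85, "low": 0.68, "high": 0.50}}
_V3_ABBR = {"attack_vector": "AV", "access_complexity": "AC", "privileges_required": "PR",
            "user_interaction": "UI", "scope": "S", "confidentiality_impact": "C",
            "integrity_impact": "I", "availability": "A"}

# CVSS v2 base metric weights, same key convention.
_V2 = {
    "attack_vector": {"local": 0.395, "adjacent network": 0.646, "network": 1.0},
    "access_complexity": {"high": 0.35, "medium": 0.61, "low": 0.71},
    "authentication": {"multiple": 0.45, "single": 0.56, "none": 0.704},
    "confidentiality_impact": {"none": 0.0, "partial": 0.275, "complete": 0.660},
    "integrity_impact": {"none": 0.0, "partial": 0.275, "complete": 0.660},
    "availability": {"none": 0.0, "partial": 0.275, "complete": 0.660},
}

def _roundup(x):
    """CVSS v3.1 Roundup (smallest one-decimal value >= x), using the spec's
    integer arithmetic so floating-point noise cannot push a score up a step."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss3_vector_string(vec):
    """Standard vector string; every v3 value's first letter is its spec abbreviation."""
    return "CVSS:3.1/" + "/".join(f"{ab}:{vec[m][0].upper()}" for m, ab in _V3_ABBR.items())

def cvss3_base_score(vec):
    w = lambda m: _V3[m][vec[m]]
    changed = vec["scope"] == "changed"
    iss = 1 - (1 - w("confidentiality_impact")) * (1 - w("integrity_impact")) * (1 - w("availability"))
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = (8.22 * w("attack_vector") * w("access_complexity")
            * _V3_PR[vec["scope"]][vec["privileges_required"]] * w("user_interaction"))
    if impact <= 0:
        return 0.0
    return _roundup(min(1.08 * (impact + expl) if changed else impact + expl, 10))

def cvss2_base_score(vec):
    w = lambda m: _V2[m][vec[m]]
    impact = 10.41 * (1 - (1 - w("confidentiality_impact")) * (1 - w("integrity_impact")) * (1 - w("availability")))
    if impact == 0:
        return 0.0
    expl = 20 * w("attack_vector") * w("access_complexity") * w("authentication")
    return round((0.6 * impact + 0.4 * expl - 1.5) * 1.176, 1)

def severity_rating(score):
    """CVSS v3 qualitative scale, to compare with the alert's severity field."""
    if score == 0:
        return "None"
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High" if score < 9.0 else "Critical"

def verify_alert_scores(cvss):
    """Recompute both scores and report whether they agree with the alert."""
    v3 = cvss3_base_score(cvss["cvss3"]["vector"])
    v2 = cvss2_base_score(cvss["cvss2"]["vector"])
    return {
        "cvss3_vector": cvss3_vector_string(cvss["cvss3"]["vector"]),
        "cvss3_score": v3, "cvss3_rating": severity_rating(v3),
        "cvss3_matches_alert": abs(v3 - float(cvss["cvss3"]["base_score"])) < 0.05,
        "cvss2_score": v2,
        "cvss2_matches_alert": abs(v2 - float(cvss["cvss2"]["base_score"])) < 0.05,
    }

if __name__ == "__main__":
    for key, value in verify_alert_scores(ALERT_CVSS).items():
        print(f"{key}: {value}")
```

For the alert above this yields `CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, a recomputed v3 score of 6.8 (rated Medium, matching the alert's severity field) and a v2 score of 7.2, so the scores the feed carries are consistent with their vectors; the physical attack vector is what keeps this flaw out of the High band despite its complete impact metrics.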

Track vulnerability remediation

The Wazuh Vulnerability Detection module also allows you to confirm when a vulnerability has been remediated: it detects when a patch, a package upgrade, or a package removal resolves a previously detected vulnerability and generates an alert for it. On Windows endpoints, enabling the Syscollector hotfixes option (<hotfixes>yes</hotfixes> in the syscollector wodle of the agent configuration) adds the installed Windows updates to the inventory, so that vulnerabilities fixed by a hotfix are also reported as resolved.

Windows vulnerability resolved alert

Use vulnerability reports to identify critical security issues

Wazuh lets you download a report that contains the security events related to discovered and resolved vulnerabilities. This allows you to identify endpoints with unresolved vulnerabilities and keep track of remediation activities over time.

Vulnerability Detection report generation