Vulnerability detection

Software vulnerabilities are weaknesses in code that can allow attackers to gain access to or manipulate the behavior of an application. Vulnerable software applications are commonly targeted by attackers to compromise endpoints and gain a persistent presence on targeted networks.

Vulnerability detection is the process of identifying these flaws before they are discovered and exploited by attackers. The goal of vulnerability detection is to identify vulnerabilities so that remediation can be carried out to prevent successful attacks.

The Wazuh agent periodically collects the software inventory of a monitored endpoint (operating system and installed packages, gathered by its Syscollector module) and sends it to the Wazuh server. The Wazuh Vulnerability Detector module correlates this inventory with vulnerability feeds: for each installed package it checks whether the package name and version fall inside the affected range published for a known vulnerability. Wazuh identifies vulnerable applications and produces risk reports using the information collected from the different operating system vendors and vulnerability databases. The Vulnerability Detector module uses a database of Common Vulnerabilities and Exposures (CVEs) that is built automatically by processing data pulled from several sources, including Wazuh feeds.

This variety of sources ensures that the Vulnerability Detector module provides coverage for a variety of operating systems and applications. The module supports Windows, CentOS, Red Hat Enterprise Linux, Ubuntu, Debian, Amazon Linux, Arch Linux, and macOS operating systems.

Achieve comprehensive visibility

The Vulnerability Detector module scans and generates alerts for vulnerabilities discovered in the operating system and in the applications installed on the monitored endpoint. It correlates the software inventory collected by the Wazuh agent with the vulnerability database, and the resulting alerts are shown on the Wazuh dashboard. This provides a clear and comprehensive view of the vulnerabilities identified across all monitored endpoints, allowing you to view, analyze and fix them.

On the Wazuh dashboard, the vulnerabilities discovered are grouped into severity levels and a summary is provided based on the application name, CVE, and CVSS3 score. This allows analysts to direct their focus appropriately.

Vulnerabilities inventory

The Vulnerability Detector module is configured to run scans at intervals. We can view the alerts generated on the dashboard when new vulnerabilities are discovered.
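The scan interval and the feeds the module correlates against are set in the manager's ossec.conf. The snippet below is an added illustration, not configuration taken from this page; it assumes the Wazuh 4.x (pre-4.8) vulnerability-detector syntax, and the interval values and the choice of providers are examples chosen to match the CentOS 7 agent in the alert shown later on this page.

```xml
<ossec_config>
  <!-- Manager side: /var/ossec/etc/ossec.conf (Wazuh 4.x syntax, assumed) -->
  <vulnerability-detector>
    <enabled>yes</enabled>
    <!-- How often the inventory of each agent is re-checked against the feeds -->
    <interval>5m</interval>
    <!-- A full re-scan of every agent is forced at most this often -->
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Red Hat feed covers RHEL and CentOS; "7" matches the el7 packages in the example alert -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>7</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Microsoft Security Update feed for Windows endpoints -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- NVD feed: CVSS scores, references and coverage for third-party applications -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>
</ossec_config>
```

A provider that is not enabled contributes nothing to the CVE database, so an endpoint whose distribution or major release is not listed under any enabled provider will produce no vulnerability alerts even though its inventory is collected; check the provider list against the agents actually enrolled before trusting an empty dashboard.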

Vulnerability alerts

The alerts generated on the dashboard could also be a result of remediation activities. The image below shows alerts generated after an upgrade or an uninstallation of a package resolved a vulnerability.

Resolved vulnerability alerts

Obtain actionable intelligence from vulnerability alerts

Wazuh vulnerability alerts contain relevant information about the identified vulnerability which can help users understand and decide on remediation steps. You can see an example of a vulnerability detection alert below:

Vulnerability alert example
{
  "agent": {
    "ip": "192.168.229.142",
    "name": "CentOS",
    "id": "001"
  },
  "manager": {
    "name": "wazuh-server"
  },
  "data": {
    "vulnerability": {
      "severity": "Critical",
      "package": {
        "condition": "Package less than 78.4.1-1.el7_9",
        "name": "firefox",
        "version": "68.10.0-1.el7.centos",
        "architecture": "x86_64"
      },
      "references": [
        "https://bugzilla.mozilla.org/show_bug.cgi?id=1675905",
        "https://www.mozilla.org/security/advisories/mfsa2020-49/",
        "http://packetstormsecurity.com/files/166175/Firefox-MCallGetProperty-Write-Side-Effects-Use-After-Free.html",
        "https://nvd.nist.gov/vuln/detail/CVE-2020-26950",
        "https://access.redhat.com/security/cve/CVE-2020-26950"
      ],
      "cve_version": "4.0",
      "assigner": "security@mozilla.org",
      "published": "2020-12-09",
      "cwe_reference": "CWE-416",
      "title": "CVE-2020-26950 affects firefox",
      "type": "PACKAGE",
      "rationale": "In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2.",
      "advisories_ids": [
        "RHSA-2020:5099",
        "RHSA-2020:5100",
        "RHSA-2020:5104",
        "RHSA-2020:5135",
        "RHSA-2020:5138",
        "RHSA-2020:5139"
      ],
      "cve": "CVE-2020-26950",
      "bugzilla_references": [
        "https://bugzilla.redhat.com/show_bug.cgi?id=1896306"
      ],
      "cvss": {
        "cvss2": {
          "base_score": "9.300000",
          "vector": {
            "integrity_impact": "complete",
            "confidentiality_impact": "complete",
            "availability": "complete",
            "attack_vector": "network",
            "access_complexity": "medium",
            "authentication": "none"
          }
        },
...

As the example shows, the alert carries the information needed to triage the finding: the CVE identifier and its CWE class, the affected package with its installed version and the condition under which it is vulnerable (the version named in the condition is the remediation target), the CVSS scores and vectors, the vendor advisories that ship the fix, reference links for further research, and a title that gives a concise description of the vulnerability.
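As an added example (not code from this page or from Wazuh itself), the following Python script reads alerts in this layout from alerts.json, re-evaluates each alert's package condition against the installed version using an RPM-style version comparison, ranks open findings by severity and CVSS score, and counts them per severity the way the dashboard groups them. The sample alerts are constructed: the firefox entry mirrors the alert above, the other two are placeholders with dummy CVE identifiers, and only the "Package less than <version>" wording shown on this page is interpreted; any other condition text is returned as unknown for manual review.

```python
import json
import re
from collections import Counter

# Constructed sample input: three alerts in the one-object-per-line layout of
# the manager's alerts.json. The firefox entry mirrors the alert shown on this
# page; the other two are made-up illustrations with placeholder CVE IDs, not
# real findings, and only the fields this script reads are included.
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"agent": {"id": "001", "name": "CentOS"}, "data": {"vulnerability": {
        "cve": "CVE-2020-26950", "severity": "Critical",
        "package": {"name": "firefox", "version": "68.10.0-1.el7.centos",
                    "condition": "Package less than 78.4.1-1.el7_9"},
        "cvss": {"cvss2": {"base_score": "9.300000"}}}}},
    {"agent": {"id": "002", "name": "rocky8"}, "data": {"vulnerability": {
        "cve": "CVE-0000-0001", "severity": "Medium",
        "package": {"name": "curl", "version": "7.61.1-22.el8",
                    "condition": "Package less than 7.61.1-22.el8_6.3"},
        "cvss": {"cvss3": {"base_score": "6.500000"}}}}},
    {"agent": {"id": "001", "name": "CentOS"}, "data": {"vulnerability": {
        "cve": "CVE-0000-0002", "severity": "High",
        "package": {"name": "kernel", "version": "3.10.0-1160.el7",
                    "condition": "Package less than 3.10.0-1127.el7"},
        "cvss": {"cvss3": {"base_score": "7.800000"}}}}},
])

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")
_SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def rpmvercmp(a, b):
    """Compare two RPM version (or release) strings the way rpmvercmp does:
    split into numeric and alphabetic runs, compare run by run, numeric runs
    beat alphabetic ones, "~" sorts before anything, and otherwise the
    string with more runs is the newer one. Returns -1, 0 or 1."""
    if a == b:
        return 0
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            c = 1 if x.isdigit() else -1      # numeric segment is newer than alpha
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    rest_a, rest_b = ta[len(tb):], tb[len(ta):]
    if rest_a and rest_a[0] == "~":
        return -1
    if rest_b and rest_b[0] == "~":
        return 1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def split_evr(version):
    """Split "[epoch:]version[-release]" into (int epoch, version, release)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    ver, _, rel = rest.partition("-")
    return int(epoch), ver, rel


def evr_cmp(a, b):
    """Full epoch:version-release comparison; a missing release matches any."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = rpmvercmp(va, vb)
    if c or not ra or not rb:
        return c
    return rpmvercmp(ra, rb)


def still_vulnerable(installed, condition):
    """Re-evaluate the alert's condition against the inventory version.
    Only "Package less than <fixed EVR>" (the form shown on this page) is
    handled; any other wording returns None so the caller reviews it by hand."""
    m = re.match(r"^Package less than (\S+)$", condition)
    if not m:
        return None
    return evr_cmp(installed, m.group(1)) < 0


def base_score(vuln):
    """Prefer the CVSS3 base score, fall back to CVSS2; both are strings in the alert."""
    cvss = vuln.get("cvss", {})
    for key in ("cvss3", "cvss2"):
        if key in cvss and "base_score" in cvss[key]:
            return float(cvss[key]["base_score"])
    return 0.0


def triage(alert_lines):
    """Flatten alerts into rows and order them: open findings first, then by
    severity, then by descending CVSS score."""
    rows = []
    for line in alert_lines.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        vuln = alert["data"]["vulnerability"]
        pkg = vuln["package"]
        rows.append({
            "agent": alert["agent"]["name"], "cve": vuln["cve"],
            "package": pkg["name"], "installed": pkg["version"],
            "condition": pkg["condition"], "severity": vuln["severity"],
            "score": base_score(vuln),
            "still_vulnerable": still_vulnerable(pkg["version"], pkg["condition"]),
        })
    rows.sort(key=lambda r: (r["still_vulnerable"] is not True,
                             _SEVERITY_RANK.get(r["severity"], 9), -r["score"]))
    return rows


def severity_summary(rows):
    """Count open findings per severity, as the dashboard groups them."""
    return Counter(r["severity"] for r in rows if r["still_vulnerable"])


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        print(f'{r["agent"]:8} {r["severity"]:8} {r["score"]:4} {r["cve"]:15} '
              f'{r["package"]} {r["installed"]} open={r["still_vulnerable"]}')
    print(dict(severity_summary(triage(SAMPLE_ALERTS))))
```

Re-evaluating the condition locally is useful when an alert is old: if a later inventory already reports a version at or above the one in the condition, the finding has been remediated and should be tracked as resolved rather than re-opened.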

Track vulnerability remediation

The Wazuh Vulnerability Detector module also allows you to confirm when a vulnerability has been remediated. This feature detects when a patch or software upgrade resolves a previously detected vulnerability: on Linux endpoints the package inventory no longer matches the affected-version condition after an upgrade or removal, and on Windows endpoints the module checks the installed Microsoft updates (hotfixes) collected by the agent, which requires the hotfixes option to be enabled in the agent's Syscollector configuration.
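The agent-side inventory that feeds this check is configured in the Syscollector wodle of the agent's ossec.conf. The snippet below is an added illustration, not configuration from this page; it assumes the Wazuh 4.x agent syntax, and the scan interval is an example value.

```xml
<ossec_config>
  <!-- Agent side: ossec.conf on the monitored endpoint (Wazuh 4.x syntax, assumed) -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <!-- How often the inventory is refreshed; a shorter interval shortens the time
         between a patch being applied and the corresponding "resolved" alert -->
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <os>yes</os>
    <packages>yes</packages>
    <!-- Windows only: collect installed KB updates so that a patched
         vulnerability can be reported as resolved -->
    <hotfixes>yes</hotfixes>
  </wodle>
</ossec_config>
```

The packages and os scans must stay enabled, since the Vulnerability Detector has nothing to correlate without them; the hotfixes option is ignored on non-Windows agents.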

Windows vulnerability resolved alert

Use vulnerability reports to identify critical security issues

Wazuh provides users with the ability to download a report that contains security events related to discovered and resolved vulnerabilities. This feature allows users to identify endpoints with unresolved vulnerabilities and keep track of remediation activities.

Vulnerability detection report generation