How it works

To detect vulnerabilities, Wazuh agents collect a list of installed applications from monitored endpoints and send it periodically to the Wazuh server. Local SQLite databases in the Wazuh server store this list. Within the Wazuh server, the Vulnerability Detection module correlates the software inventory data with vulnerability content documents to detect vulnerable software on the monitored endpoint. These documents are Common Vulnerabilities and Exposures (CVE) records that are available in our Cyber Threat Intelligence (CTI) platform.

On the CTI platform, we aggregate vulnerability data from diverse sources like operating system vendors and vulnerability databases, consolidating it into a unified, reliable repository. The process involves standardizing the varied formats into a common structure using the CVE JSON 5 format.

We maintain the integrity of our vulnerability data by performing the following additional tasks:

  • Rectifying format inconsistencies like version errors and typos.

  • Completing missing information.

  • Incorporating new cybersecurity vulnerabilities.

We then merge this content, upload the compiled documents to a cloud server, and finally publish them through our CTI API.

To update the vulnerability information on the Wazuh server, the Vulnerability Detection module queries the CTI API or an offline local repository. It retrieves new documents and compares them with the existing ones to identify any differences.

Next, the module scans the software inventory of the endpoints using the latest available vulnerability information. The detection process looks for vulnerable packages in the inventory databases. These inventories are unique to each agent.

A package is marked as vulnerable when its version falls within the affected range of a CVE. The module generates alerts to display the results, and the findings are stored in a general vulnerability inventory. This inventory is filterable by agent and contains only unresolved vulnerabilities. Users can query the inventory to review alerts and details about vulnerabilities.

For Microsoft Windows systems and certain Microsoft products, the Vulnerability Detection module includes the hotfixes option in the Wazuh agent's Syscollector settings. Enabling this option allows the module to detect packages that users have patched. When a patch is detected, the module uses information provided by Microsoft to verify whether the patch resolves the relevant CVEs. If it does, the module removes those vulnerabilities from the list.
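The version-range check and the hotfix step described above, as an added example that is not Wazuh's own code: a small Python correlator that reads CVE JSON 5 style records (entries with `lessThan`, `lessThanOrEqual`, or a single exact version, honouring the `status` field), marks inventory packages whose version falls inside an affected range, and then drops findings that a reported hotfix resolves. Every record, package version, CVE ID and KB ID below is a constructed placeholder, the CVE-to-hotfix mapping stands in for the vendor information the module consults, and the version comparison is a simplified numeric one rather than real dpkg/rpm ordering.

```python
"""Correlating a software inventory with CVE JSON 5 style content.

Added example, not Wazuh's own code. The CVE records, the package
inventory, the hotfix list and the CVE-to-hotfix mapping are constructed
for illustration; CVE and KB identifiers are placeholders.
"""
import re

# Constructed CVE JSON 5 style records (placeholder IDs).
CVE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-EXAMPLE-0001"},
     "containers": {"cna": {"affected": [
         {"product": "openssl",
          "versions": [{"version": "0", "lessThan": "3.0.8",
                        "status": "affected", "versionType": "custom"},
                       {"version": "3.0.8", "status": "unaffected"}]}]}}},
    {"cveMetadata": {"cveId": "CVE-EXAMPLE-0002"},
     "containers": {"cna": {"affected": [
         {"product": "curl",  # a bare entry names one affected version
          "versions": [{"version": "7.88.0", "status": "affected"}]}]}}},
    {"cveMetadata": {"cveId": "CVE-EXAMPLE-0003"},
     "containers": {"cna": {"affected": [
         {"product": "zlib",
          "versions": [{"version": "1.2.0", "lessThanOrEqual": "1.2.12",
                        "status": "affected", "versionType": "custom"}]}]}}},
    {"cveMetadata": {"cveId": "CVE-EXAMPLE-0004"},
     "containers": {"cna": {"affected": [
         {"product": "example-ms-product",
          "versions": [{"version": "1.0.0", "status": "affected"}]}]}}},
]

# Constructed "this hotfix resolves that CVE" data (placeholder KB id).
CVE_FIXED_BY_HOTFIX = {"CVE-EXAMPLE-0004": {"KB-EXAMPLE-0001"}}


def parse_version(text):
    """Reduce a version string to a tuple of ints for comparison.

    Only the leading dotted numeric part is used ('3.0.2' of
    '3.0.2-0ubuntu1'); epochs, tildes and release strings, which dpkg and
    rpm order by their own rules, are out of scope for this example.
    """
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p) for p in m.group(0).split("."))


def in_affected_range(version, entry):
    """True when `version` falls inside one CVE JSON 5 `versions` entry."""
    if entry.get("status") != "affected":
        return False
    v = parse_version(version)
    lower = parse_version(entry["version"])
    if "lessThan" in entry:
        return lower <= v < parse_version(entry["lessThan"])
    if "lessThanOrEqual" in entry:
        return lower <= v <= parse_version(entry["lessThanOrEqual"])
    return v == lower


def correlate(inventory, records):
    """Return sorted (package, version, cve_id) triples for vulnerable packages."""
    findings = set()
    for pkg in inventory:
        for rec in records:
            cve_id = rec["cveMetadata"]["cveId"]
            for affected in rec["containers"]["cna"]["affected"]:
                if affected["product"] != pkg["name"]:
                    continue
                if any(in_affected_range(pkg["version"], e)
                       for e in affected["versions"]):
                    findings.add((pkg["name"], pkg["version"], cve_id))
    return sorted(findings)


def drop_resolved_by_hotfix(findings, installed_hotfixes,
                            fixed_by=CVE_FIXED_BY_HOTFIX):
    """Remove findings whose CVE is resolved by an installed hotfix."""
    installed = set(installed_hotfixes)
    return [f for f in findings if not (fixed_by.get(f[2], set()) & installed)]


# Constructed inventory, as an agent would report it.
INVENTORY = [
    {"name": "openssl", "version": "3.0.2-0ubuntu1"},
    {"name": "curl", "version": "7.88.0"},
    {"name": "zlib", "version": "1.2.13"},           # just past the upper bound
    {"name": "example-ms-product", "version": "1.0.0"},
]

if __name__ == "__main__":
    found = correlate(INVENTORY, CVE_RECORDS)
    for f in found:
        print("vulnerable:", *f)
    print("after hotfixes:", drop_resolved_by_hotfix(found, ["KB-EXAMPLE-0001"]))
```

Run stand-alone, the script flags openssl (below `lessThan`), curl (exact version) and the placeholder product, leaves zlib 1.2.13 alone because it sits just outside the `lessThanOrEqual` bound, and then removes the placeholder product finding once the matching hotfix is reported. The boundary cases are where real detectors go wrong, so they are worth checking with your own packaging scheme's comparator before trusting a scan.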

Alert generation

The Vulnerability Detection module generates alerts when it detects new vulnerabilities or when a vulnerability is fixed by a package update, a package removal, or a system upgrade. However, to keep alerts reliable, these conditions are necessary but not sufficient: an alert means that something has just happened, and a change in the inventory does not always mean that.

  • OS alerts: These are not generated during the initial scan, only in subsequent ones. When the agent syncs with the manager for the first time, the module does not register that the OS version has changed or that a patch was recently applied.

  • Package alerts: Alerts are triggered when the installation or removal of a package changes the vulnerability inventory. This happens only when the agent detects the event during a regular Syscollector scan. Changes made while the agent is stopped, or reported only because of an agent restart, do not generate alerts.

Other factors to consider regarding alert generation include:

  • Cluster environment: If an agent switches to a different node, its inventory syncs with the new node, but no alerts are generated during this initial sync.

  • Content update: When the vulnerability content changes, all agents are re-scanned to keep results up to date, but no alerts are generated during this re-scan.

You can refer to the diagram below for a visual representation of this workflow.

Figure: Vulnerability detection workflow

Considering all possible situations, the most reliable way to determine the current vulnerabilities in the environment is to query the vulnerability inventory.
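The alert rules above, and why the inventory rather than the alert stream is the reliable view, as an added example that is not Wazuh's own code: a minimal Python model in which each scan result updates an agent's inventory, but "detected" and "solved" alerts are emitted only for regular Syscollector scans, never for an initial sync (including a cluster node switch), a content-update re-scan, or a result forced out by an agent restart. Scan results are supplied directly as sets of (package, CVE) pairs; the agent id, package names and CVE ids are constructed placeholders, and the reason names are this example's own, not module settings.

```python
"""When an inventory change raises an alert and when it only updates state.

Added example, not Wazuh's own code. Scan results are given as sets of
(package, cve_id) pairs; agent ids, package names and CVE ids are
constructed placeholders, and the reason names are this example's own.
"""

# Why a scan result reaches the inventory. Only a regular Syscollector scan on a
# running agent may produce alerts; the other reasons update the inventory silently.
REGULAR = "regular"                 # periodic Syscollector scan
INITIAL_SYNC = "initial_sync"       # first sync with a manager node, incl. a cluster node switch
CONTENT_UPDATE = "content_update"   # re-scan because CTI content changed
RESTART = "restart"                 # result forced out by an agent restart

ALERTING_REASONS = {REGULAR}


class VulnerabilityInventory:
    def __init__(self):
        self.state = {}   # agent_id -> set of (package, cve_id) still unresolved
        self.alerts = []  # every alert emitted, in order

    def scan(self, agent_id, findings, reason=REGULAR):
        """Store one scan result; return the alerts it produced (possibly none)."""
        findings = set(findings)
        previous = self.state.get(agent_id, set())
        self.state[agent_id] = findings            # inventory always reflects the latest scan
        if reason not in ALERTING_REASONS:
            return []                              # nothing "just happened" from the agent's view
        detected = [(agent_id, "detected", p, c) for p, c in sorted(findings - previous)]
        solved = [(agent_id, "solved", p, c) for p, c in sorted(previous - findings)]
        self.alerts.extend(detected + solved)
        return detected + solved

    def current(self, agent_id):
        """Unresolved vulnerabilities for one agent: the authoritative view."""
        return sorted(self.state.get(agent_id, set()))


def simulate():
    """Walk one agent through the situations listed above; return (inventory, alerts per step)."""
    inv = VulnerabilityInventory()
    steps = {}
    # 1. First sync with the manager: inventory filled, no alert.
    steps["initial"] = inv.scan("001", {("openssl", "CVE-EXAMPLE-0001"),
                                        ("curl", "CVE-EXAMPLE-0002")}, INITIAL_SYNC)
    # 2. Regular scan after curl was upgraded: one "solved" alert.
    steps["upgrade"] = inv.scan("001", {("openssl", "CVE-EXAMPLE-0001")})
    # 3. New CTI content adds a CVE for openssl: inventory grows, no alert.
    steps["content"] = inv.scan("001", {("openssl", "CVE-EXAMPLE-0001"),
                                        ("openssl", "CVE-EXAMPLE-0003")}, CONTENT_UPDATE)
    # 4. Regular scan with no change: nothing to alert on.
    steps["steady"] = inv.scan("001", {("openssl", "CVE-EXAMPLE-0001"),
                                       ("openssl", "CVE-EXAMPLE-0003")})
    # 5. openssl was patched while the agent was stopped and the empty result
    #    is reported on restart: inventory emptied, no alert.
    steps["restart"] = inv.scan("001", set(), RESTART)
    return inv, steps


if __name__ == "__main__":
    inv, steps = simulate()
    for name, alerts in steps.items():
        print("%-8s alerts=%s" % (name, alerts))
    print("inventory for agent 001:", inv.current("001"))
    print("alerts ever emitted:", len(inv.alerts))
```

After the five steps the agent has an empty inventory, yet only one alert was ever emitted (the curl fix in step 2): the openssl vulnerability added by the content update and its later fix during the restart both changed state without an alert. A dashboard built on alerts alone would still show openssl as vulnerable; querying the inventory gives the correct answer.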

Compatibility Matrix

We continuously expand our compatibility list to include new operating systems. The following table lists the operating systems officially supported by the Vulnerability Detection module. Other systems are also supported, but we do not guarantee full detection on them.

Vulnerability Information Provider | Operating Systems and Versions

Canonical

  • Ubuntu 24.04 LTS (Noble Numbat)

  • Ubuntu 22.04.4 LTS (Jammy Jellyfish)

  • Ubuntu 20.04.6 LTS (Focal Fossa)

  • Ubuntu 18.04 LTS (Bionic Beaver)

  • Ubuntu 16.04 LTS (Xenial Xerus)

  • Ubuntu 14.04 LTS (Trusty Tahr)

Debian

  • Debian 12 (Bookworm)

  • Debian 11 (Bullseye)

  • Debian 10 (Buster)

ALAS

  • Amazon Linux 2023

  • Amazon Linux 2

  • Amazon Linux 1

RHEL

  • RedHat 9 (Plow)

  • RedHat 8 (Ootpa)

  • RedHat 7 (Maipo)

  • RedHat 6 (Santiago)

  • RedHat 5 (Tikanga)

  • CentOS 9

  • CentOS 8

  • CentOS 7

  • CentOS 6

  • CentOS 5

AlmaLinux

  • AlmaLinux 9

  • AlmaLinux 8

NVD + MSU

  • Windows Server 2022

  • Windows Server 2019

  • Windows Server 2016

  • Windows Server 2012

  • Windows 11

  • Windows 10

  • Windows 7

  • Windows Vista

  • Windows XP

NVD

  • macOS 10.12 (Sierra)

  • macOS 10.13 (High Sierra)

  • macOS 10.14 (Mojave)

  • macOS 10.15 (Catalina)

  • macOS 11 (Big Sur)

  • macOS 12 (Monterey)

  • macOS 13 (Ventura)

  • macOS 14 (Sonoma)

SUSE

  • SLED 15

  • SLED 12

  • SLED 11

  • SLES 15

  • SLES 12

  • SLES 11

ARCH

  • Arch Linux Rolling release