wazuh-qa
Upgrade macOS package cases for Vulnerability Scanner E2E are not properly configured
Description
The recent replacement of Vulnerability Detection End-to-End (E2E) test cases for the macOS agent in PR #5174 introduced an issue where upgrade cases lack the necessary setup steps to install the specified package, leading to test failures on macOS endpoints.
Issue
In cases such as `upgrade_package_nonvulnerable_to_vulnerable`, the goal is to confirm that the `luxon-2.5.2` version does not present any vulnerability and that the new vulnerability associated with the updated version, `luxon-3.0.0`, emerges. However, the current upgrade package structure only installs the package specified in the `to` field, assuming it is already present on the host system. This approach was likely implemented to avoid redundant package installations.
```yaml
- case: 'Upgrade: Non vulnerable to vulnerable package'
  id: upgrade_package_nonvulnerable_to_vulnerable
  description: |
    Upgrade to non vulnerable package to vulnerable
  body:
    operation: update_package
    package:
      from:
        centos:
          amd64: grafana-9.5.13-1
          arm64v8: grafana-9.5.13-1
        ubuntu:
          amd64: grafana-9.5.13
          arm64v8: grafana-9.5.13
        windows:
          amd64: node-v18.20.2
        macos:
          amd64: luxon-2.5.2
          arm64v8: luxon-2.5.2
      to:
        centos:
          amd64: grafana-10.0.0-1
          arm64v8: grafana-10.0.0-1
        ubuntu:
          amd64: grafana-10.0.0
          arm64v8: grafana-10.0.0
        windows:
          amd64: node-v20.5.1
        macos:
          amd64: luxon-3.0.0
          arm64v8: luxon-3.0.0
```
After a meeting with @wazuh/devel-qa-div2, change issue description to coordinate with the implementation of this issue.
Changes made in the branch: fix/5312-macos-fix-upgrade-case
In this PR: https://github.com/wazuh/wazuh-qa/pull/5334
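One way to make the missing setup step explicit, as an added example that is not wazuh-qa code: a hypothetical `plan_upgrade` helper resolves the `from` and `to` packages for a host and installs the `from` baseline first unless it is already present. `CASE` is a trimmed copy of the case above; the helper name, the `installed` parameter and the step tuples are assumptions.

```python
# Added example: hypothetical helper, not part of wazuh-qa.
# CASE is a trimmed copy of the upgrade case shown in the issue.
CASE = {
    "id": "upgrade_package_nonvulnerable_to_vulnerable",
    "body": {
        "operation": "update_package",
        "package": {
            "from": {"macos": {"amd64": "luxon-2.5.2", "arm64v8": "luxon-2.5.2"},
                     "windows": {"amd64": "node-v18.20.2"}},
            "to": {"macos": {"amd64": "luxon-3.0.0", "arm64v8": "luxon-3.0.0"},
                   "windows": {"amd64": "node-v20.5.1"}},
        },
    },
}


class CaseConfigError(ValueError):
    """Raised when an upgrade case cannot be set up on the target host."""


def plan_upgrade(case, os_name, arch, installed=frozenset()):
    """Return ordered (action, package) steps for an update_package case.

    The 'from' package is installed first unless the host already has it,
    so the upgrade to the 'to' package starts from a known baseline.
    """
    body = case["body"]
    if body.get("operation") != "update_package":
        raise CaseConfigError(f"{case['id']}: not an update_package case")
    pkg = body.get("package", {})
    resolved = {}
    for field in ("from", "to"):
        try:
            resolved[field] = pkg[field][os_name][arch]
        except KeyError:
            raise CaseConfigError(
                f"{case['id']}: no '{field}' package for {os_name}/{arch}") from None
    if resolved["from"] == resolved["to"]:
        raise CaseConfigError(f"{case['id']}: 'from' and 'to' are identical")
    steps = []
    if resolved["from"] not in installed:
        steps.append(("install", resolved["from"]))  # the missing setup step
    steps.append(("upgrade", resolved["to"]))
    return steps
```

Passing the host's current package set as `installed` keeps the original goal of avoiding redundant installations without assuming the baseline is there.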
Update
Changes made, still to be checked by launching the new VD test.
Moved to on hold due to 4.8.0 - rc1 release testing.
Update
Time of the VD test with only one macOS agent ≈ 1h 30min
After launching the test with the changes it still fails. Further investigation will be carried out to check the case and the package.
Update
Time of the VD test with only one macOS agent and only the issue's VD case ≈ 50min
After launching the test with only the issue's VD case it still fails. A manual test will be carried out.
Manual test (upgrade_package_nonvulnerable_to_vulnerable) :green_circle:
Install luxon 2.5.2 (no vulnerabilities)
macOS agent
```console
sh-3.2# npm install -g luxon@2.5.2
added 1 package in 298ms
sh-3.2# npm list -g
/usr/local/lib
├── [email protected]
├── [email protected]
└── [email protected]
sh-3.2#
```
Manager
```json
{"timestamp":"2024-05-07T14:56:26.872+0000","rule":{"level":3,"description":"Wazuh server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"ip-172-31-15-154"},"manager":{"name":"ip-172-31-15-154"},"id":"1715093786.2812802","cluster":{"name":"wazuh","node":"master"},"full_log":"ossec: Manager started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}
{"timestamp":"2024-05-07T14:57:46.251+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"001","name":"agent1"},"manager":{"name":"ip-172-31-15-154"},"id":"1715093866.2813060","cluster":{"name":"wazuh","node":"master"},"full_log":"ossec: Agent started: 'agent1->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"agent1->any"},"location":"wazuh-agent"}
```
Upgrade to luxon 3.0.0 (new vulnerability)
macOS agent
```console
sh-3.2# npm install -g luxon@3.0.0
changed 1 package in 133ms
sh-3.2# npm list -g
/usr/local/lib
├── [email protected]
├── [email protected]
└── [email protected]
```
Manager
```json
{"timestamp":"2024-05-07T14:56:26.872+0000","rule":{"level":3,"description":"Wazuh server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"ip-172-31-15-154"},"manager":{"name":"ip-172-31-15-154"},"id":"1715093786.2812802","cluster":{"name":"wazuh","node":"master"},"full_log":"ossec: Manager started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}
{"timestamp":"2024-05-07T14:57:46.251+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"001","name":"agent1"},"manager":{"name":"ip-172-31-15-154"},"id":"1715093866.2813060","cluster":{"name":"wazuh","node":"master"},"full_log":"ossec: Agent started: 'agent1->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"agent1->any"},"location":"wazuh-agent"}
{"timestamp":"2024-05-07T15:02:18.205+0000","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"ip-172-31-15-154"},"manager":{"name":"ip-172-31-15-154"},"id":"1715094138.2813383","cluster":{"name":"wazuh","node":"master"},"previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 172.31.15.154:68 0.0.0.0:* 493/systemd-network\ntcp 0.0.0.0:443 0.0.0.0:* 82210/node\ntcp 0.0.0.0:1514 0.0.0.0:* 105914/wazuh-remote\ntcp 0.0.0.0:1515 0.0.0.0:* 105777/wazuh-authd\ntcp6 172.31.15.154:9200 :::* 13222/java\ntcp6 172.31.15.154:9300 :::* 13222/java\ntcp 0.0.0.0:55000 0.0.0.0:* 105729/python3","full_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 172.31.15.154:68 0.0.0.0:* 493/systemd-network\ntcp 0.0.0.0:443 0.0.0.0:* 82210/node\ntcp 0.0.0.0:1514 0.0.0.0:* 105914/wazuh-remote\ntcp 0.0.0.0:1515 0.0.0.0:* 105777/wazuh-authd\ntcp 0.0.0.0:1516 0.0.0.0:* 106354/python3\ntcp6 172.31.15.154:9200 :::* 13222/java\ntcp6 172.31.15.154:9300 :::* 13222/java\ntcp 0.0.0.0:55000 0.0.0.0:* 105729/python3","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 172.31.15.154:68 0.0.0.0:* 493/systemd-network\ntcp 0.0.0.0:443 0.0.0.0:* 82210/node\ntcp 0.0.0.0:1514 0.0.0.0:* 105914/wazuh-remote\ntcp 0.0.0.0:1515 0.0.0.0:* 105777/wazuh-authd\ntcp6 172.31.15.154:9200 :::* 13222/java\ntcp6 172.31.15.154:9300 :::* 13222/java\ntcp 0.0.0.0:55000 0.0.0.0:* 105729/python3","location":"netstat listening ports"}
{"timestamp":"2024-05-07T15:04:17.784+0000","rule":{"level":7,"description":"CVE-2022-31129 affects luxon","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"agent1","ip":"192.168.64.7"},"manager":{"name":"ip-172-31-15-154"},"id":"1715094257.2814761","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"GitHub_M","cve":"CVE-2022-31129","cvss":{"cvss2":{"base_score":"5","vector":{"access_complexity":"LOW","authentication":"NONE","availability":"PARTIAL","confidentiality_impact":"NONE","integrity_impact":"NONE"}}},"cwe_reference":"CWE-1333","enumeration":"CVE","package":{"architecture":" ","condition":"Package less than 3.2.1","name":"luxon","source":" ","version":"3.0.0"},"published":"2022-07-06T18:15:19Z","rationale":"moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.","reference":"https://github.com/moment/moment/pull/6015#issuecomment-1152961973, https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/, https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g, https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html, https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3, https://security.netapp.com/advisory/ntap-20221014-0003/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/","severity":"Medium","status":"Active","title":"CVE-2022-31129 affects luxon","type":"Packages","updated":"2023-11-07T03:47:32Z"}},"location":"vulnerability-detector"}
```
Having checked that it is correct manually and looking at the report we can see the following:
- Check setup_operation_results succeeded: this check verifies that the installation of the package has been successful.
- alerts_found_in_index: we get that the alert has been found.
- The test fails due to a known issue: https://github.com/wazuh/wazuh-qa/issues/5321 which will be corrected in the next stage.
LGTM
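The manual check from this thread, written as an added example (not wazuh-qa code): it reads manager alert lines and confirms that the `from` version raised no vulnerability alert while the `to` version raised the expected CVE. The sample lines are constructed and trimmed to the fields the manager output above shows; the function names are assumptions.

```python
import json

# Constructed alerts.json lines, trimmed to the fields read below.
SAMPLE = [
    '{"rule":{"id":"503","groups":["ossec"]},"agent":{"name":"agent1"}}',
    '{"rule":{"id":"23504","groups":["vulnerability-detector"]},'
    '"agent":{"name":"agent1"},"data":{"vulnerability":{"cve":"CVE-2022-31129",'
    '"status":"Active","package":{"name":"luxon","version":"3.0.0"}}}}',
    '{"rule":{"id":"533","groups":["ossec"]},"agent":{"name":"ip-172-',  # cut-off line
]


def active_cves(lines, agent, package):
    """Return {version: {cve, ...}} from Active vulnerability-detector alerts."""
    found = {}
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # wrapped or truncated lines are skipped, not fatal
        if "vulnerability-detector" not in alert.get("rule", {}).get("groups", []):
            continue
        if alert.get("agent", {}).get("name") != agent:
            continue
        vuln = alert.get("data", {}).get("vulnerability", {})
        pkg = vuln.get("package", {})
        # Only the "Active" status seen in the thread's alert is counted.
        if pkg.get("name") == package and vuln.get("status") == "Active":
            found.setdefault(pkg.get("version"), set()).add(vuln.get("cve"))
    return found


def check_upgrade(lines, agent, package, from_version, to_version, expected):
    """Return a list of failure messages; an empty list means the case passed."""
    cves = active_cves(lines, agent, package)
    failures = []
    if cves.get(from_version):
        failures.append(f"{package} {from_version} unexpectedly alerted: "
                        f"{sorted(cves[from_version])}")
    missing = set(expected) - cves.get(to_version, set())
    if missing:
        failures.append(f"{package} {to_version} missing alerts: {sorted(missing)}")
    return failures
```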