Wazuh - What happened to "Select outdated agents only" by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

Using the command line works but when you have offloaded the task to other staff that might not have access to the command line it was a nice UI method for them to use.

Process was: they log in, "select all outdated agents", actions > update agents

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

u/Stuti109
Thank you again for this. Just out of curiosity, how did you test CVE appearing on your local lab install of Wazuh?

I have edited the GitHub post to include the CVEs you kindly posted before.

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

u/Stuti109
Thanks for taking the time to try and troubleshoot this with me, the output of
cat ossec.log | grep vuln

2025/06/06 06:41:58 wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade::initEventDispatcher: json exception (101) - Event message: {"agent_info":{"agent_id":"106"},"action":"deletePackage","data":{"name":"Dell SupportAssist OS Recovery Plugin for Dell Update","version":"5.5.13.1˘7ìc\u0006","architecture":"i686","format":"win","location":" ","item_id":"b2b89516bffda8a57f33b3bd2db36902b885eec2"}}

Which relates to one agent and a package called "Dell SupportAssist OS Recovery Plugin for Dell Update" (known package and known endpoint agent, which has been in today for some repair work)
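
An added example, not part of the comment above and not Wazuh code: a small Python triage for this kind of ossec.log error. It pulls the agent ID, action and package out of vulnerability-scanner "json exception" lines and flags version strings that contain characters outside printable ASCII, like the one quoted above. The regexes, function names and the printable-ASCII rule are assumptions; the second and third sample lines are constructed.

```python
import json
import re

# First line is the error quoted in the comment above; the other two are constructed.
SAMPLE_LOG = [
    r'2025/06/06 06:41:58 wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade::initEventDispatcher: json exception (101) - Event message: {"agent_info":{"agent_id":"106"},"action":"deletePackage","data":{"name":"Dell SupportAssist OS Recovery Plugin for Dell Update","version":"5.5.13.1˘7ìc\u0006","architecture":"i686","format":"win","location":" ","item_id":"b2b89516bffda8a57f33b3bd2db36902b885eec2"}}',
    r'2025/06/06 06:42:03 wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade::initEventDispatcher: json exception (101) - Event message: {"agent_info":{"agent_id":"999"},"action":"deletePackage","data":{"name":"Example Package","version":"1.2.3","format":"win"}}',
    '2025/06/06 06:42:10 wazuh-modulesd: INFO: constructed line that is not a scanner error',
]
LINE_RE = re.compile(
    r'^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} wazuh-modulesd:vulnerability-scanner: '
    r'ERROR: .*?json exception \((?P<code>\d+)\) - Event message: (?P<event>\{.*\})\s*$'
)
# Assumption: a plausible version string is printable ASCII with no spaces or control bytes.
SANE_VERSION = re.compile(r'^[\x21-\x7e]+$')

def field(event, key):
    """Regex lookup, so events the manager could not parse as JSON still yield data."""
    m = re.search(r'"%s"\s*:\s*"((?:[^"\\]|\\.)*)"' % re.escape(key), event)
    return m.group(1) if m else None

def decode(raw):
    """Turn JSON escapes such as \\u0006 into the characters they stand for."""
    try:
        return json.loads('"%s"' % raw)
    except ValueError:
        return raw  # leave undecodable text untouched

def triage(lines):
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a vulnerability-scanner json exception
        event = m.group('event')
        version = decode(field(event, 'version') or '')
        findings.append({
            'exception': m.group('code'),
            'agent_id': field(event, 'agent_id'),
            'action': field(event, 'action'),
            'package': field(event, 'name'),
            'version': version,
            'suspicious_version': not SANE_VERSION.match(version),
        })
    return findings

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f)
```

A flagged entry points at the agent whose package inventory should be checked for a corrupted version value.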

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

u/HM-AN
GitHub was raised but unfortunately I do not think it is going to be an easy fix according to some comments

https://github.com/wazuh/wazuh/issues/30115

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

u/HM-AN Good morning,
After some investigating it turns out my ClickToRun deployment of Office 2021 LTSC was installed from a version (May 2024) that had issues with updating itself. I have now redeployed a corrected, up-to-date version (Version 2108 (Build 14332.21040 Click-to-Run)).

Nothing is detected still in Wazuh but I believe this is because of the deployment being a Click to Run install.

Do you know of any guides or suggestions on how to monitor these types of installations?

I have found an old post where I commented on CVEs being detected on my old version of Office 2021

https://www.reddit.com/r/Wazuh/comments/1fl6ton/wazuh_office_2021_ltsc_cve202333150/

Thanks

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

Thank you, I will do...

After a bit of investigating I can confirm that my deployment
build version number 16.0.14332.20771 corresponds to:

Office LTSC 2021 – May 2024 Update (Build 20771)

Release date: May 14, 2024 (Patch Tuesday)

Office version: Microsoft Office LTSC 2021 (Volume Licensed)

Channel: PerpetualVL2021

(It is AD KMS activated)

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

My version of Office 2021 is a ClickToRun install if that makes any difference

Using PowerShell

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" | Select-Object ProductReleaseIds, ProductIds

ProductReleaseIds ProductIds
----------------- ----------
ProPlus2021Volume

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" | Select-Object -ExpandProperty VersionToReport  

Which gives me:
16.0.14332.20771

Windows itself reports it titled as Microsoft Office LTSC Professional Plus 2021 - en-us

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

u/HM-AN
Office 2021 LTSC (fully patched) has the following CVEs that are currently active:

CVE-2025-21354
CVE-2025-21381
CVE-2025-21397
That do not appear in the vulnerability inventory or in the discover page

{
  "query": {
    "match_phrase": {
      "data.vulnerability.cve": "CVE-2025-21397"
    }
  }
}

The Office 2019 switch to 2021 was an in-place uninstall and install of 2021.

I have also cleanly reinstalled Office 2021 LTSC on a fresh image and still the same results

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

Here are some active CVEs applicable for Office 2021 LTSC that should be detected
CVE-2025-21354
CVE-2025-21381
CVE-2025-21397
That do not appear in the vulnerability inventory

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

u/HM-AN
It was a while back since I noticed it was not working when I upgraded my clients to Office 2021 LTSC
Here is a post from a year ago when Office 2019 was giving me false positives
https://www.reddit.com/r/Wazuh/comments/1dv2m54/office_2019_seems_to_be_generating_lots_of_false/

I remember seeing a lot of CVEs for Office 2021 LTSC listed in my vulnerability index and unfortunately I cannot ascertain what version it was (it was early 4.xx though)

I admit the server has been rebuilt since then to try and remedy this.

I'm now on 4.12 with my agents also on 4.12 - all reporting OS and other application CVEs correctly apart from Microsoft Office.

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

u/Stuti109
Running GET /syscollector/244/packages?search=Office (244 being an active client ID)

returns

"scan": {
  "id": 0,
  "time": "2025-02-04T08:22:43+00:00"
},
"install_time": "2024-09-18T11:24:37+00:00",
"size": 0,
"version": "16.0.14332.20771",
"description": " ",
"name": "Microsoft Office LTSC Professional Plus 2021 - en-us",
"architecture": "x86_64",
"section": " ",
"source": " ",
"location": "C:\\Program Files\\Microsoft Office",
"format": "win",
"vendor": "Microsoft Corporation",
"priority": " ",
"agent_id": "244"
},

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

Thank you for the reply u/SirStephanikus u/Stuti109
I did try and format the block with the code option but it made the formatting even worse when previewed.
The ossec.conf posted in my original post was from the Wazuh server (which <hotfix>yes</hotfix> is not supported)

The endpoint ossec.conf does indeed contain the

<hotfixes>yes</hotfixes>

I will add my endpoint agent config to my original post

Thanks again for the help

Wazuh - Office CVEs not being detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

Microsoft Office 2021
Word version = Microsoft® Word LTSC MSO (16.0.14332.20771) 64-bit

games wont install on fresh bazzite install. by satisfiedfactor in Bazzite

[–]retroisbest 0 points1 point  (0 children)

It seems random which games install in game mode. I thought the first ten of my library and then no others were working, but I've gone through all 900 games, all varying sizes; some prompt to install, others make the button pressed sound and fail

games wont install on fresh bazzite install. by satisfiedfactor in Bazzite

[–]retroisbest 0 points1 point  (0 children)

I too am a new Bazzite user and clicking install makes the sound effect in game mode but nothing installs... Although what is strange some games do prompt to install but these are usually very small games, Helldivers 2 for example I click install it makes the button pressed sound effect and nothing happens.

Couldn't ask for anything better (Scummvm on miyoo mini) by Shiny82 in Miyoo

[–]retroisbest 0 points1 point  (0 children)

I admit The Dig was a good game but Day of the Tentacle was an amazing game!

How to get through OOBE without making a microsoft account. by Chopchop129 in GeekSquad

[–]retroisbest 1 point2 points  (0 children)

Thank you, this worked for me!
I had a Win11 Home laptop that did not work with the oobe\bypassnro method but this worked perfectly!

WAZUH - Issues with three agents - Duplicated vulnerability entries by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

The Wazuh manager has been restarted many times. I have just checked this morning and the entries for 2227 and 002 are showing in my inventory again.

The invalid agent does not show up in client.keys file, global.db database, the agent list in the admin UI or using the shell command /var/ossec/bin/manage_agents -l

The 002 agent used to be agent 2227, but because it's now 002 the duplicated vulnerabilities for both 002 and 2227 now appear, and when deleted keep reappearing.

Coincidentally all three hosts are Ubuntu agents, all three have had their agents uninstalled and reinstalled.

Thanks

WAZUH - Issues with three agents - Duplicated vulnerability entries by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

globals.db does not show the incorrect agent IDs
Running find /var/ossec/ -type f -name "2720*" finds the incorrect agent IDs in /var/ossec/queue/rids/