4.3.5 unable to execute SQL Query for Windows CIS Benchmark View #4340

Closed
Tracked by #4391
sempervictus opened this issue Jul 18, 2022 · 15 comments

@sempervictus

| Wazuh | Elastic | Rev  | Security |
| ----- | ------- | ---- | -------- |
| 4.3.5 | 7.10.2  | 4xxx | Basic    |

| Browser |
| ------- |
| Chrome  |

Description
Attempting to view the CIS security baseline data for a 2019 server results in two errors:

Error

The filter contains invalid characters
013 - Error in wazuhdb request: Cannot execute SQL query
Error: 3013 - Error in wazuhdb request: Cannot execute SQL query
    at createError (https://elk-host.fqdn/36136/bundles/plugin/wazuh/wazuh.plugin.js:2:31654)
    at settle (https://elk-host.fqdn/36136/bundles/plugin/wazuh/wazuh.plugin.js:8:15184)
    at XMLHttpRequest.onloadend (https://elk-host.fqdn/36136/bundles/plugin/wazuh/wazuh.plugin.js:2:29447)

and

TypeError

Cannot read properties of undefined (reading 'some')
TypeError: Cannot read properties of undefined (reading 'some')
    at SuggestHandler.someItem (https://elk-host.fqdn/36136/bundles/plugin/wazuh/wazuh.chunk.9.js:5:2045799)
    at _callee$ (https://elk-host.fqdn/36136/bundles/plugin/wazuh/wazuh.chunk.9.js:5:2048891)
    at l (https://elk-host.fqdn/36136/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380:982071)
    at Generator._invoke (https://elk-host.fqdn/36136/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380:981824)
    at forEach.e.<computed> [as next] (https://elk-host.fqdn/36136/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:380:982428)
    at suggest_handler_asyncGeneratorStep (https://elk-host.fqdn/36136/bundles/plugin/wazuh/wazuh.chunk.9.js:5:2040653)
    at _next (https://elk-host.fqdn/36136/bundles/plugin/wazuh/wazuh.chunk.9.js:5:2040979)
    at https://elk-host.fqdn/36136/bundles/plugin/wazuh/wazuh.chunk.9.js:5:2041161
    at new Promise (<anonymous>)
    at https://elk-host.fqdn/36136/bundles/plugin/wazuh/wazuh.chunk.9.js:5:2040891



Expected Result

  1. Presentation of CIS benchmark view with browsable details

Actual Result

  1. Error 3013

Additional context
This was originally deployed as 4.2.7 and upgraded to 4.3.5 in-place.
The Windows Baseline audit is accessible and works fine.

@sempervictus sempervictus added the type/bug Bug issue label Jul 18, 2022
@AlexRuiz7
Member

AlexRuiz7 commented Jul 19, 2022

Hello @sempervictus

Could you provide some steps on how to reproduce this error? Like which filter you were trying to apply, screenshots, and so on.

Our bug template has a Steps to reproduce section which you seem to have omitted, but this info is key for us to identify where the problem is.

Please share this info with us, so we can solve this issue and help you.

Steps to reproduce

  1. Navigate to '...'
  2. Click on '....'
  3. Scroll down to '....'

Regards,
Alex

@sempervictus
Author

@AlexRuiz7 - persists with 4.3.6, procedure is:

  • navigate to SCA module
  • select agent
  • observe errors and see no results

[screenshot]

@AlexRuiz7
Member

Thanks, @sempervictus

We do have a related issue: #4347

We'll address this issue together with that one.

Thanks for the report!

Regards,
Alex

@Machi3mfl
Member

Machi3mfl commented Jul 29, 2022

Hi @sempervictus.
I was testing the search bar functionality on SCA inventory on 4.3.6 and the error doesn't happen.
I leave a short video with the cases I've tested.

Screen.Recording.2022-08-01.at.09.06.32.mov

@sempervictus
Author

@Machi3mfl the video shows you searching through the agent view - try doing that inside the CIS status view for an agent.

@Machi3mfl
Member

@sempervictus Sorry, I uploaded the wrong video. I updated the comment below.

@sempervictus
Author

Thanks @Machi3mfl - that is exactly what i would expect to see in our views too. For some reason i'm getting the broken view in the lab and two production deployments. We have venerable/well-tested Chef code deploying all of the server-side components for us, including some Nokogiri magic to deal with the config XML format and i'm wondering if something changed as relating to SCA/CIS configuration which could cause this though i'm not seeing it skimming through the docs. Was there some significant change between 4.2.x & 4.3.6 relating to CIS?

@Machi3mfl
Member

I'm glad to hear that. I don't know specifically all the changes related to CIS, but I suggest you read the release notes on our website. I leave you the link here: https://documentation.wazuh.com/current/release-notes/release-4-3-6.html
@sempervictus thanks for your feedback.
Best regards

Repository owner moved this from In Progress to Done in Release 4.3.7 Aug 1, 2022
@sempervictus
Author

@Machi3mfl - the issue isn't resolved, i still cannot access CIS benchmarks in any of the three environments running 4.3.6.
I'm seeing an error about invalid characters:
[screenshot]
which is a yellow->red flag when dealing with SQL: might mean you have an injectable surface in your database.
That error is generated simply by clicking on the host's findings and there are findings, so CIS is being run:
[screenshot]
... we just can't access them.
Do you guys run injection tests against your app? Fuzzing the stack might yield some interesting stuff if SQL queries can be impacted from the contents of Kibana's presentation layer since those are potentially user-controlled (from the DOM).

@Machi3mfl
Member

Machi3mfl commented Aug 2, 2022

Hi @sempervictus, can you tell me the specific query you are trying to do? If you could upload a short video with the use cases, that would be great. Thank you

@sempervictus
Author

sempervictus commented Aug 2, 2022

None, i am simply clicking on the CIS benchmark row in the page and getting those errors (2nd screenshot).

@Machi3mfl
Member

Hi @sempervictus, I was researching your use case and I see that when you enter the "CIS Benchmark for Windows Server 2019 RTM" details table you don't have items to show ("No found items") (in both screenshots). This means that the request to the /sca API endpoint with the policy selected (CIS Windows Server) is failing. This can cause problems when you are trying to use the search bar and filter the results.
If you want, you can check your browser console and check the request details to try to find out why the request for the sca policy is failing.
The request should look like the screenshot below. You will find the request params in the Payload tab and the returned data in Preview/Response.
[screenshot: Screen Shot 2022-08-03 at 10 14 30]
This is important to get more context about your environment because all the environments are different and can have different kinds of errors.

@sempervictus
Author

sempervictus commented Dec 6, 2022

Unfortunately the issue persists in 4.3.9.
Back-end logs from Kibana say:

Dec 06 20:25:08 host node[3136382]: {"type":"error","@timestamp":"2022-12-06T20:25:08Z","tags":[],"pid":3136382,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n    at HapiResponseAdapter.toError (/usr/share/kibana/src/core/server/http/router/response_adapter.js:132:19)\n    at HapiResponseAdapter.toHapiResponse (/usr/share/kibana/src/core/server/http/router/response_adapter.js:86:19)\n    at HapiResponseAdapter.handle (/usr/share/kibana/src/core/server/http/router/response_adapter.js:81:17)\n    at Router.handle (/usr/share/kibana/src/core/server/http/router/router.js:164:34)\n    at process._tickCallback (internal/process/next_tick.js:68:7)"},"url":{"protocol":null,"slashes":null,"auth":null,"host":null,"port":null,"hostname":null,"hash":null,"search":null,"query":{},"pathname":"/api/request","path":"/api/request","href":"/api/request"},"message":"Internal Server Error"}
Dec 06 20:25:08 host node[3136382]: {"type":"response","@timestamp":"2022-12-06T20:25:08Z","tags":[],"pid":3136382,"method":"post","statusCode":500,"req":{"url":"/api/request","method":"post","headers":{"host":"127.0.0.1:5601","connection":"close","content-length":"78","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0","accept":"application/json, text/plain, */*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","content-type":"application/json","kbn-xsrf":"kibana","origin":"https://host.fqdn.local","dnt":"1","referer":"https://host.fqdn.local/app/wazuh","sec-fetch-dest":"empty","sec-fetch-mode":"cors","sec-fetch-site":"same-origin"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0","referer":"https://host.fqdn.local/app/wazuh"},"res":{"statusCode":500,"responseTime":71,"contentLength":9},"message":"POST /api/request 500 71ms - 9.0B"}

The browser console just shows a 500 error but the endpoint is /api/request not /sca as suggested:
[screenshot]

Ping @AlexRuiz7 - could you please reopen this as it is persistent?
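
A triage sketch for the back-end log lines quoted in the comment above, added here as an example and not part of the original thread or of Wazuh's or Kibana's code: it strips the journald prefix, parses the JSON records, and pairs each 5xx response with the error record logged by the same pid at the same timestamp and path. The sample lines are constructed, trimmed copies of the quoted records, and the function names are assumptions.

```javascript
// Constructed sample input: trimmed copies of the journald-prefixed Kibana JSON
// records quoted above, plus one healthy response and one non-JSON line.
const SAMPLE_LINES = [
  'Dec 06 20:25:08 host node[3136382]: {"type":"error","@timestamp":"2022-12-06T20:25:08Z","pid":3136382,"level":"error","error":{"message":"Internal Server Error","name":"Error"},"url":{"pathname":"/api/request"},"message":"Internal Server Error"}',
  'Dec 06 20:25:08 host node[3136382]: {"type":"response","@timestamp":"2022-12-06T20:25:08Z","pid":3136382,"method":"post","statusCode":500,"req":{"url":"/api/request","method":"post","remoteAddress":"127.0.0.1","referer":"https://host.fqdn.local/app/wazuh"},"res":{"statusCode":500,"responseTime":71,"contentLength":9},"message":"POST /api/request 500 71ms - 9.0B"}',
  'Dec 06 20:25:09 host node[3136382]: {"type":"response","@timestamp":"2022-12-06T20:25:09Z","pid":3136382,"method":"get","statusCode":200,"req":{"url":"/api/status","method":"get","remoteAddress":"127.0.0.1"},"res":{"statusCode":200,"responseTime":4,"contentLength":9},"message":"GET /api/status 200 4ms - 9.0B"}',
  'Dec 06 20:25:10 host systemd[1]: Started session 42.',
];

// Drop the journald prefix ("Dec 06 ... node[pid]: ") and parse the JSON payload.
function parseKibanaLine(line) {
  const start = line.indexOf('{');
  if (start === -1) return null; // not a Kibana JSON record
  try {
    return JSON.parse(line.slice(start));
  } catch (e) {
    return null; // truncated or malformed record
  }
}

// One summary per 5xx response, joined to the error records that share its
// pid, timestamp and request path.
function summarizeServerErrors(lines) {
  const records = lines.map(parseKibanaLine).filter(Boolean);
  const pathOf = (u) => String(u || '').split('?')[0];
  const key = (r, path) => `${r.pid}|${r['@timestamp']}|${path}`;
  const errors = new Map();
  for (const r of records) {
    if (r.type === 'error' && r.url && r.url.pathname) {
      const k = key(r, r.url.pathname);
      errors.set(k, (errors.get(k) || []).concat(r.error ? r.error.message : r.message));
    }
  }
  return records
    .filter((r) => r.type === 'response' && r.statusCode >= 500 && r.req)
    .map((r) => ({
      timestamp: r['@timestamp'],
      method: String(r.req.method || '').toUpperCase(),
      path: pathOf(r.req.url),
      status: r.statusCode,
      responseTimeMs: r.res ? r.res.responseTime : null,
      referer: r.req.referer || null,
      errors: errors.get(key(r, pathOf(r.req.url))) || [],
    }));
}

console.log(JSON.stringify(summarizeServerErrors(SAMPLE_LINES), null, 2));
```

In the quoted records the paired error carries only the generic "Internal Server Error" text, so the Kibana log alone does not say which wazuhdb query failed.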

@rneto12

rneto12 commented Jan 30, 2023

I have the same issue with the CIS Benchmark for Windows 10 21H2 on Wazuh 4.3.10.

This error appears only in the "Inventory" tab; if I change to "Events" I can find all data.

[screenshot]

@sempervictus
Author

@AlexRuiz7 - could this get some love please? It seems to have something to do with how Kibana passes data to sqlite3 query for the agents DB...
