Severity by source
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
Improper input validation in the Wazuh agent for Windows prior to version 4.8.0 allows an attacker with control over the Wazuh server or agent key to configure the agent to connect to a malicious UNC path. This results in the leakage of the machine account NetNTLMv2 hash, which can be relayed for remote code execution or used to escalate privileges to SYSTEM via AD CS certificate forging and other similar attacks.
Analysis (AI)
CVE-2024-1243 is an improper input validation vulnerability in Wazuh agent for Windows (versions prior to 4.8.0) that allows attackers with control over the Wazuh server or possession of agent keys to redirect agents to malicious UNC paths, resulting in NetNTLMv2 hash leakage. The leaked hash can be relayed for remote code execution or abused for privilege escalation to SYSTEM level via AD CS certificate forging. This vulnerability represents a critical supply-chain/credential-leakage risk for Windows environments using Wazuh, though exploitation requires elevated privileges (high PR requirement) and knowledge of agent keys or server compromise.
Technical Context (AI)
The vulnerability stems from CWE-20 (Improper Input Validation) in the Wazuh Windows agent's UNC path handling. Wazuh agents communicate with Wazuh servers for configuration management and log collection; the agent accepts configuration directives that may include file paths for log ingestion or output destinations. The vulnerability occurs because the agent fails to validate UNC paths (the \\hostname\share form) before initiating SMB connections. When an attacker-controlled UNC path is configured, Windows automatically attempts SMB authentication using the machine account (the agent runs in the SYSTEM context), exposing the NetNTLMv2 hash in the SMB protocol exchange. This hash can then be captured via network sniffing or relay attacks (e.g., via ntlmrelayx) to compromise other systems or to escalate privileges via AD CS HTTP endpoints. The root cause is the trust placed in agent configuration without cryptographic path validation or domain pinning.
Remediation (AI)
Immediate: Upgrade Wazuh Windows agent to version 4.8.0 or later (released per CVE-2024-1243 disclosure).
Vendor advisory: Check Wazuh official security advisories at https://wazuh.com/security-advisories/ for patch links and detailed upgrade guidance.
Interim mitigations (if upgrade is delayed):
(1) Restrict Wazuh manager network access via firewall; authenticate manager-to-agent communication with mutual TLS and certificate pinning.
(2) Monitor SMB traffic (port 445) from Wazuh agent processes for outbound connections to non-whitelisted UNC paths.
(3) Implement network segmentation to isolate Wazuh agents from untrusted UNC shares.
(4) Review Wazuh agent configuration files (ossec.conf) for suspicious file path directives and validate against approved baselines.
(5) Enforce strong agent key management (rotate keys, store in secure key management systems).
Workaround (defensive): Disable or remove any file output/ingestion features in agent config that reference UNC paths until patching is complete.
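As an added defensive example for mitigation step (4), not code from this page or from the Wazuh project: a Python checker that walks every element text in an ossec.conf, extracts UNC targets and reports hosts that are outside an approved baseline. The sample config and the allowlist are constructed; the <localfile><location> layout mirrors the agent's log-collection directive, but every element is checked so the script does not depend on that schema.

```python
"""Flag UNC paths in a Wazuh agent ossec.conf whose host is not on an approved baseline."""
import re
import xml.etree.ElementTree as ET

# Constructed sample config (not from a real deployment). One local path, one UNC path
# to an approved file server, and one UNC path to an unknown host.
SAMPLE_OSSEC_CONF = r"""<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\logs\app.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>\\fileserver01.corp.example\logs\iis.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>\\10.0.0.99\share\x.log</location>
  </localfile>
</ossec_config>
"""

# Constructed baseline of hosts the agent is allowed to reach over SMB (assumption).
APPROVED_HOSTS = ["fileserver01.corp.example"]

# Matches \\host\... and //host/... and captures the host part.
UNC_RE = re.compile(r'^(?:\\\\|//)([^\\/\s]+)[\\/]')


def find_unc_paths(conf_text):
    """Return (tag, path, host) for every element whose text is a UNC path.

    ossec.conf may hold several top-level <ossec_config> blocks, so the text is
    wrapped in a synthetic root; a leading XML declaration is dropped first.
    """
    body = re.sub(r'<\?xml[^>]*\?>', '', conf_text)
    root = ET.fromstring("<wazuh_scan>" + body + "</wazuh_scan>")
    hits = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        m = UNC_RE.match(text)
        if m:
            hits.append((elem.tag, text, m.group(1).lower()))
    return hits


def audit_unc_paths(conf_text, approved_hosts):
    """Return (path, host) pairs whose host is not in the approved baseline."""
    approved = {h.lower() for h in approved_hosts}
    return [(p, h) for _, p, h in find_unc_paths(conf_text) if h not in approved]


if __name__ == "__main__":
    for path, host in audit_unc_paths(SAMPLE_OSSEC_CONF, APPROVED_HOSTS):
        print(f"UNAPPROVED UNC target {host}: {path}")
```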
EUVD-2024-17008