EUVD-2024-17008
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
Improper input validation in the Wazuh agent for Windows prior to version 4.8.0 allows an attacker with control over the Wazuh server or agent key to configure the agent to connect to a malicious UNC path. This results in the leakage of the machine account NetNTLMv2 hash, which can be relayed for remote code execution or used to escalate privileges to SYSTEM via AD CS certificate forging and other similar attacks.
Analysis
CVE-2024-1243 is an improper input validation vulnerability in Wazuh agent for Windows (versions prior to 4.8.0) that allows attackers with control over the Wazuh server or possession of agent keys to redirect agents to malicious UNC paths, resulting in NetNTLMv2 hash leakage. The leaked hash can be relayed for remote code execution or abused for privilege escalation to SYSTEM level via AD CS certificate forging. This vulnerability represents a critical supply-chain/credential-leakage risk for Windows environments using Wazuh, though exploitation requires elevated privileges (high PR requirement) and knowledge of agent keys or server compromise.
Technical Context
The vulnerability stems from CWE-20 (Improper Input Validation) in the Wazuh Windows agent's UNC path handling mechanism. Wazuh agents communicate with Wazuh servers for configuration management and log collection; the agent accepts configuration directives that may include file paths for log ingestion or output destinations. The vulnerability occurs because the agent fails to properly validate UNC paths (\\\\hostname\\share format) before initiating SMB connections. When an attacker-controlled UNC path is configured, Windows automatically attempts SMB authentication using the machine account (SYSTEM context), exposing the NetNTLMv2 hash in the SMB protocol exchange. This hash can then be captured via network sniffing or relay attacks (e.g., via ntlmrelayx) to compromise other systems or escalate privileges via AD CS HTTP endpoints. The root cause is the trust placed in agent configuration without cryptographic path validation or domain pinning.
Affected Products
Product: Wazuh Agent for Windows; Affected Versions: all versions prior to 4.8.0 (inclusive range: 4.0.0–4.7.x); Fixed Version: 4.8.0 and later. CPE estimate: cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:windows:*:* (versions <4.8.0). Impacted configurations: Windows Wazuh agents configured to connect to Wazuh manager instances where the manager is compromised, or where agent enrollment keys are exposed. Secondary risk: Wazuh managers (any version) if they push malicious configurations to agents. Organizations running Wazuh on Windows Server 2016, 2019, 2022, or Windows 10/11 endpoints are affected. Wazuh agent for Linux/macOS is NOT affected (Windows-specific SMB/UNC behavior).
Remediation
Immediate: Upgrade Wazuh Windows agent to version 4.8.0 or later (released per CVE-2024-1243 disclosure). Vendor advisory: Check Wazuh official security advisories at https://wazuh.com/security-advisories/ for patch links and detailed upgrade guidance. Interim mitigations (if upgrade is delayed): (1) Restrict Wazuh manager network access via firewall; authenticate manager-to-agent communication with mutual TLS and certificate pinning; (2) Monitor SMB traffic (port 445) from Wazuh agent processes for outbound connections to non-whitelisted UNC paths; (3) Implement network segmentation to isolate Wazuh agents from untrusted UNC shares; (4) Review Wazuh agent configuration files (ossec.conf) for suspicious file path directives and validate against approved baselines; (5) Enforce strong agent key management (rotate keys, store in secure key management systems). Workaround (defensive): Disable or remove any file output/ingestion features in agent config that reference UNC paths until patching is complete.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today