CVE-2024-35177
📋 TL;DR
This CVE describes a local privilege escalation in the Wazuh Windows agent. When the agent is installed to a non-default directory (for example C:\wazuh instead of C:\Program Files (x86)\ossec-agent), the directory inherits the permissive ACL of its parent folder, and low-privileged local users can create or replace files in it. Because the agent service runs as SYSTEM, an attacker can plant a DLL that wazuh-agent.exe loads by name from its own directory, or overwrite the service executable itself, and obtain SYSTEM the next time the service starts. Installations in the default Program Files path are not affected.
💻 Affected Systems
- Wazuh Windows Agent
📦 What is this software?
Wazuh (Wazuh Inc.) is an open-source security platform used for threat detection, file integrity monitoring and compliance. The Windows agent installs as the WazuhSvc service; its binary, wazuh-agent.exe, runs as LocalSystem and reports to a Wazuh manager.
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM privileges, enabling complete host compromise, persistence, lateral movement, and data exfiltration.
Likely Case
Local user with basic privileges escalates to SYSTEM to install malware, steal credentials, or disable security controls.
If Mitigated
With the installation directory restricted to SYSTEM and Administrators, a low-privileged user cannot write the DLL or replace the binary in the first place; file integrity monitoring on the directory provides detection if the ACLs ever drift back.
🎯 Exploit Status
Exploitation requires local, low-privileged access to a host where the agent was installed to a non-default path. From there an attacker needs either the name of a DLL that wazuh-agent.exe tries to load from its own directory but does not find (classic DLL search-order hijacking: a DLL with that name and the expected exports is dropped into the directory), or simply the ability to overwrite wazuh-agent.exe and wait for the next service restart or reboot. Both routes need nothing more than write access to the installation directory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9.0
Vendor Advisory: https://github.com/wazuh/wazuh/security/advisories/GHSA-pmr2-2r83-h3cv
Restart Required: No system reboot; the installer stops and restarts the WazuhSvc service.
Instructions:
1. Download the Wazuh agent 4.9.0 or later from the official Wazuh packages site.
2. Run the installer on each affected Windows host. An in-place upgrade over the existing installation is sufficient; the agent keeps its configuration and enrollment key.
3. The fixed installer sets the ACLs of the installation directory itself rather than relying on what the parent folder passes down, so a non-default path no longer leaves the directory writable by Users or Authenticated Users.
4. Confirm the result with icacls on the installation directory after the upgrade completes.
🔧 Temporary Workarounds
Manual ACL Hardening
Manually set restrictive ACLs on the Wazuh installation directory so that only SYSTEM and Administrators can write to it. Run the commands from an elevated prompt and replace C:\wazuh with the actual installation path (the directory that holds wazuh-agent.exe). The first command cuts inheritance from the parent folder, which is where the Users/Authenticated Users write access comes from; the last two remove any explicit entries that remain. Re-run icacls on the directory afterwards and make sure no entry other than SYSTEM and Administrators shows (M), (W) or (F).
icacls "C:\wazuh" /inheritance:r
icacls "C:\wazuh" /grant "SYSTEM:(OI)(CI)F"
icacls "C:\wazuh" /grant "Administrators:(OI)(CI)F"
icacls "C:\wazuh" /remove "Users"
icacls "C:\wazuh" /remove "Authenticated Users"
🧯 If You Can't Patch
- Reinstall the agent into the default directory under Program Files (x86), where the inherited ACL already limits write access to administrators. Back up and restore client.keys and ossec.conf so the agent keeps its enrollment and configuration.
- Put file integrity monitoring on the installation directory (Wazuh's own syscheck module can watch it, as can any host FIM) and alert on any new or changed DLL or executable there.
🔍 How to Verify
Check if Vulnerable:
Check whether the agent is installed outside the default C:\Program Files (x86)\ossec-agent directory (the image path of the WazuhSvc service shows where it lives) and whether the version is below 4.9.0. If both hold, the host is vulnerable. If the path is non-default but the version is already 4.9.0 or later, still confirm the directory ACLs.
Check Version (wmic is deprecated, and this Win32_Product query triggers an MSI consistency check of every installed package, so expect it to be slow; the DisplayVersion in the Uninstall registry key gives the same answer without that side effect):
wmic product where "name like 'Wazuh%'" get version
Verify Fix Applied:
Verify the agent reports 4.9.0 or later and that icacls on the installation directory lists only NT AUTHORITY\SYSTEM and BUILTIN\Administrators (plus, where present, TrustedInstaller and CREATOR OWNER) with write, modify or full control. Any Users or Authenticated Users entry carrying (M), (W) or (F) means the directory is still writable and the fix has not taken effect. Check the service binary wazuh-agent.exe as well as the directory.
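The three checks above (install path, version, effective ACLs) as one script. This is an added example written for this page, not Wazuh's own tooling. It assumes the agent service is registered as WazuhSvc with wazuh-agent.exe as its image, that the MSI's Uninstall entry has a DisplayName starting with "Wazuh", and that it runs in an elevated PowerShell session. It avoids wmic product and flags any Allow ACE on the directory or the service binary that gives a non-admin principal create, delete or permission-change rights, including the generic write/all bits that inherited ACEs sometimes carry.

```powershell
# Added example for this page, not Wazuh's own tooling. Checks a host for the
# CVE-2024-35177 preconditions: agent version below 4.9.0 plus a writable install
# directory or service binary. Assumptions: service name 'WazuhSvc', MSI Uninstall
# DisplayName starting with 'Wazuh', elevated PowerShell session.

$FixedVersion = [version]'4.9.0'

function Get-WazuhServiceBinary {
    # The service image path, e.g. "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
    $svc = Get-CimInstance Win32_Service -Filter "Name='WazuhSvc'" -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    if ($svc.PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($svc.PathName -split ' ')[0]
}

function Get-WazuhVersion {
    # DisplayVersion from the 32- and 64-bit Uninstall keys. Avoids 'wmic product' /
    # Win32_Product, which is deprecated and forces an MSI consistency check of every package.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Wazuh*' } |
             Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) { return [version]$entry.DisplayVersion }
    return $null
}

function Get-WeakWriteAces {
    # Allow ACEs, inherited or explicit, that let a principal outside the trusted set
    # create, replace or delete files here: enough to plant a DLL or swap the service exe.
    param([Parameter(Mandatory)][string]$Path)
    $R = [System.Security.AccessControl.FileSystemRights]
    $dangerous = [int]($R::CreateFiles -bor $R::CreateDirectories -bor $R::Delete -bor
                       $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
                       $R::TakeOwnership)
    $generic   = 0x50000000   # GENERIC_ALL | GENERIC_WRITE, seen on some inherited ACEs
    $trusted   = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                 'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $rights = [int]$_.FileSystemRights
        $_.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $_.IdentityReference.Value -and
        (($rights -band $dangerous) -ne 0 -or ($rights -band $generic) -ne 0)
    }
}

function Test-Cve202435177 {
    $exe = Get-WazuhServiceBinary
    if (-not $exe) { return [pscustomobject]@{ Installed = $false } }
    $dir = Split-Path -Parent $exe
    $ver = Get-WazuhVersion
    # Default install root is under Program Files / Program Files (x86)
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $onDefaultPath = [bool]($roots | Where-Object { $dir.StartsWith($_, 'OrdinalIgnoreCase') })
    # Both the directory (DLL planting) and the binary itself (executable replacement) matter
    $weak = @(Get-WeakWriteAces -Path $dir) + @(Get-WeakWriteAces -Path $exe)
    $patched = [bool]($ver -and $ver -ge $FixedVersion)
    [pscustomobject]@{
        Installed     = $true
        InstallDir    = $dir
        Version       = $ver
        OnDefaultPath = $onDefaultPath
        Patched       = $patched
        WeakAces      = @($weak | ForEach-Object { "$($_.IdentityReference.Value): $($_.FileSystemRights)" })
        Vulnerable    = (-not $patched) -and ($weak.Count -gt 0)
    }
}

Test-Cve202435177 | Format-List
```

Vulnerable is only reported when both conditions hold: an unpatched version and an ACE that actually grants write-class rights to someone outside SYSTEM/Administrators. A non-default path with a clean ACL (for example after the icacls workaround) is reported as not vulnerable, and a patched agent whose directory somehow still carries a weak ACE shows up in WeakAces so it can be fixed even though the version check passes.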
📡 Detection & Monitoring
Log Indicators:
- DLLs loaded by wazuh-agent.exe from the Wazuh directory that are unsigned or not part of the shipped install. The Windows Security log does not record image loads, so this needs Sysmon event 7 (ImageLoad must be enabled in the Sysmon configuration) or an EDR.
- File creation, modification or deletion in the Wazuh installation directory by a principal other than SYSTEM or an administrator (Security event 4663). This event only fires if "Audit Object Access: File System" is enabled and a SACL is set on the directory.
- Process creation (Security event 4688) of an unexpected executable from the Wazuh directory, or of wazuh-agent.exe by a principal other than SYSTEM.
Network Indicators:
- Outbound connections from wazuh-agent.exe to anything other than the Wazuh manager (by default TCP 1514 for events and TCP 1515 for enrollment). A hijacked DLL runs inside that process, so its traffic carries the agent's process name.
SIEM Query (pseudo-SPL; adapt field names to your schema and replace the name wildcard on user with your actual administrative accounts, since "*Administrator*" both misses renamed admins and excludes any user whose name happens to contain the string):
source="windows" (event_id=4688 OR event_id=4663) AND (process_path="*\\wazuh\\*" OR file_path="*\\wazuh\\*") AND user!="SYSTEM" AND user!="*Administrator*"
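The same hunt run directly on a host against the Windows event sources behind the log indicators above, as an added example written for this page (not Wazuh's or the advisory's code). It assumes the install directory passed as -InstallDir, that file-system object auditing and a SACL on that directory are in place so 4663 is produced, that 4688 is enabled, and that Sysmon with ImageLoad logging is installed for the DLL check. The Wazuh code-signing identity is not assumed, so unsigned DLL loads from the directory are listed for review rather than judged.

```powershell
# Added example for this page, not Wazuh or advisory code. Lists Security and Sysmon events
# matching the CVE-2024-35177 log indicators. Assumptions: install dir as given, 4663/4688
# auditing enabled with a SACL on the directory, Sysmon ImageLoad logging enabled.

function Get-EventFields {
    # Flatten an EventLogRecord's <EventData> into a hashtable keyed by field name.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[[string]$d.Name] = [string]$d.'#text' }
    return $fields
}

function Find-WazuhDirTampering {
    param(
        [string]$InstallDir = 'C:\Program Files (x86)\ossec-agent',  # default agent path
        [int]$Hours = 24
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $prefix = $InstallDir.TrimEnd('\') + '\'
    $system = 'S-1-5-18'                      # LocalSystem, the agent's own identity
    $agent  = $prefix + 'wazuh-agent.exe'
    # 4663 AccessMask bits that matter here: 0x2 WriteData/AddFile,
    # 0x4 AppendData/AddSubdirectory, 0x10000 DELETE.
    $writeMask = 0x2 -bor 0x4 -bor 0x10000

    # 1) Writes or deletes inside the install directory by anyone other than SYSTEM
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
        -ErrorAction SilentlyContinue | ForEach-Object {
        $f = Get-EventFields $_
        if ($f.ObjectName -and $f.ObjectName.StartsWith($prefix, 'OrdinalIgnoreCase') -and
            $f.SubjectUserSid -ne $system -and
            (([int]$f.AccessMask) -band $writeMask) -ne 0) {
            [pscustomobject]@{ Time = $_.TimeCreated; Source = 'Security 4663'
                               Who = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
                               Detail = "$($f.ProcessName) wrote $($f.ObjectName)" }
        }
    }

    # 2) Process creation from the install directory: anything that is not the agent binary,
    #    or the agent binary started by a non-SYSTEM principal
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
        -ErrorAction SilentlyContinue | ForEach-Object {
        $f = Get-EventFields $_
        $img = $f.NewProcessName
        if ($img -and $img.StartsWith($prefix, 'OrdinalIgnoreCase') -and
            ($img -ne $agent -or $f.SubjectUserSid -ne $system)) {
            [pscustomobject]@{ Time = $_.TimeCreated; Source = 'Security 4688'
                               Who = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
                               Detail = "$img (parent: $($f.ParentProcessName))" }
        }
    }

    # 3) Sysmon event 7: DLLs loaded from the install directory without a valid signature
    #    (the Security log has no image-load event at all)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7; StartTime = $since } `
        -ErrorAction SilentlyContinue | ForEach-Object {
        $f = Get-EventFields $_
        if ($f.ImageLoaded -and $f.ImageLoaded.StartsWith($prefix, 'OrdinalIgnoreCase') -and
            $f.Signed -ne 'true') {
            [pscustomobject]@{ Time = $_.TimeCreated; Source = 'Sysmon 7'
                               Who = $f.Image
                               Detail = "loaded unsigned $($f.ImageLoaded)" }
        }
    }
}

Find-WazuhDirTampering | Sort-Object Time | Format-Table -AutoSize
```

Run it once on a known-clean host first: the Sysmon 7 list will contain whatever unsigned libraries ship with the agent, and that set is the baseline to subtract. The 4663 check is the one that catches the actual planting step, but it returns nothing unless the SACL and the File System audit subcategory are both in place, which is the single most common reason this kind of detection silently fails.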