Wazuh Windows agent gaping security hole!

[jakko10]

Hi!

Looks like Security Onion still uses the old Wazuh agent version 3.13.1-1 that has an (in my personal opinion) critical level security hole in it.
The ossec.conf file permissions are incorrect. The Everyone user group has read and write permissions. The latter is the critical one.
Due to this bug, any user who is not an administrator could easily elevate to administrator/system asses rights.
Why and how:
The why: Wazuh agent service rus as local system account.
The how: If one adds a script wodle to Wazuh agent conf (ossec.conf) the script will run in the system context and can do pretty much anything. After the next reboot, the script gets loaded and magic happens.

[dougburks]

Hi @jakko10,

We've tested this on a few different machines and here are our findings.

We downloaded the Wazuh agent:

and verified the hash:

We then installed the agent and verified that the permissions on ossec.conf allowed all users to write:

We then ran the Wazuh Agent Manager:

and configured the agent to connect to the Wazuh server. Saving the configuration locks down the permissions on ossec.conf:

Can you confirm that saving the configuration locks down the permissions on ossec.conf for you?

[jakko10]

Aha ok, so, yes, different installation methods produce different results.
If you deploy the Wazuh agent in scale let's say with Ansible (Wazuh has written the Ansible roles to automate the agent registration) then even if the agent is registered and all that, the permissions still stay so that "Everyone" users group is still present with the read/write permissions.
There are multiple ways to install it programmatically, producing the same result leaving ossec.conf vulnerable.
I did report this a while back to Wazuh too, they have fixed this in the new versions so that ossec.conf always has the correct permissions.

[dougburks]

I've added the following warning to https://docs.securityonion.net/en/2.3/wazuh.html#adding-agents:

In the future, if you need to report security issues to us, please follow our Vulnerability Disclosure steps at:
https://docs.securityonion.net/en/2.3/security.html#vulnerability-disclosure

Thanks!

[jakko10]

I actually did alert you guys regarding this issue about 4 years ago... yep that hole has been there for this long. I alerted Wazuh too back then and ended up testing the agent with them for quite some time. Probably should have created a CVE.
I guess the note is a good start.
However, I don't think most users would configure Wazuh using Wazuh Agent Manager, I mean, small companies with 10-20 PC's probably would, but as you scale up. You really don't want to go from PC to PC manually configuring things, you'd want to do things remotely and automatically.

[dougburks]

I've also published a blog post:
https://blog.securityonion.net/2022/12/potential-security-issue-in-windows.html