PT-2025-2436 · Wazuh+1

Francescoraimondi · Published 2025-02-03 · Updated 2025-02-11 · CVE-2024-35177

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Wazuh versions prior to 4.9.0
Description: The issue is improper access control in the Wazuh agent for Windows. A local malicious user can exploit it by placing a specially crafted DLL file in the installation folder or by replacing the service executable binary itself with a malicious one. This allows a low-privileged user to escalate privileges and obtain code execution in the context of NT AUTHORITY\SYSTEM. Many DLLs are loaded from the installation folder, and a malicious DLL that exports the functions of a legitimate one is enough to escalate privileges.
Recommendations: For versions prior to 4.9.0, upgrade to version 4.9.0 to address the issue. As a temporary workaround, consider restricting access to the installation folder to minimize the risk of exploitation. Avoid using non-default installation paths, and ensure that a proper ACL is applied to the installation folder.
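
One way to verify the ACL recommendation above on a Windows host, as an added example that is not part of the original advisory or of Wazuh's own tooling. The default `$InstallDir` value is a placeholder and the list of trusted SIDs is an assumption to adjust per environment.

```powershell
param(
    # Placeholder (assumption): pass the agent's real installation folder.
    [string]$InstallDir = 'C:\Path\To\AgentInstallDir'
)

# Rights that let a principal plant or replace a DLL or the service binary.
$risky = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Get-Acl can return unmapped generic bits on inherit-only ACEs:
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000).
$riskyMask = [int]$risky -bor 0x10000000 -bor 0x40000000

# Principals expected to hold write access (assumption: adjust per environment).
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (applies only to objects a principal could already create)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# The folder itself (creating a new DLL needs write on the directory)
# plus everything beneath it (replacing an existing DLL or EXE).
$targets = @(Get-Item -LiteralPath $InstallDir) +
           @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force)

$findings = foreach ($item in $targets) {
    $acl   = Get-Acl -LiteralPath $item.FullName
    # Ask for SIDs directly so the check does not depend on localized names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $riskyMask) -ne 0) {
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Any row here is a non-trusted principal able to write into the install tree.
$findings | Format-Table -AutoSize -Wrap
if ($findings) { exit 1 }
```

A non-zero exit code means at least one write-capable ACE for a principal outside the trusted list was found; an `Inherited` value of `True` points at the parent folder's ACL as the place to fix it.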

Exploit

Fix

LPE

Improper Access Control

Weakness Enumeration

Related Identifiers

BDU:2025-01149
CVE-2024-35177
GHSA-PMR2-2R83-H3CV
GO-2025-3444
OPENSUSE-SU-2025:14732-1
OPENSUSE-SU-2025_0429-1
SUSE-SU-2025:0429-1

Affected Products

Suse
Wazuh