CVE-2024-1243
BaseFortify
Publication date: 2025-06-11
Last updated on: 2025-10-01
Assigner: Pentraze
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wazuh | wazuh | all versions before 4.8.0 (4.8.0 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| NVD-CWE-noinfo | NVD placeholder: insufficient information to assign a specific CWE. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-1243 is a critical vulnerability in Wazuh Windows agents prior to version 4.8.0. The agent does not validate the <location> value of the <localfile> configuration option, so it can be pointed at a UNC path such as an SMB share (\\server\share\file.log) or a named pipe (\\server\pipe\name) instead of a local file. Because the agent service runs as LocalSystem, opening such a path makes Windows authenticate to the remote host with the computer's machine account, handing its NetNTLMv2 response to whoever operates that host. An attacker who controls the Wazuh server (which pushes agent.conf to its agents) or who holds an agent's key can therefore force the agent to connect to a host they run, capture the NetNTLMv2 response and relay it, for example to Active Directory Certificate Services, to obtain a certificate for the machine account. Authenticating with that certificate lets the attacker act as the machine and gain SYSTEM-level code execution on the host, which is why the issue is rated as remote code execution and privilege escalation. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to remote code execution (RCE) and local privilege escalation (LPE) to SYSTEM on every affected agent. Captured NetNTLMv2 responses of the machine account are rarely crackable (machine account passwords are long and random), but they can be relayed: relaying to Active Directory Certificate Services web enrollment yields a certificate for the machine account, which the attacker can use to authenticate as that computer and execute code on it. Other relay targets open further attacks such as NTLM relay to other hosts, DCSync against a domain controller, and Kerberos relay, so a single compromised Wazuh server can translate into loss of confidentiality, integrity and availability across the domain. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: finding Wazuh Windows agents older than 4.8.0, and finding <localfile> entries whose <location> is a UNC path. The agent version is recorded in the VERSION file of the installation directory (by default C:\Program Files (x86)\ossec-agent\VERSION; read it with Get-Content) and is also printed by running wazuh-agent.exe -v on the agent machine; the Wazuh dashboard and the manager's agent list report the version of every enrolled agent as well. For the configuration, inspect both the agent's local ossec.conf and the centrally pushed shared\agent.conf in the installation directory, and on the manager review /var/ossec/etc/shared/<group>/agent.conf for each agent group, since that is the file an attacker in control of the server would modify. Any <location> value beginning with \\ (for example \\attacker-controlled-server\share\file.log or \\server\pipe\name) deserves scrutiny. On the network side, 'netstat -an' and PowerShell's 'Get-SmbConnection' show active SMB sessions on an agent, and unexpected outbound SMB (TCP 445) traffic from agent hosts, in particular to hosts that are not known file servers, is a strong indicator of exploitation. [1, 2]
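The configuration check described above can be automated. The Python script below is an added example, not code from Wazuh or from this page's sources: it parses a Wazuh agent configuration (ossec.conf or agent.conf), flags every <localfile> whose <location> is a UNC path, and compares an agent version string against the fixed release. The sample agent.conf embedded in it is constructed for the example, and the manager-side path /var/ossec/etc/shared/<group>/agent.conf is assumed to be the default Wazuh layout.

```python
"""Scan Wazuh configuration for <localfile> entries that point at UNC paths (CVE-2024-1243 check).

Added example; not Wazuh's own code. Run it on a manager against the shared agent.conf
files, or against ossec.conf / agent.conf copied from a Windows agent.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Prefixes that make a Windows path resolve over the network: \\server\share,
# //server/share, \\.\pipe\name and \\?\UNC\server\share. A drive letter after
# \\?\ (e.g. \\?\C:\logs) is an extended *local* path and is excluded.
_UNC_RE = re.compile(r"^(?:\\\\|//)(?!\?[\\/][A-Za-z]:)")

FIXED_VERSION = "4.8.0"  # first Wazuh release with the fix, per the advisory

# Constructed sample: one Windows agent group with two benign and two UNC collectors.
SAMPLE_AGENT_CONF = r"""
<agent_config os="Windows">
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>C:\inetpub\logs\LogFiles\*.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>\\files.corp.example\logs\app.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>\\.\pipe\collector</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
"""


def is_unc_path(location: str) -> bool:
    """True if the <location> value would be opened over SMB or a named pipe."""
    return bool(_UNC_RE.match(location.strip()))


def find_unc_localfiles(config_text: str) -> list[dict]:
    """Return one finding per <localfile> whose <location> is a UNC path."""
    # ossec.conf/agent.conf may hold several top-level <ossec_config>/<agent_config>
    # elements, which is not well-formed XML, so wrap the text in a synthetic root.
    root = ET.fromstring("<root>" + config_text + "</root>")
    findings = []
    for block in root:  # each <ossec_config> or <agent_config ...> element
        for lf in block.iter("localfile"):
            loc = lf.findtext("location", default="").strip()
            if is_unc_path(loc):
                findings.append({
                    "scope": block.tag,
                    "target": dict(block.attrib),  # e.g. {'os': 'Windows'} on agent_config
                    "location": loc,
                    "log_format": lf.findtext("log_format", default="").strip(),
                })
    return findings


def agent_is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Compare a version string such as 'v4.7.5' (as found in the agent's VERSION file)."""
    def parse(v: str) -> tuple:
        core = v.strip().lstrip("v").split("-")[0]  # drop a 'v' prefix and any '-1' suffix
        return tuple(int(x) for x in core.split(".")[:3])
    return parse(version) < parse(fixed)


def scan_manager_shared(shared_dir: str = "/var/ossec/etc/shared") -> dict:
    """Scan every <group>/agent.conf under the manager's shared directory (assumed default path)."""
    results = {}
    for conf in Path(shared_dir).glob("*/agent.conf"):
        results[str(conf)] = find_unc_localfiles(conf.read_text(encoding="utf-8", errors="replace"))
    return results


if __name__ == "__main__":
    for f in find_unc_localfiles(SAMPLE_AGENT_CONF):
        print(f"UNC collector in <{f['scope']} {f['target']}>: {f['location']} ({f['log_format']})")
    for path, hits in scan_manager_shared().items():
        print(path, "->", [h["location"] for h in hits] or "clean")
```

Treat every hit as something to review rather than an automatic indicator: a UNC collector that an administrator added deliberately still makes the agent authenticate to that host as the machine account, so the host must be trusted and the entry is worth removing before 4.8.0 is rolled out.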
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade every Wazuh Windows agent to version 4.8.0 or later, where the <localfile> option no longer accepts UNC paths. Until the upgrade is complete, remove any <localfile> entry whose <location> starts with \\ from ossec.conf and from the agent.conf pushed by the manager, and review changes to the shared agent.conf files on the manager, since that is the channel an attacker would use to inject such an entry. Protect the Wazuh server and the agent keys (client.keys) with the same care as any credential that grants control over endpoints, because control of either is what makes the attack possible. Finally, restrict outbound SMB (TCP 445) from agent hosts to known file servers through segmentation or host firewall rules, and alert on SMB connections from agents to unexpected destinations, so that even a successfully injected UNC path cannot reach an attacker-controlled host. [2]