CVE-2024-1243: 
Wazuh Agent vulnerability analysis and mitigation

CVE-2024-1243 is a critical security vulnerability discovered in the Wazuh agent for Windows prior to version 4.8.0. The vulnerability was identified by Rilke Petrosky from Pentraze Cybersecurity and was disclosed in February 2024. The issue stems from improper input validation in the Wazuh Windows agent's configuration handling, specifically related to UNC path validation (Pentraze Report, GitHub Advisory).

The vulnerability arises from improper input validation in the Wazuh agent for Windows, where the agent configuration option fails to restrict the use of UNC paths (including SMB and Named pipes). The vulnerability has received a CVSS v4.0 base score of 9.5 (Critical) with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. The vulnerability is tracked under CWE-73 (External Control of File Name or Path) and CWE-20 (Improper Input Validation) (NVD).

A successful exploitation of this vulnerability can lead to remote code execution (RCE) and Local Privilege Escalation under the scope of the NT AUTHORITY\System user. The attack can result in the leakage of the machine account NetNTLMv2 hash, which can be relayed for remote code execution or used to escalate privileges to SYSTEM via AD CS certificate forging and other similar attacks (GitHub Advisory).

The vulnerability has been patched in Wazuh agent version 4.8.0 and later. Organizations running affected versions should upgrade to version 4.8.0 or newer to mitigate this vulnerability (GitHub Advisory).