Thursday, December 15, 2022

Potential Security Issue in Windows Wazuh agent 3.13

This is a notification of a potential security issue in the Wazuh Windows agent. If you do not use Wazuh, then you can disregard this notification.


Version 3.13 of the Windows Wazuh agent installs with incorrect permissions on ossec.conf which could allow users to escalate privileges. However, most users configure that Wazuh agent using the Wazuh Agent Manager utility which then sets the permissions correctly. If you don't use the Wazuh Agent Manager utility for configuration, then you may need to manually fix the permissions on ossec.conf. For more information, please see Thanks to jakko10 for notifying us of this issue.


First, it's important to note that Wazuh is an optional component of Security Onion and does not have to be enabled. Furthermore, the issue exists in the Windows agent itself and not the Wazuh server that runs on the Security Onion node. Finally, most users configure the Wazuh agent using the Wazuh Agent Manager which sets the permissions correctly.

If you are using Wazuh and have deployed the agent to Windows machines without using the Wazuh Agent Manager, then you may want to manually change the permissions on the ossec.conf file.

Unrelated to this issue, we plan to remove Wazuh in Security Onion 2.4. Therefore, you may want to take this opportunity to switch to a different endpoint agent like Winlogbeat: 


If you have any questions, please start a new discussion at

No comments:

Search This Blog

Featured Post

Sneak Peek: New Detections Feature coming in Security Onion 2.4.70!

Our latest video is a sneak peek at a NEW feature coming to our FREE and OPEN Security Onion platform in the upcoming 2.4.70 release! This n...

Popular Posts

Blog Archive