Thursday, December 15, 2022

Potential Security Issue in Windows Wazuh agent 3.13

This is a notification of a potential security issue in the Wazuh Windows agent. If you do not use Wazuh, then you can disregard this notification.

Summary

Version 3.13 of the Windows Wazuh agent installs with incorrect permissions on ossec.conf, which could allow users to escalate privileges. However, most users configure the Wazuh agent using the Wazuh Agent Manager utility, which then sets the permissions correctly. If you don't use the Wazuh Agent Manager utility for configuration, then you may need to manually fix the permissions on ossec.conf. For more information, please see https://github.com/Security-Onion-Solutions/securityonion/discussions/9390. Thanks to jakko10 for notifying us of this issue.

Discussion

First, it's important to note that Wazuh is an optional component of Security Onion and does not have to be enabled. Furthermore, the issue exists in the Windows agent itself and not the Wazuh server that runs on the Security Onion node. Finally, most users configure the Wazuh agent using the Wazuh Agent Manager which sets the permissions correctly.

If you are using Wazuh and have deployed the agent to Windows machines without using the Wazuh Agent Manager, then you may want to manually change the permissions on the ossec.conf file.
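
To see whether a given endpoint is affected before changing anything, the following PowerShell check lists every principal other than SYSTEM and Administrators that holds a write-capable right on ossec.conf. It is an added example, not part of the original advisory or of Wazuh; the install path and the set of trusted principals are assumptions, and `Get-OssecConfRiskyAce` is a hypothetical helper name.

```powershell
# Added example: report non-administrative principals that can modify ossec.conf.
# Assumption: default install path of the 3.x Windows agent; pass -Path if yours differs.
param(
    [string]$Path = 'C:\Program Files (x86)\ossec-agent\ossec.conf'
)

# Assumption: only these well-known SIDs should be able to change the file.
$trustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'    # BUILTIN\Administrators
)

# Rights that allow changing the file's content, deleting it, or rewriting its ACL/owner.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# Generic bits can appear unmapped in an ACE: GENERIC_ALL and GENERIC_WRITE.
$writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

function Get-OssecConfRiskyAce {
    param([Parameter(Mandatory)][string]$LiteralPath)

    $acl = Get-Acl -LiteralPath $LiteralPath -ErrorAction Stop
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        $sid = $ace.IdentityReference.Value
        if ($trustedSids -contains $sid) { continue }

        # Resolve the SID to a name for the report; keep the raw SID if it cannot be resolved.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Identity  = $name
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings = @(Get-OssecConfRiskyAce -LiteralPath $Path)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "$Path is writable by principals other than SYSTEM and Administrators."
    exit 1
}
Write-Output "$Path is writable only by SYSTEM and Administrators."
```

The non-zero exit code on a finding makes the script usable from a software deployment or configuration management tool to inventory which agents still need their permissions corrected.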

Unrelated to this issue, we plan to remove Wazuh in Security Onion 2.4. Therefore, you may want to take this opportunity to switch to a different endpoint agent like Winlogbeat:
https://docs.securityonion.net/en/2.3/beats.html 

Questions

If you have any questions, please start a new discussion at https://securityonion.net/discuss.
