
Add protection for untrusted libraries load #15327

Closed
Dwordcito opened this issue Nov 9, 2022 · 2 comments · Fixed by #15404 or wazuh/wazuh-packages#2038


Dwordcito commented Nov 9, 2022

| Wazuh version | Component | Install type | Install method | Platform |
|---------------|-----------|--------------|----------------|----------|
| 4.4.0-rev | Main process | Agent | Packages/Sources | Windows |

Description

This issue aims to add protections, to prevent the loading of libraries that are not trusted.

This purpose is due to the fact that a library that proxies the system ones can be loaded into the process and execute code for which Wazuh is not intended.

The main idea is that we only load libraries that are trusted by a CA.

This is done by hooking LdrInitDll, which is responsible for making the actual load. At that point, we carry out the verification and give the loading approval.

@davidjiglesias davidjiglesias changed the title Add protection for unstrusted libraries load. Add protection for unstrusted libraries load Nov 10, 2022
@vikman90 vikman90 added this to the Release 4.4.0 milestone Nov 10, 2022
@vikman90 vikman90 changed the title Add protection for unstrusted libraries load Add protection for untrusted libraries load Nov 24, 2022
@vikman90 vikman90 linked a pull request Nov 25, 2022 that will close this issue
@pereyra-m

Update

After the tests performed in wazuh/wazuh-qa#3612, some issues were found:

The last conclusion is the most crucial: by trying to protect the system from a side-load attack, we could cause a host to become completely unprotected. The required certificates aren't distributed with the agent and aren't validated on the host during the installation/upgrade.

The agent could stop working in many situations. For example, if the Windows host hasn't got an active internet connection or its automatic root CA update system is disabled, the agent won't be able to download/update the required certificates to verify the agent files' signatures.

Also, it could happen that the required certificate isn't present in the Windows Trusted Root Program, making the auto-update not possible for the Windows agent (see the complete list here).

These potential issues should be addressed before introducing this feature.


vikman90 commented Nov 30, 2022

@Dwordcito @pereyra-m great job!

Thanks for the update, let me give you some feedback:

  • Issue #15496 (Windows msi upgrade does not replace modified libraries files) should block this issue.
  • In addition to disabling DLL verification on Windows XP and Server 2003 (under Vista), and in view of the problems with the presence of valid CAs on some systems, we propose to divide this development into two phases:
    • The first would only alert that the binaries could not be verified.
    • In a second phase, we would add enforcement to such verification.
  • We expect the DLL verification to be enabled by default (when supported). Maybe we can define IMAGE_TRUST_CHECKS this way:
| IMAGE_TRUST_CHECKS | Default | Description |
|--------------------|---------|-------------|
| 0 or undefined | | Verification disabled. |
| 1 | | Check binaries and warn if verification fails. |
| 2 | | Enforce binary check. Stop the agent service if verification fails. |

Cheers!
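As an added example (not Wazuh project code, and not taken from this issue or its linked pull requests), the following PowerShell script applies the idea from the description and the IMAGE_TRUST_CHECKS levels proposed above to the DLLs in an agent install directory: it verifies each file's Authenticode signature, builds the certificate chain offline against the local root store (the failure mode pereyra-m describes when the required root CA never reached the host), requires the chain root to be on an operator-defined allow-list, and maps the outcome to skip/warn/stop. It runs as a stand-alone pre-check rather than from a loader hook inside the process. The install path, the allow-list thumbprints and the function names are assumptions for illustration.

```powershell
# Added example (not Wazuh code): offline Authenticode pre-check for the DLLs
# shipped with an agent, driven by the IMAGE_TRUST_CHECKS levels proposed in
# this issue. $InstallDir, $TrustedRootThumbprints and all function names are
# assumptions for illustration.
param(
    [string]$InstallDir = 'C:\Program Files (x86)\ossec-agent',  # assumed install path
    [int]$ImageTrustChecks = 1                                   # 0 = off, 1 = warn, 2 = enforce
)

# Thumbprints of the root CAs the operator trusts for agent binaries.
# Placeholder value: replace with the real root(s) of the signing chain.
$TrustedRootThumbprints = @(
    'PLACEHOLDER_ROOT_CA_THUMBPRINT'
)

function Test-PlatformSupported {
    # The proposal disables the check below Windows Vista (NT 6.0).
    $v = [System.Environment]::OSVersion.Version
    return ($v.Major -ge 6)
}

function Get-ImageTrustVerdict {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "signature status: $($sig.Status)" }
    }
    # Build the chain without network access: if the root CA is missing from
    # LocalMachine\Root, this fails even though the signature itself is well-formed,
    # which is exactly the offline/auto-update-disabled case raised above.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'NoFlag'
    if (-not $chain.Build($sig.SignerCertificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "chain build failed: $status" }
    }
    # The last chain element is the root; pin it to the operator's allow-list
    # so that "any CA in the store" is not enough.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($TrustedRootThumbprints -notcontains $root.Thumbprint) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "root not allow-listed: $($root.Subject)" }
    }
    return [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = 'ok' }
}

function Invoke-ImageTrustPolicy {
    param([int]$Level, [object[]]$Verdicts)
    # Maps the proposed IMAGE_TRUST_CHECKS values to an action.
    $failed = @($Verdicts | Where-Object { -not $_.Trusted })
    switch ($Level) {
        0 { return 'skip' }
        1 { if ($failed.Count) { return 'warn' } else { return 'ok' } }
        2 { if ($failed.Count) { return 'stop' } else { return 'ok' } }
        default { return 'skip' }   # unknown value behaves like "undefined"
    }
}

if ($ImageTrustChecks -eq 0 -or -not (Test-PlatformSupported)) {
    Write-Output 'Image trust checks disabled on this platform or by configuration.'
    return
}

$verdicts = Get-ChildItem -Path $InstallDir -Filter '*.dll' -Recurse |
    ForEach-Object { Get-ImageTrustVerdict -Path $_.FullName }

$verdicts | Where-Object { -not $_.Trusted } | ForEach-Object {
    Write-Warning "$($_.Path): $($_.Reason)"
}

$action = Invoke-ImageTrustPolicy -Level $ImageTrustChecks -Verdicts $verdicts
Write-Output "IMAGE_TRUST_CHECKS=$ImageTrustChecks -> action: $action"
if ($action -eq 'stop') { exit 1 }
```

Running it with `-ImageTrustChecks 1` on a host before an upgrade shows which files would fail and why (unsigned, hash mismatch, root CA absent from the store, or root not on the allow-list) without stopping anything, which is the phase-one behaviour proposed above; `-ImageTrustChecks 2` returns a non-zero exit code on any failure, matching phase two. The chain is built with `RevocationMode = NoCheck` deliberately, so the result reflects only what is already in the local store.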
