Add protection for untrusted libraries load #15327
Update

After the tests performed in wazuh/wazuh-qa#3612, some issues were found:

The last conclusion is the most crucial because trying to protect the system from a side load attack we could cause a host to become completely unprotected. The required certificates aren't distributed with the agent and aren't validated in the host during the installation/upgrade. The agent could stop working in many situations. For example, if the Windows host hasn't got an active internet connection or its automatic root CA update system is disabled, the agent won't be able to download/update the required certificates to verify the agent files' signatures. Also, it could happen that the required certificate isn't present in the Windows Trusted Root Program, making the auto-update not possible for the Windows agent (see the complete list here). These potential issues should be addressed before introducing this feature.
@Dwordcito @pereyra-m great job! Thanks for the update, let me give you some feedback:
Cheers!
Description
This issue aims to add protections to prevent the loading of libraries that are not trusted.
This is because a library that proxies the system ones can be loaded into the process and execute code for which Wazuh is not intended.
The main idea is that we only load libraries that are trusted by a CA.
This is done by hooking LdrInitDll, which is responsible for making the actual load. At that point, we carry out the verification and give the loading approval.
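An added example, not code from the issue or from the Wazuh project, that shows the check a load-time "trusted CA only" policy would apply and, just as importantly, the failure mode raised in the update comment above: a host that cannot build the signer's certificate chain (missing or non-updated root CA, no internet) makes a perfectly good library look untrusted. The script audits the modules already loaded into a process and separates "unsigned or tampered" from "this host cannot validate the chain". The process name `wazuh-agent` and the use of `Get-AuthenticodeSignature` in place of the hook's in-process verification are assumptions for illustration.

```powershell
# Added example (not Wazuh code). Audits the DLLs loaded into a running
# process and reports which ones would fail a "signed by a trusted CA" check.
# Run from an elevated PowerShell 5.1+ session on Windows.
param(
    [string]$ProcessName = 'wazuh-agent'   # assumed process name; adjust for your install
)

function Test-ModuleTrust {
    param([string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path         = $Path
        Status       = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Signer       = $null
        ChainProblem = $null
    }

    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject

        # Build the chain ourselves to see *why* a signature is not trusted.
        # UntrustedRoot or PartialChain means the root/intermediate CA is missing
        # on this host: the library is fine, the host just cannot prove it. That is
        # the case the update comment warns would leave the agent unable to load
        # its own libraries.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline hosts cannot reach CRL/OCSP
        if (-not $chain.Build($sig.SignerCertificate)) {
            $result.ChainProblem = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }

    [pscustomobject]$result
}

$proc   = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
$report = foreach ($m in $proc.Modules) { Test-ModuleTrust -Path $m.FileName }

# Anything not 'Valid' is what a load-time check in the agent would reject.
# Catalog-signed OS DLLs report Valid on PowerShell 5.1+; a Valid signature with a
# ChainProblem cannot occur, but NotTrusted/UnknownError together with
# 'UntrustedRoot' or 'PartialChain' points at the host's CA store, not the file.
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

Running this on a lab host with the vendor's root CA removed from `Cert:\LocalMachine\Root` reproduces the concern in the update: the agent's own DLLs show up as rejected with a chain problem, which is exactly what an in-process hook enforcing the policy would see, so any such feature needs the trust anchors shipped and validated with the agent rather than fetched on demand.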