Описание
Wazuh's File Integrity Monitoring (FIM), when configured with automatic threat removal, contains a time-of-check/time-of-use (TOCTOU) race condition that can allow a local, low-privileged attacker to cause the Wazuh service (running as NT AUTHORITY\SYSTEM) to delete attacker-controlled files or paths. The root cause is insufficient synchronization and lack of robust final-path validation in the threat-removal workflow: the agent records an active-response action and proceeds to perform deletion without guaranteeing the deletion target is the originally intended file. This can result in SYSTEM-level arbitrary file or folder deletion and consequent local privilege escalation. Wazuh made an attempted fix via pull request 8697 on 2025-07-10, but that change was incomplete.
Wazuh's File Integrity Monitoring (FIM), when configured with automatic threat removal, contains a time-of-check/time-of-use (TOCTOU) race condition that can allow a local, low-privileged attacker to cause the Wazuh service (running as NT AUTHORITY\SYSTEM) to delete attacker-controlled files or paths. The root cause is insufficient synchronization and lack of robust final-path validation in the threat-removal workflow: the agent records an active-response action and proceeds to perform deletion without guaranteeing the deletion target is the originally intended file. This can result in SYSTEM-level arbitrary file or folder deletion and consequent local privilege escalation. Wazuh made an attempted fix via pull request 8697 on 2025-07-10, but that change was incomplete.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2025-34294
- https://github.com/wazuh/wazuh-documentation/pull/8697
- https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html
- https://wazuh.com/blog/detecting-and-responding-to-malicious-files-using-cdb-lists-and-active-response
- https://www.vulncheck.com/advisories/wazuh-file-integrity-monitoring-and-active-response-arbitrary-file-deletion-as-system
Связанные уязвимости
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as the behavior originates from a documentation-published Active Response example script. Please refer to this advisory ( https://github.com/wazuh/wazuh-documentation/security/advisories/GHSA-46r5-xp98-fpgg ) for further information.
Уязвимость системы обнаружения и предотвращения вторжений Wazuh, связанная с ошибками синхронизации при использовании общего ресурса («Ситуация гонки»), позволяющая нарушителю повысить свои привилегии