Wazuh SIEM Broken Access Control Vulnerability Allowing Unauthorized User Creation in Version 4.8.2

Vulnerability

A broken access control vulnerability has been identified in Wazuh SIEM version 4.8.2. This vulnerability allows for the unauthorized creation of internal users without assigning a valid user role, which could lead to privilege escalation or unauthorized access to sensitive resources. The issue arises because the system fails to properly validate user roles during the internal user creation process.

Impact

Exploitation of this vulnerability could result in unauthorized user accounts being created, potentially leading to privilege escalation or unauthorized access to sensitive resources within the Wazuh SIEM environment.

Reproduction

To reproduce this vulnerability, log into the Wazuh SIEM server and navigate to the Indexer Management page. From there, open the Security section and click 'Create Internal User'. Attempt to assign a non-existent or invalid role: the system bypasses role validation and creates the user with the invalid role. Once created, the user has unauthorized access, which is the broken access control described above.

Remediation

To address this vulnerability, implement proper role validation so that only roles that actually exist can be assigned to a user, and reject the creation request otherwise. Strengthen access control checks to prevent unauthorized users from creating internal users with invalid roles. Additionally, ensure that user roles follow the principle of least privilege to limit access rights.
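The check the remediation describes is straightforward to express in code. The following is an added example written for this page, not Wazuh or OpenSearch Security code: it puts a weak user-creation path (roles stored as sent, mirroring the reported behaviour) next to a hardened one that rejects any role absent from the configured role registry before anything is written, plus a small audit helper for finding accounts that were created while the check was missing. The role registry, the in-memory user store and all function names are assumptions for illustration; the validation must run on the server, since a client-side check can be skipped.

```python
"""Role validation at internal-user creation time.

Added example, not Wazuh or OpenSearch Security code. The role registry,
request shape, store and function names are assumptions for illustration.
"""
from dataclasses import dataclass, field


class RoleValidationError(ValueError):
    """Raised when a user-creation request names a role that does not exist."""


# Constructed role registry standing in for the roles configured on the indexer.
KNOWN_ROLES = frozenset({"readall", "kibana_user", "logstash"})


@dataclass
class InternalUserStore:
    """In-memory stand-in for the internal users database (assumption)."""
    users: dict = field(default_factory=dict)


def create_user_unvalidated(store, username, password_hash, roles):
    """Weak version: stores whatever roles the caller sent.

    Mirrors the reported behaviour: a role that does not exist is accepted
    silently, so the account ends up bound to an undefined role.
    """
    store.users[username] = {"hash": password_hash, "roles": list(roles)}
    return store.users[username]


def create_user_validated(store, username, password_hash, roles,
                          known_roles=KNOWN_ROLES):
    """Hardened version: every requested role must exist before the user is written.

    Policy choice for this example: at least one valid role is required, so a
    user can never be created 'without assigning a valid user role'.
    """
    requested = set(roles)
    if not requested:
        raise RoleValidationError("at least one role is required")
    unknown = sorted(requested - set(known_roles))
    if unknown:
        # Fail closed: nothing is written to the store on a bad request.
        raise RoleValidationError(f"unknown role(s): {', '.join(unknown)}")
    store.users[username] = {"hash": password_hash, "roles": sorted(requested)}
    return store.users[username]


def audit_users_with_unknown_roles(store, known_roles=KNOWN_ROLES):
    """Detection helper: map each existing user to the roles it carries that are
    not in the registry. Useful for finding accounts created before the fix."""
    return {
        name: sorted(set(rec["roles"]) - set(known_roles))
        for name, rec in store.users.items()
        if set(rec["roles"]) - set(known_roles)
    }


if __name__ == "__main__":
    store = InternalUserStore()
    # Constructed requests: one through the weak path, one through the hardened one.
    create_user_unvalidated(store, "svc-report", "<hash>", ["nonexistent_role"])
    print("users with undefined roles:", audit_users_with_unknown_roles(store))
    try:
        create_user_validated(store, "analyst", "<hash>", ["readall", "nonexistent_role"])
    except RoleValidationError as exc:
        print("rejected:", exc)
    print(create_user_validated(store, "analyst", "<hash>", ["readall"]))
```

Run as a script it shows the weak path accepting an undefined role, the audit helper flagging that account, and the hardened path rejecting the same request. The audit helper is the piece to run once on an upgraded deployment: any account it reports should be reviewed or removed rather than left with an undefined role.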

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          6.2
  impact          5.0
  exploitability  6.6
  remediation     0.0
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.