Wazuh Insecure Transport Vulnerability in Provisioning Scripts and Dockerfiles Allowing Man-in-the-Middle Attacks and Remote Code Execution

Vulnerability

A vulnerability exists in Wazuh provisioning scripts and Dockerfiles, where curl is invoked with the -k/--insecure flag. That flag disables TLS certificate validation, so the build host accepts whatever certificate the download server presents, including one forged by an attacker positioned on the network path between the build host and the server. Such an attacker can intercept the HTTPS download and substitute modified dependencies or code, leading to remote code execution on the build host and, because the substituted content is baked into the resulting packages, a supply chain compromise. The vulnerability affects Wazuh versions from 4.1.3 up to, but not including, 4.14.0.

Impact

Successful exploitation allows arbitrary code execution during the package build process. Since tampered content ends up in the built artifacts, every user who installs a package produced by a compromised build is potentially affected, not only the build host itself.

Reproduction

The vulnerability can be reproduced by building a Wazuh package with the affected provisioning scripts or Dockerfiles while the build host's HTTPS traffic is routed through an attacker-controlled machine, for example via a transparent proxy or ARP spoofing on the local network. Because the build downloads its dependencies with curl -k, the certificate presented by the interposed proxy is never validated: the connection succeeds despite the untrusted certificate, and the proxy can serve arbitrary content in place of the expected files. A quicker way to confirm that a given build is affected, without staging an interception, is to search the provisioning scripts and Dockerfiles for curl invocations carrying -k or --insecure, including -k folded into a combined short-option cluster such as -fsSLk.

Remediation

Users are advised to remove the -k/--insecure flag from every curl command in the Wazuh provisioning scripts and Dockerfiles so that all downloads are made with certificate validation enabled; upgrading to 4.14.0 or later, which is outside the affected range, is the equivalent fix for packaged builds. Where a download server genuinely presents a certificate that fails validation, the correct response is to install the right CA certificate on the build host (or pass it explicitly with --cacert), not to disable validation. Verifying each downloaded artifact against a pinned checksum or signature before it is unpacked is a further defence that also covers a compromised or misdirected mirror, which TLS alone does not address.
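The following script is an added example, not code from the Wazuh project or from the original advisory. It implements the check suggested under Reproduction (find every curl call that disables certificate validation, including -k hidden in an option cluster or on a backslash-continued RUN line) and illustrates the remediation by scanning a constructed sample tree containing a vulnerable Dockerfile and shell script beside a hardened Dockerfile that keeps validation on and pins the artifact to a checksum. The file names, URLs under example.invalid and the all-zero digest are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: scanner for curl invocations that disable TLS certificate
# validation (-k / --insecure). Not part of Wazuh or the original advisory.

# find_insecure_curl DIR
#   Prints "path: <command>" for every offending curl call under DIR.
#   Backslash-continued lines are joined first, so a multi-line Dockerfile
#   RUN instruction is matched as one command rather than per physical line.
find_insecure_curl() {
    find "$1" -type f \( -name 'Dockerfile*' -o -name '*.sh' \) -print |
    while IFS= read -r f; do
        awk -v file="$f" '
            /\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }
            {
                line = buf $0; buf = ""
                # "curl", then optionally any text ending in whitespace, then
                # either --insecure or a short-option cluster containing a
                # lowercase k (curl has no other meaning for lowercase k).
                if (line ~ /curl([^#]*[ \t])?(--insecure|-[A-Za-z]*k[A-Za-z]*)([ \t]|$)/)
                    print file ": " line
            }' "$f"
    done
}

# insecure_curl_count DIR: number of offending calls; 0 means the tree is clean.
insecure_curl_count() {
    find_insecure_curl "$1" | wc -l | tr -d ' '
}

# make_sample_tree: builds a constructed sample tree (hypothetical files, not
# from Wazuh) and prints its path. vulnerable/ uses -k and --insecure;
# fixed/ keeps validation on and pins the download to a placeholder digest.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/vulnerable" "$d/fixed"
    cat > "$d/vulnerable/Dockerfile" <<'EOF'
FROM debian:bookworm
RUN curl -fsSLk https://example.invalid/deps/tool.tar.gz \
      -o /tmp/tool.tar.gz \
 && tar -xzf /tmp/tool.tar.gz -C /opt
EOF
    cat > "$d/vulnerable/provision.sh" <<'EOF'
#!/bin/sh
curl --insecure -o /tmp/deps.tar.gz https://example.invalid/deps.tar.gz
EOF
    cat > "$d/fixed/Dockerfile" <<'EOF'
FROM debian:bookworm
RUN curl -fsSL https://example.invalid/deps/tool.tar.gz -o /tmp/tool.tar.gz \
 && echo "0000000000000000000000000000000000000000000000000000000000000000  /tmp/tool.tar.gz" | sha256sum -c - \
 && tar -xzf /tmp/tool.tar.gz -C /opt
EOF
    printf '%s\n' "$d"
}

# Demo: scan the constructed tree and report what a CI gate would block.
sample=$(make_sample_tree)
echo "insecure curl calls in vulnerable/: $(insecure_curl_count "$sample/vulnerable")"
find_insecure_curl "$sample/vulnerable"
echo "insecure curl calls in fixed/: $(insecure_curl_count "$sample/fixed")"
rm -rf "$sample"
```

Running insecure_curl_count against a checkout and failing the build when it is non-zero makes a reasonable CI gate. The scanner is deliberately narrow: it does not see validation disabled through a curl config file (an insecure line in ~/.curlrc or a file passed with -K/--config), so those locations on the build image deserve a separate look.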

Added: Mar 27, 2026, 7:30 PM
Updated: Mar 27, 2026, 7:30 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 10.0
exploitability: 6.2
remediation: 7.7
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.