Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Wazuh Remote Code Execution Vulnerability via Unsafe Deserialization

Vulnerability

A remote code execution vulnerability has been identified in Wazuh servers, affecting versions 4.4.0 prior to 4.9.1. The issue arises from unsafe deserialization of DistributedAPI (DAPI) parameters, which are serialized as JSON and deserialized using the 'as_wazuh_object' method. An attacker can inject an unsanitized dictionary into a DAPI request or response, allowing them to forge an unhandled exception whose deserialization evaluates arbitrary Python code. This vulnerability can be exploited by anyone with API access or, in some cases, by a compromised agent.
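The root cause above is a deserialization hook that turns attacker-controlled JSON into live Python objects. The following is an added example, not Wazuh's code: it shows the defensive pattern for a JSON object hook that reconstructs only an allow-list of types and rejects every unknown type marker instead of evaluating anything from the payload. The '__type__' marker format, the 'DapiError' class and the 'load_dapi_json' function are assumptions constructed for this example, not Wazuh's real wire format.

```python
import json
from datetime import datetime
from typing import Any, Callable, Dict


class DapiError(Exception):
    """Stand-in for a transportable API error (constructed for this example)."""

    def __init__(self, code: int, message: str) -> None:
        super().__init__(message)
        self.code = code
        self.message = message


class UnsafePayload(ValueError):
    """Raised when a JSON object asks to be rebuilt as something not on the allow-list."""


def _build_datetime(d: Dict[str, Any]) -> datetime:
    return datetime.fromisoformat(str(d["value"]))


def _build_error(d: Dict[str, Any]) -> DapiError:
    # Fields are coerced to the expected primitive types; nothing is evaluated.
    return DapiError(int(d["code"]), str(d["message"]))


# Allow-list: the only markers that may be turned into Python objects.
# A class name, module path or expression carried in the JSON is never consulted.
SAFE_BUILDERS: Dict[str, Callable[[Dict[str, Any]], Any]] = {
    "datetime": _build_datetime,
    "dapi_error": _build_error,
}


def safe_object_hook(d: Dict[str, Any]) -> Any:
    """object_hook for json.loads: plain dicts pass through, markers are allow-listed."""
    marker = d.get("__type__")
    if marker is None:
        return d
    builder = SAFE_BUILDERS.get(marker)
    if builder is None:
        # Fail closed: an unknown marker is a malformed or hostile payload.
        raise UnsafePayload(f"refusing to reconstruct unknown type marker {marker!r}")
    try:
        return builder(d)
    except (KeyError, TypeError, ValueError) as exc:
        raise UnsafePayload(f"malformed {marker!r} object") from exc


def load_dapi_json(raw: str) -> Any:
    """Deserialize a DAPI-style JSON document using only the allow-listed builders."""
    return json.loads(raw, object_hook=safe_object_hook)
```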

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the Wazuh server.

Reproduction

The vulnerability can be reproduced by sending a 'run_as' request through the server API that includes a crafted JSON payload exploiting the deserialization flaw. If a compromised agent responds to a 'getconfig' request with a malicious JSON object, the vulnerability can also be triggered on the server that initiated the request.

Remediation

Users can upgrade to Wazuh version 4.9.1 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 10, 2025, 6:44 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 7.5
exploitability: 6.5
remediation: 7.7
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.