Wazuh Heap Buffer Overflow Vulnerability in Windows EventChannel Message Parsing

Vulnerability

A heap buffer overflow vulnerability has been identified in Wazuh versions 3.8.0 up to, but not including, 4.11.0. The issue arises in the 'wazuh-analysisd' component when it parses XML elements from Windows EventChannel messages. The defect results in an out-of-bounds read that crashes the process, producing a denial-of-service condition.

Impact

Exploitation of this vulnerability causes a segmentation fault in 'wazuh-analysisd', producing a denial-of-service condition. The AddressSanitizer report classifies the fault as a heap buffer overflow; bugs of this class can in general be leveraged for arbitrary code execution or to cause a crash, and the observed effect here is the crash.

Reproduction

The vulnerability can be reproduced by starting the 'wazuh-analysisd' service with the '-f' flag, which runs the service in the foreground. After the service is running, a crafted XML input file can be sent through the Unix domain socket used by Wazuh to queue event messages. This input triggers the heap buffer overflow, causing 'wazuh-analysisd' to crash with a segmentation fault.

Remediation

Users can upgrade to Wazuh version 4.11.0 or later, where this vulnerability has been patched.
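As an added example (not part of the advisory and not Wazuh project code), a small Python check that classifies version strings against the affected range stated above, 3.8.0 inclusive to 4.11.0 exclusive, and triages a constructed host inventory. It compares numeric tuples rather than strings, since a plain string comparison ranks "4.9.0" above "4.11.0".

```python
import re
from typing import Dict, List, Tuple

# Range taken from the advisory text: first affected release (inclusive)
# and first fixed release (exclusive).
AFFECTED_MIN = (3, 8, 0)
FIXED = (4, 11, 0)

# Accepts an optional leading 'v' and ignores any suffix after the third
# number (e.g. '-rc1'); treating pre-releases this way is an assumption.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '4.10.1' or 'v4.10.1' into (4, 10, 1); raise on malformed input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True when the version lies in [AFFECTED_MIN, FIXED)."""
    # Tuple comparison is numeric per component, so 4.9.0 < 4.11.0 holds.
    return AFFECTED_MIN <= parse_version(text) < FIXED


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a {host: version} map into affected / not_affected / unknown.

    Unparseable versions are reported separately rather than silently
    treated as safe, so they can be followed up by hand.
    """
    buckets: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            key = "affected" if is_affected(version) else "not_affected"
        except ValueError:
            key = "unknown"
        buckets[key].append(host)
    return buckets


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "siem-01": "4.7.5",      # inside the affected range
    "siem-02": "v4.11.0",    # first fixed release
    "siem-03": "3.6.1",      # predates the affected range
    "siem-04": "unknown",    # version could not be collected
}

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))
```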

Added: Sep 27, 2025, 1:18 AM
Updated: Sep 27, 2025, 1:18 AM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.