Wazuh NULL Pointer Dereference Vulnerability in Analysis Daemon

A NULL pointer dereference vulnerability has been identified in Wazuh versions through 4.10.1. The issue arises in the 'fillData()' function, which fails to verify whether the 'value' parameter is NULL before passing it to 'os_strdup()'. This flaw can be exploited by a compromised agent that sends a specially crafted message to the Wazuh manager, causing the 'analysisd' process to crash and become unavailable.

Impact

Exploitation of this vulnerability leads to a crash of the 'analysisd' process, causing it to become unavailable. This disruption can be leveraged to create a denial-of-service condition on the Wazuh manager.

Reproduction

The vulnerability can be reproduced by sending a message from a Wazuh agent to the manager that includes a 'description' field interpreted as a number rather than a string. This can be achieved by crafting the agent message payload accordingly. Once the message is received, the 'analysisd' process will crash due to the NULL pointer dereference.

Remediation

Users can upgrade to Wazuh version 4.10.2 or later to address this vulnerability.