Wazuh
cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*
- <= 4.10.1
A buffer over-read vulnerability has been identified in Wazuh versions prior to 4.10.2. The issue occurs in the 'DecodeWinevt()' function, where an incorrect index leads to accessing out-of-bounds memory. This vulnerability allows a compromised agent to read beyond the allocated buffer, potentially exposing sensitive information. The over-read is triggered while processing agent messages, particularly when the 'analysisd.debug=2' option is enabled, which facilitates the data leak.
Exploitation results in a heap-based buffer over-read: a read operation runs past the end of the allocated memory buffer. The data read this way can include sensitive information, especially when the Wazuh analysis daemon is running with debug level 2.
The vulnerability can be reproduced by sending a specially crafted message from a Wazuh agent to the Wazuh manager. This message should be designed to exploit the incorrect indexing in the 'DecodeWinevt()' function, causing a buffer over-read. The Wazuh analysis daemon must be configured with 'analysisd.debug=2' to facilitate the data leak.
Users can upgrade to Wazuh version 4.10.2 or later to address this vulnerability.
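An exposure check for the two conditions named above (a version before 4.10.2, and 'analysisd.debug=2'), added here as an example and not taken from Wazuh or from this advisory. It assumes the default manager files /var/ossec/etc/internal_options.conf and /var/ossec/etc/local_internal_options.conf, with the local file overriding, and that the operator passes in the installed version string; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: exposure check for the DecodeWinevt() over-read.
# Assumptions: key=value option files; later files override earlier ones.

# version_lt A B: succeeds when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$first" = "$1" ]
}

# analysisd_debug FILE...: print the effective analysisd.debug level.
# Unreadable files are skipped; commented-out lines do not match.
analysisd_debug() {
    level=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*analysisd\.debug[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$f" | tail -n1)
        [ -n "$v" ] && level=$v
    done
    printf '%s\n' "$level"
}

# assess VERSION FILE...: print one verdict.
#   patched            version is 4.10.2 or later
#   vulnerable         affected version, debug level below 2
#   vulnerable-debug2  affected version with analysisd.debug=2 in effect
assess() {
    ver=${1#v}; shift
    dbg=$(analysisd_debug "$@")
    if ! version_lt "$ver" "4.10.2"; then
        echo "patched"
    elif [ "$dbg" -ge 2 ]; then
        echo "vulnerable-debug2"
    else
        echo "vulnerable"
    fi
}

# Usage on a manager (paths are the assumed defaults):
#   sh check.sh 4.10.1 /var/ossec/etc/internal_options.conf \
#                      /var/ossec/etc/local_internal_options.conf
if [ $# -gt 0 ]; then assess "$@"; fi
```

A "vulnerable-debug2" verdict means both conditions from the description hold; setting the debug level back below 2 reduces the leak exposure, but only the upgrade removes the over-read.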