Wazuh Heap Use-After-Free Vulnerability in Event Logging Function

Vulnerability

A heap use-after-free vulnerability has been identified in Wazuh versions prior to 4.11.0. The issue arises in the function 'w_copy_event_for_log()', which improperly references memory that has already been freed. This vulnerability can be exploited by a compromised agent sending a crafted message to the Wazuh manager, potentially leading to corruption of application data. The vulnerability is rooted in the mishandling of memory allocation and deallocation, where 'lf->dec_timestamp' points to a location in 'lf->full_log' that has been freed, causing a crash when accessed.
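The pointer aliasing described above, as an added example (not Wazuh's source code and not part of the advisory): a simplified 'event_t' with hypothetical helper names models a timestamp pointer that borrows from the log buffer. The copy routine rebases that pointer by offset, so the copy never refers to the original's buffer after it is freed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of an event record (hypothetical, not Wazuh's struct). */
typedef struct {
    char *full_log;      /* owned heap buffer */
    char *dec_timestamp; /* may point into full_log (borrowed) or be its own allocation */
} event_t;

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

/* 1 if p points inside the NUL-terminated buffer buf (terminator included). */
static int is_interior(const char *buf, const char *p) {
    if (!buf || !p) return 0;
    uintptr_t b = (uintptr_t)buf, q = (uintptr_t)p;
    return q >= b && q <= b + strlen(buf);
}

/* Hardened copy: dst never keeps a pointer into src's buffer. */
int event_copy(event_t *dst, const event_t *src) {
    dst->full_log = src->full_log ? dup_str(src->full_log) : NULL;
    dst->dec_timestamp = NULL;
    if (src->full_log && !dst->full_log) return -1;
    if (is_interior(src->full_log, src->dec_timestamp)) {
        /* Rebase by offset; a plain pointer copy here is the dangling-alias bug. */
        dst->dec_timestamp = dst->full_log + (src->dec_timestamp - src->full_log);
    } else if (src->dec_timestamp) {
        dst->dec_timestamp = dup_str(src->dec_timestamp);
        if (!dst->dec_timestamp) { free(dst->full_log); dst->full_log = NULL; return -1; }
    }
    return 0;
}

/* Free only what the record owns: an interior dec_timestamp is not freed. */
void event_free(event_t *e) {
    if (!is_interior(e->full_log, e->dec_timestamp)) free(e->dec_timestamp);
    free(e->full_log);
    e->full_log = e->dec_timestamp = NULL;
}
```

Building code like this with AddressSanitizer ('-fsanitize=address') reports a heap-use-after-free if a copy routine keeps the original interior pointer instead of rebasing it.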

Impact

Exploitation of this vulnerability can lead to a heap-use-after-free condition, causing a crash and potentially allowing for memory corruption that could be exploited in other ways.

Reproduction

The vulnerability can be reproduced by sending a specially crafted message from a compromised Wazuh agent to the Wazuh manager. This message should be designed to trigger the use of freed memory in the event logging process, which can be done by manipulating the event data to include references to memory that has already been deallocated.

Remediation

Users can upgrade to Wazuh version 4.11.0 or later to address this vulnerability.

Added: Oct 29, 2025, 5:22 PM
Updated: Oct 29, 2025, 5:22 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 0.6
exploitability: 7.6
remediation: 7.7
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.