Wazuh NULL Pointer Dereference Vulnerability in fim_alert Function

A NULL pointer dereference vulnerability has been identified in Wazuh versions prior to 4.11.0. The issue arises in the fim_alert() function, where the return value of ctime_r is not properly checked before being passed to strdup(). This flaw can be exploited by a compromised agent that sends a specially crafted message to the Wazuh manager, causing the analysisd process to crash and become unavailable.

Impact

Exploitation of this vulnerability leads to a crash of the analysisd process, causing it to become unavailable. This disruption can be leveraged by an attacker to create a denial-of-service condition on the Wazuh manager.

Reproduction

The vulnerability can be reproduced by sending a crafted message from a Wazuh agent to the manager. The message must be designed to trigger the NULL return value from ctime_r, which occurs when the modification time exceeds the maximum value that ctime_r can handle. This can be done by manipulating the 'mtime' value in the message to create a scenario where the fim_alert() function attempts to process an invalid time, leading to a NULL pointer dereference.

Remediation

Users can upgrade to Wazuh version 4.11.0 or later to address this vulnerability.