Wazuh NULL Pointer Dereference Vulnerability in Analysis Daemon

A NULL pointer dereference vulnerability has been identified in Wazuh versions prior to 4.11.0. The issue arises in the 'fim_fetch_attributes_state()' function, where the implementation fails to verify if 'time_string' is NULL before applying 'strlen()'. This flaw can be exploited by a compromised agent that sends a specially crafted message to the Wazuh manager, leading to a crash of the 'analysisd' process and causing unavailability of the service.

Impact

Exploitation of this vulnerability causes the 'analysisd' process to crash, disrupting its availability. The vulnerability can be exploited by sending a crafted message from a compromised Wazuh agent to the manager.

Reproduction

The vulnerability can be reproduced by sending a message from a Wazuh agent that includes a specific payload designed to trigger the NULL pointer dereference. This can be done by enrolling a new agent (if agent enrollment is open) or by compromising an existing agent. Once the crafted message is sent to the Wazuh manager, the 'analysisd' process will crash, demonstrating the vulnerability.

Remediation

Users can upgrade to Wazuh version 4.11.0 or later, where this vulnerability has been fixed.