Wazuh Buffer Over-Read Vulnerability in Expression Matching Component

Vulnerability

A buffer over-read vulnerability has been identified in Wazuh versions through 4.11.2. The issue arises in the 'w_expression_match()' function, where the 'str_test' parameter is not properly NULL-terminated during allocation. This flaw allows a compromised agent to send a crafted message to the Wazuh manager, causing a read operation that exceeds the allocated buffer's end and potentially exposing sensitive information. The vulnerability is fixed in Wazuh version 4.12.0.
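The defect class described above, shown as an added example that is not Wazuh's code: a message field copied into a heap buffer without its terminator beside the fixed copy, plus a bounded matcher that cannot read past the allocation even when handed an unterminated buffer. The function names and the sample message are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the missing-terminator bug class; not Wazuh's code. */

/* Vulnerable pattern: allocates exactly len bytes and never writes '\0'.
   Any later strlen()/strstr()/regex call on buf reads past the allocation. */
static char *copy_field_unterminated(const char *src, size_t len) {
    char *buf = malloc(len);
    if (buf != NULL) memcpy(buf, src, len);
    return buf;
}

/* Fixed pattern: one extra byte, terminator written explicitly. */
static char *copy_field_terminated(const char *src, size_t len) {
    char *buf = malloc(len + 1);
    if (buf == NULL) return NULL;
    memcpy(buf, src, len);
    buf[len] = '\0';
    return buf;
}

/* Bounded check: memchr reads at most cap bytes, so it is safe on either buffer. */
static bool has_terminator(const char *buf, size_t cap) {
    return memchr(buf, '\0', cap) != NULL;
}

/* Defensive matcher: length is bounded by cap via strnlen, so a caller that
   passes an unterminated buffer cannot make it read beyond the allocation. */
static bool field_matches(const char *buf, size_t cap, const char *pattern) {
    size_t n = strnlen(buf, cap);
    size_t m = strlen(pattern);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, pattern, m) == 0) return true;
    return false;
}

/* Copies a constructed message with one of the two variants and reports
   whether a terminator exists inside the bytes that were actually allocated. */
static bool copy_is_terminated(bool use_fix) {
    const char msg[] = "syscheck:example-event";   /* constructed sample field */
    size_t len = sizeof(msg) - 1;
    char *buf = use_fix ? copy_field_terminated(msg, len)
                        : copy_field_unterminated(msg, len);
    if (buf == NULL) return false;
    bool ok = has_terminator(buf, use_fix ? len + 1 : len);
    free(buf);
    return ok;
}
```

The unterminated copy has no '\0' anywhere in its allocation, which is exactly the state a string-based matcher must never be handed; the bounded matcher shows the defensive alternative when the caller cannot be trusted to terminate.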

Impact

Exploitation of this vulnerability leads to a heap-based buffer over-read, allowing attackers to read beyond the allocated memory buffer and potentially access sensitive data. This over-read can be exploited by sending specially crafted messages from a compromised Wazuh agent to the Wazuh manager.

Reproduction

The vulnerability can be reproduced by sending a specially crafted message from a Wazuh agent to the Wazuh manager. The message must be designed to exploit the lack of proper NULL termination in the 'str_test' parameter of the 'w_expression_match()' function. This can be done by enrolling a new agent (if agent enrollment is open) or by compromising an existing agent.

Remediation

Users can upgrade to Wazuh version 4.12.0 or later to address this vulnerability.

Added: Oct 29, 2025, 5:17 PM
Updated: Oct 29, 2025, 5:17 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 2.5
exploitability: 9.5
remediation: 7.7
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.