Wazuh
cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*
- >= 3.7.0, < 4.12.0
A NULL pointer dereference vulnerability has been identified in Wazuh versions from 3.7.0 up to, but not including, 4.12.0. The issue arises in the fim_alert() function, which fails to verify whether oldsum->md5 is NULL before dereferencing it. A compromised agent can exploit this flaw by sending a specially crafted message to the Wazuh manager, causing a crash in the analysisd process. Exploitation also requires a compromised Wazuh database that returns a NULL MD5 sum, which is what triggers the crash.
Exploitation of this vulnerability leads to a crash of the analysisd process, causing a temporary denial of service on the Wazuh manager.
The vulnerability can be reproduced by sending a crafted message from a compromised Wazuh agent to the manager. This message must be designed to exploit the NULL pointer dereference in the fim_alert() function. The Wazuh database must also be compromised to return a NULL MD5 sum, enabling the exploitation of the vulnerability.
Users can upgrade to Wazuh version 4.12.0 or later, where this vulnerability has been patched.
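The missing check described above, shown as an added illustration in C. This is not Wazuh source code: the struct, both function names and the sample digests are constructed for the example, and using strcmp() as the dereference site is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a stored checksum record; not Wazuh's struct. */
struct file_sum {
    const char *md5;   /* NULL when the database row carries no MD5 sum */
    const char *sha1;
};

/* Unchecked pattern: hands oldsum->md5 straight to strcmp().
 * A NULL md5 is undefined behaviour and in practice crashes the process.
 * Shown for comparison only; it is never called below. */
int md5_changed_unchecked(const struct file_sum *oldsum,
                          const struct file_sum *newsum)
{
    return strcmp(oldsum->md5, newsum->md5) != 0;
}

/* Checked pattern: returns 1 if the digest changed, 0 if unchanged,
 * -1 if a record or digest is missing, so the caller can log and skip
 * the event instead of taking the whole daemon down. */
int md5_changed_checked(const struct file_sum *oldsum,
                        const struct file_sum *newsum)
{
    if (oldsum == NULL || newsum == NULL)
        return -1;
    if (oldsum->md5 == NULL || newsum->md5 == NULL)
        return -1;
    return strcmp(oldsum->md5, newsum->md5) != 0;
}

int main(void)
{
    /* Constructed sample records. */
    struct file_sum stored  = { "d41d8cd98f00b204e9800998ecf8427e", NULL };
    struct file_sum current = { "9e107d9d372bb6826bd81d3542a419d6", NULL };
    struct file_sum broken  = { NULL, NULL };  /* row with a NULL MD5 sum */

    printf("normal record:   %d\n", md5_changed_checked(&stored, &current));
    printf("NULL MD5 record: %d\n", md5_changed_checked(&broken, &current));
    return 0;
}
```

Returning a distinct error value for the missing digest lets the caller treat a malformed database row as a loggable data error rather than a fatal condition.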