Wazuh
cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*
- >= 4.0.0, <= 4.14.2
A remote code execution vulnerability has been identified in Wazuh versions 4.0.0 through 4.14.2. This issue arises from insecure deserialization of untrusted data, allowing an attacker with access to a compromised worker node in a cluster deployment to execute arbitrary code on the master node with root privileges. The vulnerability is located in the 'as_wazuh_object()' function within 'framework/wazuh/core/cluster/common.py', where user-controlled input is processed without proper validation, enabling unauthorized module imports and function executions.
Exploitation of this vulnerability allows for remote code execution on the Wazuh master node with root privileges, compromising the entire security monitoring infrastructure. This includes access to all security logs and sensitive data, the ability to modify alerts and security configurations, and potential disruption of monitoring services.
The vulnerability can be reproduced by deploying a Wazuh cluster with a compromised worker node. After the cluster is initialized, the 'LocalClient.execute()' method can be used to send a malicious DAPI request to the master node. This request should include a payload that exploits the deserialization vulnerability by referencing a callable function from a user-controlled module, such as 'subprocess.getoutput'. Once the payload is processed by the master, the specified command will be executed with root privileges, demonstrating the remote code execution flaw.
Users can upgrade to Wazuh version 4.14.3 or later to address this vulnerability.
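The root cause described above is a deserialization hook that resolves a module and function name supplied by the peer. The following is an added illustration, not Wazuh's own code and not the 4.14.3 fix, of the defensive pattern: a JSON object hook that resolves callable references only through a fixed allowlist, so a request naming `subprocess.getoutput` is rejected before anything is imported or called. The wire format, registry keys and functions are constructed for the example.

```python
import json
from typing import Any, Callable, Dict

# Constructed stand-ins for the operations a master node would legitimately
# expose to worker requests. Hypothetical names, not Wazuh's API.
def get_agent_summary() -> Dict[str, int]:
    return {"active": 3, "disconnected": 1}

def get_cluster_health() -> str:
    return "ok"

# The only callables a request may name. Resolution goes through this table;
# there is no import_module()/getattr() on peer-controlled strings.
ALLOWED_CALLABLES: Dict[str, Callable[..., Any]] = {
    "cluster.agent_summary": get_agent_summary,
    "cluster.health": get_cluster_health,
}

class UnsafeCallableReference(ValueError):
    """Raised when a request names a callable outside the allowlist."""

def as_safe_object(dct: Dict[str, Any]) -> Any:
    """json.loads object_hook. Constructed format: {"__callable__": "<key>"}."""
    if "__callable__" not in dct:
        return dct
    ref = dct["__callable__"]
    if not isinstance(ref, str) or ref not in ALLOWED_CALLABLES:
        raise UnsafeCallableReference(f"callable reference not permitted: {ref!r}")
    return ALLOWED_CALLABLES[ref]

def decode_request(raw: str) -> Any:
    """Decode a worker request; nested callable references are resolved or rejected."""
    return json.loads(raw, object_hook=as_safe_object)

def handle_request(raw: str) -> Any:
    """Decode, then invoke the permitted callable with the request's kwargs."""
    req = decode_request(raw)
    fn = req.get("f")
    if not callable(fn):
        raise UnsafeCallableReference("request carries no permitted callable")
    return fn(**req.get("kwargs", {}))

if __name__ == "__main__":
    # Constructed sample requests: one allowed, one naming the module/function
    # pair from the advisory, which the allowlist refuses to resolve.
    print(handle_request('{"f": {"__callable__": "cluster.agent_summary"}, "kwargs": {}}'))
    try:
        handle_request('{"f": {"__callable__": "subprocess.getoutput"}}')
    except UnsafeCallableReference as exc:
        print("rejected:", exc)
```

The key property to verify in a real code base is that every path from request bytes to a Python callable passes through a table like `ALLOWED_CALLABLES`, and that none falls back to dynamic import of a name taken from the message.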