Wazuh Privilege Escalation Vulnerability in Cluster Synchronization Protocol Allowing Root Remote Code Execution

Vulnerability

A privilege escalation vulnerability has been identified in Wazuh Manager versions from 3.9.0 up to, but not including, 4.14.3. The issue arises in the cluster synchronization protocol, where the 'wazuh-clusterd' service permits authenticated nodes to write arbitrary files to the manager's file system with the permissions of the 'wazuh' system user. Insecure default file permissions grant the 'wazuh' user write access to the main configuration file, '/var/ossec/etc/ossec.conf'. By using the cluster protocol to overwrite 'ossec.conf', an attacker can inject a malicious '<localfile>' command block. The 'wazuh-logcollector' service, which runs with root privileges, parses this configuration and executes the injected command. The vulnerability therefore allows an attacker holding cluster credentials to achieve full root remote code execution, bypassing the intended security model and violating the principle of least privilege.

Impact

Exploitation of this vulnerability leads to unauthorized modification of the Wazuh configuration file, allowing execution of arbitrary commands as the root user. This results in a complete compromise of the system.

Reproduction

To reproduce this vulnerability, an authenticated node must send a crafted 'file_upd' packet via the Wazuh Cluster Protocol (TCP port 1516) to the Wazuh Manager. The packet must include a relative file path targeting '/etc/ossec.conf', along with a payload that injects a malicious command into the configuration. Once the 'ossec.conf' file is overwritten, the 'wazuh-logcollector' service will execute the injected command as root, resulting in a root reverse shell.

Remediation

Users are advised to update Wazuh Manager to version 4.14.3 or later. Additionally, file permissions for 'ossec.conf' should be tightened to prevent write access by the 'wazuh' user or group. It is also recommended to isolate cluster write operations by modifying 'wazuh-clusterd' to enforce a strict chroot or allowlist, restricting file writes to specific non-executable data directories.
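The remediation above rests on two checkable conditions: that 'ossec.conf' is not writable by the 'wazuh' user or group, and that the file contains no '<localfile>' command block the operator did not put there. The script below is an added example written for this advisory, not code from Wazuh. It audits both conditions on a manager host. It assumes a Linux host where POSIX mode bits apply, that the configuration file has no XML declaration (so its several top-level '<ossec_config>' elements can be wrapped in a synthetic root for parsing), and it embeds a constructed sample configuration for stand-alone use; the function and file names are the example's own.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf fragment (not Wazuh's shipped default): one
# ordinary file monitor and one command-executing <localfile> block of the
# kind the advisory describes. Real ossec.conf files may contain several
# top-level <ossec_config> elements, so the file is not single-root XML.
SAMPLE_OSSEC_CONF = """\
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>
</ossec_config>
"""

# log_format values that make wazuh-logcollector run <command> as root.
COMMAND_FORMATS = {"command", "full_command"}


def parse_command_blocks(text):
    """Return (log_format, command) for every <localfile> that runs a command.

    The text is wrapped in a synthetic root so that multiple top-level
    <ossec_config> elements parse as one document (assumes no XML declaration).
    """
    root = ET.fromstring("<wrapper>" + text + "</wrapper>")
    found = []
    for localfile in root.iter("localfile"):
        fmt = (localfile.findtext("log_format") or "").strip()
        if fmt in COMMAND_FORMATS:
            found.append((fmt, (localfile.findtext("command") or "").strip()))
    return found


def check_mode(path):
    """Report the mode bits that would let a non-root user rewrite the file."""
    st = os.stat(path)
    return {
        "mode": stat.S_IMODE(st.st_mode),
        "group_writable": bool(st.st_mode & stat.S_IWGRP),
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
    }


def audit_ossec_conf(path, allowed_commands=()):
    """Combine both checks: writable bits plus command blocks not on the allowlist."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    report = check_mode(path)
    blocks = parse_command_blocks(text)
    report["command_blocks"] = blocks
    report["unexpected_commands"] = [b for b in blocks if b[1] not in allowed_commands]
    return report


def demo():
    """Write the constructed sample with group-write set and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as tmp:
        tmp.write(SAMPLE_OSSEC_CONF)
    os.chmod(tmp.name, 0o660)  # the weak setting: group 'wazuh' can write
    try:
        return audit_ossec_conf(tmp.name)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real manager, run `audit_ossec_conf("/var/ossec/etc/ossec.conf", allowed_commands=baseline)` where `baseline` holds the command blocks you know you configured; the configuration Wazuh ships already contains a few command blocks of its own, so compare against a recorded baseline rather than treating every block as hostile. A non-empty `unexpected_commands` list, or `group_writable` being true while the file's group is 'wazuh', is the condition the remediation asks you to eliminate.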

Added: Mar 17, 2026, 6:27 PM
Updated: Mar 17, 2026, 6:27 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 7.5
exploitability: 4.8
remediation: 7.9
relevance: 4.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.