Wazuh API Denial-of-Service Vulnerability in Authentication Middleware

Vulnerability

A denial-of-service vulnerability has been identified in the Wazuh API authentication middleware, affecting versions from 4.3.0 up to, but not including, 4.14.3. The issue arises because the application, which runs on an asynchronous event loop, calls a synchronous function that performs blocking disk I/O on every request carrying a Bearer token. An unauthenticated remote attacker can exploit this by flooding the API with requests containing invalid Bearer tokens. Each blocking read pauses the single-threaded event loop, so the loop stalls repeatedly on file reads, CPU usage rises, and the processing of legitimate connections is disrupted.

Impact

Exploitation of this vulnerability can lead to a significant increase in CPU usage, causing the Wazuh API to hang and to time out legitimate requests. Because the application can no longer process valid connections, the result is a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending concurrent HTTP requests to the Wazuh API with invalid Bearer tokens, for example with a Python script that uses the aiohttp library to open many connections at once. Configured with aggressive timeouts, such a script saturates the server's request queue and makes the event loop block on file reads, confirming the denial-of-service condition.

Remediation

Users can upgrade to Wazuh version 4.14.3 or later, where this vulnerability has been fixed.

Added: Mar 17, 2026, 7:20 PM
Updated: Mar 17, 2026, 7:20 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 2.5
exploitability: 9.5
remediation: 7.7
relevance: 4.0
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.