Wazuh Stack-Based Buffer Overflow Vulnerability in Database Synchronization Module Allowing Denial-of-Service and Potential Remote Code Execution

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Wazuh Database synchronization module, affecting versions from 4.4.0 up to, but not including, 4.14.3. The vulnerability arises from the SQL query construction logic, where the calculation of the remaining buffer size can underflow. This happens because the code adds the return value of 'snprintf' to its running total without checking it; when output is truncated, 'snprintf' returns the length the full output would have had, not the number of bytes actually written. When a database synchronization payload exceeds the query buffer size of 2048 bytes, the size calculation wraps around to a very large integer, effectively removing bounds checking for subsequent writes. As a result, an attacker can corrupt the stack, leading to a denial-of-service condition or potentially allowing remote code execution.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can corrupt the stack and lead to a denial-of-service condition or potentially allow remote code execution.

Reproduction

The vulnerability can be reproduced by compiling a test program that replicates the 'snprintf' loop logic used in the vulnerable Wazuh Database synchronization functions. This test program should be compiled with AddressSanitizer enabled, which will detect the stack-buffer-overflow caused by the unbounded write. The AddressSanitizer logs will confirm the successful exploitation of the vulnerability by showing the stack-buffer-overflow error, including details about the memory access that caused the overflow.
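
The size arithmetic behind this bug class, as an added example (not Wazuh's code and not the advisory's test program): naive_next_size() shows how accumulating the 'snprintf' return value makes the remaining-size argument wrap, stopping before any out-of-bounds write, and safe_append() is one hardened form. All function names, the "%s," format and the field values are assumptions; only the 2048-byte buffer size comes from the advisory.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

#define QUERY_MAX 2048  /* query buffer size stated in the advisory */

/* Naive accounting (hypothetical): adds snprintf's return value, which is the
 * length that WOULD have been written, to the offset. Returns the size argument
 * the next call would receive; the loop stops before any out-of-bounds write. */
size_t naive_next_size(const char *const *fields, size_t n) {
    char query[QUERY_MAX];
    size_t used = 0;
    for (size_t i = 0; i < n && used < sizeof(query); i++)
        used += (size_t)snprintf(query + used, sizeof(query) - used, "%s,", fields[i]);
    return sizeof(query) - used;   /* wraps once used > QUERY_MAX */
}

/* Hardened append: rejects truncation and never advances past the buffer. */
int safe_append(char *buf, size_t cap, size_t *used, const char *fmt, ...) {
    if (*used >= cap) return -1;
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(buf + *used, cap - *used, fmt, ap);
    va_end(ap);
    if (r < 0 || (size_t)r >= cap - *used) {
        buf[*used] = '\0';         /* discard the partial write */
        return -1;
    }
    *used += (size_t)r;
    return 0;
}

/* Builds a query with safe_append; returns 0 on success, -1 if it does not fit. */
int build_query(char *out, size_t cap, const char *const *fields, size_t n) {
    size_t used = 0;
    for (size_t i = 0; i < n; i++)
        if (safe_append(out, cap, &used, "%s,", fields[i]) != 0) return -1;
    return 0;
}

int main(void) {
    static char big[3000];                     /* constructed oversized field */
    for (size_t i = 0; i < sizeof(big) - 1; i++) big[i] = 'A';
    const char *fields[] = { "id", big, "checksum" };
    char q[QUERY_MAX];
    printf("naive next size: %zu\n", naive_next_size(fields, 3));
    printf("hardened result: %d\n", build_query(q, sizeof(q), fields, 3));
    return 0;
}
```

On a patched or unpatched build alike, the useful check when auditing similar code is whether every 'snprintf' return value is compared against the remaining capacity before it is added to an offset.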

Remediation

Users can upgrade to Wazuh version 4.14.3 or later to address this vulnerability.

Added: Mar 17, 2026, 7:18 PM
Updated: Mar 17, 2026, 7:18 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 7.5
exploitability: 7.4
remediation: 7.7
relevance: 4.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.