Wazuh Stack-Based Buffer Overflow Vulnerability in Security Configuration Assessment Decoder Allowing Denial-of-Service and Potential Remote Code Execution

A stack-based buffer overflow vulnerability has been identified in Wazuh versions 3.9.0 prior to 4.14.3. The issue arises in the Security Configuration Assessment (SCA) decoder within the 'wazuh-analysisd' component. The vulnerability is caused by the use of 'sprintf' with a floating-point format specifier on a fixed-size 128-byte buffer, allowing remote attackers to overflow the stack. This overflow can be triggered by a specially crafted JSON event, leading to a crash or potentially allowing remote code execution on the Wazuh manager.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can lead to a crash of the Wazuh manager or potentially allow remote code execution.

Reproduction

The vulnerability can be reproduced by sending a JSON event containing a floating-point number with a large exponent, such as '1.0e150', to the Wazuh manager. The 'wazuh-analysisd' component will process the event using the vulnerable 'sprintf' call, overflowing the stack buffer and causing a crash or allowing code execution.

Remediation

Users can upgrade to Wazuh version 4.14.3 or later to address this vulnerability.