Wazuh Heap-Based Buffer Underflow Vulnerability in Alert Processing

Vulnerability

A heap-based out-of-bounds write has been identified in Wazuh versions from 1.0.0 up to, but not including, 4.14.4. The flaw is in the 'GetAlertData' function: when the length of the parsed field is zero, subtracting one from that unsigned length wraps it to its maximum value, and the pointer arithmetic built on it wraps back around to the byte immediately before the allocated buffer, where a NUL (zero) byte is written. That single byte lands in heap metadata, or in the tail of the neighbouring chunk, rather than inside the intended buffer, so the result is heap corruption and at minimum a denial-of-service condition. The bug is triggered by getting a specially crafted alert into the alerts log file that 'wazuh-logcollector' monitors, for example from a compromised agent.

Impact

Exploiting the flaw corrupts the heap of the 'wazuh-logcollector' daemon, which in the simplest case crashes the process and stops log collection on that host. Because the primitive is a single NUL byte written at a fixed offset before the buffer, anything beyond a crash depends on the state of the heap at the moment of the write; further exploitation cannot be ruled out, but no more powerful primitive is established here.

Reproduction

To reproduce, build 'wazuh-logcollector' with AddressSanitizer (ASAN) enabled so that the out-of-bounds write is reported at the moment it happens rather than surfacing later as an unexplained crash. Start the ASAN-instrumented 'wazuh-logcollector', then append a malicious alert to the monitored alerts.log file. The alert must contain the line prefix "Integrity checksum changed for: '" followed immediately by the closing quote, i.e. the line "Integrity checksum changed for: ''", so that the quoted filename is empty. Parsing that line performs the NUL write one byte before the heap buffer, which ASAN reports as a heap-buffer-overflow located 1 byte to the left of the allocated region.
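To make the arithmetic behind the Vulnerability and Reproduction sections concrete, here is an added illustration in C. It is not Wazuh's source: the function names, the `len - 1` stand-in for the flawed index computation, and the sample alert lines are constructed for this example; only the line prefix and the empty-filename trigger come from the advisory. It shows that an empty filename makes the unsigned length-minus-one index wrap to SIZE_MAX, so that `buf + idx` addresses the byte before the allocation (the comparison is done in uintptr_t and the write itself is never performed), and sets a hardened extractor beside it that rejects an empty or unterminated filename before any arithmetic.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Line prefix from the advisory; the filename follows it up to the next quote. */
#define FILE_BEGIN "Integrity checksum changed for: '"

/* Locate the quoted filename span on an alert line.
 * Returns 0 and fills *start (first byte after the opening quote) and *len
 * (bytes up to the closing quote, 0 for "''"); -1 if the prefix or the
 * closing quote is missing. */
static int find_quoted_span(const char *line, const char **start, size_t *len)
{
    size_t plen = strlen(FILE_BEGIN);
    const char *s, *end;

    if (strncmp(line, FILE_BEGIN, plen) != 0)
        return -1;
    s = line + plen;
    end = strchr(s, '\'');
    if (end == NULL)
        return -1;
    *start = s;
    *len = (size_t)(end - s);
    return 0;
}

/* FLAWED (constructed model, not Wazuh's code): derive the index of the span's
 * last byte as len - 1 in size_t, the arithmetic a trailing-byte trim or
 * terminator placement would use.  For len == 0 this wraps to SIZE_MAX.  The
 * index is returned instead of used, so the example never performs the write. */
int flawed_last_index(const char *line, size_t *idx)
{
    const char *start;
    size_t len;

    if (find_quoted_span(line, &start, &len) != 0)
        return -1;
    *idx = len - 1;          /* unsigned underflow when the filename is empty */
    return 0;
}

/* Where would buf[idx] land for a heap buffer holding this filename?  Done in
 * uintptr_t so the wrap-around is well defined in this example; in the real
 * code the same wrap puts the NUL on the byte before the allocation. */
int flawed_index_hits_byte_before(const char *line)
{
    size_t idx;
    char *buf;
    int hit;

    if (flawed_last_index(line, &idx) != 0)
        return 0;
    buf = malloc(1);         /* stand-in for the filename allocation */
    if (buf == NULL)
        return 0;
    hit = ((uintptr_t)buf + idx) == ((uintptr_t)buf - 1);
    free(buf);
    return hit;
}

/* HARDENED: refuse empty and unterminated filenames before any arithmetic,
 * copy exactly len bytes and put the terminator at len, never at len - 1.
 * Returns a malloc'ed string, or NULL when the line is rejected. */
char *extract_filename_safe(const char *line)
{
    const char *start;
    size_t len;
    char *name;

    if (find_quoted_span(line, &start, &len) != 0 || len == 0)
        return NULL;
    name = malloc(len + 1);
    if (name == NULL)
        return NULL;
    memcpy(name, start, len);
    name[len] = '\0';
    return name;
}

/* Does the hardened parser yield exactly `expected`, or reject the line when
 * `expected` is NULL? */
int safe_parse_matches(const char *line, const char *expected)
{
    char *name = extract_filename_safe(line);
    int ok = (name == NULL) ? (expected == NULL)
                            : (expected != NULL && strcmp(name, expected) == 0);
    free(name);
    return ok;
}

int main(void)
{
    /* Constructed sample lines in the format the advisory describes. */
    const char *benign  = "Integrity checksum changed for: '/etc/passwd'";
    const char *trigger = "Integrity checksum changed for: ''";
    size_t idx;

    if (flawed_last_index(trigger, &idx) == 0)
        printf("flawed index for empty filename: %zu (SIZE_MAX: %s)\n",
               idx, idx == SIZE_MAX ? "yes" : "no");
    printf("that index addresses buf - 1: %s\n",
           flawed_index_hits_byte_before(trigger) ? "yes" : "no");
    printf("hardened parser, benign line : %s\n",
           safe_parse_matches(benign, "/etc/passwd") ? "ok" : "mismatch");
    printf("hardened parser, trigger line: %s\n",
           safe_parse_matches(trigger, NULL) ? "rejected" : "accepted");
    return 0;
}
```

Build with `cc -std=c11 -Wall -o span span.c`. If a model like this were allowed to perform the write (`name[idx] = '\0'` with the flawed index), compiling with `-fsanitize=address` would report a heap-buffer-overflow located 1 byte to the left of the region, which is the same finding the ASAN build of 'wazuh-logcollector' in the reproduction above is meant to surface.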

Remediation

Users can upgrade to Wazuh version 4.14.4 or later, where this vulnerability has been patched.

Added: Apr 29, 2026, 6:23 PM
Updated: Apr 29, 2026, 6:23 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 3.1
exploitability: 7.4
remediation: 7.7
relevance: 6.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.