Wazuh
cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*
- >= 4.0.0, < 4.14.4
A vulnerability exists in the authentication endpoint of the Wazuh server API in versions 4.0.0 and later before 4.14.4. It allows the brute-force protection on the 'POST /security/user/authenticate' endpoint to be bypassed. The login attempt limit is correctly enforced for sequential requests, but authentication requests sent concurrently are processed in parallel, so the number of failed login attempts registered before an IP address is blocked can be significantly higher than the configured limit, undermining the intended protection.
Exploitation of this vulnerability allows an attacker to exceed the maximum allowed login attempts, increasing the risk of successful password guessing attacks against API users.
The vulnerability can be reproduced by sending concurrent authentication requests to the Wazuh server API while monitoring the response statuses. This can be done using a script that automates the process, such as one written in Python that uses the 'aiohttp' library to send parallel login attempts. After the burst of concurrent requests, a subsequent request can be sent to verify if the IP has been blocked, demonstrating the bypass of the brute-force protection.
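The mechanism described above, as an added in-process Python model that is not Wazuh's code: a check-then-act attempt counter that blocks correctly for sequential requests but loses updates when failures overlap, beside a version that charges the attempt under a lock before the slow credential check. The limiter classes, the constructed source IP and the sleep that stands in for credential validation are all assumptions, not taken from the Wazuh API.

```python
import threading
import time

MAX_ATTEMPTS = 5  # failed logins allowed per source IP before it is blocked

class RacyLoginLimiter:
    """Check-then-act with no synchronisation: the counter is read before the
    slow credential check and written after it, so parallel failures that start
    inside that window all see a stale count and none of them is blocked."""
    def __init__(self):
        self.failed = {}  # source IP -> failed attempts (assumed data model)
    def attempt(self, ip, password_ok, work=0.1):
        count = self.failed.get(ip, 0)
        if count >= MAX_ATTEMPTS:
            return "blocked"
        time.sleep(work)  # stands in for password hashing / token issuing
        if password_ok:
            return "ok"
        self.failed[ip] = count + 1  # lost update: based on the stale read
        return "failed"

class AtomicLoginLimiter:
    """Charge the attempt under a lock before the slow check, so in-flight and
    finished attempts together can never exceed MAX_ATTEMPTS."""
    def __init__(self):
        self.failed, self.lock = {}, threading.Lock()
    def attempt(self, ip, password_ok, work=0.1):
        with self.lock:
            count = self.failed.get(ip, 0)
            if count >= MAX_ATTEMPTS:
                return "blocked"
            self.failed[ip] = count + 1  # reserve the slot before validating
        time.sleep(work)  # simplified: every attempt is charged, even a success
        return "ok" if password_ok else "failed"

def concurrent_failures(limiter, n=20, ip="198.51.100.7"):
    """Run n wrong-password attempts in parallel (constructed source IP) and
    return how many reached the credential check instead of being blocked."""
    results, gate = [], threading.Barrier(n)
    def worker():
        gate.wait()  # release all threads together to maximise overlap
        results.append(limiter.attempt(ip, password_ok=False))
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count("failed")
```

Sequentially both limiters block the sixth attempt; under a concurrent burst the racy one lets every request through to the credential check while the locked one stops at MAX_ATTEMPTS.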
Users can upgrade to Wazuh version 4.14.4 or later, where this vulnerability has been patched.