Wazuh
cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*
- >= 4.4.0, < 4.14.4
A path traversal vulnerability has been identified in Wazuh versions 4.4.0 prior to 4.14.4. This vulnerability exists in the cluster synchronization extraction routine, where an authenticated cluster peer can write arbitrary files outside the intended extraction directory on other cluster nodes. The issue arises because the 'decompress_files()' function in 'cluster.py' does not validate the member paths of the received archive before writing them, so both relative traversal sequences and absolute paths escape the extraction directory. Exploitation can lead to code execution in the context of the Wazuh service by overwriting Python modules used by Wazuh components. In environments where the cluster daemon runs with elevated privileges, this could result in a system-level compromise.
Exploitation of this vulnerability allows arbitrary file writes to any location writable by the Wazuh user. It can also lead to a Wazuh-context compromise by overwriting Python modules in the Wazuh 'wodles' directory, which are executed by the Wazuh modules daemon. In Docker deployments where the Wazuh cluster daemon runs as root, the same write primitive could result in a full system compromise.
To reproduce this vulnerability, an authenticated cluster peer submits a crafted ZIP archive to a Wazuh manager node whose member names contain traversal payloads, that is, relative parent-directory components or absolute paths that point at arbitrary locations on the file system such as a cron directory or the Wazuh 'wodles' directory. Once the archive is processed by the Wazuh cluster synchronization routine, the members are written to those locations instead of the extraction directory, demonstrating the path traversal.
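The following is an added example, not Wazuh's code and not a reproduction of the real 'decompress_files()' routine; it is a self-contained Python illustration of the bug class described above and of the check that closes it. It builds a constructed in-memory archive with one legitimate member and two traversal members (one relative, one absolute), reports where an extractor that trusts member names would place each member (computed with os.path.join and realpath only, nothing is written there), and then extracts the archive with a hardened routine that rejects any member whose resolved path falls outside the destination directory. The member names, directory layout and helper names are assumptions chosen for the illustration.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archive (hypothetical member names, not a captured
# cluster sync payload): one legitimate member plus a relative and an
# absolute traversal member.
SAMPLE_MEMBERS = {
    "wodles/sync_ok.py": b"print('legitimate module')\n",
    "../../../../etc/cron.d/evil": b"* * * * * root /bin/sh /tmp/x\n",
    "/tmp/absolute.py": b"print('absolute path member')\n",
}


def build_archive(members=SAMPLE_MEMBERS):
    """Return ZIP bytes whose member names are stored exactly as given.

    zipfile.writestr() does not normalise names, so '..' components and a
    leading '/' survive into the archive just as an attacker would store them.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def resolve_target(dest, member_name):
    """Where an extractor that trusts member names would write this member.

    os.path.join() discards `dest` when member_name is absolute, and '..'
    components walk out of it; realpath() shows the final location.
    """
    return os.path.realpath(os.path.join(dest, member_name))


def is_within(dest, member_name):
    """True only if the member resolves to a path inside `dest`.

    Absolute names are rejected outright; everything else is resolved through
    realpath() (so '..' and any symlinks already present under dest are
    honoured) and must have `dest` as its common prefix.
    """
    if os.path.isabs(member_name):
        return False
    dest_real = os.path.realpath(dest)
    target = resolve_target(dest, member_name)
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_decompress(archive, dest):
    """Hardened extraction: write only members that stay under `dest`.

    Returns (extracted, rejected) member-name lists. Members are written by
    hand rather than via ZipFile.extractall() to mirror a custom routine.
    """
    extracted, rejected = [], []
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_within(dest_real, name):
                rejected.append(name)
                continue
            target = os.path.join(dest_real, name)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def run_demo():
    """Extract the sample archive into a scratch directory and report."""
    archive = build_archive()
    with tempfile.TemporaryDirectory() as dest:
        # Where each member would land if its name were trusted (not written).
        naive_targets = {m: resolve_target(dest, m) for m in SAMPLE_MEMBERS}
        escapes = sorted(m for m in SAMPLE_MEMBERS if not is_within(dest, m))
        extracted, rejected = safe_decompress(archive, dest)
        on_disk = sorted(
            os.path.relpath(os.path.join(root, f), dest)
            for root, _dirs, files in os.walk(dest)
            for f in files
        )
    return {
        "naive_targets": naive_targets,
        "escapes": escapes,
        "extracted": extracted,
        "rejected": sorted(rejected),
        "on_disk": on_disk,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The check is deliberately done on the resolved path rather than by string-matching '..', because an absolute member name contains no '..' at all and os.path.join silently drops the destination prefix for it; rejecting absolute names and comparing the realpath prefix covers both cases. Note that Python's own ZipFile.extractall() already strips leading separators and '..' components, which is why the vulnerable pattern only appears in routines that build target paths by hand.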
Users can upgrade to Wazuh version 4.14.4 or later, where this vulnerability has been patched.