Wazuh Heap-Based Out-of-Bounds Write Vulnerability in OS Identification Parsing

Vulnerability

A heap-based out-of-bounds write vulnerability has been identified in Wazuh versions 4.0.0 prior to 4.14.4. The issue lies in the 'parse_uname_string' function in 'remoted_op.c', which processes operating system identification data received from agents. The function writes to index 'strlen(ptr) - 1' without first checking whether the string is empty. For an empty string, 'strlen(ptr)' is 0 and the subtraction underflows the unsigned 'size_t' value, wrapping it to 'SIZE_MAX', so the write lands one byte before the allocated buffer and corrupts heap metadata. Such corruption can be leveraged by manipulating subsequent heap operations.
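The following C snippet is an added illustration of the arithmetic behind this bug and of the bounds check that closes it; it is not code from Wazuh. The purpose of the write (stripping a trailing character from an agent-supplied field by placing a null terminator at 'strlen(ptr) - 1') is an assumption, as are the function names and the sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Index that an unchecked "strlen(ptr) - 1" evaluates to.
 * For an empty string strlen() is 0, and 0 - 1 on a size_t wraps to
 * SIZE_MAX, so a following ptr[index] = '\0' would land at ptr[-1],
 * one byte before the allocation (heap metadata on most allocators).
 * Only the index is computed here; no write is performed. */
size_t unchecked_last_index(const char *ptr) {
    return strlen(ptr) - 1;
}

/* Hardened form of the assumed trailing-character strip: the write
 * happens only when the string is non-empty, so len - 1 cannot wrap.
 * Returns 1 when a character was removed, 0 when nothing was done. */
int strip_last_char_checked(char *ptr) {
    size_t len = strlen(ptr);
    if (len == 0) {
        return 0;   /* empty field: nothing to strip, no out-of-bounds index */
    }
    ptr[len - 1] = '\0';
    return 1;
}

int main(void) {
    /* Constructed sample inputs: a uname-like field and an empty field. */
    char normal[] = "Linux |host|5.15.0 /";
    char empty[] = "";

    printf("unchecked index for empty string: %zu (SIZE_MAX is %zu)\n",
           unchecked_last_index(empty), (size_t)SIZE_MAX);
    printf("checked strip on normal field -> %d, now \"%s\"\n",
           strip_last_char_checked(normal), normal);
    printf("checked strip on empty field  -> %d (no write performed)\n",
           strip_last_char_checked(empty));
    return 0;
}
```

An empty field is exactly the case a parser receiving untrusted agent data must expect, so the length check belongs before every such index computation, not after.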

Impact

Exploitation of this vulnerability causes a heap-buffer overflow in which a null byte is written immediately before the allocated buffer, corrupting heap metadata. This corruption can disrupt the allocator's memory management and potentially enable further exploitation. It also causes a denial-of-service condition by crashing the Wazuh manager's 'remoted' or 'analysisd' components, which handle agent communications and event processing respectively.

Reproduction

The vulnerability can be reproduced by sending crafted OS identification data from a Wazuh agent to the manager, for example by simulating a compromised agent that sends encrypted keep-alive messages containing malformed uname strings. The Wazuh manager must be built with AddressSanitizer enabled for the heap-buffer overflow to be detected and reported rather than silently corrupting the heap.

Remediation

Users can upgrade to Wazuh version 4.14.4 or later, where this vulnerability has been patched.

Added: Apr 29, 2026, 7:25 PM
Updated: Apr 29, 2026, 7:25 PM

Vulnerability Rating

Custom Algorithm

spread:         6.2
impact:         3.1
exploitability: 8.0
remediation:    7.7
relevance:      7.0
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined to calculate the overall risk score.