Wazuh is a free and open source platform used for threat prevention, detection, and response. There is a buffer overflow hazard in wazuh-analysisd when handling Unicode characters from Windows Eventchannel messages. It impacts Wazuh Manager 3.8.0 and above. This vulnerability is fixed in Wazuh Manager 4.7.2.
An attacker can deliver crafted Windows Eventchannel messages containing Unicode characters that are incorrectly handled by the wazuh-analysisd component. As a result, a heap-based buffer overflow occurs (CWE-122, CWE-787) — data is written beyond the boundaries of the allocated buffer on the heap. The vulnerability is remotely accessible without requiring authentication or user interaction, making it particularly dangerous.
Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code remotely (RCE) on the Wazuh Manager server, and consequently achieve full system takeover, including violation of data confidentiality, integrity, and availability.
Wazuh Manager should be updated to version 4.7.2, in which the vulnerability has been fixed. Detailed information is available in the official security advisory from the vendor at the address indicated in the references.
Wazuh Manager in versions 3.8.0 through 4.7.1 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HWazuh
APPWazuh3.8.0 – 4.7.2 (bez)
Related vulnerabilities
Wazuh: RCE przez niebezpieczną deserializację w DistributedAPI
Path Traversal w Wazuh umożliwiający RCE poprzez synchronizację klastra
RCE przez Deserialization w Wazuh — podatność klastra master/worker
Wazuh: privilege escalation do root przez cluster protocol (RCE)
Wazuh Agent (Windows): wyciek hash NetNTLMv2 umożliwiający RCE i privilege escalation