CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Wazuh Manager authd service in wazuh-manager packages through version 4.7.3 contains an improper restriction of client-initiated SSL/TLS renegotiation vulnerability that allows remote attackers to cause a denial of service by sending excessive renegotiation requests. Attackers can exploit the lack of renegotiation limits to consume CPU resources and render the authd service unavailable.
Analysis
Wazuh Manager authd service through version 4.7.3 fails to restrict client-initiated SSL/TLS renegotiation, allowing unauthenticated remote attackers to trigger repeated renegotiations that consume CPU and cause a denial of service. The vulnerability affects the authentication daemon in every Wazuh Manager deployment running a vulnerable version and requires no authentication and minimal attack complexity, as the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) records. Its availability impact is rated Low (VA:L, SA:L): the effect is confined to authd, the enrollment service, so new agents cannot register while the attack runs, but already-enrolled agents keep reporting to the manager through remoted, which authd does not handle.
Technical Context
The vulnerability resides in the Wazuh Manager's authd (authentication daemon), the service that accepts TLS connections from agents for enrollment (by default on TCP port 1515; established agent traffic goes to remoted on TCP 1514 and never touches authd). The root cause is recorded as CWE-276 (Incorrect Default Permissions), a classification that does not describe the behaviour actually reported, which is an improper restriction of client-initiated SSL/TLS renegotiation, i.e. uncontrolled resource consumption. Renegotiation is a legitimate feature of TLS 1.2 and earlier: either party may start a new handshake inside an established connection (the client by sending a fresh ClientHello, carrying the RFC 5746 renegotiation_info extension on modern stacks; the server by sending HelloRequest) so that keys or cipher suites can be refreshed. TLS 1.3 removed renegotiation entirely, so the attack only applies to connections negotiated at TLS 1.2 or below. The handshake is asymmetric in cost: the server performs the expensive private-key operation (an RSA decryption or signature, or an ECDHE key generation and signature) while the client's share is cheap, so a client that renegotiates in a tight loop over one connection, or a handful of connections, forces the server to burn far more CPU than the attacker spends. A server that neither refuses client-initiated renegotiation (OpenSSL exposes this as the SSL_OP_NO_RENEGOTIATION option) nor caps the number of handshakes per connection or per source has no defence against this. The affected product (cpe:2.3:a:wazuh:wazuh-manager) ran authd's TLS stack without such safeguards, allowing a single unauthenticated source to exhaust authd's CPU and prevent legitimate agents from enrolling.
Affected Products
Wazuh Manager is affected in all versions through 4.7.3 (wazuh-manager packages, CPE cpe:2.3:a:wazuh:wazuh-manager). No lower bound is given in the available intelligence, so earlier major versions should be treated as vulnerable until shown otherwise. The vendor security advisory is located at https://github.com/wazuh/wazuh/security/advisories/GHSA-rr83-v9v7-jjhp and is cross-referenced via VulnCheck at https://www.vulncheck.com/advisories/ssl-tls-renegotiation-dos-in-wazuh-manager-authd-service.
Remediation
Upgrade Wazuh Manager to a release later than 4.7.3 as indicated by the vendor security advisory (https://github.com/wazuh/wazuh/security/advisories/GHSA-rr83-v9v7-jjhp); consult the advisory for the exact patched version number. Until patching is feasible, reduce exposure rather than rely on application-layer controls: authd is only needed while agents enroll, so disable it outside enrollment windows (the <auth><disabled>yes</disabled> setting in ossec.conf; agents that depend on automatic re-enrollment will fail to register while it is off), restrict TCP port 1515 with firewall rules to the subnets agents enroll from, and rate-limit new connections to 1515 per source IP at the firewall. Enabling the enrollment password (use_password) does not help, because renegotiation is abused before any application-level authentication takes place. If authd sits behind a TLS-terminating proxy, confirm that the proxy refuses client-initiated renegotiation (OpenSSL-based servers do this with SSL_OP_NO_RENEGOTIATION, and several proxies reject client renegotiation by default); a plain TCP load balancer that passes the TLS session through unchanged provides no protection, since the renegotiation happens inside the encrypted stream. A web application firewall is not applicable either: authd speaks a TLS-wrapped enrollment protocol, not HTTP, so for exposure to untrusted networks the relevant control is network-layer connection rate limiting or DDoS scrubbing. Monitor the authd process for sustained high CPU and for bursts of handshakes from a single source as an early indicator of a renegotiation-based attack.
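The two controls named above, refusing client-initiated renegotiation at the TLS library level (Technical Context, Remediation) and capping handshakes per connection and per source IP (Technical Context), as an added example. This is not Wazuh's code and not how authd is patched; it uses Python's ssl module purely to show what the OpenSSL option looks like when set, and a small guard class for stacks that cannot turn renegotiation off. The names RenegotiationGuard and handshake_started, the thresholds, and the sample addresses are this example's own.

```python
"""Added example (not Wazuh code): two defences against client-initiated
TLS renegotiation floods.

1. hardened_server_context(): a server SSLContext that carries OpenSSL's
   SSL_OP_NO_RENEGOTIATION (ssl.OP_NO_RENEGOTIATION in Python) and floors the
   protocol at TLS 1.2.
2. RenegotiationGuard: an application-level cap on handshakes per connection
   and per source IP, for a TLS stack without such an option. The class,
   method names and sample IPs are invented for this example.
"""
import ssl
import time
from collections import defaultdict, deque

# False on Python builds against OpenSSL older than 1.1.0h, where the option did not exist.
NO_RENEGOTIATION_SUPPORTED = hasattr(ssl, "OP_NO_RENEGOTIATION")


def hardened_server_context(minimum_version=ssl.TLSVersion.TLSv1_2):
    """Server context that will not honour a client's renegotiation request.

    TLS 1.3 has no renegotiation, so passing TLSVersion.TLSv1_3 removes the
    attack surface entirely at the cost of dropping TLS 1.2-only clients; with
    TLS 1.2 still allowed the OpenSSL option does the work.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum_version
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return ctx


def refuses_renegotiation(ctx):
    """True if the context carries SSL_OP_NO_RENEGOTIATION."""
    flag = getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return bool(flag) and bool(ctx.options & flag)


class RenegotiationGuard:
    """Decide whether a handshake (initial or renegotiation) may proceed.

    per_conn_max: handshakes allowed on one connection; 1 means the initial
                  handshake only, so any renegotiation aborts the connection.
    per_ip_max:   handshakes allowed from one source IP within `window`
                  seconds, which also catches an attacker who reconnects
                  instead of renegotiating.
    clock:        injectable for testing; defaults to time.monotonic.
    """

    def __init__(self, per_conn_max=1, per_ip_max=20, window=60.0, clock=time.monotonic):
        self.per_conn_max = per_conn_max
        self.per_ip_max = per_ip_max
        self.window = window
        self._clock = clock
        self._conn_counts = defaultdict(int)
        self._ip_events = defaultdict(deque)

    def handshake_started(self, conn_id, src_ip):
        """Call at the start of every handshake on a connection.

        Returns 'allow', 'abort_connection' (per-connection cap exceeded) or
        'throttle_ip' (per-source budget exceeded). Every attempt, refused or
        not, is charged to the source IP's budget.
        """
        now = self._clock()
        events = self._ip_events[src_ip]
        events.append(now)
        while events and now - events[0] > self.window:
            events.popleft()

        self._conn_counts[conn_id] += 1
        if self._conn_counts[conn_id] > self.per_conn_max:
            return "abort_connection"
        if len(events) > self.per_ip_max:
            return "throttle_ip"
        return "allow"

    def connection_closed(self, conn_id):
        """Forget per-connection state; per-IP history expires with the window."""
        self._conn_counts.pop(conn_id, None)


if __name__ == "__main__":
    # Constructed scenario: one legitimate agent enrolls once; one source
    # renegotiates in a loop on a single connection, then falls back to
    # opening new connections. Addresses are documentation ranges.
    fake_now = [0.0]
    guard = RenegotiationGuard(per_conn_max=1, per_ip_max=5, clock=lambda: fake_now[0])
    print("agent   ", guard.handshake_started("agent-conn", "10.0.0.20"))
    for _ in range(3):
        print("attacker", guard.handshake_started("atk-conn-1", "198.51.100.7"))
    for i in range(6):
        fake_now[0] += 1.0
        print("attacker", guard.handshake_started(f"atk-conn-{i + 2}", "198.51.100.7"))
```

In an OpenSSL-based server such as authd the per-connection count would be driven from the info callback (SSL_CTX_set_info_callback, reacting to SSL_CB_HANDSHAKE_START) and the connection torn down when handshake_started returns anything but 'allow'; the per-IP budget is the same logic a firewall connection-rate rule applies one layer down.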
EUVD-2025-209102
GHSA-36r3-mw6j-7ffc