Wazuh

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, multiple heap-based out-of-bounds WRITE vulnerabilities exist in parse_uname_string() (remoted_op.c). This function processes OS identification data from agents and contains a dangerous code pattern that appears in 4 locations within the same function: writing to strlen(ptr) - 1 without checking for empty strings. When the string is empty, strlen() returns 0, and 0 - 1 wraps to SIZE_MAX due to unsigned integer underflow. Due to pointer arithmetic wrapping, SIZE_MAX effectively becomes -1, causing a write exactly 1 byte before the allocated buffer. This corrupts heap metadata (e.g., the chunk size field in glibc malloc), leading to heap corruption. This issue has been patched in version 4.14.4.

Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. Writing to sensitive locations such as cron directories or Python module paths leads to remote code execution. CVSS 9.0 Critical (network-accessible, high privilege required, scope changed). Patch available in v4.14.4; no active exploitation identified.

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.8.0 to before version 4.14.4, a stack-based buffer overflow exists in print_hex_string() in wazuh-remoted. The bug is triggered when formatting attacker-controlled bytes using sprintf(dst_buf + 2*i, "%.2x", src_buf[i]) on platforms where char is treated as signed and the compiled code sign-extends bytes before the variadic call. For input bytes such as 0xFF, the formatting can emit "ffffffff" (8 chars) instead of "ff" (2 chars), causing an out-of-bounds write past a fixed 2049-byte stack buffer. The vulnerable path is reachable remotely prior to any agent authentication/registration logic via TCP/1514 when an oversized length prefix causes the “unexpected message (hex)” diagnostic path to run. Additionally, the same unauthenticated oversized-message diagnostic path logs an attacker-controlled hex dump to /var/ossec/logs/ossec.log for each trigger, allowing remote log amplification that can degrade monitoring fidelity and consume disk/I/O. This log amplification is reachable even without triggering the sign-extension overflow (e.g., using bytes < 0x80). This issue has been patched in version 4.14.4.

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's server API brute-force protection for POST /security/user/authenticate can be bypassed by sending concurrent authentication requests. Although the configured threshold (max_login_attempts, default 50) is enforced correctly for sequential requests, a parallel burst allows significantly more failed login attempts to be processed before the IP block is applied. This enables an attacker to perform more password guesses than the configured policy intends (e.g., 100 attempts processed where 50 should be allowed). This issue has been patched in version 4.14.4.

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 1.0.0 to before version 4.14.4, a heap-based out-of-bounds WRITE occurs in GetAlertData, resulting in writing a NULL byte exactly 1 byte before the start of the buffer allocated by strdup. Due to unsigned integer underflow and pointer arithmetic wrapping, the write lands at offset -1 from the buffer, corrupting heap metadata. A malicious actor can potentially leverage this issue through a compromised agent to cause denial of service or heap corruption by injecting a specially crafted alert into the alerts log file monitored by wazuh-logcollector. This issue has been patched in version 4.14.4.

Wazuh Manager authd service through version 4.7.3 fails to properly restrict client-initiated SSL/TLS renegotiation, enabling remote attackers to trigger denial of service by flooding the service with excessive renegotiation requests that exhaust CPU resources and render the authentication daemon unavailable. The vulnerability affects all Wazuh Manager installations up to and including version 4.7.3, requires no authentication or user interaction, and can be exploited over the network by any remote actor. No public exploit code or active exploitation has been confirmed at this time, though the straightforward nature of renegotiation-based DoS attacks and moderate CVSS score of 6.9 indicate practical exploitability.

Wazuh authd daemon contains a heap-buffer overflow vulnerability (CWE-125) triggered by specially crafted input from authenticated remote users, causing memory corruption and denial of service to the authentication daemon. The vulnerability affects all versions of Wazuh (CPE: cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*) and requires authenticated network access to exploit; no public exploit code or active exploitation has been confirmed at this time.

Stack-based buffer overflow in Wazuh manager versions 3.9.0 through 4.14.3 allows remote attackers with high privileges to crash the `wazuh-analysisd` service via malformed JSON events, resulting in denial of service. The vulnerability stems from unsafe use of sprintf with floating-point format specifiers in the Security Configuration Assessment decoder, and may potentially enable remote code execution on affected Wazuh installations.

Stack-based buffer overflow in Wazuh 4.4.0 through 4.14.2 allows authenticated remote attackers with high privileges to trigger an integer underflow in the database synchronization module, causing denial of service or potential code execution. The vulnerability exists in SQL query construction logic within wdb_delta_event.c where improper size calculations on buffers exceeding 2048 bytes can corrupt the stack. A patch is available in version 4.14.3.

Denial of service in Wazuh 4.3.0 through 4.14.2 allows unauthenticated attackers to exhaust API resources by sending crafted Bearer token requests that trigger blocking disk I/O operations in the authentication middleware, preventing the single-threaded event loop from processing legitimate connections. The vulnerability exists because synchronous file operations are called on every API request without proper resource constraints, enabling attackers to starve the application of CPU availability with relatively low request volumes. No patch is currently available.

Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauthenticated root code execution by exploiting insecure file permissions in the cluster synchronization protocol. An attacker with cluster node access can overwrite the manager's configuration file to inject malicious commands that are subsequently executed with root privileges by the logcollector service. This vulnerability affects multi-node Wazuh deployments and has no available patch.

A critical deserialization vulnerability in Wazuh's cluster mode allows attackers with access to any worker node to achieve remote code execution with root privileges on the master node. The vulnerability affects Wazuh versions 4.0.0 through 4.14.2 and poses severe risk to organizations using Wazuh in distributed deployments, as compromise of any single worker node can lead to full cluster takeover. While no active exploitation has been reported (not in KEV), proof-of-concept materials are publicly available via the Google Drive link in the advisory.

Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated low severity (CVSS 1.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. Public exploit code available.

Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CVE-2024-1243 is an improper input validation vulnerability in Wazuh agent for Windows (versions prior to 4.8.0) that allows attackers with control over the Wazuh server or possession of agent keys to redirect agents to malicious UNC paths, resulting in NetNTLMv2 hash leakage. The leaked hash can be relayed for remote code execution or abused for privilege escalation to SYSTEM level via AD CS certificate forging. This vulnerability represents a critical supply-chain/credential-leakage risk for Windows environments using Wazuh, though exploitation requires elevated privileges (high PR requirement) and knowledge of agent keys or server compromise.

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI that allows remote code execution on Wazuh management servers.

Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.