CVE-2024-32038 ‒ Heap-based Buffer Overflow in Event Decoder
Description
Wazuh is an “Open Source Security Platform” that provides agent-based security monitoring for Unix and Windows clients. This vulnerability is a heap-based buffer overflow in the event decoder of the “Analysis Engine”, a component of the management server. It could allow unauthenticated attackers to execute arbitrary commands on the Wazuh management server.
Vulnerability
The specific flaw existed within the Analysis Engine service, which listens on TCP port 1514 by default.
Whenever the analysis engine receives a Windows event from an agent, it invokes the Windows event decoder (winevent). If the event message contains unprintable characters, the decoder escapes each of them with the escape sequence \u00.
```c
returned_event = cJSON_PrintUnformatted(final_event);  /* escaped JSON string, heap-allocated */
if (returned_event) {
    /* The capacity of lf->full_log is never checked against the length of
     * returned_event: both the terminator write and the memcpy run past the
     * end of the heap buffer when the escaped event is longer than full_log. */
    lf->full_log[strlen(returned_event)] = '\0';
    memcpy(lf->full_log, returned_event, strlen(returned_event));
} else {
    lf->full_log = NULL;
}
```
If the escaped string returned_event exceeded the size of the heap buffer lf->full_log, then copying it there would overflow the buffer.
The sender can control both the content and size of the overflowing buffer.
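The following is an added illustration, not Wazuh's code or the vendor's fix. It models the size growth that JSON escaping introduces (a control byte becomes the 6-byte escape \u00XX, which is what the \u00 prefix above refers to; the exact escaping rules of cJSON are assumed here, not taken from the advisory) and shows the bounded counterpart of the copy above: the destination capacity is checked before the terminator and the payload are written, so an event whose escaped form does not fit is rejected instead of overrunning full_log. The function names and buffer sizes are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Worst-case length model for the escaped event (assumed escaping rules):
 * control bytes (< 0x20) become the 6-byte escape \u00XX, '"' and '\'
 * become 2 bytes, every other byte is copied unchanged. The escaped form
 * is therefore up to six times longer than the raw event. */
size_t escaped_length(const unsigned char *raw, size_t raw_len) {
    size_t out = 0;
    for (size_t i = 0; i < raw_len; i++) {
        unsigned char c = raw[i];
        if (c < 0x20)                     out += 6;   /* \u00XX */
        else if (c == '"' || c == '\\')   out += 2;   /* \" or \\ */
        else                              out += 1;
    }
    return out;
}

/* Bounded escape: computes the required size first and refuses to write
 * anything if the escaped form plus its terminator would not fit in dst_cap.
 * Returns the escaped length on success, -1 when there is not enough room. */
long escape_event(const unsigned char *raw, size_t raw_len,
                  char *dst, size_t dst_cap) {
    size_t need = escaped_length(raw, raw_len);
    if (dst == NULL || need + 1 > dst_cap)
        return -1;
    size_t pos = 0;
    for (size_t i = 0; i < raw_len; i++) {
        unsigned char c = raw[i];
        if (c < 0x20) {
            snprintf(dst + pos, dst_cap - pos, "\\u%04x", c);
            pos += 6;
        } else if (c == '"' || c == '\\') {
            dst[pos++] = '\\';
            dst[pos++] = (char)c;
        } else {
            dst[pos++] = (char)c;
        }
    }
    dst[pos] = '\0';
    return (long)pos;
}

/* Hardened form of the copy in the advisory: the capacity of full_log is
 * consulted before the terminator and the bytes are written. Returns 0 on
 * success and -1 if the escaped event would overflow the buffer. */
int store_full_log(char *full_log, size_t full_log_cap, const char *escaped) {
    size_t len = strlen(escaped);
    if (full_log == NULL || len + 1 > full_log_cap)
        return -1;                      /* would overflow: reject the event */
    memcpy(full_log, escaped, len);
    full_log[len] = '\0';
    return 0;
}

int main(void) {
    /* Constructed sample event: a printable byte, a control byte, a printable byte. */
    const unsigned char raw[] = { 'a', 0x01, 'b' };
    char full_log[16];                  /* hypothetical destination capacity */
    char tiny[8];

    printf("raw length %zu, escaped length %zu\n",
           sizeof raw, escaped_length(raw, sizeof raw));
    if (escape_event(raw, sizeof raw, full_log, sizeof full_log) >= 0)
        printf("escaped into 16-byte buffer: %s\n", full_log);
    if (escape_event(raw, sizeof raw, tiny, sizeof tiny) < 0)
        printf("rejected: escaped event does not fit in 8-byte buffer\n");
    return 0;
}
```

The point of the check is that it runs on the escaped length, not on the raw event length the agent sent: sizing full_log from the incoming packet alone still leaves the expansion caused by escaping unaccounted for.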
By default, new agents can enrol themselves, which requires neither authentication nor acceptance by an administrator. This allows an unauthenticated attacker to register a malicious agent and send malicious event packets.
Mitigations
- Update Wazuh (patched version: 4.7.2)
- Apply additional security options
Additional Details
Timeline
| Date | Action |
|---|---|
| 23.10.2023 | Vulnerability reported to ZDI |
| 21.11.2023 | Vulnerability accepted by ZDI |
| 28.11.2023 | Vulnerability reported to vendor |
| 25.04.2024 | Coordinated public release of advisory |
| 01.07.2024 | Advisory updated |