Severe Wazuh Flaw Allows Critical Security Breaches

Severe Wazuh Flaw Allows Critical Security Breaches

Posted on By CWS

A newly identified vulnerability in Wazuh Manager poses a serious risk to security systems, allowing potential attackers to alter alerts, erase forensic data, and compromise SIEM data integrity across various environments.

The flaw has been assigned a maximum CVSS score of 10.0, indicating its critical nature and the simplicity with which it can be exploited.

Vulnerability Details

The issue affects Wazuh Manager version 5.0.0-beta1 and is attributed to an NDJSON injection flaw within the recently added inventory_sync subsystem.

Attackers can exploit this vulnerability by injecting arbitrary OpenSearch bulk operations using the DataValue.index field, a result of improper input handling and lack of sanitization.

Potential Impact and Exploitation

Wazuh Manager processes data from agents and forwards it to the OpenSearch _bulk API. However, unlike other fields such as _id, the _index field lacks proper validation, allowing attackers to introduce unauthorized operations like delete, index, or update into the request payload.

By embedding crafted payloads, attackers can execute unauthorized actions under Wazuh’s default high-privilege indexer credentials.

The exploitation requires no authentication due to insecure default configurations in wazuh-authd, facilitating anonymous agent enrollment.

Mitigation and Recommendations

Researchers successfully demonstrated a complete exploit using standard Wazuh channels, proving the deletion of targeted records from the backend.

The core issue relates to inadequate input validation and improper neutralization of special characters within the DataValue.index field.

To mitigate this risk, it’s recommended to strictly validate index names according to OpenSearch standards, escape all user-controlled inputs, and avoid using admin-level roles for indexing operations.

The vulnerability was rectified in Wazuh version 5.0.0-beta3, and users are urged to upgrade promptly to secure their systems.

This flaw poses a severe threat to organizations relying on Wazuh for threat detection by enabling covert data tampering and evidence removal, potentially allowing attackers to bypass security monitoring undetected.

Organizations must prioritize patching affected systems and review logs for any signs of unauthorized data modifications to ensure robust security.

Cyber Security News Tags:, , , , , , , , , , , , , ,

Related Posts

Malicious PyPI AI Tool Steals Data via Trojanized Proxy Malicious PyPI AI Tool Steals Data via Trojanized Proxy Cyber Security News
New Phishing Attack Mimic as Income Tax Department of India Delivers AsyncRAT New Phishing Attack Mimic as Income Tax Department of India Delivers AsyncRAT Cyber Security News
Canada Police Dismantles TradeOgre Platform That Stolen 56 Million Dollars in Cryptocurrency Canada Police Dismantles TradeOgre Platform That Stolen 56 Million Dollars in Cryptocurrency Cyber Security News
New MacSync Stealer Malware Attacking macOS Users Using Digitally Signed Apps New MacSync Stealer Malware Attacking macOS Users Using Digitally Signed Apps Cyber Security News
Windows Rust-based Kernel GDI Vulnerability Leads to Crash and Blue Screen of Death Error Windows Rust-based Kernel GDI Vulnerability Leads to Crash and Blue Screen of Death Error Cyber Security News
ShinyHunters Claims Data Theft from 200+ Companies via Salesforce Gainsight Breach ShinyHunters Claims Data Theft from 200+ Companies via Salesforce Gainsight Breach Cyber Security News