A severe remote code execution (RCE) vulnerability (CVE-2025-24016) has been identified in Wazuh, a widely used open-source security information and event management (SIEM) platform. This flaw, present in versions 4.4.0 through 4.9.0, allows attackers with API access to execute arbitrary Python code on the Wazuh server.

Technical Details
The vulnerability arises from unsafe deserialization in the DistributedAPI (DAPI) component. Parameters are serialized as JSON and deserialized using the as_wazuh_object function located in framework/wazuh/core/cluster/common.py. Because the deserializer hands the value found under the __unhandled_exc__ key to Python's eval(), an attacker can craft a malicious JSON payload containing a dictionary with that key and have the server execute arbitrary Python code, and through it arbitrary system commands.
Exploitation Conditions
For successful exploitation, the following conditions must be met:
- The Wazuh server must be running a vulnerable version (4.4.0 to 4.9.0).
- The Wazuh server API must be accessible to the attacker, typically over the internet.
- The attacker must have valid administrator-level API credentials, typically obtained through credential theft, default passwords, or poor security practices.
These conditions make exploitation possible but also highlight the importance of securing API access and following best practices.
Mitigation
Wazuh has addressed this vulnerability in version 4.9.1 by replacing the unsafe eval() function with the secure ast.literal_eval() function, which safely evaluates a string containing Python literals without executing arbitrary code.
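The difference between the two evaluation functions is the whole fix, so here is a constructed side-by-side model of a JSON object hook in the pre-4.9.1 style (eval) and the 4.9.1 style (ast.literal_eval). This is an added example, not Wazuh's own as_wazuh_object code; it assumes, for illustration only, that the value under __unhandled_exc__ is a string of Python source, and the payloads are constructed samples.

```python
import ast
import json

# Constructed, simplified model of the DAPI object-hook pattern; NOT Wazuh's
# own as_wazuh_object(). Assumed shape (hypothetical): the value under the
# "__unhandled_exc__" key is a string holding Python source.
UNHANDLED_EXC_KEY = "__unhandled_exc__"


def as_object_unsafe(dct):
    """Pre-4.9.1 pattern: untrusted text goes straight to eval().
    eval() accepts ANY expression, so a call embedded in the JSON runs
    with the privileges of the server process."""
    if UNHANDLED_EXC_KEY in dct:
        return eval(dct[UNHANDLED_EXC_KEY])
    return dct


def as_object_hardened(dct):
    """4.9.1 pattern: ast.literal_eval() only builds literals (str, int,
    float, bytes, bool, None, tuple, list, dict, set). Any name, call or
    attribute access raises ValueError instead of being executed."""
    if UNHANDLED_EXC_KEY in dct:
        return ast.literal_eval(dct[UNHANDLED_EXC_KEY])
    return dct


def deserialize(payload, hook):
    """Deserialize a DAPI-style JSON message, applying the hook to every
    JSON object, which is exactly where untrusted text reaches eval()."""
    return json.loads(payload, object_hook=hook)


def check(payload):
    """Return (unsafe_result, hardened_outcome) for one payload so the two
    behaviours can be compared; hardened_outcome is the literal value or
    the string 'rejected' when literal_eval refuses the input."""
    unsafe_result = deserialize(payload, as_object_unsafe)
    try:
        hardened_outcome = deserialize(payload, as_object_hardened)
    except ValueError:
        hardened_outcome = "rejected"
    return unsafe_result, hardened_outcome


# Constructed samples: a plain literal (tuple describing an exception) and an
# expression containing a call. len() is harmless; eval() would run any call.
LITERAL_PAYLOAD = '{"__unhandled_exc__": "(\'WazuhError\', 1000)"}'
EXPRESSION_PAYLOAD = '{"__unhandled_exc__": "len(\'abc\')"}'

if __name__ == "__main__":
    print(check(LITERAL_PAYLOAD))     # (('WazuhError', 1000), ('WazuhError', 1000))
    print(check(EXPRESSION_PAYLOAD))  # (3, 'rejected')
```

Both hooks accept the literal payload identically; only the hardened hook refuses the expression, which is why the swap closes the code-execution path without changing normal message handling.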
Organizations running affected versions are strongly urged to update to version 4.9.1 immediately. For those unable to update promptly, it’s recommended to implement the following mitigations:
- Restrict API access to trusted IP addresses.
- Use network segmentation to limit exposure.
- Monitor API traffic for unusual activity.
- Employ Web Application Firewalls (WAFs) to detect and block malicious requests.
By taking these steps, organizations can reduce the risk of exploitation and enhance the security of their Wazuh deployments.