A broken access control vulnerability has been discovered in Wazuh SIEM version 4.8.2, which can potentially lead to privilege escalation or unauthorized access to sensitive resources. This vulnerability (CVE-2024-57378) allows malicious users to create internal users without assigning any existing user roles, thereby bypassing the intended security measures. This article highlights the exploit details, affected versions, potential impact, and solutions to mitigate the risk. Moreover, code snippets and original references are provided for a better understanding of the vulnerability.
Affected Versions
Wazuh SIEM version 4.8.2 is affected by this vulnerability. Earlier versions are not vulnerable, and the fix ships in version 4.8.3.
Exploit Details
Broken access control vulnerabilities generally occur when software fails to enforce appropriate restrictions on user actions, resulting in unauthorized access or resource exposure. In the case of CVE-2024-57378, the vulnerability exists within the user management API of Wazuh SIEM 4.8.2. This flaw allows internal users to be created with no assigned user role, which can lead to unauthorized access to sensitive resources, or to privilege escalation if higher-level permissions can then be acquired.
The following code snippet demonstrates creating a new user without assigning any roles (the API URL is a placeholder):

import requests

# Placeholder host; <WAZUH API URL> stands for the API base URL of the instance.
url = "https://<WAZUH API URL>/users"

# The request body names a username and password but no "roles" field.
payload = {
    "username": "malicious_user",
    "password": "strongpassword"
}

# verify=False disables TLS certificate verification for this request.
response = requests.post(url, json=payload, verify=False)
print(response.text)
Executing this code snippet will result in a new user with no assigned roles being added to the Wazuh SIEM system, bypassing the intended access control mechanisms.
Impact
The potential consequences of exploiting this vulnerability depend on the permissions and privileges that the malicious user can acquire. Unauthorized access to sensitive resources may lead to data theft, tampering, or complete system compromise if administrative privileges are acquired.
Solution
To address this vulnerability, Wazuh SIEM version 4.8.3 includes a fix that enforces role assignment when creating new internal users. In addition, it is recommended to:
- Update Wazuh SIEM to version 4.8.3 or higher.
- Review existing internal users' roles and permissions, ensuring they align with the intended access control policy.
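The two mitigation steps above, the server-side role check that the fix enforces and the audit of existing internal users, can be exercised with the following added example. It is not Wazuh's code; the "affected_items" listing shape, the role ids and the sample users are constructed assumptions for the demonstration.

```python
import json
from typing import Any

# Constructed sample user listing (assumed shape, not taken from the page):
# one account has an empty role list and one has no "roles" key at all.
SAMPLE_LISTING = json.dumps({
    "data": {
        "affected_items": [
            {"id": 1, "username": "wazuh", "roles": [1]},
            {"id": 100, "username": "analyst", "roles": [2, 3]},
            {"id": 101, "username": "malicious_user", "roles": []},
            {"id": 102, "username": "legacy_account"},
        ],
        "total_affected_items": 4,
    },
    "error": 0,
})

KNOWN_ROLE_IDS = {1, 2, 3}  # assumed role inventory for this example


def users_without_roles(listing_json: str) -> list[str]:
    """Audit helper: usernames whose role list is empty or missing.

    An internal user created through the flaw described above shows up here.
    """
    listing = json.loads(listing_json)
    items = listing.get("data", {}).get("affected_items", [])
    return [u["username"] for u in items if not u.get("roles")]


def validate_create_user(payload: dict[str, Any], known_roles: set[int]) -> tuple[bool, str]:
    """Server-side check a create-user handler applies before persisting.

    Rejects a request that names no role, or a role id that does not exist,
    which is the enforcement the 4.8.3 fix is described as adding.
    """
    if not payload.get("username") or not payload.get("password"):
        return False, "username and password are required"
    roles = payload.get("roles")
    if not isinstance(roles, list) or not roles:
        return False, "at least one existing role must be assigned"
    unknown = [r for r in roles if r not in known_roles]
    if unknown:
        return False, f"unknown role ids: {unknown}"
    return True, "ok"


if __name__ == "__main__":
    print("users with no roles:", users_without_roles(SAMPLE_LISTING))
    print(validate_create_user({"username": "malicious_user", "password": "strongpassword"}, KNOWN_ROLE_IDS))
    print(validate_create_user({"username": "analyst2", "password": "strongpassword", "roles": [2]}, KNOWN_ROLE_IDS))
```

The role-less request from the snippet earlier on this page is rejected by the validator, while the audit flags both the empty-list and the missing-key accounts.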
Original References
1. Wazuh SIEM Release Notes (v4.8.3)
2. Wazuh SIEM User Management API Documentation
Conclusion
CVE-2024-57378 is a broken access control vulnerability in Wazuh SIEM 4.8.2 that may expose sensitive resources and enable privilege escalation. By updating to Wazuh SIEM version 4.8.3 and ensuring proper role assignment for all internal users, organizations can mitigate this risk and keep their security information and event management (SIEM) system protected.
Timeline
Published on: 02/13/2025 22:15:11 UTC
Last modified on: 03/17/2025 19:15:24 UTC