A critical security flaw has been identified in Wazuh Manager, an open-source security information and event management (SIEM) platform, which could enable remote attackers to manipulate security alerts, delete forensic evidence, and alter SIEM data across various environments. This vulnerability has been assigned a maximum CVSS score of 10.0, underscoring its severity and the ease with which it can be exploited.
The issue affects Wazuh Manager version 5.0.0-beta1 and originates from an NDJSON injection flaw within the newly introduced inventory_sync subsystem. Specifically, the vulnerability arises from improper handling of the DataValue.index field, which is appended without validation or filtering, allowing malicious agents to inject arbitrary OpenSearch bulk operations.
By exploiting this flaw, attackers can inject additional operations such as delete, index, or update into the request payload. For instance, by embedding specially crafted newline characters and JSON fragments into the index field, an attacker can smuggle unauthorized bulk actions into the bulk request sent to the indexer. These malicious operations are executed under the Wazuh indexer credentials, which, by default, often possess administrative privileges with full access.
The attack does not require authentication due to insecure default configurations in wazuh-authd that permit anonymous agent enrollment. Once enrolled, an attacker can:
- Delete arbitrary documents from Wazuh indices, effectively erasing alerts and logs.
- Modify vulnerability and inventory data for other agents.
- Inject malicious content into Kibana dashboards for persistence or to target analysts.
- Perform cross-tenant data manipulation in shared environments.
Researchers have demonstrated a full end-to-end exploit over standard Wazuh communication channels (TCP ports 1514 and 1515), confirming that injected delete operations successfully removed targeted records from the backend.
The vulnerability is primarily categorized under CWE-74 (Injection), along with CWE-93 (CRLF Injection) and CWE-863 (Incorrect Authorization). The root cause lies in the lack of input validation and improper neutralization of special characters in the DataValue.index field. Since Wazuh Manager utilizes high-privileged OpenSearch credentials stored in its keystore, this flaw effectively grants attackers administrative control over the security data it indexes.
According to the GitHub advisory GHSA-ff9g-85jq-r3g3, the issue has been addressed in Wazuh version 5.0.0-beta3. Users are strongly advised to upgrade immediately to mitigate potential risks.
Recommended Mitigations
- Implement strict validation for index names based on OpenSearch rules.
- Escape all user-controlled input before constructing bulk requests.
- Avoid using high-privilege roles, such as admin, for indexer operations.
- Disable anonymous agent enrollment and enforce secure authentication.
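As an added illustration (not Wazuh's own code), the string-splicing pattern the advisory describes sits beside a hardened builder that validates the index name against assumed OpenSearch naming rules and serialises every field with json.dumps; parse_bulk walks the NDJSON the way the bulk API does, so the extra action smuggled through an unchecked index value becomes visible. All names, index values and documents are constructed.

```python
import json
# Assumed OpenSearch index-name rules: lowercase, no whitespace or control
# characters, none of \ / * ? " < > | , # :, no leading - _ +, not "." or
# "..", at most 255 bytes. A newline fails the control-character check.
_FORBIDDEN = set('\\/*?"<>|,#: ')

def valid_index_name(name: str) -> bool:
    return (bool(name) and name not in (".", "..") and len(name.encode()) <= 255
            and name[0] not in "-_+" and name == name.lower()
            and not any(c in _FORBIDDEN or ord(c) < 0x20 for c in name))

def build_bulk_unsafe(ops):
    """Vulnerable pattern: the index value is spliced into NDJSON unchecked."""
    lines = []
    for index, doc_id, doc in ops:
        lines.append('{"index":{"_index":"' + index + '","_id":"' + doc_id + '"}}')
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"

def build_bulk_safe(ops):
    """Hardened: reject bad index names and let json.dumps escape every field."""
    lines = []
    for index, doc_id, doc in ops:
        if not valid_index_name(index):
            raise ValueError(f"rejected index name: {index!r}")
        lines.append(json.dumps({"index": {"_index": index, "_id": doc_id}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"

def parse_bulk(ndjson: str):
    """Walk the body as the bulk API does: action line, then a source line
    for index/create/update (none for delete). Returns (kind, index) pairs."""
    lines = [ln for ln in ndjson.split("\n") if ln]
    actions, i = [], 0
    while i < len(lines):
        (kind, meta), = json.loads(lines[i]).items()
        actions.append((kind, meta.get("_index")))
        i += 1 if kind == "delete" else 2
    return actions

def safe_rejects(ops) -> bool:
    try:
        build_bulk_safe(ops)
        return False
    except ValueError:
        return True
# Constructed agent-controlled index value: newline plus JSON fragments smuggle
# a second, harmless "index" action into the batch (no real Wazuh data).
HOSTILE_INDEX = ('wazuh-states-inventory","_id":"agent-007"}}\n{"os":"linux"}\n'
                 '{"index":{"_index":"other-index","_id":"x"}}\n{"note":"smuggled"}\n'
                 '{"index":{"_index":"wazuh-states-inventory')
HOSTILE_OPS = [(HOSTILE_INDEX, "agent-007", {"os": "linux"})]
```

Running parse_bulk over build_bulk_unsafe(HOSTILE_OPS) yields three actions from a single intended one, while build_bulk_safe raises on the same input.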
This vulnerability highlights the critical importance of input validation and secure default configurations in security platforms. Organizations relying on Wazuh for their security monitoring should prioritize updating to the patched version and reviewing their system configurations to prevent unauthorized access and data manipulation.