CVE-2024-47770
📋 TL;DR
This vulnerability in Wazuh allows attackers who hold no privileges to view the agent list on the Wazuh dashboard, potentially enabling privilege escalation through information disclosure. All Wazuh users running versions before 4.9.1 are affected. The vulnerability stems from weak privilege access controls in the dashboard.
💻 Affected Systems
- Wazuh
📦 What is this software?
Wazuh by Wazuh
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use the exposed agent information to identify vulnerable systems, map the environment, and chain with other vulnerabilities for full system compromise and lateral movement.
Likely Case
Unauthorized users gain visibility into the Wazuh deployment, learning about managed agents, their status, and potentially identifying targets for further attacks.
If Mitigated
With proper network segmentation and access controls, the impact is limited to information disclosure about the monitoring infrastructure.
🎯 Exploit Status
Exploitation requires some level of access to the Wazuh dashboard but no specific privileges; the advisory suggests the vulnerability is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9.1
Vendor Advisory: https://github.com/wazuh/wazuh/security/advisories/GHSA-648q-8m78-5cwv
Restart Required: Yes
Instructions:
1. Back up your Wazuh configuration and data.
2. Stop Wazuh services.
3. Upgrade to Wazuh 4.9.1 using your package manager or installation method.
4. Restart Wazuh services.
5. Verify the dashboard functions correctly.
🧯 If You Can't Patch
- Implement strict network access controls to limit Wazuh dashboard access to authorized users only.
- Monitor dashboard access logs for unauthorized viewing of agent lists and implement alerting.
🔍 How to Verify
Check if Vulnerable:
Check your Wazuh version; if it's below 4.9.1, you are vulnerable. Attempt to access the agent list on the dashboard with a low-privilege user account.
Check Version:
wazuh-manager -V
Verify Fix Applied:
After upgrading to 4.9.1, verify that low-privilege users cannot view the agent list on the dashboard without proper authorization.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Wazuh dashboard endpoints related to agent listing.
- Log entries showing agent list queries from unexpected user accounts.
Network Indicators:
- Unusual HTTP requests to Wazuh dashboard API endpoints for agent information from unauthorized IPs.
SIEM Query:
source="wazuh-dashboard" AND (uri_path="/agents" OR uri_path="/api/agents") AND user_role="low_privilege"
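The log indicators above, turned into a small offline triage script. This is an added example, not Wazuh code or part of the advisory: the two agent paths and the user_role field come from the SIEM query above, while the JSON-lines log format, the other field names, the role names and the sample lines are assumptions constructed for illustration.

```python
import json

# Paths come from the page's SIEM query; everything else here is an assumption.
AGENT_PATHS = ("/agents", "/api/agents")
AUTHORIZED_ROLES = {"admin", "soc_analyst"}  # hypothetical role names

# Constructed sample log lines (one JSON object per line; field names are assumed).
SAMPLE_LOG = """\
{"user":"alice","user_role":"admin","src_ip":"10.0.0.5","uri_path":"/api/agents?limit=500","status":200}
{"user":"guest1","user_role":"low_privilege","src_ip":"10.0.9.77","uri_path":"/agents","status":200}
{"user":"guest1","user_role":"low_privilege","src_ip":"10.0.9.77","uri_path":"/api/agents/001","status":200}
{"user":"guest1","user_role":"low_privilege","src_ip":"10.0.9.77","uri_path":"/agentsx","status":200}
truncated or non-JSON line
{"user":"svc-report","src_ip":"10.0.3.2","uri_path":"/api/agents/","status":403}
""".splitlines()


def is_agent_listing(uri_path):
    """True for the agent paths and their sub-paths, ignoring the query string."""
    path = uri_path.split("?", 1)[0].rstrip("/")
    return any(path == p or path.startswith(p + "/") for p in AGENT_PATHS)


def find_unexpected_agent_queries(lines, authorized_roles=AUTHORIZED_ROLES):
    """Return ({user: {"ok", "denied", "src_ips"}}, skipped_line_count)."""
    findings, skipped = {}, 0
    for line in lines:
        try:
            event = json.loads(line)
            path = str(event["uri_path"])
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1  # count unparseable lines so coverage gaps stay visible
            continue
        # A missing role is treated as unauthorized rather than silently ignored.
        if not is_agent_listing(path) or event.get("user_role") in authorized_roles:
            continue
        entry = findings.setdefault(event.get("user", "<unknown>"),
                                    {"ok": 0, "denied": 0, "src_ips": set()})
        # 2xx means the list was actually returned; anything else is an attempt.
        status = event.get("status")
        key = "ok" if isinstance(status, int) and 200 <= status < 300 else "denied"
        entry[key] += 1
        entry["src_ips"].add(event.get("src_ip", "<unknown>"))
    return findings, skipped


if __name__ == "__main__":
    found, skipped = find_unexpected_agent_queries(SAMPLE_LOG)
    for user, info in sorted(found.items()):
        print(user, info["ok"], info["denied"], sorted(info["src_ips"]))
    print("skipped lines:", skipped)
```

Accounts with a non-zero "ok" count received agent data without an authorized role and are the ones to review first on a pre-4.9.1 deployment.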