CVE-2024-57378
📋 TL;DR
CVE-2024-57378 is a broken access control vulnerability in Wazuh SIEM 4.8.2 that allows unauthorized creation of internal users without proper role assignment. This can lead to privilege escalation and unauthorized access to sensitive security data. Organizations running affected Wazuh versions are vulnerable.
💻 Affected Systems
- Wazuh SIEM
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers create administrative users, gain full control over the SIEM system, access all security logs and alerts, and potentially pivot to other systems.
Likely Case
Unauthorized users are created with limited privileges, allowing access to sensitive security monitoring data and potentially modifying alert rules.
If Mitigated
With proper network segmentation and authentication controls, impact is limited to the Wazuh management interface only.
🎯 Exploit Status
Exploitation requires access to the Wazuh API/interface but doesn't require authentication for the user creation endpoint. Technical details are available in the GitHub reference.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.8.3 or later
Vendor Advisory: https://github.com/wazuh/wazuh/releases
Restart Required: No
Instructions:
1. Back up the current configuration.
2. Update Wazuh to version 4.8.3 or later using the package manager.
3. Verify that the update completed successfully.
4. Test user creation functionality.
🔧 Temporary Workarounds
Restrict API Access
Implement network access controls to restrict access to Wazuh API endpoints, particularly user management endpoints (replace trusted_network with your management subnet; the ACCEPT rule must precede the DROP rule).
iptables -A INPUT -p tcp --dport 55000 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 55000 -j DROP
Disable Unnecessary User Creation
Temporarily disable user creation functionality via configuration changes.
Edit /var/ossec/etc/ossec.conf and restrict user management permissions
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Wazuh management interface
- Enable detailed audit logging for all user creation attempts and monitor for anomalies
🔍 How to Verify
Check if Vulnerable:
Check the installed Wazuh version. If it is 4.8.2, the system is vulnerable.
Check Version:
grep VERSION /etc/ossec-init.conf
Verify Fix Applied:
After update, verify version is 4.8.3 or later and test that unauthorized user creation is blocked.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized POST requests to /security/user/ endpoints
- New user creation events without proper authentication logs
- Failed authentication attempts followed by successful user creation
Network Indicators:
- Unusual API calls to user management endpoints from unexpected sources
- Traffic to Wazuh API port (default 55000) from unauthorized IPs
SIEM Query:
source="wazuh" AND (event_type="user_creation" OR api_endpoint="/security/user/") AND NOT user="authenticated_admin"
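An added example, not from this page or the Wazuh project, that applies the three log indicators above to constructed API access-log lines: the line layout, the trusted network range and the approved admin list are assumptions for the demo.

```python
import ipaddress
import re

# Constructed sample lines in a simplified layout
# ("<ts> <user> <src_ip> \"<METHOD> <path>\" <status>"); this is an
# assumption for the demo, not the real Wazuh api.log format.
SAMPLE_LOG = """\
2024-12-20T10:01:02Z wazuh 10.0.0.5 "POST /security/users" 200
2024-12-20T10:02:10Z analyst 10.0.0.9 "GET /security/users" 200
2024-12-20T10:03:30Z wazuh 203.0.113.7 "POST /security/users" 200
2024-12-20T10:04:01Z unknown 198.51.100.4 "POST /security/users" 401
2024-12-20T10:04:05Z unknown 198.51.100.4 "POST /security/users" 200
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)


def detect_suspicious_user_creation(log_text, trusted_nets, admin_users):
    """Return (ts, src_ip, reasons) for successful POSTs to /security/user*
    that match an indicator: untrusted source, caller not an approved
    admin, or a preceding failed attempt from the same source."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    failed_from = set()  # sources that already produced a 401/403
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/security/user"):
            continue
        ip, status = m["ip"], int(m["status"])
        if status in (401, 403):
            failed_from.add(ip)
            continue
        if status != 200:
            continue
        reasons = []
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            reasons.append("source outside trusted network")
        if m["user"] not in admin_users:
            reasons.append("caller is not an approved admin")
        if ip in failed_from:
            reasons.append("preceded by failed attempt from same source")
        if reasons:
            alerts.append((m["ts"], ip, reasons))
    return alerts


if __name__ == "__main__":
    for ts, ip, why in detect_suspicious_user_creation(SAMPLE_LOG, ["10.0.0.0/8"], {"wazuh"}):
        print(ts, ip, "; ".join(why))
```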