Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, multiple stack-based buffer overflows exist in the Security Configuration Assessment (SCA) decoder (wazuh-analysisd). The use of sprintf with a floating-point (%lf) format specifier on a fixed-size 128-byte buffer allows a remote attacker to overflow the stack.

A specially crafted JSON event can trigger this overflow, leading to a denial of service (crash) or potential RCE on the Wazuh manager. The vulnerability is located in /src/analysisd/decoders/security_configuration_assessment.c, within the FillScanInfo and FillCheckEventInfo functions. In multiple locations, a 128-byte buffer (char value[OS_SIZE_128];) is allocated on the stack to hold the string representation of a number from a JSON event.

The code checks if the number is an integer or a double. If it's a double, it uses sprintf(value, "%lf", ...) to perform the conversion. This sprintf call is unbounded.

If a floating-point number with a large exponent (e.g., 1.0e150) is provided, sprintf will attempt to write its full string representation (a "1" followed by 150 zeros), which is larger than the 128-byte buffer, corrupting the stack. Version 4.14.3 patches the issue.