D0Ntrash

**Name of the Vulnerable Software and Affected Versions** Wazuh versions prior to 4.7.1 **Description** A NULL pointer dereference was detected in the analysis engine of Wazuh, a free and open source platform used for threat prevention, detection, and response. This issue occurs when the `analysisd` receives a syscollector message with the `hotfix` `msg type` but lacking a `timestamp`. The `cJSON GetObjectItem()` function is used to get the `timestamp` object item, which is then dereferenced without checking for a `NULL` value. This allows malicious clients to perform a Denial of Service (DoS) attack on the analysis engine. **Recommendations** For versions prior to 4.7.1, update to version 4.7.1 to resolve the issue. As a temporary workaround, consider restricting access to the `analysisd` component to minimize the risk of exploitation. Avoid sending syscollector messages with the `hotfix` `msg type` but lacking a `timestamp` until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Wazuh versions prior to 4.7.2 **Description** The issue is related to the `host deny` script in Wazuh's active response feature, which allows for the execution of arbitrary commands on the target system due to improper input validation. This can be exploited by injecting arbitrary commands into the `/etc/hosts.deny` file using the `spawn` directive. The vulnerability can lead to local privilege escalation (LPE) on the server as root and remote code execution (RCE) on the agent as root. **Recommendations** For versions prior to 4.7.2, update to version 4.7.2 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the `/var/ossec/active-response/bin/host deny` script to minimize the risk of exploitation. Avoid using the `host deny` script until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Wazuh Manager versions 3.8.0 through 4.7.1 **Description** The issue is related to a buffer overflow hazard in the wazuh-analysisd service when handling Unicode characters from Windows Eventchannel messages. This can be exploited by a remote attacker to execute arbitrary code. The vulnerability is associated with the incorrect handling of XML files containing Unicode characters by the cJSON PrintUnformatted() function. **Recommendations** For Wazuh Manager versions 3.8.0 through 4.7.1, update to Wazuh Manager 4.7.2 to resolve the issue. As a temporary workaround, consider restricting the handling of Unicode characters from Windows Eventchannel messages in the wazuh-analysisd service until a patch is applied.