PT-2023-9078 · Wazuh · Wazuh

D0Ntrash · Published 2023-11-28 · Updated 2025-01-09 · CVE-2023-50260

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions
Wazuh versions prior to 4.7.2

Description
The host deny script in Wazuh's active response feature does not properly validate its input, which allows the execution of arbitrary commands on the target system. The flaw can be exploited by injecting arbitrary commands into the /etc/hosts.deny file using the spawn directive. The vulnerability can lead to local privilege escalation (LPE) on the server as root and remote code execution (RCE) on the agent as root.

Recommendations
For versions prior to 4.7.2, update to version 4.7.2 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the /var/ossec/active-response/bin/host deny script to minimize the risk of exploitation. Avoid using the host deny script until the issue is resolved.
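
A defensive check for the condition described above, as an added example (not Wazuh's code and not part of the original advisory): it audits hosts.deny content for rules carrying the `spawn` or `twist` shell-command options documented in hosts_options(5), and for `ALL:` rules whose client field is not a single IP address. The sample content, the function names, and the assumption that legitimate block entries take the form `ALL:<ip>` are constructed for illustration.

```python
import ipaddress
import re

# hosts_options(5) options that run a shell command when a rule matches.
SHELL_OPTION = re.compile(r":\s*(spawn|twist)\b", re.IGNORECASE)

def logical_lines(text):
    """Yield (first_line_number, rule), joining backslash continuations, skipping comments."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):          # rule continues on the next physical line
            buf += raw[:-1]
            continue
        rule = (buf + raw).strip()
        if rule and not rule.startswith("#"):
            yield start, rule
        buf, start = "", None
    if buf.strip():                      # file ended in the middle of a continuation
        yield start, buf.strip()

def audit_hosts_deny(text):
    """Return (line, kind, rule) findings that deserve review."""
    findings = []
    for n, rule in logical_lines(text):
        if SHELL_OPTION.search(rule):
            findings.append((n, "shell-option", rule))
            continue
        daemon, sep, client = rule.partition(":")
        # Assumption: block entries are written as ALL:<single ip>.
        if sep and daemon.strip().upper() == "ALL":
            try:
                ipaddress.ip_address(client.strip().strip("[]"))
            except ValueError:
                findings.append((n, "not-a-single-ip", rule))
    return findings

# Constructed sample content, not taken from a real host.
SAMPLE = "\n".join([
    "# constructed sample",
    "ALL:203.0.113.7",
    "ALL:198.51.100.0/24",
    "sshd : 192.0.2.10 : spawn /usr/bin/logger denied %a",
    "ALL:[2001:db8::1]",
    "ALL: 192.0.2.55 : \\",
    "  twist /bin/true",
])

if __name__ == "__main__":
    for finding in audit_hosts_deny(SAMPLE):
        print(finding)
```

To audit a live system, pass the contents of /etc/hosts.deny to `audit_hosts_deny` and review every finding against the entries you expect active response to have written.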

Exploit · Fix · LPE · RCE · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2024-03449
CVE-2023-50260
GHSA-MJQ2-XF8G-68VW
ZDI-24-398

Affected Products

Wazuh