CVE-2021-28040
📋 TL;DR
This vulnerability allows attackers to cause a denial of service (DoS) in OSSEC HIDS by sending specially crafted XML with excessive nested tags, triggering uncontrolled recursion that leads to a segmentation fault and crashes the service. It affects all systems running OSSEC 3.6.0. The vulnerability is exploitable remotely if OSSEC is configured to process XML from untrusted sources.
💻 Affected Systems
- OSSEC HIDS
📦 What is this software?
OSSEC HIDS (host-based intrusion detection system), by the OSSEC project
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of OSSEC HIDS, disabling security monitoring and alerting capabilities across the protected infrastructure.
Likely Case
Temporary DoS affecting OSSEC's XML parsing functionality, potentially causing missed security events until service restart.
If Mitigated
Minimal impact if XML input validation is implemented or if OSSEC only processes trusted XML sources.
🎯 Exploit Status
Proof of concept involves sending XML with deeply nested tags. No authentication required if attacker can submit XML to vulnerable parser.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.1 and later
Vendor Advisory: https://github.com/ossec/ossec-hids/releases/tag/3.6.1
Restart Required: Yes
Instructions:
1. Back up the current OSSEC configuration.
2. Download OSSEC 3.6.1 or later from the official repository.
3. Stop the OSSEC service.
4. Install/upgrade to the patched version.
5. Restart the OSSEC service.
🔧 Temporary Workarounds
XML Input Validation
Implement XML validation to reject documents with excessive nesting depth before they reach the OSSEC parser.
# Check nesting depth with a small script before the file reaches OSSEC
# (xmlstarlet val only checks well-formedness and schema validity; it has no nesting-depth option)
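A depth check of the kind the workaround describes, as an added example that is not OSSEC project code. It uses Python's event-driven expat parser, which keeps its own element stack on the heap rather than recursing, so the checker itself cannot be driven into a stack overflow by the same input it is screening. The 50-level limit and the sample documents are assumptions constructed for the example.

```python
"""Reject XML documents whose element nesting exceeds a fixed depth.

Added example, not OSSEC project code. It assumes the caller can run a
document through this check before handing it to OSSEC's own parser.
"""
import xml.parsers.expat

MAX_DEPTH = 50  # assumed policy limit; real OSSEC config files are far shallower


class NestingTooDeep(ValueError):
    """Raised as soon as an element would exceed the configured depth."""


def max_nesting_depth(xml_bytes: bytes, limit: int = MAX_DEPTH) -> int:
    """Return the deepest element nesting in xml_bytes.

    Raises NestingTooDeep at the first element deeper than `limit`, so a
    document of a million nested tags is rejected after `limit` + 1 tags
    instead of being parsed to the end.
    """
    depth = 0
    deepest = 0
    parser = xml.parsers.expat.ParserCreate()

    def start(name, attrs):
        nonlocal depth, deepest
        depth += 1
        if depth > limit:
            raise NestingTooDeep(f"element <{name}> at depth {depth} exceeds {limit}")
        deepest = max(deepest, depth)

    def end(name):
        nonlocal depth
        depth -= 1

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)  # exceptions raised in handlers propagate here
    return deepest


def is_safe_xml(xml_bytes: bytes, limit: int = MAX_DEPTH) -> bool:
    """True only for well-formed XML within the depth limit."""
    try:
        max_nesting_depth(xml_bytes, limit)
    except (NestingTooDeep, xml.parsers.expat.ExpatError):
        return False
    return True


# Constructed sample inputs (not real configuration or captured traffic).
SAMPLE_CONFIG = (
    b"<ossec_config><global><email_notification>no</email_notification>"
    b"</global></ossec_config>"
)
DEEP_DOC = b"<a>" * 100_000 + b"</a>" * 100_000

if __name__ == "__main__":
    print("config depth:", max_nesting_depth(SAMPLE_CONFIG))
    print("deep document accepted:", is_safe_xml(DEEP_DOC))
```

Malformed input is rejected on the same path as over-deep input, so a pre-filter built on this function never forwards a document to OSSEC that it could not itself parse.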
Process Isolation
Run OSSEC XML parsing in an isolated container/process with memory limits to contain crashes. A memory limit bounds resource use but does not stop the segmentation fault itself; Restart= is what brings the service back.
# systemd drop-in for the OSSEC unit (unit name varies by package; edit with systemctl edit <unit>)
[Service]
# MemoryLimit= is the older cgroup v1 name for the same setting
MemoryMax=100M
Restart=on-failure
🧯 If You Can't Patch
- Implement network segmentation to restrict XML sources to trusted internal systems only.
- Deploy monitoring to detect and alert on OSSEC service crashes with automatic restart mechanisms.
🔍 How to Verify
Check if Vulnerable:
Check OSSEC version: grep VERSION /etc/ossec-init.conf or /var/ossec/bin/ossec-control --version
Check Version:
/var/ossec/bin/ossec-control --version | grep 'OSSEC HIDS'
Verify Fix Applied:
Confirm version is 3.6.1 or later and test with sample XML containing deeply nested tags (use caution).
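A version check that automates the comparison above, as an added example that is not OSSEC project code. It accepts either the VERSION line from ossec-init.conf or the "OSSEC HIDS vX.Y.Z" banner, and treats anything below the 3.6.1 release the advisory names as unpatched. The sample strings are constructed, not captured from a real host.

```python
"""Decide from OSSEC's own version string whether the 3.6.1 fix is present.

Added example, not OSSEC project code. Assumes the version is obtained with
one of the commands listed under "How to Verify".
"""
import re

FIXED_VERSION = (3, 6, 1)  # first release the advisory lists as patched
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> tuple:
    """Extract X.Y.Z as a tuple of ints from a config line or banner."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_unpatched(text: str) -> bool:
    """True when the reported version predates 3.6.1."""
    return parse_version(text) < FIXED_VERSION


# Constructed samples of the two formats the verification commands produce.
SAMPLES = [
    'VERSION="v3.6.0"',
    "OSSEC HIDS v3.6.1 - Trend Micro Inc.",
    "OSSEC HIDS v3.7.0",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}: {'UNPATCHED' if is_unpatched(sample) else 'patched'}")
```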
📡 Detection & Monitoring
Log Indicators:
- OSSEC service crash logs
- Segmentation fault errors in system logs
- OSSEC process termination without normal shutdown
Network Indicators:
- Unusual XML traffic to OSSEC ports
- Multiple XML submissions with similar structure
SIEM Query:
source="ossec" AND ("segmentation fault" OR "crash" OR "SIGSEGV")
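The log indicators above expressed as detection logic, as an added example that is not part of the advisory. It scans syslog-style lines for crash evidence tied to an OSSEC process or unit, and ignores both clean stops and segfaults from unrelated processes, which is the filtering the SIEM query alone does not do. The log lines are constructed samples, not captured output.

```python
"""Flag OSSEC crash indicators in syslog-style lines.

Added example, not OSSEC project code. Assumes kernel segfault reports and
systemd unit messages in the usual syslog layout; all sample lines below
are constructed.
"""
import re

# An OSSEC process (ossec-analysisd, ossec-remoted, ...) or its systemd unit.
OSSEC_PROC = re.compile(r"\bossec(?:-\w+)?(?:\.service)?\b", re.I)

# Crash evidence, in the order the page lists it.
CRASH_PATTERNS = [
    (re.compile(r"\bsegfault at\b"), "kernel segfault report"),
    (re.compile(r"\bSIGSEGV\b|status=11/SEGV"), "process killed by SIGSEGV"),
    (re.compile(r"segmentation fault", re.I), "segmentation fault message"),
    (re.compile(r"Failed with result 'signal'"), "unit failed on a signal"),
]

# Administrative stops are not crashes and must not raise alerts.
CLEAN_STOP = re.compile(r"\b(?:Stopp(?:ing|ed)|Deactivated successfully)\b", re.I)


def crash_indicators(lines):
    """Return (line_number, reason, line) for each OSSEC crash indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        if not OSSEC_PROC.search(line) or CLEAN_STOP.search(line):
            continue
        for pattern, reason in CRASH_PATTERNS:
            if pattern.search(line):
                hits.append((number, reason, line.strip()))
                break
    return hits


# Constructed sample log; lines 3-5 are the crash, 1, 2 and 6 are noise.
SAMPLE_LOG = [
    "Apr 12 09:30:00 hids1 systemd[1]: Stopping OSSEC HIDS...",
    "Apr 12 09:55:00 hids1 sshd[999]: Accepted publickey for ops from 10.0.0.5 port 51234 ssh2",
    "Apr 12 10:01:02 hids1 kernel: ossec-analysisd[2103]: segfault at 7ffd1c0ffff8 "
    "ip 000055d1a2b3c4d5 sp 00007ffd1c0fffe0 error 6 in ossec-analysisd",
    "Apr 12 10:01:03 hids1 systemd[1]: ossec.service: Main process exited, code=killed, status=11/SEGV",
    "Apr 12 10:01:03 hids1 systemd[1]: ossec.service: Failed with result 'signal'.",
    "Apr 12 10:02:00 hids1 kernel: chromium[4001]: segfault at 0 ip 00005555 sp 00007fff error 4 in chromium",
]

if __name__ == "__main__":
    for number, reason, line in crash_indicators(SAMPLE_LOG):
        print(f"line {number}: {reason}: {line}")
```

Feeding these hits into the automatic-restart monitoring suggested under "If You Can't Patch" gives a restart trigger that fires on crashes but not on routine service stops.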