CVE-2021-44079

9.8 CRITICAL

📋 TL;DR

CVE-2021-44079 is a command injection vulnerability in Wazuh's wazuh-slack active response script that allows remote code execution by passing untrusted user agents to curl commands. This affects Wazuh 4.2.x installations before version 4.2.5. Attackers can execute arbitrary commands with the privileges of the Wazuh process.

💻 Affected Systems

Products:
  • Wazuh
Versions: 4.2.x before 4.2.5
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires active response feature enabled with Slack integration configured.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with root-level code execution, data exfiltration, and lateral movement across the network.

🟠 Likely Case: Remote code execution leading to malware deployment, credential theft, and persistence establishment.

🟢 If Mitigated: Limited impact with proper network segmentation and least privilege configurations.

🌐 Internet-Facing: HIGH - Exploitable remotely if Wazuh management interface is exposed.
🏢 Internal Only: HIGH - Exploitable from any compromised internal system that can reach Wazuh.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to trigger active responses, typically via authenticated alerts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.5

Vendor Advisory: https://github.com/wazuh/wazuh/issues/10858

Restart Required: Yes

Instructions:

1. Backup current configuration.
2. Update Wazuh to version 4.2.5 or later.
3. Restart Wazuh services.
4. Verify active response functionality.

🔧 Temporary Workarounds

Disable Slack Active Response (platform: linux)

Temporarily disable the vulnerable wazuh-slack active response script:

  mv /var/ossec/active-response/bin/wazuh-slack /var/ossec/active-response/bin/wazuh-slack.disabled
  systemctl restart wazuh-manager

Restrict Active Response Triggers (platform: all)

Modify the active-response configuration to limit which alerts trigger Slack responses:

  Edit /var/ossec/etc/ossec.conf and restrict the <active-response> rules for Slack.

🧯 If You Can't Patch

  • Disable all active response features in Wazuh configuration
  • Implement strict network segmentation to isolate Wazuh management interface

🔍 How to Verify

Check if Vulnerable:

Check the Wazuh version: if it starts with '4.2.' and is lower than '4.2.5', the system is vulnerable.

Check Version:

/var/ossec/bin/wazuh-control info | grep 'WAZUH_VERSION'

Verify Fix Applied:

Verify that the version is 4.2.5 or higher, then test that active response functionality still works.
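The version check above, as an added shell example (not from this page or the Wazuh project): it parses the output of wazuh-control info and decides whether the reported version falls in the affected range (4.2.x before 4.2.5). It assumes that output contains a line of the form WAZUH_VERSION="v4.2.3"; the sample output embedded below is constructed.

```shell
#!/bin/sh
# Added example: classify a Wazuh version against the CVE-2021-44079
# affected range (4.2.x before 4.2.5). Assumes `wazuh-control info`
# prints a line like WAZUH_VERSION="v4.2.3" (format assumed, not taken
# from the project's documentation).

# extract_version: read wazuh-control info output from stdin and print
# the bare version number (e.g. 4.2.3), dropping any leading "v".
extract_version() {
  sed -n 's/^WAZUH_VERSION="v\{0,1\}\([0-9.]*\)".*/\1/p' | head -n 1
}

# is_vulnerable VERSION: succeed (exit 0) when VERSION is 4.2.x with x < 5.
is_vulnerable() {
  ver="$1"
  major=$(printf '%s' "$ver" | cut -d. -f1)
  minor=$(printf '%s' "$ver" | cut -d. -f2)
  patch=$(printf '%s' "$ver" | cut -d. -f3)
  patch=${patch:-0}   # treat "4.2" as 4.2.0
  [ "$major" = "4" ] && [ "$minor" = "2" ] && [ "$patch" -lt 5 ]
}

# check_info: read wazuh-control info output from stdin, print a verdict,
# return 0 if vulnerable, 1 if not affected, 2 if the version is unreadable.
check_info() {
  ver=$(extract_version)
  if [ -z "$ver" ]; then
    echo "could not determine Wazuh version from input"
    return 2
  fi
  if is_vulnerable "$ver"; then
    echo "Wazuh $ver: VULNERABLE to CVE-2021-44079 (upgrade to 4.2.5 or later)"
    return 0
  fi
  echo "Wazuh $ver: not in the affected range"
  return 1
}

# Constructed sample output standing in for /var/ossec/bin/wazuh-control info.
SAMPLE_INFO='WAZUH_VERSION="v4.2.3"
WAZUH_REVISION="40213"
WAZUH_TYPE="server"'

printf '%s\n' "$SAMPLE_INFO" | check_info
```

On a live manager, replace the sample with the real command: /var/ossec/bin/wazuh-control info | check_info.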

📡 Detection & Monitoring

Log Indicators:

  • Unusual curl commands in active response logs
  • Suspicious process execution from wazuh-slack script

Network Indicators:

  • Unexpected outbound connections from Wazuh server
  • Slack API calls with unusual user-agent strings

SIEM Query:

source="wazuh" AND "active-response" AND "wazuh-slack" AND (curl OR command)
