CVE-2023-50260

8.8 HIGH

📋 TL;DR

This vulnerability in Wazuh's host_deny script allows attackers to inject arbitrary commands into the /etc/hosts.deny file, leading to arbitrary command execution. It affects Wazuh servers and agents, potentially enabling local privilege escalation on servers and remote code execution on agents as root.

💻 Affected Systems

Products:
  • Wazuh
Versions: before 4.7.2
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires active response feature enabled (default in many configurations).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with root privileges on both Wazuh servers and agents, allowing complete control over monitored systems.

🟠

Likely Case

Privilege escalation on Wazuh servers and code execution on agents, potentially leading to lateral movement within the network.

🟢

If Mitigated

Limited impact if active response features are disabled or proper input validation is implemented.

🌐 Internet-Facing: MEDIUM - Requires triggering active response via events, which may be possible through network interactions.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can trigger the vulnerability through event injection.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to write events to execd or ar queues, which may be accessible to authenticated users or through other vulnerabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.7.2

Vendor Advisory: https://github.com/wazuh/wazuh/security/advisories/GHSA-mjq2-xf8g-68vw

Restart Required: Yes

Instructions:

1. Backup current configuration.
2. Update Wazuh to version 4.7.2 or later using the package manager.
3. Restart Wazuh services.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable host_deny active response

Platform: Linux

Temporarily disable the vulnerable host_deny script in the active response configuration:

  • Edit /var/ossec/etc/ossec.conf and remove or comment out host_deny from the <active-response> section
  • Restart the Wazuh manager: systemctl restart wazuh-manager

Disable all active responses

Platform: Linux

Completely disable the active response feature as a temporary mitigation:

  • Set <active-response><disabled>yes</disabled></active-response> in /var/ossec/etc/ossec.conf
  • Restart the Wazuh manager: systemctl restart wazuh-manager

🧯 If You Can't Patch

  • Disable active response feature entirely in configuration
  • Implement strict access controls to prevent unauthorized event injection to execd and ar queues

🔍 How to Verify

Check if Vulnerable:

Check Wazuh version: /var/ossec/bin/wazuh-logtest -V | grep 'Wazuh v'

Check Version:

/var/ossec/bin/wazuh-logtest -V | grep 'Wazuh v'

Verify Fix Applied:

Verify version is 4.7.2 or higher: /var/ossec/bin/wazuh-logtest -V | grep 'Wazuh v'
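The grep above only shows the version string; deciding whether it is below the fixed release still has to be done by hand, and a plain string compare gets 4.10.x wrong. The following is an added example, not part of this advisory and not Wazuh's own tooling: it parses a "Wazuh vX.Y.Z" line (a constructed sample is embedded; on a real host feed in the output of the command above) and compares it field by field against 4.7.2. The function names (extract_version, version_lt, is_vulnerable) are this example's own.

```shell
# Added example (not from the advisory or from Wazuh): parse the version
# string printed by the Wazuh tooling and decide whether the install is
# below the fixed release 4.7.2 for CVE-2023-50260.

# Constructed sample of the line the advisory's check greps for.
# On a real host use: /var/ossec/bin/wazuh-logtest -V | grep 'Wazuh v'
SAMPLE_VERSION_LINE='Wazuh v4.7.1'

# Extract "X.Y.Z" from a line such as "Wazuh v4.7.1"; prints nothing if absent.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/.*Wazuh v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 (true) when version $1 is lower than version $2. Fields are
# compared numerically so that 4.10.0 correctly sorts after 4.7.2.
version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Return 0 when the version on the given line is affected (< 4.7.2),
# 1 when it is fixed, 2 when no version could be parsed.
is_vulnerable() {
    v=$(extract_version "$1")
    [ -n "$v" ] || { echo "could not parse a Wazuh version from: $1" >&2; return 2; }
    version_lt "$v" "4.7.2"
}

if is_vulnerable "$SAMPLE_VERSION_LINE"; then
    echo "VULNERABLE: $SAMPLE_VERSION_LINE is below 4.7.2"
else
    echo "OK: $SAMPLE_VERSION_LINE is 4.7.2 or later"
fi
```

Run it on each manager and agent host; an exit status of 2 from is_vulnerable means the version line was not found and the check should be repeated with the correct binary path rather than treated as a pass.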

📡 Detection & Monitoring

Log Indicators:

  • Unusual entries in /etc/hosts.deny file
  • Suspicious commands in Wazuh active response logs
  • Unexpected process execution from Wazuh context

Network Indicators:

  • Unusual network connections originating from Wazuh servers/agents
  • Suspicious outbound traffic patterns

SIEM Query:

source="wazuh" AND (event_type="active-response" OR process_name="host_deny") AND command!=""
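"Unusual entries in /etc/hosts.deny" is the first log indicator above, so here is an added example of what a host-level check for it can look like. It is not part of this advisory and not Wazuh code; it assumes (my assumption, not stated on this page) that the host_deny response only ever appends lines of the form "ALL:<address>", and it flags every non-blank, non-comment line that does not fit that shape. The sample file is constructed and its last line is deliberately malformed only to show a flagged entry; the function names (audit_hosts_deny, count_suspicious, write_sample_hosts_deny) are this example's own.

```shell
# Added example (not from the advisory or from Wazuh): audit a hosts.deny
# file and report lines that do not look like the "ALL:<address>" entries
# the host_deny active response is assumed to write.

# Expected line shapes: blank, comment, or "ALL:" + one IPv4/IPv6-looking
# address with optional surrounding whitespace. Anything else is reported.
EXPECTED_LINE_RE='^[[:space:]]*($|#|ALL:[[:space:]]*[0-9A-Fa-f.:]+[[:space:]]*$)'

# Write a constructed sample standing in for /etc/hosts.deny and print its
# path. The last entry carries an extra, unexpected field so that the audit
# has something to flag; it is not a real payload.
write_sample_hosts_deny() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
ALL:198.51.100.23
ALL: 2001:db8::10
ALL: 198.51.100.7 : unexpected-field
EOF
    printf '%s\n' "$f"
}

# Print the number of lines in $1 that do not match the expected shape.
count_suspicious() {
    grep -c -v -E "$EXPECTED_LINE_RE" "$1" || true
}

# Print every flagged line with its line number. Returns 0 when the file
# contains only expected entries, 1 when at least one line was flagged.
audit_hosts_deny() {
    file="$1"
    suspicious=$(grep -n -v -E "$EXPECTED_LINE_RE" "$file" || true)
    if [ -n "$suspicious" ]; then
        printf 'suspicious hosts.deny line(s) in %s:\n%s\n' "$file" "$suspicious"
        return 1
    fi
    printf 'no unexpected entries in %s\n' "$file"
    return 0
}

SAMPLE=$(write_sample_hosts_deny)
audit_hosts_deny "$SAMPLE" || echo "review the flagged line(s) above"
rm -f "$SAMPLE"
```

On a real system run audit_hosts_deny /etc/hosts.deny from cron or as a Wazuh command-based check. A flagged line is a prompt for review, not proof of compromise: an administrator-written entry such as a per-service rule is also "unexpected" to this check, so tune EXPECTED_LINE_RE to whatever your own hosts.deny legitimately contains before alerting on it.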
