Cyber Resilience

CVE-2023-50260

Severity: High · Public PoC · RCE

Published: 19 April 2024
Modified: 09 January 2025
KEV Added: not listed
Patch: available (fixed in 4.7.2)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1066 (93.5th percentile)
Risk Priority: 24 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-50260 is a high-severity Code Injection (CWE-94) vulnerability in Wazuh. Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks in the top 6.5% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Wazuh is a free and open source platform for threat prevention, detection, and response. The vulnerability is a Code Injection flaw (CWE-94) caused by insufficient validation in the host_deny active-response script, which lets an attacker write an arbitrary string into /etc/hosts.deny. The script is meant to append a single IP address so that TCP wrappers block connections from it, but because the value is not checked to be an IP address, an attacker can append a TCP wrappers option list after the client field. The spawn option runs a shell command whenever a wrapped service matches the rule against an incoming connection, so the injected line becomes command execution. The active-response feature is restricted by default to executables under /var/ossec/active-response/bin, which does not help here because host_deny is itself one of those executables. The flaw is fixed in version 4.7.2.

An attacker who can write events to the local execd queue on the server, or to the ar queue that forwards events to agents, can trigger host_deny with a crafted argument. Successful exploitation yields arbitrary command execution: local privilege escalation to root on the server and remote code execution as root on agents.
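The hosts.deny injection described above, reconstructed in Python as an added example; this is not Wazuh's own host_deny code, and neither its real implementation nor the 4.7.2 fix is reproduced here. The example assumes the helper emits a rule of the form ALL:<client>, shows how an unchecked client string smuggles a TCP wrappers spawn option into the rule, the strict IP validation that closes the hole, and an audit pass over a constructed hosts.deny that flags rules carrying command-running options (spawn, plus twist from hosts_options(5)):

```python
"""Added example for CVE-2023-50260 (not Wazuh's own host_deny code).

Reconstructs the bug class in Python: an active-response helper that writes
'ALL:<client>' to /etc/hosts.deny without checking that <client> is an IP,
the same helper with strict validation, and an audit pass that flags
hosts.deny rules carrying command-running TCP wrappers options."""
import ipaddress

# Constructed sample arguments. The second one smuggles a TCP wrappers option
# list after the client field (hosts_options(5): "daemons : clients : option").
LEGIT_IP = "203.0.113.7"
INJECTED = "203.0.113.7 : spawn /bin/sh -c 'id > /tmp/pwned'"

# Options that run a shell command when the rule matches a connection.
COMMAND_OPTIONS = ("spawn", "twist")


def hosts_deny_line_unsafe(client: str) -> str:
    """Vulnerable pattern: trust the caller and emit 'ALL:<client>' verbatim.
    With INJECTED this yields a rule whose third field is a spawn option."""
    return f"ALL:{client}"


def is_valid_client(client: str) -> bool:
    """Strict check: exactly one IPv4 address, no surrounding or embedded
    whitespace. IPv4 only is a simplification for this example; a real fix
    also has to handle the bracketed IPv6 syntax TCP wrappers expects."""
    if not client or client != client.strip() or any(c.isspace() for c in client):
        return False
    try:
        ipaddress.IPv4Address(client)
    except ValueError:
        return False
    return True


def hosts_deny_line_safe(client: str) -> str:
    """Hardened pattern: refuse anything that is not a plain IP address."""
    if not is_valid_client(client):
        raise ValueError(f"refusing to write non-IP client to hosts.deny: {client!r}")
    return f"ALL:{client}"


def parse_hosts_deny_line(line: str):
    """Split one rule into (daemons, clients, [options]) per hosts_access(5).
    Blank lines and lines starting with '#' are ignored; backslash line
    continuations and bracketed IPv6 clients are not handled here."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    parts = [p.strip() for p in s.split(":")]
    if len(parts) < 2:
        return None
    return parts[0], parts[1], parts[2:]


def find_command_options(hosts_deny_text: str):
    """Audit helper: return (line_no, clients, option) for every rule whose
    option list runs a command. Useful after exposure to this CVE to spot
    entries that host_deny should never have written."""
    hits = []
    for n, line in enumerate(hosts_deny_text.splitlines(), 1):
        parsed = parse_hosts_deny_line(line)
        if parsed is None:
            continue
        _daemons, clients, options = parsed
        for opt in options:
            words = opt.split(maxsplit=1)
            if words and words[0].lower() in COMMAND_OPTIONS:
                hits.append((n, clients, opt))
    return hits


# Constructed /etc/hosts.deny as the vulnerable helper would have left it.
SAMPLE_HOSTS_DENY = "\n".join([
    "# constructed sample, not a real system file",
    hosts_deny_line_unsafe(LEGIT_IP),
    hosts_deny_line_unsafe(INJECTED),
    "sshd : 198.51.100.0/24",
])


if __name__ == "__main__":
    print("vulnerable:", hosts_deny_line_unsafe(INJECTED))
    for client in (LEGIT_IP, INJECTED):
        try:
            print("hardened:  ", hosts_deny_line_safe(client))
        except ValueError as err:
            print("hardened:  ", err)
    for line_no, clients, opt in find_command_options(SAMPLE_HOSTS_DENY):
        print(f"audit: line {line_no} client {clients!r} runs {opt!r}")
```

The audit pass is the part worth running on a host that sat unpatched with active responses enabled: a legitimate host_deny entry never has a third colon-separated field, so any rule in /etc/hosts.deny whose option list starts with spawn or twist is either hand-written administration or evidence of this injection.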

The official Wazuh security advisory recommends upgrading to 4.7.2. The EPSS score rose from a low baseline to a peak of 0.1522 (currently 0.1066), indicating that exploitation interest increased after public disclosure.

Vulnerability details

Wazuh is a free and open source platform used for threat prevention, detection, and response. A wrong validation in the `host_deny` script allows writing any string to the `hosts.deny` file, which can end in arbitrary command execution on the target system. This vulnerability is part of the active response feature, which can automatically trigger actions in response to alerts. By default, active responses are limited to a set of predefined executables. This is enforced by only allowing executables stored under `/var/ossec/active-response/bin` to be run as an active response. However, `/var/ossec/active-response/bin/host_deny` can be exploited. `host_deny` is used to add IP addresses to the `/etc/hosts.deny` file to block incoming connections at the service level using TCP wrappers. An attacker can inject an arbitrary command into the `/etc/hosts.deny` file and execute it by using the spawn directive. The active response can be triggered by writing events either to the local `execd` queue on the server or to the `ar` queue, which forwards the events to agents. So it can lead to LPE on the server as root and RCE on agents as root. This vulnerability is fixed in 4.7.2.

CWE(s)

CWE-94: Improper Control of Generation of Code ('Code Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: wazuh
Product: wazuh
Versions: from 4.2.0 up to, but not including, 4.7.2 (fixed in 4.7.2)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE) cited in the NVD entry, not from the specifics of the host_deny flaw.

- addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- addresses CWE-94: Dynamically generated code can be produced and executed inside an isolated sandbox, preventing host compromise from code-injection payloads.
- addresses CWE-94: Validates inputs used in dynamic code generation to block injected directives.
- addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.
