Wazuh Agent and Manager Shell Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A shell injection vulnerability has been identified in Wazuh's logcollector, maild, and Kaspersky AR script components, affecting both the Wazuh agent and manager in versions from 2.1.0 up to, but not including, 4.8.0. It allows attackers to execute arbitrary commands by injecting malicious input through configuration files, SMTP server settings, and custom flags, leading to remote code execution on the affected system.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected system, potentially leading to full system compromise.

Reproduction

The vulnerability can be reproduced by injecting malicious commands into Wazuh's configuration files or through the SMTP server settings when maild is running in local server mode. For example, after configuring maild to execute commands via the SMTP server tag, Wazuh can be restarted to trigger the command execution. Similarly, the Kaspersky AR script vulnerability can be exploited by injecting commands through the 'extra_args' parameter with the '--custom_flags' flag.

Remediation

Users are advised to update Wazuh to version 4.8.0 or later.
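As an added defensive example (not part of this advisory and not Wazuh's own code), the script below checks whether an installed version falls inside the affected range stated above and audits an ossec.conf for smtp_server values carrying shell metacharacters. The element layout <ossec_config><global><smtp_server> and the sample configuration are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Affected range as stated in the advisory: 2.1.0 <= version < 4.8.0
AFFECTED_MIN = (2, 1, 0)
FIXED = (4, 8, 0)

# Characters that let a configuration value break out of a shell command line.
SHELL_META = re.compile(r"[;&|`$<>\n\\()]")


def parse_version(v: str) -> tuple:
    """Turn '4.7.2' or 'v4.7.2' into a comparable (major, minor, patch) tuple."""
    parts = v.lstrip("v").split(".")
    return tuple(int(p) for p in parts[:3])


def is_affected(version: str) -> bool:
    """True when the version lies in the vulnerable range from the advisory."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def find_suspicious_smtp_servers(ossec_conf_xml: str) -> list:
    """Return smtp_server values that contain shell metacharacters.

    Assumes the ossec.conf layout <ossec_config><global><smtp_server> (assumption).
    ossec.conf may contain several top-level <ossec_config> blocks, so the
    text is wrapped in a single synthetic root before parsing.
    """
    root = ET.fromstring("<root>" + ossec_conf_xml + "</root>")
    hits = []
    for node in root.iter("smtp_server"):
        value = (node.text or "").strip()
        if SHELL_META.search(value):
            hits.append(value)
    return hits


# Constructed sample config: one benign value and one with a shell separator.
SAMPLE_CONF = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>mail.example.com</smtp_server>
  </global>
</ossec_config>
<ossec_config>
  <global>
    <smtp_server>mail.example.com; id</smtp_server>
  </global>
</ossec_config>
"""

if __name__ == "__main__":
    print("4.7.5 affected:", is_affected("4.7.5"))   # True
    print("4.8.0 affected:", is_affected("4.8.0"))   # False
    print("suspicious smtp_server values:", find_suspicious_smtp_servers(SAMPLE_CONF))
```

Run it against a real ossec.conf by reading the file into find_suspicious_smtp_servers; any hit should be treated as a sign of tampering with a configuration that is only supposed to hold a hostname or address.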

Added: Mar 27, 2026, 5:43 PM
Updated: Mar 27, 2026, 5:43 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 10.0
exploitability: 4.7
remediation: 7.7
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.