CVE-2021-44079: 
Wazuh Agent vulnerability analysis and mitigation

A critical vulnerability was discovered in Wazuh versions 4.2.x before 4.2.5, identified as CVE-2021-44079. The vulnerability exists in the wazuh-slack active response script where untrusted user agents are passed to a curl command line without proper sanitization, potentially resulting in remote code execution (NVD, MITRE).

The vulnerability stems from a command injection bug in the active-response script wazuh-slack. The alert JSON data is put in the shell command line as POST body for curl using the snprintf function. The raw log line, which could be partially controlled by an attacker, is included in the JSON data without proper escaping of single quotes. This allows an attacker to truncate the command using single quotes in the JSON data (GitHub Issue).

The vulnerability allows remote attackers to execute arbitrary code on affected systems through specially crafted inputs. Given the CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), this indicates a severe impact on system confidentiality, integrity, and availability (NVD).

The vulnerability was fixed in Wazuh version 4.2.5. The fix includes replacing system() function calls with wpopenv(), which executes subprocesses without a shell, and sanitizing the Active Response payload for agents between 4.2.0 and 4.2.4. Special characters are converted to their hexadecimal notation to prevent command injection (GitHub PR).