CVE-2022-40497: Wazuh v3.6.1 - v3.13.5, v4.0.0 - v4.2.7, and v4.3.0 - v4.3.7 had an authenticated remote code execution (RCE) vulnerability in the Active Response endpoint.
This issue could be exploited by taking advantage of the fact that the Wazuh web interface is accessible via a web browser. To exploit it, attackers would only need an unsuspecting victim who happens to have admin rights on their device. Since Wazuh 3.13.5, the Active Response endpoint has been disabled by default. If you are running a vulnerable version and would like to enable Active Response, please follow the instructions available here. As soon as the Active Response feature is enabled, all Wazuh users should update their software to the latest version as soon as possible. This is the best practice to protect your device from possible threats and to prevent any possible malicious activity.
Wazuh 3.13.11 and earlier versions are also affected
Wazuh 3.13.11 and earlier versions are also affected by this vulnerability. If you use these versions, please upgrade to the latest available version as soon as possible and make sure that the Active Response feature is enabled.
How to check if you are vulnerable?
To check if you are vulnerable, please follow the instructions below:
1) Open Wazuh in a web browser
2) Navigate to the Active Response tab in Settings (button in top right corner)
3) Check if "Active Response is enabled"
4) If the Active Response feature is not enabled, please update your software to the latest version immediately.
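The affected version ranges listed above can also be checked across many managers at once. The following is an added example, not code from Wazuh or from the original advisory; the hostnames and version strings in the sample are constructed, and the label "affected-legacy" is a name chosen here for versions covered only by the "3.13.11 and earlier" statement.

```python
import re

# Affected ranges exactly as stated in the advisory text (inclusive bounds).
AFFECTED_RANGES = [
    ((3, 6, 1), (3, 13, 5)),
    ((4, 0, 0), (4, 2, 7)),
    ((4, 3, 0), (4, 3, 7)),
]
# The advisory separately states that 3.13.11 and earlier are affected.
ALSO_AFFECTED_UP_TO = (3, 13, 11)

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings like 'v4.3.7' or 'Wazuh v4.2.5-1'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def classify(version_text):
    """Return 'affected', 'affected-legacy' or 'not-listed' for one version string."""
    v = parse_version(version_text)
    # Integer tuples compare numerically, so 4.10.0 sorts after 4.3.7
    # (a plain string comparison would get this wrong).
    if any(low <= v <= high for low, high in AFFECTED_RANGES):
        return "affected"
    if v <= ALSO_AFFECTED_UP_TO:
        return "affected-legacy"
    return "not-listed"


def audit(inventory):
    """Map hostname -> classification; unparseable versions are flagged, not skipped."""
    report = {}
    for host, version_text in inventory.items():
        try:
            report[host] = classify(version_text)
        except ValueError:
            report[host] = "unknown-version"
    return report


if __name__ == "__main__":
    # Constructed inventory: hostnames and version strings are made up.
    sample = {"mgr-01": "v4.3.7", "mgr-02": "4.3.8", "mgr-03": "v3.13.6",
              "mgr-04": "Wazuh v4.2.5-1", "mgr-05": "v4.10.0", "mgr-06": "n/a"}
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown-version" should be checked by hand rather than treated as safe.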
Timeline
Published on: 09/28/2022 00:15:00 UTC
Last modified on: 09/29/2022 15:19:00 UTC