[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 3909-1] zabbix security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-3909-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
October 03, 2024                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : zabbix
Version        : 1:5.0.44+dfsg-1+deb11u1
CVE ID         : CVE-2022-23132 CVE-2022-23133 CVE-2022-24349 CVE-2022-24917 
                 CVE-2022-24918 CVE-2022-24919 CVE-2022-35229 CVE-2022-35230 
                 CVE-2022-43515 CVE-2023-29449 CVE-2023-29450 CVE-2023-29454 
                 CVE-2023-29455 CVE-2023-29456 CVE-2023-29457 CVE-2023-29458 
                 CVE-2023-32721 CVE-2023-32722 CVE-2023-32724 CVE-2023-32726 
                 CVE-2023-32727 CVE-2024-22114 CVE-2024-22116 CVE-2024-22119 
                 CVE-2024-22122 CVE-2024-22123 CVE-2024-36460 CVE-2024-36461
Debian Bug     : 1014992 1014994 1026847 1053877 1055175 1078553

Several security vulnerabilities have been discovered in zabbix, a network
monitoring solution, potentially among other effects allowing XSS, Code
Execution, information disclosure, remote code execution, impersonation or
session hijacking.

As the version uploaded is a new upstrea maintainance version, there a a
few minor new features and behavioural changes with this version. Please
see below for further information.

CVE-2022-23132

    During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is
    in use to access PID files in [/var/run/zabbix] folder. In this case,
    Zabbix Proxy or Server processes can bypass file read, write and execute
    permissions check on the file system level

CVE-2022-23133

    An authenticated user can create a hosts group from the configuration
    with XSS payload, which will be available for other users. When XSS is
    stored by an authenticated malicious actor and other users try to search
    for groups during new host creation, the XSS payload will fire and the
    actor can steal session cookies and perform session hijacking to
    impersonate users or take over their accounts.

CVE-2022-24349

    An authenticated user can create a hosts group from the configuration
    with XSS payload, which will be available for other users. When XSS is
    stored by an authenticated malicious actor and other users try to search
    for groups during new host creation, the XSS payload will fire and the
    actor can steal session cookies and perform session hijacking to
    impersonate users or take over their accounts.

CVE-2022-24917

    An authenticated user can create a link with reflected Javascript code
    inside it for services’ page and send it to other users. The payload can
    be executed only with a known CSRF token value of the victim, which is
    changed periodically and is difficult to predict. Malicious code has
    access to all the same objects as the rest of the web page and can make
    arbitrary modifications to the contents of the page being displayed to a
    victim during social engineering attacks.

CVE-2022-24918

    An authenticated user can create a link with reflected Javascript code
    inside it for items’ page and send it to other users. The payload can be
    executed only with a known CSRF token value of the victim, which is
    changed periodically and is difficult to predict. Malicious code has
    access to all the same objects as the rest of the web page and can make
    arbitrary modifications to the contents of the page being displayed to a
    victim during social engineering attacks.

CVE-2022-24919

    An authenticated user can create a link with reflected Javascript code
    inside it for graphs’ page and send it to other users. The payload can
    be executed only with a known CSRF token value of the victim, which is
    changed periodically and is difficult to predict. Malicious code has
    access to all the same objects as the rest of the web page and can make
    arbitrary modifications to the contents of the page being displayed to a
    victim during social engineering attacks.

CVE-2022-35229

    An authenticated user can create a link with reflected Javascript code
    inside it for the discovery page and send it to other users. The payload
    can be executed only with a known CSRF token value of the victim, which
    is changed periodically and is difficult to predict.

CVE-2022-35230

    An authenticated user can create a link with reflected Javascript code
    inside it for the graphs page and send it to other users. The payload
    can be executed only with a known CSRF token value of the victim, which
    is changed periodically and is difficult to predict.

CVE-2022-43515

    Zabbix Frontend provides a feature that allows admins to maintain the
    installation and ensure that only certain IP addresses can access it. In
    this way, any user will not be able to access the Zabbix Frontend while
    it is being maintained and possible sensitive data will be prevented
    from being disclosed.  An attacker can bypass this protection and access
    the instance using IP address not listed in the defined range.

CVE-2023-29449

    JavaScript preprocessing, webhooks and global scripts can cause
    uncontrolled CPU, memory, and disk I/O utilization.
    Preprocessing/webhook/global script configuration and testing are only
    available to Administrative roles (Admin and Superadmin). Administrative
    privileges should be typically granted to users who need to perform
    tasks that require more control over the system. The security risk is
    limited because not all users have this level of access. 

CVE-2023-29450

    JavaScript pre-processing can be used by the attacker to gain access to
    the file system (read-only access on behalf of user "zabbix") on the
    Zabbix Server or Zabbix Proxy, potentially leading to unauthorized
    access to sensitive data.

CVE-2023-29454

    A Stored or persistent cross-site scripting (XSS) vulnerability was
    found on “Users” section in “Media” tab in “Send to” form field.  When
    new media is created with malicious code included into field “Send to”
    then it will execute when editing the same media.

CVE-2023-29455

    A Reflected XSS attacks, also known as non-persistent attacks, was found
    where an attacker can pass malicious code as GET request to graph.php
    and system will save it and will execute when current graph page is
    opened.

CVE-2023-29456

    URL validation scheme receives input from a user and then parses it to
    identify its various components. The validation scheme can ensure that
    all URL components comply with internet standards.

CVE-2023-29457

    A Reflected XSS attacks, also known as non-persistent attacks, was found
    where XSS session cookies could be revealed, enabling a perpetrator to
    impersonate valid users and abuse their private accounts.

CVE-2023-29458

    Duktape is an 3rd-party embeddable JavaScript engine, with a focus on
    portability and compact footprint. When adding too many values in
    valstack JavaScript will crash. This issue occurs due to bug in Duktape
    2.6 which is an 3rd-party solution that we use.

CVE-2023-32721

    A stored XSS has been found in the Zabbix web application in the Maps
    element if a URL field is set with spaces before URL.

CVE-2023-32722

    The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow
    when parsing JSON files via zbx_json_open.

CVE-2023-32724

    Memory pointer is in a property of the Ducktape object. This leads to
    multiple vulnerabilities related to direct memory access and
    manipulation.

CVE-2023-32726

    Possible buffer overread from reading DNS responses.

CVE-2023-32727

    An attacker who has the privilege to configure Zabbix items can use
    function icmpping() with additional malicious command inside it to
    execute arbitrary code on the current Zabbix server.

CVE-2024-22114

    A user with no permission to any of the Hosts can access and view host
    count & other statistics through System Information Widget in Global
    View Dashboard.

CVE-2024-22116

    An administrator with restricted permissions can exploit the script
    execution functionality within the Monitoring Hosts section. The lack of
    default escaping for script parameters enabled this user ability to
    execute arbitrary code via the Ping script, thereby compromising
    infrastructure.

CVE-2024-22119

    Stored XSS in graph items select form

CVE-2024-22122

    Zabbix allows to configure SMS notifications. AT command injection
    occurs on "Zabbix Server" because there is no validation of "Number"
    field on Web nor on Zabbix server side. Attacker can run test of SMS
    providing specially crafted phone number and execute additional AT
    commands on the modem.

CVE-2024-22123

    Setting SMS media allows to set GSM modem file. Later this file is used
    as Linux device. But due everything is a file for Linux, it is possible
    to set another file, e.g. log file and zabbix_server will try to
    communicate with it as modem. As a result, log file will be broken with
    AT commands and small part for log file content will be leaked to UI.

CVE-2024-36460

    The front-end audit log allows viewing of unprotected plaintext
    passwords, where the passwords are displayed in plain text.

CVE-2024-36461

    Direct access to memory pointers within the JS engine for modification.
    This vulnerability allows users with access to a single item
    configuration (limited role) to compromise the whole infrastructure of
    the monitoring solution by remote code execution.

For Debian 11 bullseye, these problems have been fixed in version
1:5.0.44+dfsg-1+deb11u1.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

As stated above, this version is a new upstream maintaince release. 
Upstream's "upgrade notes" lists the following changes:
(Changes not relevant for Debian bullseye have been omitted.)

Upgrade notes for 5.0.11

    VMware event collector - The behavior of VMware event collector has been
    changed to fix a memory overload issue.

Upgrade notes for 5.0.31

    Improved performance of history syncers
    
    The performance of history syncers has been improved by introducing a
    new read-write lock. This reduces locking between history syncers,
    trappers and proxy pollers by using a shared read lock while accessing
    the configuration cache. The new lock can be write  locked only by the
    configuration syncer performing a configuration cache reload.

Upgrade notes for 5.0.32

    The following limits for JavaScript objects in preprocessing have been
    introduced:
    
    The total size of all messages that can be logged with the Log() method
    has been limited to 8 MB per script execution.
    The initialization of multiple CurlHttpRequest objects has been limited
    to 10 per script execution.  The total length of header fields that can
    be added to a single CurlHttpRequest object with the AddHeader() method
    has been limited to 128 Kbytes (special characters and header names
    included).

Attachment: signature.asc
Description: PGP signature


Reply to: