------------------------------------------------------------------------- Debian LTS Advisory DLA-3909-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost October 03, 2024 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : zabbix Version : 1:5.0.44+dfsg-1+deb11u1 CVE ID : CVE-2022-23132 CVE-2022-23133 CVE-2022-24349 CVE-2022-24917 CVE-2022-24918 CVE-2022-24919 CVE-2022-35229 CVE-2022-35230 CVE-2022-43515 CVE-2023-29449 CVE-2023-29450 CVE-2023-29454 CVE-2023-29455 CVE-2023-29456 CVE-2023-29457 CVE-2023-29458 CVE-2023-32721 CVE-2023-32722 CVE-2023-32724 CVE-2023-32726 CVE-2023-32727 CVE-2024-22114 CVE-2024-22116 CVE-2024-22119 CVE-2024-22122 CVE-2024-22123 CVE-2024-36460 CVE-2024-36461 Debian Bug : 1014992 1014994 1026847 1053877 1055175 1078553 Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially among other effects allowing XSS, Code Execution, information disclosure, remote code execution, impersonation or session hijacking. As the version uploaded is a new upstrea maintainance version, there a a few minor new features and behavioural changes with this version. Please see below for further information. CVE-2022-23132 During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permissions check on the file system level CVE-2022-23133 An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts. CVE-2022-24349 An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts. CVE-2022-24917 An authenticated user can create a link with reflected Javascript code inside it for services’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. CVE-2022-24918 An authenticated user can create a link with reflected Javascript code inside it for items’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. CVE-2022-24919 An authenticated user can create a link with reflected Javascript code inside it for graphs’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. CVE-2022-35229 An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. CVE-2022-35230 An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. CVE-2022-43515 Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be prevented from being disclosed. An attacker can bypass this protection and access the instance using IP address not listed in the defined range. CVE-2023-29449 JavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to Administrative roles (Admin and Superadmin). Administrative privileges should be typically granted to users who need to perform tasks that require more control over the system. The security risk is limited because not all users have this level of access. CVE-2023-29450 JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data. CVE-2023-29454 A Stored or persistent cross-site scripting (XSS) vulnerability was found on “Users” section in “Media” tab in “Send to” form field. When new media is created with malicious code included into field “Send to” then it will execute when editing the same media. CVE-2023-29455 A Reflected XSS attacks, also known as non-persistent attacks, was found where an attacker can pass malicious code as GET request to graph.php and system will save it and will execute when current graph page is opened. CVE-2023-29456 URL validation scheme receives input from a user and then parses it to identify its various components. The validation scheme can ensure that all URL components comply with internet standards. CVE-2023-29457 A Reflected XSS attacks, also known as non-persistent attacks, was found where XSS session cookies could be revealed, enabling a perpetrator to impersonate valid users and abuse their private accounts. CVE-2023-29458 Duktape is an 3rd-party embeddable JavaScript engine, with a focus on portability and compact footprint. When adding too many values in valstack JavaScript will crash. This issue occurs due to bug in Duktape 2.6 which is an 3rd-party solution that we use. CVE-2023-32721 A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL. CVE-2023-32722 The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow when parsing JSON files via zbx_json_open. CVE-2023-32724 Memory pointer is in a property of the Ducktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation. CVE-2023-32726 Possible buffer overread from reading DNS responses. CVE-2023-32727 An attacker who has the privilege to configure Zabbix items can use function icmpping() with additional malicious command inside it to execute arbitrary code on the current Zabbix server. CVE-2024-22114 A user with no permission to any of the Hosts can access and view host count & other statistics through System Information Widget in Global View Dashboard. CVE-2024-22116 An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user ability to execute arbitrary code via the Ping script, thereby compromising infrastructure. CVE-2024-22119 Stored XSS in graph items select form CVE-2024-22122 Zabbix allows to configure SMS notifications. AT command injection occurs on "Zabbix Server" because there is no validation of "Number" field on Web nor on Zabbix server side. Attacker can run test of SMS providing specially crafted phone number and execute additional AT commands on the modem. CVE-2024-22123 Setting SMS media allows to set GSM modem file. Later this file is used as Linux device. But due everything is a file for Linux, it is possible to set another file, e.g. log file and zabbix_server will try to communicate with it as modem. As a result, log file will be broken with AT commands and small part for log file content will be leaked to UI. CVE-2024-36460 The front-end audit log allows viewing of unprotected plaintext passwords, where the passwords are displayed in plain text. CVE-2024-36461 Direct access to memory pointers within the JS engine for modification. This vulnerability allows users with access to a single item configuration (limited role) to compromise the whole infrastructure of the monitoring solution by remote code execution. For Debian 11 bullseye, these problems have been fixed in version 1:5.0.44+dfsg-1+deb11u1. We recommend that you upgrade your zabbix packages. For the detailed security status of zabbix please refer to its security tracker page at: https://security-tracker.debian.org/tracker/zabbix Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS As stated above, this version is a new upstream maintaince release. Upstream's "upgrade notes" lists the following changes: (Changes not relevant for Debian bullseye have been omitted.) Upgrade notes for 5.0.11 VMware event collector - The behavior of VMware event collector has been changed to fix a memory overload issue. Upgrade notes for 5.0.31 Improved performance of history syncers The performance of history syncers has been improved by introducing a new read-write lock. This reduces locking between history syncers, trappers and proxy pollers by using a shared read lock while accessing the configuration cache. The new lock can be write locked only by the configuration syncer performing a configuration cache reload. Upgrade notes for 5.0.32 The following limits for JavaScript objects in preprocessing have been introduced: The total size of all messages that can be logged with the Log() method has been limited to 8 MB per script execution. The initialization of multiple CurlHttpRequest objects has been limited to 10 per script execution. The total length of header fields that can be added to a single CurlHttpRequest object with the AddHeader() method has been limited to 128 Kbytes (special characters and header names included).
Attachment:
signature.asc
Description: PGP signature