
Re: [SECURITY] [DLA 3909-1] zabbix security update (updated information to previous announcement)



Update to the Debian LTS advisory DLA-3909:

Since the upload of 1:5.0.44+dfsg-1+deb11u1, information became available
that the uploaded version fixed the following vulnerabilities in addition
to the already communicated ones:

CVE-2024-22117

    When a URL is added to the map element, it is recorded in the database
    with sequential IDs. Upon adding a new URL, the system retrieves the
    last sysmapelementurlid value and increments it by one. However, an
    issue arises when a user manually changes the sysmapelementurlid value
    by adding sysmapelementurlid + 1. This action prevents others from
    adding URLs to the map element.

CVE-2024-36463

    The implementation of atob in "Zabbix JS" allows creating a string with
    arbitrary content and using it to access internal properties of objects.

CVE-2024-36467

    An authenticated user with API access (e.g. a user with the default User
    role), more specifically a user with access to the user.update API
    endpoint, is able to add themselves to any group (e.g. Zabbix
    Administrators), except groups that are disabled or have restricted GUI
    access.


On Thu, Oct 03, 2024 at 08:05:58PM +0200, Tobias Frost wrote:
> -------------------------------------------------------------------------
> Debian LTS Advisory DLA-3909-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                         Tobias Frost
> October 03, 2024                              https://wiki.debian.org/LTS
> -------------------------------------------------------------------------
> 
> Package        : zabbix
> Version        : 1:5.0.44+dfsg-1+deb11u1
> CVE ID         : CVE-2022-23132 CVE-2022-23133 CVE-2022-24349 CVE-2022-24917 
>                  CVE-2022-24918 CVE-2022-24919 CVE-2022-35229 CVE-2022-35230 
>                  CVE-2022-43515 CVE-2023-29449 CVE-2023-29450 CVE-2023-29454 
>                  CVE-2023-29455 CVE-2023-29456 CVE-2023-29457 CVE-2023-29458 
>                  CVE-2023-32721 CVE-2023-32722 CVE-2023-32724 CVE-2023-32726 
>                  CVE-2023-32727 CVE-2024-22114 CVE-2024-22116 CVE-2024-22119 
>                  CVE-2024-22122 CVE-2024-22123 CVE-2024-36460 CVE-2024-36461
> Debian Bug     : 1014992 1014994 1026847 1053877 1055175 1078553
> 
> Several security vulnerabilities have been discovered in zabbix, a network
> monitoring solution, potentially, among other effects, allowing XSS, code
> execution, information disclosure, remote code execution, impersonation or
> session hijacking.
> 
> As the version uploaded is a new upstream maintenance version, there are a
> few minor new features and behavioural changes with this version. Please
> see below for further information.
> 
> CVE-2022-23132
> 
>     During Zabbix installation from RPM, the DAC_OVERRIDE SELinux capability is
>     in use to access PID files in the [/var/run/zabbix] folder. In this case,
>     Zabbix Proxy or Server processes can bypass file read, write and execute
>     permission checks on the file system level.
> 
> CVE-2022-23133
> 
>     An authenticated user can create a hosts group from the configuration
>     with XSS payload, which will be available for other users. When XSS is
>     stored by an authenticated malicious actor and other users try to search
>     for groups during new host creation, the XSS payload will fire and the
>     actor can steal session cookies and perform session hijacking to
>     impersonate users or take over their accounts.
> 
> CVE-2022-24349
> 
>     An authenticated user can create a hosts group from the configuration
>     with XSS payload, which will be available for other users. When XSS is
>     stored by an authenticated malicious actor and other users try to search
>     for groups during new host creation, the XSS payload will fire and the
>     actor can steal session cookies and perform session hijacking to
>     impersonate users or take over their accounts.
> 
> CVE-2022-24917
> 
>     An authenticated user can create a link with reflected Javascript code
>     inside it for services’ page and send it to other users. The payload can
>     be executed only with a known CSRF token value of the victim, which is
>     changed periodically and is difficult to predict. Malicious code has
>     access to all the same objects as the rest of the web page and can make
>     arbitrary modifications to the contents of the page being displayed to a
>     victim during social engineering attacks.
> 
> CVE-2022-24918
> 
>     An authenticated user can create a link with reflected Javascript code
>     inside it for items’ page and send it to other users. The payload can be
>     executed only with a known CSRF token value of the victim, which is
>     changed periodically and is difficult to predict. Malicious code has
>     access to all the same objects as the rest of the web page and can make
>     arbitrary modifications to the contents of the page being displayed to a
>     victim during social engineering attacks.
> 
> CVE-2022-24919
> 
>     An authenticated user can create a link with reflected Javascript code
>     inside it for graphs’ page and send it to other users. The payload can
>     be executed only with a known CSRF token value of the victim, which is
>     changed periodically and is difficult to predict. Malicious code has
>     access to all the same objects as the rest of the web page and can make
>     arbitrary modifications to the contents of the page being displayed to a
>     victim during social engineering attacks.
> 
> CVE-2022-35229
> 
>     An authenticated user can create a link with reflected Javascript code
>     inside it for the discovery page and send it to other users. The payload
>     can be executed only with a known CSRF token value of the victim, which
>     is changed periodically and is difficult to predict.
> 
> CVE-2022-35230
> 
>     An authenticated user can create a link with reflected Javascript code
>     inside it for the graphs page and send it to other users. The payload
>     can be executed only with a known CSRF token value of the victim, which
>     is changed periodically and is difficult to predict.
> 
> CVE-2022-43515
> 
>     Zabbix Frontend provides a feature that allows admins to maintain the
>     installation and ensure that only certain IP addresses can access it. In
>     this way, any user will not be able to access the Zabbix Frontend while
>     it is being maintained and possible sensitive data will be prevented
>     from being disclosed.  An attacker can bypass this protection and access
>     the instance using IP address not listed in the defined range.
> 
> CVE-2023-29449
> 
>     JavaScript preprocessing, webhooks and global scripts can cause
>     uncontrolled CPU, memory, and disk I/O utilization.
>     Preprocessing/webhook/global script configuration and testing are only
>     available to Administrative roles (Admin and Superadmin). Administrative
>     privileges should be typically granted to users who need to perform
>     tasks that require more control over the system. The security risk is
>     limited because not all users have this level of access.
> 
> CVE-2023-29450
> 
>     JavaScript pre-processing can be used by the attacker to gain access to
>     the file system (read-only access on behalf of user "zabbix") on the
>     Zabbix Server or Zabbix Proxy, potentially leading to unauthorized
>     access to sensitive data.
> 
> CVE-2023-29454
> 
>     A stored or persistent cross-site scripting (XSS) vulnerability was
>     found in the “Users” section, in the “Media” tab, in the “Send to” form
>     field. When new media is created with malicious code included in the
>     field “Send to”, it will execute when editing the same media.
> 
> CVE-2023-29455
> 
>     A reflected XSS attack, also known as a non-persistent attack, was found
>     where an attacker can pass malicious code as a GET request to graph.php;
>     the system will save it and execute it when the current graph page is
>     opened.
> 
> CVE-2023-29456
> 
>     URL validation scheme receives input from a user and then parses it to
>     identify its various components. The validation scheme can ensure that
>     all URL components comply with internet standards.
> 
> CVE-2023-29457
> 
>     A reflected XSS attack, also known as a non-persistent attack, was found
>     where session cookies could be revealed, enabling a perpetrator to
>     impersonate valid users and abuse their private accounts.
> 
> CVE-2023-29458
> 
>     Duktape is a 3rd-party embeddable JavaScript engine, with a focus on
>     portability and compact footprint. When adding too many values to the
>     valstack, JavaScript will crash. This issue occurs due to a bug in
>     Duktape 2.6, which is a 3rd-party solution that we use.
> 
> CVE-2023-32721
> 
>     A stored XSS has been found in the Zabbix web application in the Maps
>     element if a URL field is set with spaces before URL.
> 
> CVE-2023-32722
> 
>     The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow
>     when parsing JSON files via zbx_json_open.
> 
> CVE-2023-32724
> 
>     A memory pointer is in a property of the Duktape object. This leads to
>     multiple vulnerabilities related to direct memory access and
>     manipulation.
> 
> CVE-2023-32726
> 
>     Possible buffer overread from reading DNS responses.
> 
> CVE-2023-32727
> 
>     An attacker who has the privilege to configure Zabbix items can use
>     function icmpping() with additional malicious command inside it to
>     execute arbitrary code on the current Zabbix server.
> 
> CVE-2024-22114
> 
>     A user with no permission to any of the Hosts can access and view host
>     count & other statistics through System Information Widget in Global
>     View Dashboard.
> 
> CVE-2024-22116
> 
>     An administrator with restricted permissions can exploit the script
>     execution functionality within the Monitoring Hosts section. The lack of
>     default escaping for script parameters enabled this user to execute
>     arbitrary code via the Ping script, thereby compromising
>     infrastructure.
> 
> CVE-2024-22119
> 
>     Stored XSS in graph items select form
> 
> CVE-2024-22122
> 
>     Zabbix allows configuring SMS notifications. AT command injection
>     occurs on "Zabbix Server" because there is no validation of the "Number"
>     field, neither on the Web nor on the Zabbix server side. An attacker can
>     run an SMS test providing a specially crafted phone number and execute
>     additional AT commands on the modem.
> 
> CVE-2024-22123
> 
>     Setting SMS media allows setting a GSM modem file. Later this file is
>     used as a Linux device. But because everything is a file in Linux, it is
>     possible to set another file, e.g. a log file, and zabbix_server will try
>     to communicate with it as a modem. As a result, the log file will be
>     corrupted with AT commands and a small part of the log file content will
>     be leaked to the UI.
> 
> CVE-2024-36460
> 
>     The front-end audit log allows viewing of unprotected plaintext
>     passwords, where the passwords are displayed in plain text.
> 
> CVE-2024-36461
> 
>     Direct access to memory pointers within the JS engine for modification.
>     This vulnerability allows users with access to a single item
>     configuration (limited role) to compromise the whole infrastructure of
>     the monitoring solution by remote code execution.
> 
> For Debian 11 bullseye, these problems have been fixed in version
> 1:5.0.44+dfsg-1+deb11u1.
> 
> We recommend that you upgrade your zabbix packages.
> 
> For the detailed security status of zabbix please refer to
> its security tracker page at:
> https://security-tracker.debian.org/tracker/zabbix
> 
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
> 
> As stated above, this version is a new upstream maintenance release.
> Upstream's "upgrade notes" list the following changes:
> (Changes not relevant for Debian bullseye have been omitted.)
> 
> Upgrade notes for 5.0.11
> 
>     VMware event collector - The behavior of VMware event collector has been
>     changed to fix a memory overload issue.
> 
> Upgrade notes for 5.0.31
> 
>     Improved performance of history syncers
>     
>     The performance of history syncers has been improved by introducing a
>     new read-write lock. This reduces locking between history syncers,
>     trappers and proxy pollers by using a shared read lock while accessing
>     the configuration cache. The new lock can be write-locked only by the
>     configuration syncer performing a configuration cache reload.
> 
> Upgrade notes for 5.0.32
> 
>     The following limits for JavaScript objects in preprocessing have been
>     introduced:
>     
>     The total size of all messages that can be logged with the Log() method
>     has been limited to 8 MB per script execution.
>     
>     The initialization of multiple CurlHttpRequest objects has been limited
>     to 10 per script execution.
>     
>     The total length of header fields that can be added to a single
>     CurlHttpRequest object with the AddHeader() method has been limited to
>     128 Kbytes (special characters and header names included).
> 
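The two SMS media issues quoted above (CVE-2024-22122, an unvalidated "Number" field that lets extra AT commands reach the modem, and CVE-2024-22123, a modem "file" that is not actually a modem) both come down to missing input checks. The following is an added example, not code from this advisory, from Debian or from Zabbix: it shows the unchecked interpolation beside a hardened variant, plus a configuration check that rejects anything that is not a character device under /dev. The AT+CMGS framing and all sample inputs are assumptions for illustration; the page does not show Zabbix's actual modem dialogue.

```python
import os
import re
import stat

# Allowlist for the SMS "Number" field: optional leading "+", then 3..15 digits.
# Control characters (CR/LF), quotes and letters never match, so a value that
# tries to smuggle a second AT command is refused before it reaches the modem.
_NUMBER_RE = re.compile(r"\+?[0-9]{3,15}")


def number_is_safe(number: str) -> bool:
    """True only if the number is an optional '+' followed by digits."""
    return _NUMBER_RE.fullmatch(number) is not None


def device_is_modem(path: str) -> bool:
    """True only for a character device whose resolved path lives under /dev.

    A regular file (a log file, for instance) is rejected even though it can be
    opened and written to just like a serial port.
    """
    real = os.path.realpath(path)
    if not real.startswith("/dev/"):
        return False
    try:
        st = os.stat(real)
    except OSError:
        return False
    return stat.S_ISCHR(st.st_mode)


def build_cmgs_unchecked(number: str) -> bytes:
    """The unsafe pattern: the field is interpolated verbatim into the command.

    A value containing "\\r" terminates the command early; whatever follows the
    CR is read by the modem as a separate AT command. The AT+CMGS framing is an
    assumption for illustration, not Zabbix's real modem dialogue.
    """
    return f'AT+CMGS="{number}"\r'.encode()


def build_cmgs(number: str) -> bytes:
    """Hardened variant: validate first, then build the same command."""
    if not number_is_safe(number):
        raise ValueError(f"rejected SMS number {number!r}")
    return build_cmgs_unchecked(number)


def check_sms_media(device: str, number: str) -> list:
    """Vet an SMS media configuration; an empty list means both fields pass."""
    problems = []
    if not device_is_modem(device):
        problems.append(f"{device}: not a character device under /dev")
    if not number_is_safe(number):
        problems.append(f"{number!r}: not an optional '+' followed by 3-15 digits")
    return problems


if __name__ == "__main__":
    # Constructed inputs for illustration; device paths may not exist on your host.
    print(check_sms_media("/dev/ttyUSB0", "+37120000000"))
    print(check_sms_media("/var/log/zabbix/zabbix_server.log", "+37120000000"))
    print(check_sms_media("/dev/ttyUSB0", "123\rATI\r"))
```

The device check follows symlinks on purpose (udev names such as /dev/serial/by-id/... are links to a tty device) but still requires the target to be a character device; the number check is an allowlist rather than an attempt to strip CR/LF, so there is nothing for an encoder or a second modem command syntax to slip past.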

