Update to the Debian LTS advisory DLA-3909:

Since the upload of 1:5.0.44+dfsg-1+deb11u1 information became available
that the uploaded version fixed the following vulnerabilities in addition
to the already communicated ones:

CVE-2024-22117

    When a URL is added to the map element, it is recorded in the database
    with sequential IDs. Upon adding a new URL, the system retrieves the
    last sysmapelementurlid value and increments it by one. However, an
    issue arises when a user manually changes the sysmapelementurlid value
    by adding sysmapelementurlid + 1. This action prevents others from
    adding URLs to the map element.

CVE-2024-36463

    The implementation of atob in "Zabbix JS" allows creating a string with
    arbitrary content and using it to access internal properties of
    objects.

CVE-2024-36467

    An authenticated user with API access (e.g. a user with the default
    User role), more specifically a user with access to the user.update
    API endpoint, is able to add themselves to any group (e.g. Zabbix
    Administrators), except groups that are disabled or have restricted
    GUI access.
On Thu, Oct 03, 2024 at 08:05:58PM +0200, Tobias Frost wrote:
> -------------------------------------------------------------------------
> Debian LTS Advisory DLA-3909-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                        Tobias Frost
> October 03, 2024                              https://wiki.debian.org/LTS
> -------------------------------------------------------------------------
>
> Package        : zabbix
> Version        : 1:5.0.44+dfsg-1+deb11u1
> CVE ID         : CVE-2022-23132 CVE-2022-23133 CVE-2022-24349 CVE-2022-24917
>                  CVE-2022-24918 CVE-2022-24919 CVE-2022-35229 CVE-2022-35230
>                  CVE-2022-43515 CVE-2023-29449 CVE-2023-29450 CVE-2023-29454
>                  CVE-2023-29455 CVE-2023-29456 CVE-2023-29457 CVE-2023-29458
>                  CVE-2023-32721 CVE-2023-32722 CVE-2023-32724 CVE-2023-32726
>                  CVE-2023-32727 CVE-2024-22114 CVE-2024-22116 CVE-2024-22119
>                  CVE-2024-22122 CVE-2024-22123 CVE-2024-36460 CVE-2024-36461
> Debian Bug     : 1014992 1014994 1026847 1053877 1055175 1078553
>
> Several security vulnerabilities have been discovered in zabbix, a network
> monitoring solution, potentially among other effects allowing XSS, code
> execution, information disclosure, remote code execution, impersonation or
> session hijacking.
>
> As the version uploaded is a new upstream maintenance version, there are a
> few minor new features and behavioural changes with this version. Please
> see below for further information.
>
> CVE-2022-23132
>
>     During Zabbix installation from RPM, the DAC_OVERRIDE SELinux
>     capability is in use to access PID files in the [/var/run/zabbix]
>     folder. In this case, Zabbix Proxy or Server processes can bypass the
>     file read, write and execute permission checks on the file system
>     level.
>
> CVE-2022-23133
>
>     An authenticated user can create a hosts group from the configuration
>     with an XSS payload, which will be available for other users. When the
>     XSS is stored by an authenticated malicious actor and other users try
>     to search for groups during new host creation, the XSS payload will
>     fire and the actor can steal session cookies and perform session
>     hijacking to impersonate users or take over their accounts.
>
> CVE-2022-24349
>
>     An authenticated user can create a hosts group from the configuration
>     with an XSS payload, which will be available for other users. When the
>     XSS is stored by an authenticated malicious actor and other users try
>     to search for groups during new host creation, the XSS payload will
>     fire and the actor can steal session cookies and perform session
>     hijacking to impersonate users or take over their accounts.
>
> CVE-2022-24917
>
>     An authenticated user can create a link with reflected JavaScript code
>     inside it for the services' page and send it to other users. The
>     payload can be executed only with a known CSRF token value of the
>     victim, which is changed periodically and is difficult to predict.
>     Malicious code has access to all the same objects as the rest of the
>     web page and can make arbitrary modifications to the contents of the
>     page being displayed to a victim during social engineering attacks.
>
> CVE-2022-24918
>
>     An authenticated user can create a link with reflected JavaScript code
>     inside it for the items' page and send it to other users. The payload
>     can be executed only with a known CSRF token value of the victim,
>     which is changed periodically and is difficult to predict. Malicious
>     code has access to all the same objects as the rest of the web page
>     and can make arbitrary modifications to the contents of the page being
>     displayed to a victim during social engineering attacks.
>
> CVE-2022-24919
>
>     An authenticated user can create a link with reflected JavaScript code
>     inside it for the graphs' page and send it to other users. The payload
>     can be executed only with a known CSRF token value of the victim,
>     which is changed periodically and is difficult to predict. Malicious
>     code has access to all the same objects as the rest of the web page
>     and can make arbitrary modifications to the contents of the page being
>     displayed to a victim during social engineering attacks.
>
> CVE-2022-35229
>
>     An authenticated user can create a link with reflected JavaScript code
>     inside it for the discovery page and send it to other users. The
>     payload can be executed only with a known CSRF token value of the
>     victim, which is changed periodically and is difficult to predict.
>
> CVE-2022-35230
>
>     An authenticated user can create a link with reflected JavaScript code
>     inside it for the graphs page and send it to other users. The payload
>     can be executed only with a known CSRF token value of the victim,
>     which is changed periodically and is difficult to predict.
>
> CVE-2022-43515
>
>     Zabbix Frontend provides a feature that allows admins to maintain the
>     installation and ensure that only certain IP addresses can access it.
>     In this way, no user will be able to access the Zabbix Frontend while
>     it is being maintained and possibly sensitive data will be prevented
>     from being disclosed. An attacker can bypass this protection and
>     access the instance using an IP address not listed in the defined
>     range.
>
> CVE-2023-29449
>
>     JavaScript preprocessing, webhooks and global scripts can cause
>     uncontrolled CPU, memory, and disk I/O utilization.
>     Preprocessing/webhook/global script configuration and testing are only
>     available to Administrative roles (Admin and Superadmin).
>     Administrative privileges should typically be granted to users who
>     need to perform tasks that require more control over the system. The
>     security risk is limited because not all users have this level of
>     access.
>
> CVE-2023-29450
>
>     JavaScript pre-processing can be used by the attacker to gain access
>     to the file system (read-only access on behalf of user "zabbix") on
>     the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized
>     access to sensitive data.
>
> CVE-2023-29454
>
>     A stored or persistent cross-site scripting (XSS) vulnerability was
>     found in the "Users" section in the "Media" tab in the "Send to" form
>     field. When new media is created with malicious code included in the
>     field "Send to", it will execute when editing the same media.
>
> CVE-2023-29455
>
>     A reflected XSS attack, also known as a non-persistent attack, was
>     found where an attacker can pass malicious code as a GET request to
>     graph.php and the system will save it and execute it when the current
>     graph page is opened.
>
> CVE-2023-29456
>
>     The URL validation scheme receives input from a user and then parses
>     it to identify its various components. The validation scheme can
>     ensure that all URL components comply with internet standards.
>
> CVE-2023-29457
>
>     A reflected XSS attack, also known as a non-persistent attack, was
>     found where XSS session cookies could be revealed, enabling a
>     perpetrator to impersonate valid users and abuse their private
>     accounts.
>
> CVE-2023-29458
>
>     Duktape is a 3rd-party embeddable JavaScript engine, with a focus on
>     portability and compact footprint. When adding too many values in the
>     valstack, JavaScript will crash. This issue occurs due to a bug in
>     Duktape 2.6, which is a 3rd-party solution that we use.
>
> CVE-2023-32721
>
>     A stored XSS has been found in the Zabbix web application in the Maps
>     element if a URL field is set with spaces before the URL.
>
> CVE-2023-32722
>
>     The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow
>     when parsing JSON files via zbx_json_open.
>
> CVE-2023-32724
>
>     A memory pointer is in a property of the Duktape object. This leads to
>     multiple vulnerabilities related to direct memory access and
>     manipulation.
>
> CVE-2023-32726
>
>     Possible buffer overread from reading DNS responses.
>
> CVE-2023-32727
>
>     An attacker who has the privilege to configure Zabbix items can use
>     the function icmpping() with an additional malicious command inside it
>     to execute arbitrary code on the current Zabbix server.
>
> CVE-2024-22114
>
>     A user with no permission to any of the Hosts can access and view the
>     host count and other statistics through the System Information Widget
>     in the Global View Dashboard.
>
> CVE-2024-22116
>
>     An administrator with restricted permissions can exploit the script
>     execution functionality within the Monitoring Hosts section. The lack
>     of default escaping for script parameters enabled this user to execute
>     arbitrary code via the Ping script, thereby compromising
>     infrastructure.
>
> CVE-2024-22119
>
>     Stored XSS in the graph items select form.
>
> CVE-2024-22122
>
>     Zabbix allows configuring SMS notifications. AT command injection
>     occurs on "Zabbix Server" because there is no validation of the
>     "Number" field on the Web nor on the Zabbix server side. An attacker
>     can run a test of SMS providing a specially crafted phone number and
>     execute additional AT commands on the modem.
>
> CVE-2024-22123
>
>     Setting SMS media allows setting the GSM modem file. Later this file
>     is used as a Linux device. But because everything is a file on Linux,
>     it is possible to set another file, e.g. a log file, and zabbix_server
>     will try to communicate with it as a modem. As a result, the log file
>     will be broken with AT commands and a small part of the log file
>     content will be leaked to the UI.
>
> CVE-2024-36460
>
>     The front-end audit log allows viewing of unprotected plaintext
>     passwords, where the passwords are displayed in plain text.
>
> CVE-2024-36461
>
>     Direct access to memory pointers within the JS engine for
>     modification. This vulnerability allows users with access to a single
>     item configuration (limited role) to compromise the whole
>     infrastructure of the monitoring solution by remote code execution.
>
> For Debian 11 bullseye, these problems have been fixed in version
> 1:5.0.44+dfsg-1+deb11u1.
>
> We recommend that you upgrade your zabbix packages.
>
> For the detailed security status of zabbix please refer to
> its security tracker page at:
> https://security-tracker.debian.org/tracker/zabbix
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
>
> As stated above, this version is a new upstream maintenance release.
> Upstream's "upgrade notes" lists the following changes:
> (Changes not relevant for Debian bullseye have been omitted.)
>
> Upgrade notes for 5.0.11
>
>     VMware event collector - The behavior of the VMware event collector
>     has been changed to fix a memory overload issue.
>
> Upgrade notes for 5.0.31
>
>     Improved performance of history syncers
>
>     The performance of history syncers has been improved by introducing a
>     new read-write lock. This reduces locking between history syncers,
>     trappers and proxy pollers by using a shared read lock while accessing
>     the configuration cache. The new lock can be write locked only by the
>     configuration syncer performing a configuration cache reload.
>
> Upgrade notes for 5.0.32
>
>     The following limits for JavaScript objects in preprocessing have
>     been introduced:
>
>     The total size of all messages that can be logged with the Log()
>     method has been limited to 8 MB per script execution.
>     The initialization of multiple CurlHttpRequest objects has been
>     limited to 10 per script execution. The total length of header fields
>     that can be added to a single CurlHttpRequest object with the
>     AddHeader() method has been limited to 128 Kbytes (special characters
>     and header names included).
>