Update to the Debian LTS advisory DLA-3909:
Since the upload of 1:5.0.44+dfsg-1+deb11u1, information became available
that the uploaded version fixed the following vulnerabilities in addition
to the already communicated ones:
CVE-2024-22117
When a URL is added to the map element, it is recorded in the database
with sequential IDs. Upon adding a new URL, the system retrieves the
last sysmapelementurlid value and increments it by one. However, an
issue arises when a user manually changes the sysmapelementurlid value
by adding sysmapelementurlid + 1. This action prevents others from
adding URLs to the map element.
CVE-2024-36463
The implementation of atob in "Zabbix JS" allows creating a string with
arbitrary content and using it to access internal properties of objects.
CVE-2024-36467
An authenticated user with API access (e.g. a user with the default User
role), more specifically a user with access to the user.update API
endpoint, is able to add themselves to any group (e.g. Zabbix
Administrators), except groups that are disabled or have restricted GUI
access.
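For the CVE-2024-36467 entry above, the state a defender wants to watch is privileged group membership: a user who added themselves to Zabbix Administrators shows up in the reply of the Zabbix JSON-RPC method user.get when it is called with selectUsrgrps. The script below is an added example, not part of the advisory or of Zabbix; user.get, its output and selectUsrgrps parameters and the 5.0-era alias field are real, while the sample replies, the group name spelling "Zabbix administrators", the allowlist and the auth token are constructed for the example.

```python
"""Audit Zabbix user-group membership for unexpected privileged members.

Added example for the CVE-2024-36467 entry; not part of the advisory or of
Zabbix.  It consumes the reply of the real JSON-RPC method ``user.get``
(called with ``selectUsrgrps: "extend"``); the replies embedded here are
constructed, and the group name and allowlist are assumptions.
"""
import json


def build_user_get_request(auth_token, request_id=1):
    """JSON-RPC body for user.get that includes each user's groups.

    ``output`` and ``selectUsrgrps`` are real user.get parameters; the
    token is whatever user.login returned (not obtained in this example).
    """
    return {
        "jsonrpc": "2.0",
        "method": "user.get",
        "params": {"output": ["userid", "alias"], "selectUsrgrps": "extend"},
        "auth": auth_token,
        "id": request_id,
    }


# Constructed sample replies (Zabbix 5.0 shape: users carry an ``alias`` and
# a ``usrgrps`` list).  Ids, names and the "jdoe" user are made up.
BASELINE_REPLY = json.loads("""
{"jsonrpc": "2.0", "id": 1, "result": [
  {"userid": "1", "alias": "Admin",
   "usrgrps": [{"usrgrpid": "7", "name": "Zabbix administrators"}]},
  {"userid": "5", "alias": "report-viewer",
   "usrgrps": [{"usrgrpid": "8", "name": "Guests"}]},
  {"userid": "9", "alias": "jdoe",
   "usrgrps": [{"usrgrpid": "8", "name": "Guests"}]}
]}
""")

SAMPLE_REPLY = json.loads("""
{"jsonrpc": "2.0", "id": 2, "result": [
  {"userid": "1", "alias": "Admin",
   "usrgrps": [{"usrgrpid": "7", "name": "Zabbix administrators"}]},
  {"userid": "5", "alias": "report-viewer",
   "usrgrps": [{"usrgrpid": "8", "name": "Guests"}]},
  {"userid": "9", "alias": "jdoe",
   "usrgrps": [{"usrgrpid": "8", "name": "Guests"},
               {"usrgrpid": "7", "name": "Zabbix administrators"}]}
]}
""")

# Privileged groups and who is expected in them (assumed baseline).
PRIVILEGED_GROUPS = {"Zabbix administrators"}
EXPECTED_MEMBERS = {"Zabbix administrators": {"Admin"}}


def memberships(reply):
    """Flatten a user.get reply into a set of (alias, group name) pairs."""
    pairs = set()
    for user in reply["result"]:
        for group in user.get("usrgrps", []):
            pairs.add((user["alias"], group["name"]))
    return pairs


def unexpected_privileged_members(reply, privileged=PRIVILEGED_GROUPS,
                                  expected=EXPECTED_MEMBERS):
    """Users in a privileged group who are not on that group's allowlist.

    Returns a sorted list of (alias, group) so reports are stable.
    """
    return sorted(
        (alias, group)
        for alias, group in memberships(reply)
        if group in privileged and alias not in expected.get(group, set())
    )


def new_memberships(baseline_reply, current_reply):
    """Memberships present now that were absent from an earlier snapshot.

    Diffing two stored replies catches a self-added membership even when
    the allowlist is incomplete or out of date.
    """
    return sorted(memberships(current_reply) - memberships(baseline_reply))


if __name__ == "__main__":
    for alias, group in unexpected_privileged_members(SAMPLE_REPLY):
        print(f"ALERT: {alias} is in {group} but is not expected there")
    for alias, group in new_memberships(BASELINE_REPLY, SAMPLE_REPLY):
        print(f"NEW: {alias} joined {group} since the baseline snapshot")
```

Both checks are worth keeping: the allowlist comparison flags the current state, while the snapshot diff flags the change itself, which is the signal to correlate with audit-log entries for user.update from the affected period.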
On Thu, Oct 03, 2024 at 08:05:58PM +0200, Tobias Frost wrote:
> -------------------------------------------------------------------------
> Debian LTS Advisory DLA-3909-1 debian-lts@lists.debian.org
> https://www.debian.org/lts/security/ Tobias Frost
> October 03, 2024 https://wiki.debian.org/LTS
> -------------------------------------------------------------------------
>
> Package : zabbix
> Version : 1:5.0.44+dfsg-1+deb11u1
> CVE ID : CVE-2022-23132 CVE-2022-23133 CVE-2022-24349 CVE-2022-24917
> CVE-2022-24918 CVE-2022-24919 CVE-2022-35229 CVE-2022-35230
> CVE-2022-43515 CVE-2023-29449 CVE-2023-29450 CVE-2023-29454
> CVE-2023-29455 CVE-2023-29456 CVE-2023-29457 CVE-2023-29458
> CVE-2023-32721 CVE-2023-32722 CVE-2023-32724 CVE-2023-32726
> CVE-2023-32727 CVE-2024-22114 CVE-2024-22116 CVE-2024-22119
> CVE-2024-22122 CVE-2024-22123 CVE-2024-36460 CVE-2024-36461
> Debian Bug : 1014992 1014994 1026847 1053877 1055175 1078553
>
> Several security vulnerabilities have been discovered in zabbix, a network
> monitoring solution, potentially among other effects allowing XSS, Code
> Execution, information disclosure, remote code execution, impersonation or
> session hijacking.
>
> As the version uploaded is a new upstream maintenance version, there are a
> few minor new features and behavioural changes with this version. Please
> see below for further information.
>
> CVE-2022-23132
>
> During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is
> in use to access PID files in [/var/run/zabbix] folder. In this case,
> Zabbix Proxy or Server processes can bypass file read, write and execute
> permissions check on the file system level
>
> CVE-2022-23133
>
> An authenticated user can create a hosts group from the configuration
> with XSS payload, which will be available for other users. When XSS is
> stored by an authenticated malicious actor and other users try to search
> for groups during new host creation, the XSS payload will fire and the
> actor can steal session cookies and perform session hijacking to
> impersonate users or take over their accounts.
>
> CVE-2022-24349
>
> An authenticated user can create a hosts group from the configuration
> with XSS payload, which will be available for other users. When XSS is
> stored by an authenticated malicious actor and other users try to search
> for groups during new host creation, the XSS payload will fire and the
> actor can steal session cookies and perform session hijacking to
> impersonate users or take over their accounts.
>
> CVE-2022-24917
>
> An authenticated user can create a link with reflected Javascript code
> inside it for services’ page and send it to other users. The payload can
> be executed only with a known CSRF token value of the victim, which is
> changed periodically and is difficult to predict. Malicious code has
> access to all the same objects as the rest of the web page and can make
> arbitrary modifications to the contents of the page being displayed to a
> victim during social engineering attacks.
>
> CVE-2022-24918
>
> An authenticated user can create a link with reflected Javascript code
> inside it for items’ page and send it to other users. The payload can be
> executed only with a known CSRF token value of the victim, which is
> changed periodically and is difficult to predict. Malicious code has
> access to all the same objects as the rest of the web page and can make
> arbitrary modifications to the contents of the page being displayed to a
> victim during social engineering attacks.
>
> CVE-2022-24919
>
> An authenticated user can create a link with reflected Javascript code
> inside it for graphs’ page and send it to other users. The payload can
> be executed only with a known CSRF token value of the victim, which is
> changed periodically and is difficult to predict. Malicious code has
> access to all the same objects as the rest of the web page and can make
> arbitrary modifications to the contents of the page being displayed to a
> victim during social engineering attacks.
>
> CVE-2022-35229
>
> An authenticated user can create a link with reflected Javascript code
> inside it for the discovery page and send it to other users. The payload
> can be executed only with a known CSRF token value of the victim, which
> is changed periodically and is difficult to predict.
>
> CVE-2022-35230
>
> An authenticated user can create a link with reflected Javascript code
> inside it for the graphs page and send it to other users. The payload
> can be executed only with a known CSRF token value of the victim, which
> is changed periodically and is difficult to predict.
>
> CVE-2022-43515
>
> Zabbix Frontend provides a feature that allows admins to maintain the
> installation and ensure that only certain IP addresses can access it. In
> this way, no user will be able to access the Zabbix Frontend while
> it is being maintained and possible sensitive data will be prevented
> from being disclosed. An attacker can bypass this protection and access
> the instance using an IP address not listed in the defined range.
>
> CVE-2023-29449
>
> JavaScript preprocessing, webhooks and global scripts can cause
> uncontrolled CPU, memory, and disk I/O utilization.
> Preprocessing/webhook/global script configuration and testing are only
> available to Administrative roles (Admin and Superadmin). Administrative
> privileges should be typically granted to users who need to perform
> tasks that require more control over the system. The security risk is
> limited because not all users have this level of access.
>
> CVE-2023-29450
>
> JavaScript pre-processing can be used by the attacker to gain access to
> the file system (read-only access on behalf of user "zabbix") on the
> Zabbix Server or Zabbix Proxy, potentially leading to unauthorized
> access to sensitive data.
>
> CVE-2023-29454
>
> A stored or persistent cross-site scripting (XSS) vulnerability was
> found in the “Users” section, in the “Media” tab, in the “Send to” form
> field. When new media is created with malicious code included in the
> “Send to” field, it will execute when editing the same media.
>
> CVE-2023-29455
>
> A reflected XSS attack, also known as a non-persistent attack, was found
> where an attacker can pass malicious code as a GET request to graph.php
> and the system will save it and execute it when the current graph page
> is opened.
>
> CVE-2023-29456
>
> URL validation scheme receives input from a user and then parses it to
> identify its various components. The validation scheme can ensure that
> all URL components comply with internet standards.
>
> CVE-2023-29457
>
> A reflected XSS attack, also known as a non-persistent attack, was found
> where XSS session cookies could be revealed, enabling a perpetrator to
> impersonate valid users and abuse their private accounts.
>
> CVE-2023-29458
>
> Duktape is a 3rd-party embeddable JavaScript engine, with a focus on
> portability and compact footprint. When adding too many values in the
> valstack, JavaScript will crash. This issue occurs due to a bug in
> Duktape 2.6, which is a 3rd-party solution that we use.
>
> CVE-2023-32721
>
> A stored XSS has been found in the Zabbix web application in the Maps
> element if a URL field is set with spaces before the URL.
>
> CVE-2023-32722
>
> The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow
> when parsing JSON files via zbx_json_open.
>
> CVE-2023-32724
>
> A memory pointer is in a property of the Duktape object. This leads to
> multiple vulnerabilities related to direct memory access and
> manipulation.
>
> CVE-2023-32726
>
> Possible buffer overread from reading DNS responses.
>
> CVE-2023-32727
>
> An attacker who has the privilege to configure Zabbix items can use
> function icmpping() with additional malicious command inside it to
> execute arbitrary code on the current Zabbix server.
>
> CVE-2024-22114
>
> A user with no permission to any of the Hosts can access and view host
> count & other statistics through System Information Widget in Global
> View Dashboard.
>
> CVE-2024-22116
>
> An administrator with restricted permissions can exploit the script
> execution functionality within the Monitoring Hosts section. The lack of
> default escaping for script parameters enabled this user to execute
> arbitrary code via the Ping script, thereby compromising
> infrastructure.
>
> CVE-2024-22119
>
> Stored XSS in graph items select form
>
> CVE-2024-22122
>
> Zabbix allows configuring SMS notifications. AT command injection
> occurs on "Zabbix Server" because there is no validation of the "Number"
> field on the Web nor on the Zabbix server side. An attacker can run an
> SMS test providing a specially crafted phone number and execute
> additional AT commands on the modem.
>
> CVE-2024-22123
>
> Setting SMS media allows setting the GSM modem file. Later this file is
> used as a Linux device. But because everything is a file for Linux, it
> is possible to set another file, e.g. a log file, and zabbix_server will
> try to communicate with it as a modem. As a result, the log file will be
> broken with AT commands and a small part of the log file content will be
> leaked to the UI.
>
> CVE-2024-36460
>
> The front-end audit log allows viewing of unprotected plaintext
> passwords, where the passwords are displayed in plain text.
>
> CVE-2024-36461
>
> Direct access to memory pointers within the JS engine for modification.
> This vulnerability allows users with access to a single item
> configuration (limited role) to compromise the whole infrastructure of
> the monitoring solution by remote code execution.
>
> For Debian 11 bullseye, these problems have been fixed in version
> 1:5.0.44+dfsg-1+deb11u1.
>
> We recommend that you upgrade your zabbix packages.
>
> For the detailed security status of zabbix please refer to
> its security tracker page at:
> https://security-tracker.debian.org/tracker/zabbix
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
>
> As stated above, this version is a new upstream maintenance release.
> Upstream's "upgrade notes" list the following changes:
> (Changes not relevant for Debian bullseye have been omitted.)
>
> Upgrade notes for 5.0.11
>
> VMware event collector - The behavior of VMware event collector has been
> changed to fix a memory overload issue.
>
> Upgrade notes for 5.0.31
>
> Improved performance of history syncers
>
> The performance of history syncers has been improved by introducing a
> new read-write lock. This reduces locking between history syncers,
> trappers and proxy pollers by using a shared read lock while accessing
> the configuration cache. The new lock can be write locked only by the
> configuration syncer performing a configuration cache reload.
>
> Upgrade notes for 5.0.32
>
> The following limits for JavaScript objects in preprocessing have been
> introduced:
>
> The total size of all messages that can be logged with the Log() method
> has been limited to 8 MB per script execution.
> The initialization of multiple CurlHttpRequest objects has been limited
> to 10 per script execution. The total length of header fields that can
> be added to a single CurlHttpRequest object with the AddHeader() method
> has been limited to 128 Kbytes (special characters and header names
> included).
>