-------------------------------------------------------------------------
Debian LTS Advisory DLA-3909-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
October 03, 2024                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : zabbix
Version        : 1:5.0.44+dfsg-1+deb11u1
CVE ID         : CVE-2022-23132 CVE-2022-23133 CVE-2022-24349 CVE-2022-24917 
                 CVE-2022-24918 CVE-2022-24919 CVE-2022-35229 CVE-2022-35230 
                 CVE-2022-43515 CVE-2023-29449 CVE-2023-29450 CVE-2023-29454 
                 CVE-2023-29455 CVE-2023-29456 CVE-2023-29457 CVE-2023-29458 
                 CVE-2023-32721 CVE-2023-32722 CVE-2023-32724 CVE-2023-32726 
                 CVE-2023-32727 CVE-2024-22114 CVE-2024-22116 CVE-2024-22119 
                 CVE-2024-22122 CVE-2024-22123 CVE-2024-36460 CVE-2024-36461
Debian Bug     : 1014992 1014994 1026847 1053877 1055175 1078553

Several security vulnerabilities have been discovered in zabbix, a network
monitoring solution. Among other effects, they potentially allow cross-site
scripting (XSS), code execution, information disclosure, remote code
execution, impersonation or session hijacking.

As the uploaded version is a new upstream maintenance release, it brings a
few minor new features and behavioural changes. Please see below for further
information.

CVE-2022-23132

    During Zabbix installation from RPM, the DAC_OVERRIDE SELinux capability
    is used to access PID files in the [/var/run/zabbix] folder. In this
    case, Zabbix Proxy or Server processes can bypass file read, write and
    execute permission checks at the file system level.

CVE-2022-23133

    An authenticated user can create a hosts group from the configuration
    with XSS payload, which will be available for other users. When XSS is
    stored by an authenticated malicious actor and other users try to search
    for groups during new host creation, the XSS payload will fire and the
    actor can steal session cookies and perform session hijacking to
    impersonate users or take over their accounts.

CVE-2022-24349

    An authenticated user can create a hosts group from the configuration
    with XSS payload, which will be available for other users. When XSS is
    stored by an authenticated malicious actor and other users try to search
    for groups during new host creation, the XSS payload will fire and the
    actor can steal session cookies and perform session hijacking to
    impersonate users or take over their accounts.

CVE-2022-24917

    An authenticated user can create a link with reflected Javascript code
    inside it for services’ page and send it to other users. The payload can
    be executed only with a known CSRF token value of the victim, which is
    changed periodically and is difficult to predict. Malicious code has
    access to all the same objects as the rest of the web page and can make
    arbitrary modifications to the contents of the page being displayed to a
    victim during social engineering attacks.

CVE-2022-24918

    An authenticated user can create a link with reflected Javascript code
    inside it for items’ page and send it to other users. The payload can be
    executed only with a known CSRF token value of the victim, which is
    changed periodically and is difficult to predict. Malicious code has
    access to all the same objects as the rest of the web page and can make
    arbitrary modifications to the contents of the page being displayed to a
    victim during social engineering attacks.

CVE-2022-24919

    An authenticated user can create a link with reflected Javascript code
    inside it for graphs’ page and send it to other users. The payload can
    be executed only with a known CSRF token value of the victim, which is
    changed periodically and is difficult to predict. Malicious code has
    access to all the same objects as the rest of the web page and can make
    arbitrary modifications to the contents of the page being displayed to a
    victim during social engineering attacks.

CVE-2022-35229

    An authenticated user can create a link with reflected Javascript code
    inside it for the discovery page and send it to other users. The payload
    can be executed only with a known CSRF token value of the victim, which
    is changed periodically and is difficult to predict.

CVE-2022-35230

    An authenticated user can create a link with reflected Javascript code
    inside it for the graphs page and send it to other users. The payload
    can be executed only with a known CSRF token value of the victim, which
    is changed periodically and is difficult to predict.

CVE-2022-43515

    Zabbix Frontend provides a feature that allows admins to maintain the
    installation and ensure that only certain IP addresses can access it. In
    this way, no other user can access the Zabbix Frontend while it is being
    maintained, and possibly sensitive data is prevented from being
    disclosed. An attacker can bypass this protection and access the
    instance using an IP address not listed in the defined range.

CVE-2023-29449

    JavaScript preprocessing, webhooks and global scripts can cause
    uncontrolled CPU, memory, and disk I/O utilization.
    Preprocessing/webhook/global script configuration and testing are only
    available to Administrative roles (Admin and Superadmin). Administrative
    privileges should typically be granted only to users who need to perform
    tasks that require more control over the system. The security risk is
    limited because not all users have this level of access.

CVE-2023-29450

    JavaScript pre-processing can be used by an attacker to gain access to
    the file system (read-only access on behalf of user "zabbix") on the
    Zabbix Server or Zabbix Proxy, potentially leading to unauthorized
    access to sensitive data.

CVE-2023-29454

    A stored (persistent) cross-site scripting (XSS) vulnerability was found
    in the "Send to" form field of the "Media" tab in the "Users" section.
    When a new media entry is created with malicious code included in the
    "Send to" field, the code executes when the same media entry is edited.

CVE-2023-29455

    A reflected XSS attack, also known as a non-persistent attack, was found
    where an attacker can pass malicious code in a GET request to graph.php;
    the system saves it and executes it when the current graph page is
    opened.

CVE-2023-29456

    URL validation scheme receives input from a user and then parses it to
    identify its various components. The validation scheme can ensure that
    all URL components comply with internet standards.

CVE-2023-29457

    A reflected XSS attack, also known as a non-persistent attack, was found
    where session cookies could be revealed through XSS, enabling a
    perpetrator to impersonate valid users and abuse their private accounts.

CVE-2023-29458

    Duktape is a 3rd-party embeddable JavaScript engine with a focus on
    portability and a compact footprint. When too many values are added to
    the valstack, JavaScript will crash. This issue occurs due to a bug in
    Duktape 2.6, the 3rd-party solution that Zabbix uses.

CVE-2023-32721

    A stored XSS has been found in the Zabbix web application in the Maps
    element if a URL field is set with spaces before the URL.
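
As an added illustration of the whitespace case CVE-2023-32721 describes and the URL scheme validation CVE-2023-29456 refers to, the following Python is not part of the advisory or of Zabbix's code: a constructed weak scheme check that only recognises a scheme at offset 0 is placed beside a check that first normalizes the value the way a browser does. ALLOWED_SCHEMES and the sample values are assumptions made for the example.

```python
import re

# Assumed allow-list for a URL field; illustrative, not Zabbix's own.
ALLOWED_SCHEMES = {"http", "https"}
SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")
# What a browser drops before parsing a URL: leading/trailing C0 controls
# and space, plus tab, LF and CR anywhere inside the value.
_STRIP_CHARS = "".join(chr(c) for c in range(0x21))
_REMOVE_TABLE = {9: None, 10: None, 13: None}


def browser_normalize(url: str) -> str:
    """Mimic browser URL pre-processing so the check sees what the browser sees."""
    return url.strip(_STRIP_CHARS).translate(_REMOVE_TABLE)


def naive_is_safe_url(url: str) -> bool:
    """Hypothetical weak check (constructed for illustration): the scheme is
    only recognised at offset 0, so ' javascript:...' looks like a relative
    link and is accepted, although the browser will strip the space and run it."""
    m = SCHEME_RE.match(url)
    if m is None:
        return True  # no scheme seen -> treated as a relative link
    return m.group(1).lower() in ALLOWED_SCHEMES


def hardened_is_safe_url(url: str) -> bool:
    """Normalize first, then require an allowed scheme or an absolute path."""
    cleaned = browser_normalize(url)
    m = SCHEME_RE.match(cleaned)
    if m is not None:
        return m.group(1).lower() in ALLOWED_SCHEMES
    # No scheme: accept absolute paths only; reject empty and
    # protocol-relative ("//host/...") values.
    return cleaned.startswith("/") and not cleaned.startswith("//")


# Constructed sample values for the URL field.
SAMPLES = [
    "https://example.com/map.php?sysmapid=1",
    "/zabbix/map.php?sysmapid=1",
    "javascript:alert(1)",
    " javascript:alert(1)",        # leading space, the case the CVE describes
    "\tjava\nscript:alert(1)",     # tab and newline, both dropped by browsers
    "//attacker.example/map",      # protocol-relative link
]


def compare_checks(urls=SAMPLES):
    """Return {url: (naive_result, hardened_result)} for the sample values."""
    return {u: (naive_is_safe_url(u), hardened_is_safe_url(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, hardened) in compare_checks().items():
        print(f"{url!r:40} naive={naive!s:5} hardened={hardened}")
```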

CVE-2023-32722

    The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow
    when parsing JSON files via zbx_json_open.

CVE-2023-32724

    A memory pointer is exposed in a property of the Duktape object. This
    leads to multiple vulnerabilities related to direct memory access and
    manipulation.

CVE-2023-32726

    Possible buffer over-read when reading DNS responses.

CVE-2023-32727

    An attacker who has the privilege to configure Zabbix items can use the
    function icmpping() with an additional malicious command inside it to
    execute arbitrary code on the current Zabbix server.

CVE-2024-22114

    A user with no permission to any of the Hosts can access and view the
    host count and other statistics through the System Information Widget in
    the Global View Dashboard.

CVE-2024-22116

    An administrator with restricted permissions can exploit the script
    execution functionality within the Monitoring Hosts section. The lack of
    default escaping for script parameters enables this user to execute
    arbitrary code via the Ping script, thereby compromising the
    infrastructure.

CVE-2024-22119

    Stored XSS in the graph items select form.

CVE-2024-22122

    Zabbix allows SMS notifications to be configured. AT command injection
    occurs on the Zabbix Server because there is no validation of the
    "Number" field, neither in the web frontend nor on the Zabbix server
    side. An attacker can run an SMS test providing a specially crafted
    phone number and execute additional AT commands on the modem.

CVE-2024-22123

    Setting up SMS media allows a GSM modem file to be set. Later this file
    is used as a Linux device. But because everything is a file on Linux, it
    is possible to set another file, e.g. a log file, and zabbix_server will
    try to communicate with it as a modem. As a result, the log file will be
    corrupted with AT commands and a small part of the log file content will
    be leaked to the UI.

CVE-2024-36460

    The front-end audit log allows viewing of unprotected passwords, which
    are displayed in plain text.

CVE-2024-36461

    Direct access to memory pointers within the JS engine for modification.
    This vulnerability allows users with access to a single item
    configuration (limited role) to compromise the whole infrastructure of
    the monitoring solution by remote code execution.

For Debian 11 bullseye, these problems have been fixed in version
1:5.0.44+dfsg-1+deb11u1.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

As stated above, this version is a new upstream maintenance release.
Upstream's "upgrade notes" list the following changes
(changes not relevant for Debian bullseye have been omitted):

Upgrade notes for 5.0.11

    VMware event collector - The behavior of VMware event collector has been
    changed to fix a memory overload issue.

Upgrade notes for 5.0.31

    Improved performance of history syncers
    
    The performance of history syncers has been improved by introducing a
    new read-write lock. This reduces locking between history syncers,
    trappers and proxy pollers by using a shared read lock while accessing
    the configuration cache. The new lock can be write-locked only by the
    configuration syncer performing a configuration cache reload.

Upgrade notes for 5.0.32

    The following limits for JavaScript objects in preprocessing have been
    introduced:
    
    The total size of all messages that can be logged with the Log() method
    has been limited to 8 MB per script execution.

    The initialization of multiple CurlHttpRequest objects has been limited
    to 10 per script execution.

    The total length of header fields that can be added to a single
    CurlHttpRequest object with the AddHeader() method has been limited to
    128 Kbytes (special characters and header names included).
