ZABBIX BUGS AND ISSUES
ZBX-5924

Possible security issue due to misuse of the libcurl API

    Details

      Description

      Alessandro Ghedini on behalf of Debian security team kindly shared his concerns regarding the following:

      We recently discovered that zabbix is using the libcurl API in a way that may not be what the original author intended.
      In particular, I'm referring to the fact that the CURLOPT_SSL_VERIFYHOST option is treated as if it were a boolean value
      while in fact it isn't (it may take three different values):

      From the file "src/libs/zbxmedia/eztexting.c":

      if (CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_USERAGENT, "Zabbix " ZABBIX_VERSION)) ||
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_FOLLOWLOCATION, 1L)) ||
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_WRITEFUNCTION, WRITEFUNCTION2)) ||
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_HEADERFUNCTION, HEADERFUNCTION2)) ||
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_SSL_VERIFYPEER, 1L)) ||
          /* 1L only requires that a Common Name exists; 2L is needed to match it against the URL host */
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_SSL_VERIFYHOST, 1L)) ||
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_POSTFIELDS, postfields)) ||
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_POST, 1L)) ||
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_URL, EZ_TEXTING_API_URL)) ||
          CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_TIMEOUT, (long)EZ_TEXTING_TIMEOUT)))
      {
          zbx_snprintf(error, max_error_len, "Could not set cURL option %d: [%s]", opt, curl_easy_strerror(err));
          goto clean;
      }

      Setting the value to "1" does not enable the host checks (well, not all of them)
      and this may lead to security issues. The correct value to enable all the security checks is "2".

      From the libcurl documentation:

      > When CURLOPT_SSL_VERIFYHOST is 2, that certificate must indicate
      > that the server is the server to which you meant to connect, or the
      > connection fails.
      >
      > Curl considers the server the intended one when the Common Name
      > field or a Subject Alternate Name field in the certificate matches
      > the host name in the URL to which you told Curl to connect.
      >
      > When the value is 1, the certificate must contain a Common Name
      > field, but it doesn't matter what name it says. (This is not
      > ordinarily a useful setting).
      >
      > When the value is 0, the connection succeeds regardless of the
      > names in the certificate.

      Note that this should be fixed anyway, since as of curl v7.28.1 the value "1" is not a valid value
      anymore and libcurl will return an error.
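The following C program is an added illustration and is not code from Zabbix or from libcurl. It models what the three CURLOPT_SSL_VERIFYHOST values mean, using the semantics quoted from the libcurl documentation above, and models the argument check that, from libcurl 7.28.1 on, turns the value 1 into an error. No TLS library is linked; the certificate names, the host name, and the function names (verifyhost_accepts, setopt_verifyhost_check) are constructed for the example. The fix the report asks for is simply passing 2L instead of 1L for CURLOPT_SSL_VERIFYHOST in the curl_easy_setopt call shown above.

```c
/*
 * Added example, not code from Zabbix or libcurl: a self-contained model of
 * what the three CURLOPT_SSL_VERIFYHOST values mean, following the libcurl
 * documentation quoted in the report. No TLS library is used; certificate
 * names are plain strings constructed for the example.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Constructed model of the name fields in a server certificate. */
struct cert_names {
    const char *common_name;   /* NULL when the certificate has no CN */
    const char *sans[4];       /* dNSName SubjectAltName entries, NULL-terminated */
};

/* Case-insensitive DNS name match; a leading "*." covers exactly one label. */
static int dns_name_matches(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL)
        return 0;
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        /* "*.example.net" matches "api.example.net" but not "a.b.example.net" */
        return dot != NULL && strcasecmp(pattern + 1, dot) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/*
 * Returns 1 if a certificate that already passed chain validation
 * (CURLOPT_SSL_VERIFYPEER) would be accepted under the given VERIFYHOST mode.
 */
int verifyhost_accepts(long mode, const struct cert_names *cert, const char *url_host)
{
    int i;

    switch (mode) {
    case 0:
        /* names are never compared: any valid certificate is accepted */
        return 1;
    case 1:
        /* only requires that a CN exists, whatever it says: a valid
         * certificate issued for some other host passes */
        return cert->common_name != NULL;
    case 2:
        /* the host from the URL must appear in the certificate; when
         * dNSName SANs are present they are authoritative and the CN is
         * not consulted (RFC 6125) */
        if (cert->sans[0] != NULL) {
            for (i = 0; cert->sans[i] != NULL; i++)
                if (dns_name_matches(cert->sans[i], url_host))
                    return 1;
            return 0;
        }
        return dns_name_matches(cert->common_name, url_host);
    default:
        return 0;
    }
}

/*
 * Model of the argument check curl_easy_setopt() applies to
 * CURLOPT_SSL_VERIFYHOST: from libcurl 7.28.1 (LIBCURL_VERSION_NUM 0x071c01)
 * the value 1 is rejected. Returns 0 for CURLE_OK and -1 for
 * CURLE_BAD_FUNCTION_ARGUMENT.
 */
int setopt_verifyhost_check(long value, unsigned int libcurl_version_num)
{
    if (value < 0 || value > 2)
        return -1;
    if (value == 1 && libcurl_version_num >= 0x071c01)
        return -1;
    return 0;
}

/* Constructed sample certificates and the host the client meant to reach. */
const char *const sample_host = "api.example.net";
const struct cert_names sample_genuine = { "api.example.net", { "www.example.net", "api.example.net", NULL } };
const struct cert_names sample_other_host = { "other.example.org", { "other.example.org", NULL } };
const struct cert_names sample_no_cn = { NULL, { "*.example.net", NULL } };

int main(void)
{
    long mode;

    for (mode = 0; mode <= 2; mode++)
        printf("VERIFYHOST=%ld: genuine %s, other host %s, SAN-only %s\n", mode,
               verifyhost_accepts(mode, &sample_genuine, sample_host) ? "accepted" : "REJECTED",
               verifyhost_accepts(mode, &sample_other_host, sample_host) ? "ACCEPTED" : "rejected",
               verifyhost_accepts(mode, &sample_no_cn, sample_host) ? "accepted" : "REJECTED");
    printf("curl_easy_setopt(VERIFYHOST, 1L) on 7.28.1: %s\n",
           setopt_verifyhost_check(1, 0x071c01) == 0 ? "CURLE_OK" : "CURLE_BAD_FUNCTION_ARGUMENT");
    return 0;
}
```

Running it shows the two problems the report describes side by side: with mode 1 a valid certificate for a completely different host is accepted, so VERIFYPEER alone does not pin the connection to the intended server, and with mode 2 the same certificate is rejected while a certificate carrying the URL host as a SAN (even without a CN) is accepted. The version check reproduces why the misuse became a hard failure rather than a silent weakness from 7.28.1 on.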

        Activity

        Oleksiy Zagorskyi added a comment - edited

        (1) Also it should be documented.

        Andris Zeila:
        1.8.18
        https://www.zabbix.com/documentation/1.8/manual/about/what_s_new_1.8.18
        https://www.zabbix.com/documentation/1.8/manual/about/installation_and_upgrade
        2.0.8
        https://www.zabbix.com/documentation/2.0/manual/introduction/whatsnew208#security_fixes
        https://www.zabbix.com/documentation/2.0/manual/installation/upgrade_notes_208?&#daemon_security_fixes
        2.2.0
        https://www.zabbix.com/documentation/2.2/manual/introduction/whatsnew220#security_fixes
        https://www.zabbix.com/documentation/2.2/manual/installation/upgrade_notes_220#daemon_security_fixes
        Please review.

        Oleksiy Zagorskyi: Pretty simple and clear, thanks! CLOSED
        Henri Salo added a comment -

        Please use CVE-2012-6086 for this issue.
        CVE request: http://www.openwall.com/lists/oss-security/2013/01/02/1
        CVE assignment: http://www.openwall.com/lists/oss-security/2013/01/03/1
        Matthew Marlowe added a comment -

        As the Gentoo package maintainer for Zabbix, I'd like to mention that this issue has reached the attention of our security team, and that curl 7.28.1 is currently one of the releases available to our users... if this bug isn't addressed shortly, I'll need to update our package to indicate it is not compatible with newer versions of curl.

        Volker Fröhlich added a comment -

        Please take the time to address this 5 month old CVE!

        Matthew Marlowe added a comment -

        curl 7.29 has now gone stable in Gentoo although prior versions are still supported, please resolve this bug... thanks.

        Andris Zeila added a comment -

        Fixed in development branch svn://svn.zabbix.com/branches/dev/ZBX-5924

        Volker Fröhlich added a comment - edited

        Backported to EPEL 5 and 6 zabbix20 packages, as well as zabbix 2.0 packages in Fedora.

        1.8 in EPEL 6 remains to be done.

        Alexander Vladishev added a comment -

        Successfully tested!

        Andris Zeila added a comment -

        Released in:
        pre-1.8.18rc1 r37454
        pre-2.0.8rc1 r37455
        pre-2.1.2 r37456

        Volker Fröhlich added a comment -

        Backported to 1.8 in EPEL 6 (1.8.17-2)

        richlv added a comment - edited

        subissue (1) has not been closed

        Oleksiy Zagorskyi: Closed already.

          People

          Assignee: Andris Zeila
          Reporter: Dmitry Smirnov
          Votes: 2
          Watchers: 7