ZABBIX BUGS AND ISSUES

Security flaw with API access when using HTTP authentication

    Details

      Description

      When Zabbix is configured with HTTP authentication, the API uses permissions of the user passed to the user.login call. Therefore, as long as you can authenticate to the Zabbix server, you could impersonate any user via the API by passing another username to the user.login request.

      CVE-2014-1682

      Attachments:
      1. ZBX-7703-1.8.2.patch (0.9 kB, Pavels Jelisejevs)
      2. ZBX-7703-2.2.1.patch (1 kB, Pavels Jelisejevs)

        Activity

        richlv added a comment - edited

        -------------------------
        Vulnerability description
        -------------------------

        User may impersonate as any other user using Zabbix API when using HTTP authentication.

        Please use CVE-2014-1682 to refer to this vulnerability.

        -------
        Details
        -------

        After logging into Zabbix using HTTP authentication, users could use the user.login API method and pass another user account. This could lead to impersonation of any other user and/or to privilege escalation.

        This issue has been reported by Vitaly Shupak.

        -----------------
        Affected versions
        -----------------

        All of the Zabbix versions are vulnerable to this problem.

        --------------
        Fixed versions
        --------------

        This vulnerability has been fixed in the latest releases of Zabbix.

        The fix is available in the following Zabbix releases:
        2.2.2
        2.0.11
        1.8.20

        Additionally, patches are available for the following Zabbix versions:
        2.2.1
        1.8.2

        Pavels Jelisejevs added a comment -

        RESOLVED for 1.8 in svn://svn.zabbix.com/branches/dev/ZBX-7703 and 2.0 in svn://svn.zabbix.com/branches/dev/ZBX-7703-20.

        Eduards Samersovs added a comment - edited

        (1) possible undefined index if $_SERVER['PHP_AUTH_USER'] does not exist

        Pavels Jelisejevs RESOLVED for 1.8 in r41986 and 2.0 in r41989.

        Eduards Samersovs CLOSED

        Eduards Samersovs added a comment -

        Tested

        Pavels Jelisejevs added a comment -

        Fixed in
        1.8.20rc1 r42010,
        2.0.11rc1 r42011,
        2.2.2rc1 r42012,
        2.3.0 r42013.

        Pavels Jelisejevs added a comment -

        CLOSED.

        Pavels Jelisejevs added a comment -

        Attached a patch for 2.2.1. Note that the fix contains new translatable strings.

        Vitaly Shupak added a comment -

        The current patch checks that the user specified in the login call matches the PHP_AUTH_USER variable set by the web server, but this requires that the client know what user is being authenticated, which is not always obvious. For example, when using Kerberos authentication, the client doesn't need to know his principal - the Kerberos libraries take care of that transparently. Furthermore, the web server may rewrite the authenticated user using aname_to_localname mapping, so it's impossible for the client to know for certain which username will be set by the web server in the PHP_AUTH_USER variable.

        A better implementation would be to just ignore the user passed to the login API call and always use PHP_AUTH_USER instead. If you want to take that even further, then the login API call should not be required at all when using HTTP authentication.

        Christoph Haas added a comment -

        svn://svn.zabbix.com/branches/dev/ZBX-7703 does not exist. Please try to provide a patch for 1.8.2. Thank you.

        (Context: I am one of the maintainers of the official Debian package and need to fix this security issue: https://security-tracker.debian.org/tracker/CVE-2014-1682)

        richlv added a comment -

        For the record, you should be able to access that branch in the revision before it got deleted, for example:

        svn ls svn://svn.zabbix.com/branches/dev/ZBX-7703@42013
        Pavels Jelisejevs added a comment -

        Vitaly, I'm not familiar with the details of Kerberos authentication. Could you explain how a client can authenticate without knowing the correct username? Or do you mean that the username used for authentication may not match the one passed in PHP_AUTH_USER?

        As for completely skipping the login method: we cannot do it since Zabbix will still generate an internal session for the user and the client needs to know the session ID.

        Pavels Jelisejevs added a comment -

        Christoph, I've attached a patch for 1.8.2.

        Vitaly Shupak added a comment -

        The details of Kerberos aren't primarily the issue. When you’re using HTTP authentication — of any kind — the web server will tell Zabbix the client's identity (in the case of Apache and mod_auth_kerb, in the REMOTE_USER environment variable or PHP_AUTH_USER php variable), as verified via the HTTP authentication exchange. The client should not need to supply it again inside the Zabbix login request — once is enough.

        A point which is relevant to Kerberos specifically, though, is that as a practical matter with Kerberos the client may not in fact know the identity it is presenting. That's because the details of Kerberos are abstracted away; the client automatically uses whatever identity is present in its Kerberos credential cache. This is handled by the GSSAPI/Kerberos library on the client: it is responsible for generating an encrypted authentication token that tells the web server the client's identity. The HTTP libraries do not have to deal with any of that.

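        The login-identity logic discussed in Vitaly Shupak's two comments above (the initial "must match PHP_AUTH_USER" check, the suggested "ignore the requested user and trust only the web server" form, and the undefined-index case raised in review), as an added example that is not Zabbix's own code; the function names and the AUTH_HTTP/AUTH_INTERNAL constants are hypothetical stand-ins for the frontend's real authentication-mode handling:

```php
<?php
// Added example, not Zabbix code: models how a user.login handler should pick
// the account to authenticate when the frontend runs behind HTTP authentication.
// AUTH_HTTP / AUTH_INTERNAL are hypothetical stand-ins for the real mode values.
const AUTH_HTTP = 'http';
const AUTH_INTERNAL = 'internal';

// Vulnerable behaviour described in the issue: under HTTP auth the API simply
// trusts whatever "user" the client placed in the user.login request body.
// ($server and $mode are deliberately unused here; that is the bug.)
function loginUserVulnerable(array $request, array $server, string $mode): ?string {
    return $request['user'] ?? null;
}

// Shape of the initial patch: the requested user must equal the identity the
// web server verified. Both values must exist, which also covers the
// "undefined index if $_SERVER['PHP_AUTH_USER'] does not exist" review note.
function loginUserPatched(array $request, array $server, string $mode): ?string {
    if ($mode !== AUTH_HTTP) {
        return $request['user'] ?? null;   // internal auth: password check happens elsewhere
    }
    $verified  = $server['PHP_AUTH_USER'] ?? null;
    $requested = $request['user'] ?? null;
    if ($verified === null || $requested === null || $verified !== $requested) {
        return null;   // reject: missing identity or an attempt to log in as someone else
    }
    return $verified;
}

// Hardened form suggested in the thread: ignore the request body entirely and
// use only the web-server-verified identity. PHP_AUTH_USER is preferred, with
// REMOTE_USER as the fallback some SAPI/module combinations expose instead.
function loginUserHardened(array $request, array $server, string $mode): ?string {
    if ($mode !== AUTH_HTTP) {
        return $request['user'] ?? null;
    }
    $verified = $server['PHP_AUTH_USER'] ?? $server['REMOTE_USER'] ?? null;
    return ($verified !== null && $verified !== '') ? $verified : null;
}

// Constructed sample request: the web server authenticated "alice", but the
// client's login call names a different account.
$server  = ['PHP_AUTH_USER' => 'alice'];
$request = ['user' => 'Admin', 'password' => 'ignored-under-http-auth'];

printf("vulnerable: %s\n", loginUserVulnerable($request, $server, AUTH_HTTP) ?? 'rejected');
printf("patched:    %s\n", loginUserPatched($request, $server, AUTH_HTTP) ?? 'rejected');
printf("hardened:   %s\n", loginUserHardened($request, $server, AUTH_HTTP) ?? 'rejected');
```

        The patched form still needs the client to know the exact username the web server will set, which is the Kerberos concern raised above; the hardened form removes that requirement while the session is still created and its ID returned by the same call.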
        Pavels Jelisejevs added a comment -

        Vitaly, thanks for the explanation. I've created a separate ZBX for resolving this issue - ZBX-7789.


          People

          • Assignee:
            Unassigned
            Reporter:
            Vitaly Shupak