Change Request
Resolution: Unresolved
Trivial
A few months ago I reported to support that (at least) the Zabbix Agent binaries inside the RHEL/CentOS RPMs were lacking several security hardening mitigations. These mitigations/compiler flags (ASLR/PIE, Full RELRO, NX) were added in the latest Zabbix Agent CentOS/RHEL RPMs released in March.
However, I see that the "stack canaries" and "fortify source" mitigations are now disabled (which wasn't the case in earlier versions), probably because these compiler flags are not set or overruled by the new compiler flags. This wasn't the case earlier as far as I can trace back.
This can be easily verified using the following script: https://raw.githubusercontent.com/slimm609/checksec.sh/master/checksec
    ./checksec --file /usr/sbin/zabbix_agentd
    RELRO       STACK CANARY      NX          PIE          RPATH     RUNPATH     FORTIFY  Fortified  Fortifiable  FILE
    Full RELRO  No canary found   NX enabled  PIE enabled  No RPATH  No RUNPATH  No       0          13           /usr/sbin/zabbix_agentd
The solution is to make sure that the GCC compiler uses the "-fstack-protector --param ssp-buffer-size=4" flags if using GCC older than 4.9 (like CentOS 7 and lower) or "-fstack-protector-strong" on GCC 4.9+ (other distributions) to enable all the stack smashing protection features.
Also please add the "-D_FORTIFY_SOURCE=2" flag to harden/fortify various common memory functions and to prevent attacks against these.
Could the binaries please be compiled with these additional compiler flags?
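The STACK CANARY and FORTIFY columns above come down to which libc symbols the binary imports, so the same check can gate a package build and catch this kind of regression. The following is an added example, not part of the original report and not checksec's or Zabbix's code; it assumes binutils `readelf` is installed, and the function names, the `FORTIFIABLE` list and the sample text are constructed for illustration.

```python
import subprocess
import sys

# Assumed subset of glibc functions that have a checked __<name>_chk variant;
# checksec derives the full set from the installed libc.
FORTIFIABLE = {"memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat",
               "strncat", "sprintf", "snprintf", "vsprintf", "vsnprintf",
               "fgets", "read", "recv", "printf", "fprintf"}

# Constructed sample of `readelf -W --dyn-syms` output for an unhardened binary.
SAMPLE_UNHARDENED = """\
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND sprintf@GLIBC_2.2.5 (2)
     3: 0000000000004010     8 OBJECT  GLOBAL DEFAULT   24 progname
"""


def imported_symbols(readelf_text):
    """Names of undefined (imported) symbols in `readelf -W --dyn-syms` output."""
    names = set()
    for line in readelf_text.splitlines():
        f = line.split()
        # Data rows: "<num>: <value> <size> <type> <bind> <vis> <ndx> <name>[@ver]"
        if len(f) >= 8 and f[0].rstrip(":").isdigit() and f[6] == "UND":
            names.add(f[7].split("@")[0])
    return names


def audit(names):
    """Classify imports the way the STACK CANARY and FORTIFY columns do."""
    canary = "__stack_chk_fail" in names
    fortified = sorted(n for n in names if n.startswith("__")
                       and n.endswith("_chk") and n[2:-4] in FORTIFIABLE)
    unfortified = sorted(names & FORTIFIABLE)
    # Some unchecked calls remain even with fortify on, so only fail when
    # fortifiable calls exist and none of them was replaced.
    ok = canary and (bool(fortified) or not unfortified)
    return {"canary": canary, "fortified": fortified,
            "unfortified": unfortified, "ok": ok}


def audit_file(path):
    out = subprocess.run(["readelf", "-W", "--dyn-syms", path], check=True,
                         capture_output=True, text=True).stdout
    return audit(imported_symbols(out))


if __name__ == "__main__":
    result = audit_file(sys.argv[1])
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Fortified calls are only emitted when the build also enables optimization, so a binary built with `-D_FORTIFY_SOURCE=2` but without `-O1` or higher still fails this gate.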