Zabbix Agent on Windows missing basic security mitigations

XMLWordPrintable

    • Type: Change Request
    • Resolution: Unresolved
    • Priority: Trivial
    • None
    • Affects Version/s: None
    • Component/s: None
    • None

      The Zabbix Agent binaries on Windows are lacking various basic security mitigations like DEP, ASLR and High Entropy ASLR (on 64-bit environments).
      Not having these mitigations would make it easier for an attacker to write a reliable exploit in case of a memory corruption vulnerability in the agent.

      So, this is not a direct vulnerability, but rather a defense-in-depth measure that could prevent successful exploitation of future known and unknown vulnerabilities.

      Looking at the source code, you seem to be using MinGW as a compiler. As far as I can find (I'm not an expert on MinGW at all) modern versions of MinGW can use these compiler flags to enable these mitigations:

      DEP:
      Wl,-nxcompat

      ASLR:
      Wl,-dynamicbase

      High Entropy ASLR (64-bit binaries only):
      Wl,-high-entropy-va

      To verify it's indeed active, you could use the Sysinternals Suite' Process Explorer, which is able to display if DEP/ASLR is enabled per process.

      Could the Windows binaries please be compiled with these flags, to improve the security of the Zabbix Agent on Windows?

            Assignee:
            Unassigned
            Reporter:
            A
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: