[ZBX-11483] CVE-2016-9140: API JSON-RPC remote code execution Created: 2016 Nov 15  Updated: 2020 Jul 16  Resolved: 2016 Nov 15

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: API (A)
Affects Version/s: 2.0.19, 2.2.15, 3.0.5, 3.2.1
Fix Version/s: 2.0.20rc1, 2.2.16rc1, 3.0.6rc1, 3.2.2rc1, 3.4.0alpha1

Type: Defect (Security) Priority: Blocker
Reporter: Dmitry Smirnov Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Debian


Issue Links:
Duplicate

Description

As reported in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842702
Zabbix 2.2+ appears to be vulnerable to CVE-2016-9140.

See more:



Comments
Comment by Aleksandrs Saveljevs [ 2016 Nov 15 ]

I wonder whether this is a duplicate of ZBX-9425.

Comment by richlv [ 2016 Nov 15 ]

Doesn't look like it: the exploit-db example logs in as Admin, then does script.update, followed by script.execute. It does not connect to the trapper port directly but goes through the frontend.

That looks like somebody with superadmin rights using a feature as intended... not sure anything can/should be done about it.

Comment by Oleg Egorov (Inactive) [ 2016 Nov 15 ]

RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-11483 r63776

Comment by Oleg Egorov (Inactive) [ 2016 Nov 15 ]

(1) No translation string changes.

gunarspujats CLOSED

Comment by Oleg Egorov (Inactive) [ 2016 Nov 15 ]

See fix-related issue ZBX-11485

Comment by Gunars Pujats (Inactive) [ 2016 Nov 15 ]

Tested

Comment by Oleg Egorov (Inactive) [ 2016 Nov 15 ]

Fixed in:

  • pre-2.0.20rc1 r63786
  • pre-2.2.16rc1 r63788
  • pre-3.0.6rc1 r63789
  • pre-3.2.2rc1 r63792
  • pre-3.3.0 (trunk) r63793

Comment by Oleksii Zagorskyi [ 2016 Nov 15 ]

As I see it, the actual fix is different from the described supposed security issue.
Yes, supposed, because the thing reported is not really a security issue, as Rich already noted.
Zabbix Super Admins are allowed to define/update any custom shell commands, which later may be used by limited Zabbix users.
Closing such an issue without explanation will lead to false positives in different security reports, which is not good for Zabbix.

What the current fix did is: added a permissions check for the Zabbix host a script is to be executed for.
For example, previously I had no read access to a host, but I could execute scriptID=1 (ping, usually, by default) and I'd learn, for example, the IP/DNS address of the host in Zabbix.

I might be wrong, but, as the current fix does not touch server-side code, and thinking about the ZBX-9425 example, I wonder: is that OK?

oleg.egorov The current fix is frontend side only, and, yes, now you need to have permissions for the host to access any operation on it.

zalex_ua OK. How about the server side then?

oleg.egorov Server side is available only in 3.3 (trunk).

zalex_ua Trunk tested; yes, ZBX-9425 includes a fix for the permission check on the server side, which has been fixed for the frontend in the current issue.
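The frontend-side host permission check discussed in the comments above, modelled as an added Python example (this is not Zabbix's own PHP code). The hosts, users, permission table and the "Ping" script are constructed sample data; the `check_host_permission` switch contrasts the pre-fix behaviour (a script runs against a host the caller has no read access to, and the resolved command reveals its address) with the fixed behaviour, where existence and permission are reported with one error so the response does not disclose whether the host exists.

```python
import json

# Constructed sample data (hypothetical, not taken from Zabbix).
HOSTS = {10: {"host": "db01", "ip": "192.0.2.10"}, 11: {"host": "web01", "ip": "192.0.2.11"}}
HOST_READ_ACCESS = {"limited": {11}, "Admin": {10, 11}}  # user -> hostids readable
SCRIPTS = {1: {"name": "Ping", "command": "ping -c 3 {HOST.CONN}"}}

# Constructed JSON-RPC request: the limited user asks to run script 1 on host 10.
REQ = '{"jsonrpc":"2.0","method":"script.execute","params":{"scriptid":1,"hostid":10},"id":1}'


def jsonrpc_error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def execute_script(hostid, scriptid):
    # Stand-in for handing the command to the server: we only resolve the
    # {HOST.CONN} macro, which is exactly the value a non-permitted caller
    # could learn before the fix.
    command = SCRIPTS[scriptid]["command"].replace("{HOST.CONN}", HOSTS[hostid]["ip"])
    return {"response": "success", "value": f"would run: {command}"}


def handle(request_json, user, check_host_permission):
    """Dispatch a script.execute call; check_host_permission=False mimics the pre-fix frontend."""
    req = json.loads(request_json)
    req_id = req.get("id")
    if req.get("method") != "script.execute":
        return jsonrpc_error(req_id, -32601, "Method not found")
    params = req.get("params") or {}
    hostid, scriptid = params.get("hostid"), params.get("scriptid")
    if scriptid not in SCRIPTS:
        return jsonrpc_error(req_id, -32602, "Script not found")
    if check_host_permission:
        # The fix: the caller must hold at least read access to the target host.
        # Unknown and forbidden hosts get the same error, so nothing is leaked
        # about which hostids exist.
        if hostid not in HOST_READ_ACCESS.get(user, set()):
            return jsonrpc_error(req_id, -32602, "No permissions to host, or it does not exist")
    elif hostid not in HOSTS:
        return jsonrpc_error(req_id, -32602, "Host not found")
    return {"jsonrpc": "2.0", "id": req_id, "result": execute_script(hostid, scriptid)}
```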
