[ZBX-11483] CVE-2016-9140: API JSON-RPC remote code execution
Created: 2016 Nov 15
Updated: 2020 Jul 16
Resolved: 2016 Nov 15
Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: API (A)
Affects Version/s: 2.0.19, 2.2.15, 3.0.5, 3.2.1
Fix Version/s: 2.0.20rc1, 2.2.16rc1, 3.0.6rc1, 3.2.2rc1, 3.4.0alpha1
Type: Defect (Security)
Priority: Blocker
Reporter: Dmitry Smirnov
Assignee: Unassigned
Resolution: Fixed
Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Debian
Description
As reported in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842702
Comments
Comment by Aleksandrs Saveljevs [ 2016 Nov 15 ]
I wonder whether this is a duplicate of
Comment by richlv [ 2016 Nov 15 ]
Doesn't look like it - the exploit-db example logs in as Admin, then does script.update, followed by script.execute - it does not connect to the trapper port directly but goes through the frontend. That looks like somebody with the superadmin rights using a feature as intended... not sure anything can/should be done about it.
Comment by Oleg Egorov (Inactive) [ 2016 Nov 15 ]
RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-11483 r63776
Comment by Oleg Egorov (Inactive) [ 2016 Nov 15 ]
(1) No translation string changes. gunarspujats CLOSED
Comment by Oleg Egorov (Inactive) [ 2016 Nov 15 ]
See fix related issue ZBX-11485
Comment by Gunars Pujats (Inactive) [ 2016 Nov 15 ]
Tested
Comment by Oleg Egorov (Inactive) [ 2016 Nov 15 ]
Fixed in:
Comment by Oleksii Zagorskyi [ 2016 Nov 15 ]
As I see, the actual fix is different from the described supposed security issue. What the current fix did is: added a permissions check for the Zabbix hosts a script is to be executed for. I might be wrong, but, as the current fix does not touch server side code and thinking about
oleg.egorov: Current fix is frontend side only, and, yes, now you need to have permissions for the host to access any operation on it.
zalex_ua: ok. How about server side then?
oleg.egorov: Server side available only in 3.3 (trunk).
zalex_ua: Trunk tested, yes, the