Security vulnerability findings (ZBX-12074)
[ZBX-12076] Bug 2. Active Zabbix Proxy MITM Database Overwrite (CVSS 6.8: SIR: High)
Created: 2017 Mar 22 | Updated: 2017 Apr 20 | Resolved: 2017 Apr 20

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Server (S)
Affects Version/s: None
Fix Version/s: 2.0.21rc1, 2.2.18rc1, 3.0.9rc1, 3.2.5rc1, 3.4.0alpha1
Type: Sub-task
Priority: Critical
Reporter: Rostislav Palivoda
Assignee: Unassigned
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Team: Team C
Sprint: Sprint 4, Sprint 5
Story Points: 2
Description
One of the more interesting Trapper requests made by the Zabbix proxy is the “proxy config” request. Interestingly, a proxy can request its own proxy configuration from the Zabbix Server, or any other Zabbix Proxy’s configuration if they know the hostname of that machine. Regardless of this minor information disclosure bug, there’s a more pivotal issue. While the Zabbix server has hardcoded database tables that it looks at when gathering the configuration data to send to the proxy, there’s no such restriction on what the Zabbix Proxy will apply to its databases. Thus, if an attacker is able to man in the middle (MITM) the traffic of the Zabbix Proxy and Zabbix Server, an attacker can insert arbitrary JSON into the configuration response of the Server, and the Zabbix Proxy will apply the configuration without hesitation. This is doubly concerning since the proxy configuration data flows unencrypted by default over the network.

Since the “proxy config” request happens at regular intervals from the Proxy to the Server, ASIG was able to use a MITM attack to intercept the traffic and insert data into the conversation that we wanted, writing a script into the database of a target Zabbix Proxy. As of yet, this has not been able to be successfully exploited for RCE.

Confirmed Versions: Zabbix 2.4.7 - 2.4.8r1

Remediation: Recommendations cannot as of now be provided; the only feasible solution to this issue would be an upstream patch by Zabbix engineers, which would probably include having a hardcoded whitelist of tables that could be modified with the "proxy config" response.
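The remediation the report points at is an allow-list of tables on the receiving side. The following is an added illustration of that check, not code from Zabbix or from the report: it assumes the proxy config response is a JSON object keyed by table name, each table carrying a `fields` list and a `data` list of rows, and the allow-list below is a constructed subset, not Zabbix's actual table list.

```python
import json

# Illustrative allow-list of tables a proxy legitimately expects in a
# "proxy config" response. Constructed subset for this example, not Zabbix's own list.
ALLOWED_TABLES = {"hosts", "items", "interface", "hosts_templates", "globalmacro", "hostmacro"}


def filter_proxy_config(raw, allowed=ALLOWED_TABLES):
    """Split a proxy config response into (accepted, rejected) tables.

    Only tables on the allow-list with a well-formed shape (string field names,
    every row as wide as the field list) are accepted; everything else is
    reported with a reason so the proxy can log it instead of applying it.
    """
    doc = json.loads(raw)
    accepted, rejected = {}, {}
    for name, table in doc.items():
        if name == "response":          # status field, not a table
            continue
        if name not in allowed:
            rejected[name] = "table not in allow-list"
            continue
        fields = table.get("fields") if isinstance(table, dict) else None
        rows = table.get("data") if isinstance(table, dict) else None
        if not isinstance(fields, list) or not isinstance(rows, list):
            rejected[name] = "malformed table"
            continue
        if not all(isinstance(f, str) for f in fields) or any(
            not isinstance(r, list) or len(r) != len(fields) for r in rows
        ):
            rejected[name] = "row/field mismatch"
            continue
        accepted[name] = table
    return accepted, rejected


# Constructed sample response: two legitimate tables, one table the proxy
# should never see, and one whose rows do not match its field list.
SAMPLE_RESPONSE = json.dumps({
    "response": "success",
    "hosts": {"fields": ["hostid", "host", "status"], "data": [["10084", "proxy-host-1", "0"]]},
    "items": {"fields": ["itemid", "hostid", "key_"], "data": [["1", "10084", "agent.ping"]]},
    "unexpected_table": {"fields": ["id", "body"], "data": [["1", "not a config row"]]},
    "hostmacro": {"fields": ["hostmacroid", "macro"], "data": [["1", "{$A}", "extra"]]},
})

if __name__ == "__main__":
    ok, bad = filter_proxy_config(SAMPLE_RESPONSE)
    print("applied:", sorted(ok), "rejected:", bad)
```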
Comments

Comment by Andris Zeila [ 2017 Mar 29 ]
Successfully tested |
Comment by Rostislav Palivoda [ 2017 Apr 06 ]
glebs.ivanovskis Do we need any documentation changes on that? |