[ZBX-22002] Zabbix Agent Installer Adds Allow All TCP any any firewall rule (CVE-2022-43516)
Created: 2022 Nov 30  Updated: 2025 Apr 07  Resolved: 2022 Dec 02

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G)
Affects Version/s: 6.0.10, 6.2.5
Fix Version/s: 6.0.12rc2, 6.2.6rc2, 6.4.0beta5, 6.4 (plan)

Type: Defect (Security)
Priority: Critical
Reporter: Joshua PowellNishiyama
Assignee: Michael Veksler
Resolution: Fixed
Votes: 0
Labels: agent, security-vulnerabilities
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows Server 2022 Datacenter (Japanese)
Windows Server 2019 Datacenter (Japanese)


Attachments: PNG File Zabbix Firewall All Allow.png     PNG File Zabbix Installer Server Settings.png     File zabbix_agent-6.4.0-x64.msi     File zabbix_agent2-6.4.0-x64.msi.7z.001     File zabbix_agent2-6.4.0-x64.msi.7z.002    
Issue Links:
Duplicate
Sub-task
depends on ZBX-21972 TLSPSKVALUE doesn't work in silent mode Closed
Team: Team B
Sprint: Sprint 95 (Dec 2022)
Story Points: 1

 Description   

ID: ZBV-2022-12-1

CVE: CVE-2022-43516

Synopsis: Zabbix Agent installer adds “allow all TCP any any” firewall rule

Description: A Firewall Rule which allows all incoming TCP connections to all programs from any source and to all ports is created in Windows Firewall after Zabbix agent installation (MSI).

CVSS score: 6.5

Zabbix Severity: Medium

Known Attack Vectors: An attacker can connect to all TCP services running on the machine with Zabbix Agent.

Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products or use the workaround.

Workarounds: If an immediate update is not possible, change the applied local firewall rule to allow the agent port only.

--------

Steps to reproduce:

  1. Download Agent 1 or Agent 2 (does not matter)
    1. Windows-Any-amd64-6.0 LTS-OpenSSL-MSI
    2. Windows-Any-amd64-6.2-OpenSSL-MSI
  2. Install with Default Options
  3. Set Server and Proxy Server to Zabbix Server IP
  4. Install
  5. Check Firewall Rules (Seen in both Domain and Non-Domain)

I have only tested 6.0.10, 6.0.11, 6.2.15. Others can test other versions and platforms.

Result:

A Firewall Rule which allows all incoming TCP connections to all programs from any source and to all ports is created in Windows Firewall.

See Screenshot

Expected:
Allow Agent Port Number only.
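
For the check in step 5 and the workaround above, an added PowerShell example (not part of the original report and not Zabbix code) that lists enabled inbound allow rules matching the "TCP, any port, any program, any source" shape and can restrict one of them to the agent port. It assumes the agent listens on the default port 10050; `$AgentPort` and `$NarrowRule` are hypothetical parameter names, and the rule name must be taken from the audit output because the report does not state it.

```powershell
# Added example: audit inbound allow rules that are TCP / any port / any
# program / any remote address, the shape described in this report.
# Run from an elevated PowerShell session (NetSecurity module).
param(
    [int]$AgentPort = 10050,   # assumption: agent uses the default ListenPort
    [string]$NarrowRule        # hypothetical: Name of the rule to restrict
)

function Test-IsAny($Value) {
    # Firewall filters report 'Any' (or nothing) for an unrestricted field.
    (-not $Value) -or ($Value -contains 'Any')
}

$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($port.Protocol -eq 'TCP' -and
            (Test-IsAny $port.LocalPort) -and
            (Test-IsAny $app.Program) -and
            (Test-IsAny $addr.RemoteAddress)) {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                Profile     = $_.Profile
            }
        }
    }

# Review this list first; other software may own some of these rules.
$broad | Format-Table -AutoSize

if ($NarrowRule) {
    if ($broad.Name -notcontains $NarrowRule) {
        throw "Rule '$NarrowRule' is not in the list of over-broad rules."
    }
    # Workaround from the advisory: keep the rule, allow the agent port only.
    Set-NetFirewallRule -Name $NarrowRule -Protocol TCP -LocalPort $AgentPort
    # Show the resulting port filter so the change can be confirmed.
    Get-NetFirewallRule -Name $NarrowRule | Get-NetFirewallPortFilter
}
```

Run it once without `-NarrowRule` to review the list, then pass the `Name` value of the rule created by the installer.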



 Comments   
Comment by Joshua PowellNishiyama [ 2022 Nov 30 ]
3. Set Server and Active Server/Proxy IP to Zabbix Server IP

In the reproduction steps, I meant during the installer.

Note: Active Server IP can be blank as well.

Comment by Michael Veksler [ 2022 Dec 07 ]

Available in:

  • 6.0.12rc2
  • 6.2.6rc2
  • 6.4.0beta5
Comment by Michael Veksler [ 2022 Dec 08 ]

Versions of MSI Agent that have been fixed and re-uploaded:

  • 5.0.29, 5.0.30 (version 28 November 2022)
  • 6.0.10, 6.0.11
  • 6.2.4, 6.2.5
  • 6.4.0beta2, 6.4.0beta3, 6.4.0beta4

Versions prior to 5.0.29, 6.0.10, 6.2.4 didn't have this vulnerability.
