[#ZBX-23858] Code injection in zabbix_agent2 smartctl plugin (CVE-2023-32728)

[ZBX-23858] Code injection in zabbix_agent2 smartctl plugin (CVE-2023-32728) Created: 2023 Dec 18 Updated: 2024 Oct 15 Resolved: 2023 Dec 18
Status:	Closed
Project:	ZABBIX BUGS AND ISSUES
Component/s:	Agent2 plugin (G)
Affects Version/s:	None
Fix Version/s:	None

Type:

Defect (Security)

Priority:

Minor

Reporter:

Maris Melnikovs (Inactive)

Assignee:

Zabbix Support Team

Resolution:

Fixed

Votes:

0

Labels:

None

Remaining Estimate:

Not Specified

Time Spent:

Not Specified

Original Estimate:

Not Specified

Issue Links:

Causes
Duplicate

Description

Mitre ID	CVE-2023-32728
CVSS score	4.6
CVSS vector	https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
Severity	Medium
Summary	Code injection in Zabbix Agent 2 smart.disk.get caused by smartctl plugin
Description	The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command resulting possible vulnerability for remote code execution.
Common Weakness Enumeration (CWE)	CWE-20 Improper Input Validation
Common Attack Pattern Enumeration and Classification (CAPEC)	CAPEC-253 Remote Code Inclusion
Known attack vectors	An attacker can execute arbitrary code on any device having an Zabbix Agent2 listening and having smartctl installed.
Patch provided	No
Component/s	Agent 2
Affected version/s and fix version/s	5.0.0 - 5.0.38 / 5.0.39rc1 6.0.0 - 6.0.23 / 6.0.24rc1 6.4.0 - 6.4.8 / 6.4.9rc1 7.0.0alpha1 - 7.0.0alpha7 / 7.0.0alpha8
Fix compatibility tests	-
Resolution	Fixed
Workarounds	-
Acknowledgements	This vulnerability is reported in HackerOne bounty hunter platform by Philippe Antoine (catenacyber)

Comments

Comment by James G Stroud [ 2023 Dec 27 ]

Hi Zabbix Support Team, we are running Zabbix Agent 2 version 5.4.0alapha1. Is this impacted with this as well? The output of this command

cld-zabbix_agent2 --version

is below

sysop@dal3-qz2-sr1-rk327-s18:~$ /usr/sbin/cld-zabbix_agent2 --version
zabbix_agent2 (Zabbix) 5.4.0alpha1

Comment by gofree [ 2024 Jan 03 ]

So when reffering to "listening" does it mean only passive agent is affected ?

Comment by Eriks Sneiders [ 2024 Jan 16 ]

FIXED IN

5.0.39rc1: ef5c6430bb6
6.0.24rc1: 418efe8e423
6.4.9rc1: 396a0f0fb9a
7.0.0alpha8 (master): 2809717d48c

Comment by Eriks Sneiders [ 2024 Jan 16 ]

Hi, all!

strouja Zabbix version 5.4 is not supported any more, so the fix was not implemented there, you can read more about currently supported versions here https://www.zabbix.com/life_cycle_and_release_policy

[email protected] as far as I know both active and passive agent 2 were affected.

Comment by James G Stroud [ 2024 Jan 16 ]

Eriks, thanks I knew that 5.4 is not supported. I'm just trying to confirm that 5.4 agents are affected because the CVE as written does not say it is but I'm sure it is as all other Zabbix versions for servers and agents are affected

Comment by Eriks Sneiders [ 2024 Jan 16 ]

strouja Well judging from your previous comment You are using 5.4.0alpha1, and it turns out it would not have the smart bug because based on the original Smart plugin ticket ~~ZBXNEXT-6339~~ and double checking the source code the smart plugin was introduced with 5.4.0alpha2, but I would still highly suggest updating to a newer or LTS Zabbix version.

But if you are asking if the newest 5.4 Zabbix agent 2 is affected, then yes it is.

Comment by dimir [ 2024 Jan 27 ]

~~ZBX-23978~~ claims this one introduced a regression.

Generated at Sat Apr 19 12:16:11 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.