[ZBX-5924] Possible security issue due to misuse of the libcurl API Created: 2012 Dec 02  Updated: 2020 Jul 16  Resolved: 2014 Jan 31

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Documentation (D), Proxy (P), Server (S)
Affects Version/s: 2.0.3
Fix Version/s: 1.8.18rc1, 2.0.8rc1, 2.1.2

Type: Defect (Security) Priority: Minor
Reporter: Dmitry Smirnov Assignee: Andris Zeila
Resolution: Fixed Votes: 2
Labels: curl, security, ssl, trivial
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Debian

Description

Alessandro Ghedini, on behalf of the Debian security team, kindly shared his concerns regarding the following:

We recently discovered that zabbix is using the libcurl API in a way that may not be what the original author intended.
In particular, I'm referring to the fact that the CURLOPT_SSL_VERIFYHOST option is treated as if it were a boolean value,
while in fact it isn't (it may take three different values):

From the file "src/libs/zbxmedia/eztexting.c":

if (CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_USERAGENT, "Zabbix " ZABBIX_VERSION)) ||
CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_FOLLOWLOCATION, 1L)) ||
CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_WRITEFUNCTION, WRITEFUNCTION2)) ||
CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_HEADERFUNCTION, HEADERFUNCTION2)) ||
CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_SSL_VERIFYPEER, 1L)) ||
CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_SSL_VERIFYHOST, 1L)) ||
CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_POSTFIELDS, postfields)) ||
CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_POST, 1L)) ||
CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_URL, EZ_TEXTING_API_URL)) ||
CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_TIMEOUT, (long)EZ_TEXTING_TIMEOUT)))
{
	zbx_snprintf(error, max_error_len, "Could not set cURL option %d: [%s]", opt, curl_easy_strerror(err));
	goto clean;
}

Setting the value to "1" does not enable the host checks (well, not all of them)
and this may lead to security issues. The correct value to enable all the security checks is "2".

From the libcurl documentation:

> When CURLOPT_SSL_VERIFYHOST is 2, that certificate must indicate
> that the server is the server to which you meant to connect, or the
> connection fails.
>
> Curl considers the server the intended one when the Common Name
> field or a Subject Alternate Name field in the certificate matches
> the host name in the URL to which you told Curl to connect.
>
> When the value is 1, the certificate must contain a Common Name
> field, but it doesn't matter what name it says. (This is not
> ordinarily a useful setting).
>
> When the value is 0, the connection succeeds regardless of the
> names in the certificate.

Note that this should be fixed anyway, since as of curl v7.28.1 the value "1" is not a valid value
anymore and libcurl will return an error.



Comments
Comment by Oleksii Zagorskyi [ 2012 Dec 02 ]

(1) Also it should be documented.

wiper
1.8.18
https://www.zabbix.com/documentation/1.8/manual/about/what_s_new_1.8.18
https://www.zabbix.com/documentation/1.8/manual/about/installation_and_upgrade

2.0.8
https://www.zabbix.com/documentation/2.0/manual/introduction/whatsnew208#security_fixes
https://www.zabbix.com/documentation/2.0/manual/installation/upgrade_notes_208?&#daemon_security_fixes

2.2.0
https://www.zabbix.com/documentation/2.2/manual/introduction/whatsnew220#security_fixes
https://www.zabbix.com/documentation/2.2/manual/installation/upgrade_notes_220#daemon_security_fixes

Please review.

zalex_ua Pretty simple and clear, thanks!
CLOSED

Comment by Henri Salo [ 2013 Jan 05 ]

Please use CVE-2012-6086 for this issue.

CVE request http://www.openwall.com/lists/oss-security/2013/01/02/1
CVE assignment http://www.openwall.com/lists/oss-security/2013/01/03/1

Comment by Matthew Marlowe [ 2013 Jan 19 ]

As the Gentoo package maintainer for Zabbix, I'd like to mention that this issue has reached the attention of our security team, and that curl 7.28.1 is currently one of the releases available to our users... if this bug isn't addressed shortly, I'll need to update our package to indicate it is not compatible with newer versions of curl.

Comment by Volker Fröhlich [ 2013 Apr 28 ]

Please take the time to address this 5 month old CVE!

Comment by Matthew Marlowe [ 2013 Jun 22 ]

curl 7.29 has now gone stable in Gentoo, although prior versions are still supported. Please resolve this bug... thanks.

Comment by Andris Zeila [ 2013 Jul 29 ]

Fixed in development branch svn://svn.zabbix.com/branches/dev/ZBX-5924

Comment by Volker Fröhlich [ 2013 Jul 30 ]

Backported to EPEL 5 and 6 zabbix20 packages, as well as zabbix 2.0 packages in Fedora.

1.8 in EPEL 6 remains to be done.

Comment by Alexander Vladishev [ 2013 Jul 31 ]

Successfully tested!

Comment by Andris Zeila [ 2013 Jul 31 ]

Released in:
pre-1.8.18rc1 r37454
pre-2.0.8rc1 r37455
pre-2.1.2 r37456

Comment by Volker Fröhlich [ 2013 Aug 04 ]

Backported to 1.8 in EPEL 6 (1.8.17-2)

Comment by richlv [ 2013 Oct 26 ]

Subissue (1) has not been closed.

zalex_ua Closed already.

Generated at Fri Apr 19 20:00:40 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.