These vulnerabilities were discovered by Lilith Wyatt of Cisco ASIG
Summary
Zabbix is an enterprise monitoring solution that is designed to give organizations the ability to monitor the health and status of various systems within their networks, including: network services, servers, and networking equipment. Cisco recently discovered multiple vulnerabilities in the Zabbix Server software component that could be leveraged by attackers to write directly to the Zabbix Proxy database or achieve remote code execution on the Zabbix Server. Cisco worked with Zabbix to responsibly disclose these vulnerabilities and ensure that a patch is available. Zabbix has released public advisories regarding these vulnerabilities which are located here and here.
Vulnerability Details
Zabbix Server Active Proxy Trapper Remote Code Execution Vulnerability (TALOS-2017-0325 / CVE-2017-2824)
By default, Zabbix Server exposes a series of APIs to Zabbix Proxy which are responsible for discovery and configuration tasks which are created and executed based on information provided by the Zabbix Proxy using this API. The existence of a command injection vulnerability in the "discovery" requests associated with these APIs could allow an attacker to insert arbitrary commands into the Zabbix database. The injected commands inserted by the attacker can then be executed by sending an appropriate <command> request specifying the <hostid> associated with the record that was previously created. This could allow an attacker to achieve remote code execution on the Zabbix server.
For full details regarding this vulnerability, please see the advisory here.
Zabbix Proxy Server SQL Database Write Vulnerability (TALOS-2017-0326 / CVE-2017-2825)
When configured in active proxy mode, the Zabbix Proxy will send "proxy config" requests to the Zabbix server on startup, as well as during regular intervals. The Zabbix server responds to these requests by transmitting the proxy configuration in an unencrypted state. While the Zabbix server uses a hardcoded list of database table names to create the proxy configuration, the Zabbix proxy does not utilize such a list or any validation on the response received from the server. An attacker with the capability to perform a man-in-the-middle (MITM) attack against this communications channel could maliciously manipulate these responses, thus allowing the attacker the ability to write to the database on the Zabbix proxy.
For full details regarding this vulnerability, please see the advisory here.
Affected Versions
The following software versions are listed as confirmed affected in the advisories released by Zabbix:
Zabbix 2.4.7 - 2.4.8r1
Conclusion
Cisco worked to responsibly disclose these vulnerabilities to Zabbix. Zabbix has released public advisories regarding these vulnerabilities. These advisories can be found here and here. As this vulnerability can be leveraged by an attacker to obtain remote code execution on affected systems, it is recommended that the applicable security updates be applied as quickly as possible. Ensuring that systems remained patched against the latest software vulnerabilities is essential to ensuring that environments remain protected.
Research efforts to identify zero-day vulnerabilities in software will remain an ongoing effort by Talos. Our work in developing programmatic methods to identify zero-day vulnerabilities and making sure they are addressed in a responsible manner is critical to improving the overall security of the internet.
Coverage
The following Snort IDs have been released to detect this vulnerability: 42326, 42337.
Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center or Snort.org.
For further zero day or vulnerability reports and information visit: