ID: CVE-2017-2825
Type: cve
Reporter: cve@mitre.org
Modified: 2019-10-03T00:03:00
Description
In the trapper functionality of Zabbix Server 2.4.x, specifically crafted trapper packets can pass database logic checks, resulting in database writes. An attacker can set up a Man-in-the-Middle server to alter trapper requests made between an active Zabbix proxy and Server to trigger this vulnerability.
{"seebug": [{"lastseen": "2017-11-19T11:57:58", "description": "**Official patch earlier to fix the vulnerabilities**: the [Zabbix code execution vulnerability](<https://www.seebug.org/vuldb/ssvid-93060>)\n\n### DETAILS\n\nOne of the Trapper requests made by the Zabbix proxy is the \u201cproxy config\u201d request, which allows a proxy to request its own proxy configuration from the Zabbix Server (or any other Zabbix Proxy\u2019s configuration if they know the hostname of that machine). When this occurs, the Zabbix Server pulls varying configuration for the given Zabbix Proxy from its database. While the Zabbix server has hardcoded tables that it looks at when searching for the desired configuration data to send to the proxy, there is no such restriction on what the Zabbix Proxy will apply to its database.\n\nThus, if an attacker is able to man in the middle the traffic of a Zabbix Proxy and Zabbix Server, an attacker can insert arbitrary JSON into the configuration response of the Server, and the Zabbix Proxy will apply the configuration without hesitation. 
This is doubly concerning since the proxy configuration data flows unencrypted over the local network, allowing anyone with network connectivity to the Zabbix Server to utilize this attack.\n\nSince the \u201cproxy config\u201d request happens at regular intervals from the Proxy to the Server, an attacker can use a proxy server to intercept the traffic and insert arbitrary data into the database, as long as the destination table is a valid table in the Zabbix proxy database.\n\n### CREDIT\n\nDiscovered by Lilith Wyatt of the Cisco ASIG\n\n### TIMELINE\n\n2017-03-22 - Vendor Disclosure \n2017-04-27 - Public Release\n", "published": "2017-04-28T00:00:00", "type": "seebug", "title": "Zabbix Proxy Server SQL Database Write Vulnerability (CVE-2017-2825)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-2825"], "modified": "2017-04-28T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-93061", "id": "SSV:93061", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "talos": [{"lastseen": "2020-07-01T21:25:17", "bulletinFamily": "info", "cvelist": ["CVE-2017-2825"], "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0326\n\n## Zabbix Proxy Server SQL Database Write Vulnerability\n\n##### April 27, 2017\n\n##### CVE Number\n\nCVE-2017-2825 \n\n### Summary\n\nAn exploitable database write vulnerability exists in the trapper functionality of Zabbix Server 2.4.X. Specifically crafted trapper packets can pass database logic checks, resulting in database writes. 
An attacker can set up a Man-in-the-Middle server to alter trapper requests made between an active Zabbix proxy and Server to trigger this vulnerability.\n\n### Tested Versions\n\nZabbix Server 2.4.8.r1\n\n### Product URLs\n\n[http://www.zabbix.com](<https://www.zabbix.com/download>)\n\n### CVSSv3 Score\n\n7.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L\n\n### CWE\n\nCWE-300: Channel Accessible by Non-Endpoint (\u2018Man-in-the-Middle\u2019)\n\n### Details\n\nOne of the Trapper requests made by the Zabbix proxy is the \u201cproxy config\u201d request, which allows a proxy to request its own proxy configuration from the Zabbix Server (or any other Zabbix Proxy\u2019s configuration if they know the hostname of that machine). When this occurs, the Zabbix Server pulls varying configuration for the given Zabbix Proxy from its database. While the Zabbix server has hardcoded tables that it looks at when searching for the desired configuration data to send to the proxy, there is no such restriction on what the Zabbix Proxy will apply to its database.\n\nThus, if an attacker is able to man in the middle the traffic of a Zabbix Proxy and Zabbix Server, an attacker can insert arbitrary JSON into the configuration response of the Server, and the Zabbix Proxy will apply the configuration without hesitation. 
This is doubly concerning since the proxy configuration data flows unencrypted over the local network, allowing anyone with network connectivity to the Zabbix Server to utilize this attack.\n\nSince the \u201cproxy config\u201d request happens at regular intervals from the Proxy to the Server, an attacker can use a proxy server to intercept the traffic and insert arbitrary data into the database, as long as the destination table is a valid table in the Zabbix proxy database.\n\n### Timeline\n\n2017-03-22 - Vendor Disclosure \n2017-04-27 - Public Release\n\n##### Credit\n\nDiscovered by Lilith Wyatt of Cisco ASIG\n", "edition": 13, "modified": "2017-04-27T00:00:00", "published": "2017-04-27T00:00:00", "id": "TALOS-2017-0326", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0326", "title": "Zabbix Proxy Server SQL Database Write Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:34:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2825", "CVE-2017-2824"], "description": "Zabbix is prone to multiple vulnerabilities.", "modified": "2018-10-26T00:00:00", "published": "2017-04-28T00:00:00", "id": "OPENVAS:1361412562310106796", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106796", "type": "openvas", "title": "Zabbix Multiple Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_zabbix_mult_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Zabbix Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public 
License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:zabbix:zabbix\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106796\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-28 08:43:22 +0200 (Fri, 28 Apr 2017)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2017-2824\", \"CVE-2017-2825\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Zabbix Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"zabbix_web_detect.nasl\");\n script_mandatory_keys(\"Zabbix/installed\");\n\n script_tag(name:\"summary\", value:\"Zabbix is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Zabbix is prone to multiple vulnerabilities:\n\n - Zabbix Server Active Proxy Trapper Remote Code Execution 
Vulnerability (CVE-2017-2824)\n\n - Zabbix Proxy Server SQL Database Write Vulnerability (CVE-2017-2825)\");\n\n script_tag(name:\"impact\", value:\"An unauthenticated attacker may execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Zabbix version prior to 2.0.21, 2.2.x, 3.0.x and 3.2.x.\");\n\n script_tag(name:\"solution\", value:\"Update to 2.0.21, 2.2.18, 3.0.9, 3.2.5 or newer versions.\");\n\n script_xref(name:\"URL\", value:\"http://blog.talosintelligence.com/2017/04/zabbix-multiple-vulns.html\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_less(version: version, test_version: \"2.0.21\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.0.21\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version =~ \"^2\\.2\") {\n if (version_is_less(version: version, test_version: \"2.2.18\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.2.18\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^3\\.0\") {\n if (version_is_less(version: version, test_version: \"3.0.9\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"3.0.9\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^3\\.2\") {\n if (version_is_less(version: version, test_version: \"3.2.5\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"3.2.5\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2825", "CVE-2017-2824"], "description": "Lilith Wyatt discovered two vulnerabilities in the Zabbix network\nmonitoring system which may result in 
execution of arbitrary code or\ndatabase writes by malicious proxies.", "modified": "2019-03-18T00:00:00", "published": "2017-08-12T00:00:00", "id": "OPENVAS:1361412562310703937", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703937", "type": "openvas", "title": "Debian Security Advisory DSA 3937-1 (zabbix - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_3937.nasl 14280 2019-03-18 14:50:45Z cfischer $\n#\n# Auto-generated from advisory DSA 3937-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703937\");\n script_version(\"$Revision: 14280 $\");\n script_cve_id(\"CVE-2017-2824\", \"CVE-2017-2825\");\n script_name(\"Debian Security Advisory DSA 3937-1 (zabbix - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:50:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-12 00:00:00 +0200 (Sat, 12 Aug 2017)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3937.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"zabbix on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), these problems have been fixed\nin version 1:2.2.7+dfsg-2+deb8u3.\n\nFor the stable distribution (stretch), these problems have been fixed\nprior to the initial release.\n\nWe recommend that you upgrade your zabbix packages.\");\n script_tag(name:\"summary\", value:\"Lilith Wyatt discovered two vulnerabilities in the Zabbix network\nmonitoring system which may result in 
execution of arbitrary code or\ndatabase writes by malicious proxies.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"zabbix-agent\", ver:\"1:2.2.7+dfsg-2+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zabbix-frontend-php\", ver:\"1:2.2.7+dfsg-2+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zabbix-java-gateway\", ver:\"1:2.2.7+dfsg-2+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zabbix-proxy-mysql\", ver:\"1:2.2.7+dfsg-2+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zabbix-proxy-pgsql\", ver:\"1:2.2.7+dfsg-2+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zabbix-proxy-sqlite3\", ver:\"1:2.2.7+dfsg-2+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zabbix-server-mysql\", ver:\"1:2.2.7+dfsg-2+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zabbix-server-pgsql\", ver:\"1:2.2.7+dfsg-2+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-01T07:01:18", "description": "According to its self-reported version number, the instance of Zabbix\nrunning on the remote host is 2.0.x prior to 2.0.21, 2.2.x prior to\n2.2.18, 3.0.x prior to 3.0.9, or 3.2.x prior to 3.2.5. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the\n trapper command functionality due to improper handling\n of trapper packets. 
An unauthenticated, remote attacker\n can exploit this, via a specially crafted set of trapper\n packets, to inject arbitrary commands and execute\n arbitrary code. (CVE-2017-2824 / TALOS-2017-0325)\n\n - A security bypass vulnerability exists in the trapper\n command functionality due to improper handling of\n trapper packets. A man-in-the-middle (MitM) attacker can\n exploit this, via a specially crafted trapper packet, to\n bypass database security checks and write arbitrary data\n to the database. (CVE-2017-2825 / TALOS-2017-0326)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 27, "cvss3": {"score": 7.0, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"}, "published": "2017-06-05T00:00:00", "title": "Zabbix 2.0.x < 2.0.21 / 2.2.x < 2.2.18 / 3.0.x < 3.0.9 / 3.2.x < 3.2.5 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2825", "CVE-2017-2824"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:zabbix:zabbix"], "id": "ZABBIX_FRONTEND_3_2_5.NASL", "href": "https://www.tenable.com/plugins/nessus/100615", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100615);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2017-2824\", \"CVE-2017-2825\");\n script_bugtraq_id(98083, 98094);\n\n script_name(english:\"Zabbix 2.0.x < 2.0.21 / 2.2.x < 2.2.18 / 3.0.x < 3.0.9 / 3.2.x < 3.2.5 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the Zabbix version on the login page.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the instance of Zabbix\nrunning on the remote host is 2.0.x prior to 2.0.21, 2.2.x 
prior to\n2.2.18, 3.0.x prior to 3.0.9, or 3.2.x prior to 3.2.5. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the\n trapper command functionality due to improper handling\n of trapper packets. An unauthenticated, remote attacker\n can exploit this, via a specially crafted set of trapper\n packets, to inject arbitrary commands and execute\n arbitrary code. (CVE-2017-2824 / TALOS-2017-0325)\n\n - A security bypass vulnerability exists in the trapper\n command functionality due to improper handling of\n trapper packets. A man-in-the-middle (MitM) attacker can\n exploit this, via a specially crafted trapper packet, to\n bypass database security checks and write arbitrary data\n to the database. (CVE-2017-2825 / TALOS-2017-0326)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blog.talosintelligence.com/2017/04/zabbix-multiple-vulns.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.talosintelligence.com/reports/TALOS-2017-0325/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.talosintelligence.com/reports/TALOS-2017-0326/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.zabbix.com/browse/ZBX-12075\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.zabbix.com/browse/ZBX-12076\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Zabbix version 2.0.21 / 2.2.18 / 3.0.9 / 3.2.5 or later.\nAlternatively, to mitigate CVE-2017-2824, delete the three default\nscript entries inside the Zabbix Server database per the\nTALOS-2017-0325 advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-2825\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/05\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zabbix:zabbix\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"zabbix_frontend_detect.nasl\");\n script_require_keys(\"installed_sw/zabbix\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"zabbix\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install['path'];\nver = install['version'];\ninstall_url = build_url(port:port, qs:dir);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nfix = NULL;\n\nif (ver =~ \"^2\\.0\\.([0-9]|[1][0-9]|20|21rc[0-9]+)($|[^0-9])\")\n fix = \"2.0.21\";\n\nelse if (ver =~ \"^2\\.2\\.([0-9]|1[0-7]|18rc[0-9]+)($|[^0-9])\")\n fix = \"2.2.18\";\n\nelse if (ver =~ \"^3\\.0\\.([0-8]|9rc[0-9]+)($|[^0-9])\")\n fix = \"3.0.9\";\n\nelse if (ver =~ \"^3\\.2\\.([0-4]|5rc[0-9]+)($|[^0-9])\")\n fix = \"3.2.5\";\n\nif (!isnull(fix))\n{\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : 2.0.21 / 2.2.18 / 3.0.9 / 3.2.5' +\n '\\n';\n\n security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);\n exit(0);\n}\nelse\n audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Zabbix\", install_url, ver);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:50:32", "description": "Lilith Wyatt discovered two vulnerabilities in the Zabbix network\nmonitoring system which may result in execution of arbitrary code or\ndatabase writes by malicious proxies.", "edition": 27, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-14T00:00:00", "title": "Debian DSA-3937-1 : zabbix - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2825", 
"CVE-2017-2824"], "modified": "2017-08-14T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:zabbix"], "id": "DEBIAN_DSA-3937.NASL", "href": "https://www.tenable.com/plugins/nessus/102444", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3937. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102444);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-2824\", \"CVE-2017-2825\");\n script_xref(name:\"DSA\", value:\"3937\");\n\n script_name(english:\"Debian DSA-3937-1 : zabbix - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Lilith Wyatt discovered two vulnerabilities in the Zabbix network\nmonitoring system which may result in execution of arbitrary code or\ndatabase writes by malicious proxies.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/zabbix\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3937\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the zabbix packages.\n\nFor the oldstable distribution (jessie), these problems have been\nfixed in version 1:2.2.7+dfsg-2+deb8u3.\n\nFor the stable distribution (stretch), these problems have been fixed\nprior to the initial release.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:zabbix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"zabbix-agent\", reference:\"1:2.2.7+dfsg-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zabbix-frontend-php\", reference:\"1:2.2.7+dfsg-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zabbix-java-gateway\", reference:\"1:2.2.7+dfsg-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zabbix-proxy-mysql\", reference:\"1:2.2.7+dfsg-2+deb8u3\")) flag++;\nif 
(deb_check(release:\"8.0\", prefix:\"zabbix-proxy-pgsql\", reference:\"1:2.2.7+dfsg-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zabbix-proxy-sqlite3\", reference:\"1:2.2.7+dfsg-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zabbix-server-mysql\", reference:\"1:2.2.7+dfsg-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zabbix-server-pgsql\", reference:\"1:2.2.7+dfsg-2+deb8u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-08-12T01:06:51", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2825", "CVE-2017-2824"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3937-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nAugust 12, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : zabbix\nCVE ID : CVE-2017-2824 CVE-2017-2825\n\nLilith Wyatt discovered two vulnerabilities in the Zabbix network\nmonitoring system which may result in execution of arbitrary code or\ndatabase writes by malicious proxies.\n\nFor the oldstable distribution (jessie), these problems have been fixed\nin version 1:2.2.7+dfsg-2+deb8u3.\n\nFor the stable distribution (stretch), these problems have been fixed\nprior to the initial release.\n\nWe recommend that you upgrade your zabbix packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 10, "modified": "2017-08-12T00:24:29", "published": "2017-08-12T00:24:29", "id": 
"DEBIAN:DSA-3937-1:63B5F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00198.html", "title": "[SECURITY] [DSA 3937-1] zabbix security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}