Lucene search

K
debianDebianDEBIAN:DLA-3390-1:93341
HistoryApr 12, 2023 - 1:36 p.m.

[SECURITY] [DLA 3390-1] zabbix security update

2023-04-1213:36:51
lists.debian.org
12
cve-2021-27927
cve-2022-24917
cve-2022-35230
update
zabbix
debian
cve-2022-35229
cve-2022-24349
vulnerabilities
cve-2020-15803
cve-2019-15132
cve-2022-24919
security

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7

Confidence

Low

EPSS

0.079

Percentile

94.3%


Debian LTS Advisory DLA-3390-1 [email protected]
https://www.debian.org/lts/security/ Tobias Frost
April 12, 2023 https://wiki.debian.org/LTS

Package : zabbix
Version : 1:4.0.4+dfsg-1+deb10u1
CVE ID : CVE-2019-15132 CVE-2020-15803 CVE-2021-27927 CVE-2022-24349
CVE-2022-24917 CVE-2022-24919 CVE-2022-35229 CVE-2022-35230
Debian Bug : 935027 966146 1014992 1014994

Several security vulnerabilities have been discovered in zabbix,
a network monitoring solution, potentially allowing User Enumeration,
Cross-Site-Scripting or Cross-Site Request Forgery.

CVE-2019-15132

Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is
possible to enumerate application usernames based on the variability of server
responses (e.g., the "Login name or password is incorrect" and "No permissions
for system access" messages, or just blocking for a number of seconds). This
affects both api_jsonrpc.php and index.php.

CVE-2020-15803

Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x
before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL
Widget.

CVE-2021-27927

In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1,
5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the
CControllerAuthenticationUpdate controller lacks a CSRF protection
mechanism. The code inside this controller calls diableSIDValidation
inside the init() method. An attacker doesn't have to know Zabbix user
login credentials, but has to know the correct Zabbix URL and contact
information of an existing user with sufficient privileges.

CVE-2022-24349

An authenticated user can create a link with reflected XSS payload for
actions’ pages, and send it to other users. Malicious code has access to
all the same objects as the rest of the web page and can make arbitrary
modifications to the contents of the page being displayed to a victim.
This attack can be implemented with the help of social engineering and
expiration of a number of factors - an attacker should have authorized
access to the Zabbix Frontend and allowed network connection between a
malicious server and victim’s computer, understand attacked
infrastructure, be recognized by the victim as a trustee and use trusted
communication channel.

CVE-2022-24917

An authenticated user can create a link with reflected Javascript code
inside it for services’ page and send it to other users. The payload can
be executed only with a known CSRF token value of the victim, which is
changed periodically and is difficult to predict. Malicious code has
access to all the same objects as the rest of the web page and can make
arbitrary modifications to the contents of the page being displayed to a
victim during social engineering attacks.

CVE-2022-24919

An authenticated user can create a link with reflected Javascript code
inside it for graphs’ page and send it to other users. The payload can
be executed only with a known CSRF token value of the victim, which is
changed periodically and is difficult to predict. Malicious code has
access to all the same objects as the rest of the web page and can make
arbitrary modifications to the contents of the page being displayed to a
victim during social engineering attacks.

CVE-2022-35229

An authenticated user can create a link with reflected Javascript code
inside it for the discovery page and send it to other users. The payload
can be executed only with a known CSRF token value of the victim, which
is changed periodically and is difficult to predict.

CVE-2022-35230

An authenticated user can create a link with reflected Javascript code
inside it for the graphs page and send it to other users. The payload
can be executed only with a known CSRF token value of the victim, which
is changed periodically and is difficult to predict.

For Debian 10 buster, these problems have been fixed in version
1:4.0.4+dfsg-1+deb10u1.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7

Confidence

Low

EPSS

0.079

Percentile

94.3%