Lucene search

HistoryDec 06, 2017 - 12:00 a.m.

Zabbix Server 'active checks' Command Injection

2017-12-0600:00:00

www.tenable.com

10350

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.716 High

EPSS

Percentile

98.1%

JSON

The Zabbix server running on the remote host is affected by a remote command injection vulnerability due to the failure to sanitize the input data involving an IP address that would go into the ‘ip’ field of the ‘interface’ table in the ‘zabbix’ database. An unauthenticated, remote attacker can exploit this, via specially crafted packets, to execute OS commands.

Note that Zabbix server is reportedly affected by additional vulnerabilities; however, this plugin has not tested for these

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(105042);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2017-2824");
  script_bugtraq_id(98083);

  script_name(english:"Zabbix Server 'active checks' Command Injection");

  script_set_attribute(attribute:"synopsis", value:
"A network monitoring application running on the remote host is
affected by a remote command injection vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Zabbix server running on the remote host is affected by a remote
command injection vulnerability due to the failure to sanitize the
input data involving an IP address that would go into the 'ip' field 
of the 'interface' table in the 'zabbix' database. An unauthenticated,
remote attacker can exploit this, via specially crafted packets, to
execute OS commands.

Note that Zabbix server is reportedly affected by additional
vulnerabilities; however, this plugin has not tested for these");
  script_set_attribute(attribute:"see_also", value:"https://support.zabbix.com/browse/ZBX-12075");
  script_set_attribute(attribute:"see_also", value:"https://www.zabbix.com/rn/rn3.2.7");
  script_set_attribute(attribute:"see_also", value:"https://www.zabbix.com/rn/rn3.0.10");
  script_set_attribute(attribute:"see_also", value:"https://www.zabbix.com/rn/rn2.2.19");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Zabbix version 3.4.0 / 3.2.7 / 3.0.10 / 2.2.19 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/07/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/06");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:zabbix:zabbix");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2022 Tenable Network Security, Inc.");

  script_dependencies("zabbix_server_detect.nasl");
  script_require_ports("Services/zabbix_server", 10051);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("dump.inc");
include("audit.inc");

port = get_service(svc:'zabbix_server', default: 10051, exit_on_fail:TRUE);

soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);

# Specify both invalid 'host' and 'ip'
# Valid chars in 'host' are: '0-9a-zA-Z. _-'
invalid_host = '$' + SCRIPT_NAME + '$';
invalid_ip   = SCRIPT_NAME;

req ='{"request":"active checks", "host":"' + 
  invalid_host + '","ip":"' +
  invalid_ip + '"}';

send(socket:soc, data:req);
res = recv(socket:soc, length:256);

if (! isnull(res))
{
  if(res =~ '^ZBXD')
  {
    # Patched server checks 'ip' first before checking 'host'
    if ('not a valid IP address' >< res)
    {
      audit(AUDIT_LISTEN_NOT_VULN, 'Zabbix server', port); 
    }
    # Vulnerable server doesn't check 'ip'
    else if ('invalid host name' >< res)
    {
      security_report_v4(port: port, severity: SECURITY_WARNING);
    }
    else
    {
      audit(AUDIT_RESP_BAD, port, "an 'active checks' request. Unexpected response:" + '\n' + hexdump(ddata: res) + '\n');  
    }
  }
  else
  {
    audit(AUDIT_RESP_BAD, port, "an 'active checks' request: bad Zabbix protocol header");  
  }
}
else
{
  audit(AUDIT_RESP_NOT, port, "an 'active checks' request");  
}

VendorProductVersionCPE
zabbixzabbixcpe:/a:zabbix:zabbix

Vendor	Product	Version	CPE
zabbix	zabbix		cpe:/a:zabbix:zabbix

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2824

support.zabbix.com/browse/ZBX-12075

www.zabbix.com/rn/rn2.2.19

www.zabbix.com/rn/rn3.0.10

www.zabbix.com/rn/rn3.2.7

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.716 High

EPSS

Percentile

98.1%

JSON

Related for ZABBIX_SERVER_CVE-2017-2824.NASL