seebug | Root | SSV:93061
Apr 28, 2017 - 12:00 a.m.

Zabbix Proxy Server SQL Database Write Vulnerability (CVE-2017-2825)


EPSS: 0.002 (Low), percentile 58.6%

An official patch released earlier fixes the vulnerabilities: the Zabbix code execution vulnerability

DETAILS

One of the Trapper requests made by the Zabbix proxy is the "proxy config" request, which allows a proxy to request its own proxy configuration from the Zabbix Server (or any other Zabbix Proxy's configuration, if the requester knows the hostname of that machine). When this occurs, the Zabbix Server pulls the configuration for the given Zabbix Proxy from its database. While the Zabbix Server has hardcoded tables that it looks at when searching for the desired configuration data to send to the proxy, there is no such restriction on what the Zabbix Proxy will apply to its database.

Thus, if an attacker is able to man-in-the-middle the traffic between a Zabbix Proxy and Zabbix Server, the attacker can insert arbitrary JSON into the configuration response of the Server, and the Zabbix Proxy will apply the configuration without hesitation. This is doubly concerning since the proxy configuration data flows unencrypted over the local network, allowing anyone with network connectivity to the Zabbix Server to utilize this attack.

Since the "proxy config" request happens at regular intervals from the Proxy to the Server, an attacker can use a proxy server to intercept the traffic and insert arbitrary data into the database, as long as the destination table is a valid table in the Zabbix proxy database.
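
A defender-side check for the gap described above, as an added example that is not Zabbix code or part of the original advisory: it rejects a configuration response that names a table outside an allowlist or whose rows do not match the declared fields. The response layout (table name mapped to `fields` and `data`), the allowlist contents and the sample values are assumptions.

```python
import json

# Assumption: tables a server legitimately sends in a proxy config response.
# Illustrative only; derive the real list from your Zabbix version.
ALLOWED_TABLES = frozenset({
    "globalmacro", "hosts", "interface", "hosts_templates", "hostmacro",
    "items", "drules", "dchecks", "regexps", "expressions", "groups", "config",
})

def audit_proxy_config(raw):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        doc = json.loads(raw)
    except (ValueError, TypeError) as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    findings = []
    for table, section in doc.items():
        if table not in ALLOWED_TABLES:
            findings.append(f"unexpected table: {table}")
            continue
        if not isinstance(section, dict):
            findings.append(f"{table}: section is not an object")
            continue
        fields, rows = section.get("fields"), section.get("data")
        if not (isinstance(fields, list) and all(isinstance(f, str) for f in fields)):
            findings.append(f"{table}: 'fields' must be a list of column names")
            continue
        if not isinstance(rows, list):
            findings.append(f"{table}: 'data' must be a list of rows")
            continue
        for i, row in enumerate(rows):
            if not isinstance(row, list) or len(row) != len(fields):
                findings.append(f"{table}: row {i} does not match {len(fields)} fields")
    return findings

# Constructed samples (not captured traffic).
CLEAN = '{"hosts": {"fields": ["hostid", "host"], "data": [[10105, "web01"]]}}'
TAMPERED = ('{"hosts": {"fields": ["hostid", "host"], "data": [[10105]]},'
            ' "unexpected_table": {"fields": ["id"], "data": [[1]]}}')

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, audit_proxy_config(sample) or "ok")
```

Applying such a check on the proxy side before the configuration is written mirrors the table restriction the server already enforces when it builds the response.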

CREDIT

Discovered by Lilith Wyatt of the Cisco ASIG

TIMELINE

2017-03-22 - Vendor Disclosure
2017-04-27 - Public Release