Zabbix SQL Injection Vulnerability Let Attackers Gain Complete Control Of Instances


A critical security flaw has been discovered in Zabbix, the popular open-source monitoring solution, potentially allowing attackers to gain full control over affected instances.

The vulnerability, identified as CVE-2024-42327, affects multiple versions of Zabbix and has been assigned a CVSS score of 9.9, indicating its severe nature.

The SQL injection vulnerability exists in the CUser class within the Zabbix frontend, specifically in the addRelatedObjects function.

This function is called by the CUser.get function, which is accessible to any user with API access.

What makes this vulnerability particularly concerning is that it can be exploited by non-admin user accounts with the default User role or any role that provides API access.

Security researcher Mark Rakoczi discovered and reported the vulnerability through the HackerOne bug bounty platform. The flaw affects Zabbix versions 6.0.0 to 6.0.31, 6.4.0 to 6.4.16, and 7.0.0.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Technical Analysis

Successful exploitation of this vulnerability could lead to severe consequences, including:-

  • Unauthorized access to the Zabbix database
  • Exfiltration of sensitive information
  • Modification or deletion of critical monitoring data
  • Execution of arbitrary commands on the database server
  • Privilege escalation within the Zabbix system

The high CVSS score reflects the potential for significant damage to an organization’s monitoring infrastructure and data confidentiality.

As of November 28, 2024, Zabbix has not yet released a patch to address this vulnerability. However, the company has acknowledged the issue and is working on a fix.

Zabbix users are advised to monitor the official Zabbix security advisories and update channels for patch information as it becomes available.

In the meantime, security experts recommend implementing several mitigation strategies:-

  • Review and restrict API access permissions
  • Implement additional access controls and monitoring for the Zabbix frontend
  • Use Web Application Firewall (WAF) rules to detect and block potential SQL injection attempts
  • Regularly audit user roles and permissions
  • Implement network segmentation to limit the exposure of the Zabbix server
  • Monitor database and application logs for suspicious activities

Given the critical nature of this vulnerability, organizations using Zabbix are urged to prioritize this issue for immediate attention and remediation once a patch becomes available.

The potential for attackers to gain complete control over Zabbix instances underscores the importance of prompt action to protect monitoring infrastructure and sensitive data.

As the situation develops, Zabbix users should stay vigilant and follow the official Zabbix communication channels for updates and further guidance on addressing this significant security risk.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar



Source link