
[Vulnerability notice] CVE-2017-2824: Remote code execution and database write vulnerabilities in Zabbix

Last Updated: Apr 08, 2018

Recently, the open-source network monitoring software Zabbix has been revealed to have two high-risk vulnerabilities. An attacker can exploit these vulnerabilities to run code remotely and write arbitrary data to the database, posing a risk of data leakage.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-2824

Vulnerability name

Zabbix Server Active Proxy Trapper remote code execution vulnerability (CVE-2017-2824)

Zabbix Proxy database write vulnerability (CVE-2017-2824)

Vulnerability rating

High

Vulnerability description

  • Zabbix Server Active Proxy Trapper remote code execution vulnerability (CVE-2017-2824)

    The trapper command functionality of Zabbix 2.4.x has a code execution vulnerability. A specially crafted set of packets can cause a command injection, resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.

  • Zabbix proxy database write vulnerability (CVE-2017-2824)

    The trapper functionality of Zabbix 2.4.x has a database write vulnerability. A specially crafted set of malicious trapper packets can bypass the logic check and write data to the database. An attacker can perform a man-in-the-middle (MITM) attack to maliciously manipulate responses to requests from an active Zabbix Proxy and thus trigger this vulnerability.

Condition and method of exploitation

Remote exploitation

Affected scope

Zabbix 2.4.7 - 2.4.8r1

Vulnerability detection

Check whether an affected version of Zabbix (2.4.7 to 2.4.8r1) is in use on any Zabbix Server or Zabbix Proxy host, for example by reading the version banner printed by zabbix_server -V or zabbix_proxy -V.
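As an added example (not part of the advisory and not Zabbix project code), the version check below parses a banner of the form printed by zabbix_server -V or zabbix_proxy -V and reports whether it falls in the affected range quoted above. The host inventory is constructed for illustration; the banner format and the inclusive 2.4.7 to 2.4.8r1 range are the only assumptions.

```python
"""Added example, not part of the advisory or of the Zabbix project: flag Zabbix
versions inside the affected range 2.4.7 - 2.4.8r1 quoted by the advisory."""
import re
from typing import Dict, List, Optional, Tuple

# Affected range from the advisory, inclusive at both ends (the "r1" suffix of the
# upper bound is treated as a re-release of 2.4.8, so plain 2.4.8 is inside too).
AFFECTED_MIN = (2, 4, 7)
AFFECTED_MAX = (2, 4, 8)

# `zabbix_server -V` / `zabbix_proxy -V` print a banner such as
# "zabbix_server (Zabbix) 2.4.8"; an optional trailing tag like "r1" or "rc1" is kept.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([A-Za-z0-9]*)")

# Constructed inventory (hostname -> version banner); these are not real hosts.
SAMPLE_INVENTORY: Dict[str, str] = {
    "zbx-proxy-01": "zabbix_proxy (Zabbix) 2.4.8",
    "zbx-proxy-02": "zabbix_proxy (Zabbix) 2.4.6",
    "zbx-server": "zabbix_server (Zabbix) 3.0.9",
    "zbx-legacy": "zabbix_server (Zabbix) 2.4.8r1",
    "zbx-unknown": "connection refused",
}


def parse_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, patch, suffix) from a banner, or None if no version is present."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).lower()


def is_affected(banner: str) -> bool:
    """True when the banner's version lies in the advisory's affected range."""
    parsed = parse_version(banner)
    if parsed is None:
        return False  # unparseable: reported separately rather than guessed
    major, minor, patch, _suffix = parsed
    return AFFECTED_MIN <= (major, minor, patch) <= AFFECTED_MAX


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Hostnames whose banner falls in the affected range, sorted for stable output."""
    return sorted(h for h, b in inventory.items() if is_affected(b))


def unparseable_hosts(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose version could not be determined and therefore need a manual look."""
    return sorted(h for h, b in inventory.items() if parse_version(b) is None)


if __name__ == "__main__":
    print("affected:    ", affected_hosts(SAMPLE_INVENTORY))
    print("undetermined:", unparseable_hosts(SAMPLE_INVENTORY))
```

Hosts whose banner cannot be parsed are listed separately instead of being counted as safe, so a collection failure does not hide an affected instance.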

How to fix or mitigate

  • Delete the default script entry from the Zabbix database.

    • Run the following SQL statements against the Zabbix database to delete the entries directly:

        use zabbix;
        -- note: this removes every row of the scripts table, not only the default entries
        DELETE FROM scripts;

    • Log on to the administration console, go to Administration > Scripts, select the check boxes of the script entries, and click Delete Selected.

  • The vulnerabilities have been fixed in pre-2.2.18.rc1 r67269, pre-3.0.9rc1 r67270, pre-3.2.5.rc1 r67271, and pre-3.4.0alpha1 (trunk) r67272. We recommend that you upgrade to the latest version immediately.
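As an added example (not from the advisory or the Zabbix project), the database mitigation above carried out as valid SQL with a row count taken before and after, so the operator has evidence the table is empty. An in-memory SQLite database with a constructed, minimal scripts table stands in for the Zabbix MySQL database; the DELETE statement itself is unchanged on MySQL. The placeholder rows are constructed and are not Zabbix's real default entries.

```python
"""Added example, not from the advisory or the Zabbix project: the "delete the default
script entry" mitigation written as valid SQL and verified before and after. An
in-memory SQLite database with a constructed, minimal `scripts` table stands in for
the Zabbix MySQL database; the DELETE statement itself is the same on MySQL."""
import sqlite3
from typing import Tuple

# Constructed placeholder rows; the real default entries are not reproduced here.
SAMPLE_SCRIPTS = [
    (1, "placeholder script A", "placeholder-command-a"),
    (2, "placeholder script B", "placeholder-command-b"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create a throwaway database with only the columns this example needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE scripts (scriptid INTEGER PRIMARY KEY, name TEXT, command TEXT)"
    )
    conn.executemany("INSERT INTO scripts VALUES (?, ?, ?)", SAMPLE_SCRIPTS)
    conn.commit()
    return conn


def count_scripts(conn: sqlite3.Connection) -> int:
    """Number of rows currently in the scripts table."""
    return conn.execute("SELECT COUNT(*) FROM scripts").fetchone()[0]


def delete_all_scripts(conn: sqlite3.Connection) -> Tuple[int, int]:
    """Apply the mitigation inside a transaction and return (rows before, rows after)
    so the operator has a record that the table really is empty afterwards."""
    before = count_scripts(conn)
    with conn:  # commit on success, roll back if the statement fails
        conn.execute("DELETE FROM scripts")
    return before, count_scripts(conn)


def literal_advisory_form_is_rejected(conn: sqlite3.Connection) -> bool:
    """The form `delete * from scripts;` is not valid SQL; confirm the engine rejects it
    with a syntax error rather than silently running something else."""
    try:
        conn.execute("delete * from scripts")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_sample_db()
    print("rejects 'delete * from scripts':", literal_advisory_form_is_rejected(db))
    print("rows before/after DELETE FROM scripts:", delete_all_scripts(db))
```

Take a backup of the scripts table before running the DELETE on a production database; the before/after counts are a verification step, not a substitute for one.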

Reference

[1]. http://blog.talosintelligence.com/2017/04/zabbix-multiple-vulns.html
[2]. http://www.talosintelligence.com/reports/TALOS-2017-0325/
[3]. http://www.talosintelligence.com/reports/TALOS-2017-0326/
[4]. https://support.zabbix.com/browse/ZBX-12075
[5]. https://support.zabbix.com/browse/ZBX-12076
