CVE-2017-2825
Attack vector | NETWORK |
Attack complexity | HIGH |
Privileges required | NONE |
Confidentiality impact | LOW |
Integrity impact | HIGH |
Availability impact | LOW |
Summary
In the trapper functionality of Zabbix Server 2.4.x, specifically crafted trapper packets can pass database logic checks, resulting in database writes. An attacker can set up a Man-in-the-Middle server to alter trapper requests made between an active Zabbix proxy and Server to trigger this vulnerability.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 21 |
OS | | 2 |
Nessus
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-3937.NASL |
description | Lilith Wyatt discovered two vulnerabilities in the Zabbix network monitoring system which may result in execution of arbitrary code or database writes by malicious proxies. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 102444 |
published | 2017-08-14 |
reporter | This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/102444 |
title | Debian DSA-3937-1 : zabbix - security update |
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-3937. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(102444);
  script_version("3.6");
  script_cvs_date("Date: 2018/11/10 11:49:38");

  script_cve_id("CVE-2017-2824", "CVE-2017-2825");
  script_xref(name:"DSA", value:"3937");

  script_name(english:"Debian DSA-3937-1 : zabbix - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Lilith Wyatt discovered two vulnerabilities in the Zabbix network
monitoring system which may result in execution of arbitrary code or
database writes by malicious proxies."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/zabbix"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2017/dsa-3937"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the zabbix packages.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:2.2.7+dfsg-2+deb8u3.

For the stable distribution (stretch), these problems have been fixed
prior to the initial release."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:zabbix");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/08/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/14");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"8.0", prefix:"zabbix-agent", reference:"1:2.2.7+dfsg-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"zabbix-frontend-php", reference:"1:2.2.7+dfsg-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"zabbix-java-gateway", reference:"1:2.2.7+dfsg-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"zabbix-proxy-mysql", reference:"1:2.2.7+dfsg-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"zabbix-proxy-pgsql", reference:"1:2.2.7+dfsg-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"zabbix-proxy-sqlite3", reference:"1:2.2.7+dfsg-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"zabbix-server-mysql", reference:"1:2.2.7+dfsg-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"zabbix-server-pgsql", reference:"1:2.2.7+dfsg-2+deb8u3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

NASL family | CGI abuses |
NASL id | ZABBIX_FRONTEND_3_2_5.NASL |
description | According to its self-reported version number, the instance of Zabbix running on the remote host is 2.0.x prior to 2.0.21, 2.2.x prior to 2.2.18, 3.0.x prior to 3.0.9, or 3.2.x prior to 3.2.5. It is, therefore, affected by multiple vulnerabilities: (1) A remote code execution vulnerability exists in the trapper command functionality due to improper handling of trapper packets. An unauthenticated, remote attacker can exploit this, via a specially crafted set of trapper packets, to inject arbitrary commands and execute arbitrary code. (CVE-2017-2824 / TALOS-2017-0325) (2) A security bypass vulnerability exists in the trapper command functionality due to improper handling of trapper packets. A man-in-the-middle (MitM) attacker can exploit this, via a specially crafted trapper packet, to bypass database security checks and write arbitrary data to the database. (CVE-2017-2825 / TALOS-2017-0326) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 100615 |
published | 2017-06-05 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100615 |
title | Zabbix 2.0.x < 2.0.21 / 2.2.x < 2.2.18 / 3.0.x < 3.0.9 / 3.2.x < 3.2.5 Multiple Vulnerabilities |
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(100615);
  script_version("1.4");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id("CVE-2017-2824", "CVE-2017-2825");
  script_bugtraq_id(98083, 98094);

  script_name(english:"Zabbix 2.0.x < 2.0.21 / 2.2.x < 2.2.18 / 3.0.x < 3.0.9 / 3.2.x < 3.2.5 Multiple Vulnerabilities");
  script_summary(english:"Checks the Zabbix version on the login page.");

  script_set_attribute(attribute:"synopsis", value:
"A web application running on the remote host is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the instance of Zabbix
running on the remote host is 2.0.x prior to 2.0.21, 2.2.x prior to
2.2.18, 3.0.x prior to 3.0.9, or 3.2.x prior to 3.2.5. It is,
therefore, affected by multiple vulnerabilities :

  - A remote code execution vulnerability exists in the trapper
    command functionality due to improper handling of trapper
    packets. An unauthenticated, remote attacker can exploit
    this, via a specially crafted set of trapper packets, to
    inject arbitrary commands and execute arbitrary code.
    (CVE-2017-2824 / TALOS-2017-0325)

  - A security bypass vulnerability exists in the trapper
    command functionality due to improper handling of trapper
    packets. A man-in-the-middle (MitM) attacker can exploit
    this, via a specially crafted trapper packet, to bypass
    database security checks and write arbitrary data to the
    database. (CVE-2017-2825 / TALOS-2017-0326)

Note that Nessus has not tested for these issues but has instead relied
only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://blog.talosintelligence.com/2017/04/zabbix-multiple-vulns.html");
  script_set_attribute(attribute:"see_also", value:"https://www.talosintelligence.com/reports/TALOS-2017-0325/");
  script_set_attribute(attribute:"see_also", value:"https://www.talosintelligence.com/reports/TALOS-2017-0326/");
  script_set_attribute(attribute:"see_also", value:"https://support.zabbix.com/browse/ZBX-12075");
  script_set_attribute(attribute:"see_also", value:"https://support.zabbix.com/browse/ZBX-12076");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Zabbix version 2.0.21 / 2.2.18 / 3.0.9 / 3.2.5 or later.
Alternatively, to mitigate CVE-2017-2824, delete the three default
script entries inside the Zabbix Server database per the
TALOS-2017-0325 advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-2825");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/05");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:zabbix:zabbix");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("zabbix_frontend_detect.nasl");
  script_require_keys("installed_sw/zabbix", "Settings/ParanoidReport");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "zabbix";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port : port,
  exit_if_unknown_ver : TRUE
);

dir = install['path'];
ver = install['version'];
install_url = build_url(port:port, qs:dir);

if (report_paranoia < 2) audit(AUDIT_PARANOID);

fix = NULL;
if (ver =~ "^2\.0\.([0-9]|[1][0-9]|20|21rc[0-9]+)($|[^0-9])") fix = "2.0.21";
else if (ver =~ "^2\.2\.([0-9]|1[0-7]|18rc[0-9]+)($|[^0-9])") fix = "2.2.18";
else if (ver =~ "^3\.0\.([0-8]|9rc[0-9]+)($|[^0-9])") fix = "3.0.9";
else if (ver =~ "^3\.2\.([0-4]|5rc[0-9]+)($|[^0-9])") fix = "3.2.5";

if (!isnull(fix))
{
  report =
    '\n  URL               : ' + install_url +
    '\n  Installed version : ' + ver +
    '\n  Fixed version     : 2.0.21 / 2.2.18 / 3.0.9 / 3.2.5' +
    '\n';
  security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);
  exit(0);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, "Zabbix", install_url, ver);
```
Seebug
bulletinFamily | exploit |
id | SSV:93061 |
last seen | 2017-11-19 |
modified | 2017-04-28 |
published | 2017-04-28 |
reporter | Root |
title | Zabbix Proxy Server SQL Database Write Vulnerability (CVE-2017-2825) |
description:

**Official patch earlier to fix the vulnerabilities**: the [Zabbix code execution vulnerability](https://www.seebug.org/vuldb/ssvid-93060)

### DETAILS

One of the Trapper requests made by the Zabbix proxy is the "proxy config" request, which allows a proxy to request its own proxy configuration from the Zabbix Server (or any other Zabbix Proxy's configuration if they know the hostname of that machine). When this occurs, the Zabbix Server pulls the varying configuration for the given Zabbix Proxy from its database. While the Zabbix server has hardcoded tables that it looks at when searching for the desired configuration data to send to the proxy, there is no such restriction on what the Zabbix Proxy will apply to its database. Thus, if an attacker is able to man-in-the-middle the traffic of a Zabbix Proxy and Zabbix Server, the attacker can insert arbitrary JSON into the configuration response of the Server, and the Zabbix Proxy will apply the configuration without hesitation. This is doubly concerning since the proxy configuration data flows unencrypted over the local network, allowing anyone with network connectivity to the Zabbix Server to utilize this attack. Since the "proxy config" request happens at regular intervals from the Proxy to the Server, an attacker can use a proxy server to intercept the traffic and insert arbitrary data into the database, as long as the destination table is a valid table in the Zabbix proxy database.

### CREDIT

Discovered by Lilith Wyatt of the Cisco ASIG

### TIMELINE

2017-03-22 - Vendor Disclosure
2017-04-27 - Public Release
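As an added illustration (not Zabbix's own code and not part of the Talos advisory), the following Python models the acceptance logic the DETAILS section describes: the server reads from a hardcoded list of tables, but the proxy writes whatever tables the response names, provided they exist in its database. The response layout (a JSON object keyed by destination table, each holding a list of rows) and the table names are assumptions; the hardened variant shows the check the proxy was missing, an allowlist that mirrors the server's fixed table set and is applied before any row is written.

```python
"""Constructed model of the "proxy config" acceptance logic the advisory describes.

Added illustration only; this is not Zabbix's code. The table names and the
response layout are assumptions made for the example.
"""
import json


class ConfigRejected(Exception):
    """Raised when a configuration response fails validation."""


# Assumed: every table the proxy's local database contains, including
# proxy-local state that a configuration sync should never touch.
PROXY_DB_TABLES = {
    "hosts", "items", "hosts_templates", "globalmacro",  # pushed by the server
    "proxy_history", "ids",                              # proxy-local state
}

# Assumed allowlist: the tables a configuration sync is expected to write.
# It mirrors the server side, which reads from a hardcoded table list.
CONFIG_SYNC_TABLES = {"hosts", "items", "hosts_templates", "globalmacro"}


def parse_config_response(raw: bytes) -> dict:
    """Decode the response and enforce the shape {table_name: [row, ...]}."""
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ConfigRejected("config response must be a JSON object")
    for table, rows in doc.items():
        if not isinstance(table, str) or not isinstance(rows, list):
            raise ConfigRejected(f"table {table!r}: expected a list of rows")
    return doc


def apply_vulnerable(raw: bytes) -> dict:
    """Mirror of the weakness: any table that exists in the proxy database is
    written, so a table injected in transit lands alongside the real data."""
    doc = parse_config_response(raw)
    return {table: rows for table, rows in doc.items() if table in PROXY_DB_TABLES}


def apply_hardened(raw: bytes) -> dict:
    """Accept only allowlisted tables and reject the whole response otherwise,
    so a tampered response is never applied partially."""
    doc = parse_config_response(raw)
    unexpected = set(doc) - CONFIG_SYNC_TABLES
    if unexpected:
        raise ConfigRejected(
            f"unexpected tables in config response: {sorted(unexpected)}")
    return doc


def hardened_rejects(raw: bytes) -> bool:
    """True if the hardened path refuses the response."""
    try:
        apply_hardened(raw)
    except ConfigRejected:
        return True
    return False


# Constructed samples: a legitimate sync, and the same sync with an extra
# table inserted the way a man-in-the-middle between proxy and server could.
LEGIT = json.dumps({
    "hosts": [[10001, "web01"]],
    "items": [[20001, 10001, "system.cpu.load"]],
}).encode()

TAMPERED = json.dumps({
    "hosts": [[10001, "web01"]],
    "proxy_history": [[1, 20001, 0, "injected-value"]],
}).encode()

if __name__ == "__main__":
    print("vulnerable path applies:", sorted(apply_vulnerable(TAMPERED)))
    print("hardened path applies:  ", sorted(apply_hardened(LEGIT)))
    print("hardened rejects tampered response:", hardened_rejects(TAMPERED))
```

Run stand-alone, it prints which tables each path would write for the tampered sample. The allowlist addresses only the database-write half of the advisory; the other half, that the proxy config exchange crosses the network in cleartext, is addressed by upgrading to the fixed versions listed in the Nessus plugins above and by encrypting server-to-proxy traffic, which Zabbix supports from version 3.0.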
Talos
id | TALOS-2017-0326 |
last seen | 2019-05-29 |
published | 2017-04-27 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0326 |
title | Zabbix Proxy Server SQL Database Write Vulnerability |
References
- http://www.securityfocus.com/bid/98094
- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0326
- https://www.debian.org/security/2017/dsa-3937