Vulnerabilities > CVE-2017-2825 - Man in the Middle Security Bypass vulnerability in Zabbix Proxy Server

CVSS 6.8 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

zabbix

debian

nessus

NVD

Published: 2018-04-20

Updated: 2019-10-03

Summary

In the trapper functionality of Zabbix Server 2.4.x, specifically crafted trapper packets can pass database logic checks, resulting in database writes. An attacker can set up a Man-in-the-Middle server to alter trapper requests made between an active Zabbix proxy and Server to trigger this vulnerability.

Vulnerable Configurations

Part	Description	Count
Application	Zabbix Zabbix Zabbix 2.4.0 Zabbix Zabbix 2.4.1 Zabbix Zabbix 2.4.2 Zabbix Zabbix 2.4.3 Zabbix Zabbix 2.4.4 Zabbix Zabbix 2.4.5 Zabbix Zabbix 2.4.6 Zabbix Zabbix 2.4.7 Zabbix Zabbix 2.4.8	21
OS	Debian Debian Debian Linux 8.0 Debian Debian Linux 9.0	2

Nessus

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-3937.NASL
description	Lilith Wyatt discovered two vulnerabilities in the Zabbix network monitoring system which may result in execution of arbitrary code or database writes by malicious proxies.
last seen	2020-06-01
modified	2020-06-02
plugin id	102444
published	2017-08-14
reporter	This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/102444
title	Debian DSA-3937-1 : zabbix - security update
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-3937. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(102444); script_version("3.6"); script_cvs_date("Date: 2018/11/10 11:49:38"); script_cve_id("CVE-2017-2824", "CVE-2017-2825"); script_xref(name:"DSA", value:"3937"); script_name(english:"Debian DSA-3937-1 : zabbix - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Lilith Wyatt discovered two vulnerabilities in the Zabbix network monitoring system which may result in execution of arbitrary code or database writes by malicious proxies." ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/zabbix" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2017/dsa-3937" ); script_set_attribute( attribute:"solution", value: "Upgrade the zabbix packages. For the oldstable distribution (jessie), these problems have been fixed in version 1:2.2.7+dfsg-2+deb8u3. For the stable distribution (stretch), these problems have been fixed prior to the initial release." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:zabbix"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"patch_publication_date", value:"2017/08/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/14"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"zabbix-agent", reference:"1:2.2.7+dfsg-2+deb8u3")) flag++; if (deb_check(release:"8.0", prefix:"zabbix-frontend-php", reference:"1:2.2.7+dfsg-2+deb8u3")) flag++; if (deb_check(release:"8.0", prefix:"zabbix-java-gateway", reference:"1:2.2.7+dfsg-2+deb8u3")) flag++; if (deb_check(release:"8.0", prefix:"zabbix-proxy-mysql", reference:"1:2.2.7+dfsg-2+deb8u3")) flag++; if (deb_check(release:"8.0", prefix:"zabbix-proxy-pgsql", reference:"1:2.2.7+dfsg-2+deb8u3")) flag++; if (deb_check(release:"8.0", prefix:"zabbix-proxy-sqlite3", reference:"1:2.2.7+dfsg-2+deb8u3")) flag++; if (deb_check(release:"8.0", prefix:"zabbix-server-mysql", reference:"1:2.2.7+dfsg-2+deb8u3")) flag++; if (deb_check(release:"8.0", prefix:"zabbix-server-pgsql", reference:"1:2.2.7+dfsg-2+deb8u3")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	CGI abuses
NASL id	ZABBIX_FRONTEND_3_2_5.NASL
description	According to its self-reported version number, the instance of Zabbix running on the remote host is 2.0.x prior to 2.0.21, 2.2.x prior to 2.2.18, 3.0.x prior to 3.0.9, or 3.2.x prior to 3.2.5. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the trapper command functionality due to improper handling of trapper packets. An unauthenticated, remote attacker can exploit this, via a specially crafted set of trapper packets, to inject arbitrary commands and execute arbitrary code. (CVE-2017-2824 / TALOS-2017-0325) - A security bypass vulnerability exists in the trapper command functionality due to improper handling of trapper packets. A man-in-the-middle (MitM) attacker can exploit this, via a specially crafted trapper packet, to bypass database security checks and write arbitrary data to the database. (CVE-2017-2825 / TALOS-2017-0326) Note that Nessus has not tested for these issues but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	100615
published	2017-06-05
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100615
title	Zabbix 2.0.x < 2.0.21 / 2.2.x < 2.2.18 / 3.0.x < 3.0.9 / 3.2.x < 3.2.5 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(100615); script_version("1.4"); script_cvs_date("Date: 2019/11/13"); script_cve_id("CVE-2017-2824", "CVE-2017-2825"); script_bugtraq_id(98083, 98094); script_name(english:"Zabbix 2.0.x < 2.0.21 / 2.2.x < 2.2.18 / 3.0.x < 3.0.9 / 3.2.x < 3.2.5 Multiple Vulnerabilities"); script_summary(english:"Checks the Zabbix version on the login page."); script_set_attribute(attribute:"synopsis", value: "A web application running on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the instance of Zabbix running on the remote host is 2.0.x prior to 2.0.21, 2.2.x prior to 2.2.18, 3.0.x prior to 3.0.9, or 3.2.x prior to 3.2.5. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the trapper command functionality due to improper handling of trapper packets. An unauthenticated, remote attacker can exploit this, via a specially crafted set of trapper packets, to inject arbitrary commands and execute arbitrary code. (CVE-2017-2824 / TALOS-2017-0325) - A security bypass vulnerability exists in the trapper command functionality due to improper handling of trapper packets. A man-in-the-middle (MitM) attacker can exploit this, via a specially crafted trapper packet, to bypass database security checks and write arbitrary data to the database. (CVE-2017-2825 / TALOS-2017-0326) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://blog.talosintelligence.com/2017/04/zabbix-multiple-vulns.html"); script_set_attribute(attribute:"see_also", value:"https://www.talosintelligence.com/reports/TALOS-2017-0325/"); script_set_attribute(attribute:"see_also", value:"https://www.talosintelligence.com/reports/TALOS-2017-0326/"); script_set_attribute(attribute:"see_also", value:"https://support.zabbix.com/browse/ZBX-12075"); script_set_attribute(attribute:"see_also", value:"https://support.zabbix.com/browse/ZBX-12076"); script_set_attribute(attribute:"solution", value: "Upgrade to Zabbix version 2.0.21 / 2.2.18 / 3.0.9 / 3.2.5 or later. Alternatively, to mitigate CVE-2017-2824, delete the three default script entries inside the Zabbix Server database per the TALOS-2017-0325 advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-2825"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/27"); script_set_attribute(attribute:"patch_publication_date", value:"2017/04/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/05"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:zabbix:zabbix"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("zabbix_frontend_detect.nasl"); script_require_keys("installed_sw/zabbix", "Settings/ParanoidReport"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("install_func.inc"); app = "zabbix"; get_install_count(app_name:app, exit_if_zero:TRUE); port = get_http_port(default:80, php:TRUE); install = get_single_install( app_name : app, port : port, exit_if_unknown_ver : TRUE ); dir = install['path']; ver = install['version']; install_url = build_url(port:port, qs:dir); if (report_paranoia < 2) audit(AUDIT_PARANOID); fix = NULL; if (ver =~ "^2\.0\.([0-9]\|[1][0-9]\|20\|21rc[0-9]+)($\|[^0-9])") fix = "2.0.21"; else if (ver =~ "^2\.2\.([0-9]\|1[0-7]\|18rc[0-9]+)($\|[^0-9])") fix = "2.2.18"; else if (ver =~ "^3\.0\.([0-8]\|9rc[0-9]+)($\|[^0-9])") fix = "3.0.9"; else if (ver =~ "^3\.2\.([0-4]\|5rc[0-9]+)($\|[^0-9])") fix = "3.2.5"; if (!isnull(fix)) { report = '\n URL : ' + install_url + '\n Installed version : ' + ver + '\n Fixed version : 2.0.21 / 2.2.18 / 3.0.9 / 3.2.5' + '\n'; security_report_v4(port:port, extra:report, severity:SECURITY_WARNING); exit(0); } else audit(AUDIT_WEB_APP_NOT_AFFECTED, "Zabbix", install_url, ver);

Seebug

bulletinFamily	exploit
description	Official patch earlier to fix the vulnerabilities: the [Zabbix code execution vulnerability](<https://www.seebug.org/vuldb/ssvid-93060>) ### DETAILS One of the Trapper requests made by the Zabbix proxy is the ìproxy configî request, which allows a proxy to request its own proxy configuration from the Zabbix Server (or any other Zabbix Proxyís configuration if they know the hostname of that machine). When this occurs, the Zabbix Server pulls varying the configuration for the given Zabbix Proxy from its database. While the Zabbix server has hardcoded tables that it looks at when searching for the desired configuration data to send to the proxy, there is no such restriction on what the Zabbix Proxy will apply to it is database. Thus, if an attacker is able to man in the middle the traffic of a Zabbix Proxy and Zabbix Server, an attacker can insert arbitrary JSON into the configuration response of the Server, and the Zabbix Proxy will apply the configuration without hesitation. This is doubly concerning since the proxy configuration the data flows unencrypted over the local network, allowing anyone with network connectivity to the Zabbix Server to utilize this attack. Since the ìproxy configî request happens at regular intervals from the Proxy to the Server, an attacker can use a proxy server to intercept the traffic and insert arbitrary data into the database, as long as the destination table is a valid table in the Zabbix proxy database. ### CREDIT Discovered by Lilith Wyatt of the Cisco ASIG ### TIMELINE 2017-03-22 - Vendor Disclosure 2017-04-27 - Public Release
id	SSV:93061
last seen	2017-11-19
modified	2017-04-28
published	2017-04-28
reporter	Root
title	Zabbix Proxy Server SQL Database Write Vulnerability (CVE-2017-2825)

Talos

id	TALOS-2017-0326
last seen	2019-05-29
published	2017-04-27
reporter	Talos Intelligence
source	http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0326
title	Zabbix Proxy Server SQL Database Write Vulnerability

Summary

Vulnerable Configurations

Nessus

Seebug

Talos

References