Talos Intelligence TALOS-2017-0326
Apr 27, 2017 - 12:00 a.m.

Zabbix Proxy Server SQL Database Write Vulnerability

2017-04-27 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS2: 6.8
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3: 7
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: LOW
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L

EPSS: 0.002
Percentile: 58.5%

Summary

An exploitable database write vulnerability exists in the trapper functionality of Zabbix Server 2.4.X. Specially crafted trapper packets can pass database logic checks, resulting in database writes. An attacker can set up a Man-in-the-Middle server to alter trapper requests made between an active Zabbix proxy and Server to trigger this vulnerability.

Tested Versions

Zabbix Server 2.4.8.r1

Product URLs

http://www.zabbix.com

CVSSv3 Score

7.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L

CWE

CWE-300: Channel Accessible by Non-Endpoint (‘Man-in-the-Middle’)

Details

One of the Trapper requests made by the Zabbix proxy is the "proxy config" request, which allows a proxy to request its own proxy configuration from the Zabbix Server (or any other Zabbix Proxy's configuration if they know the hostname of that machine). When this occurs, the Zabbix Server pulls varying configuration for the given Zabbix Proxy from its database. While the Zabbix Server has hardcoded tables that it looks at when searching for the desired configuration data to send to the proxy, there is no such restriction on what the Zabbix Proxy will apply to its database.

Thus, if an attacker is able to man-in-the-middle the traffic between a Zabbix Proxy and Zabbix Server, the attacker can insert arbitrary JSON into the configuration response of the Server, and the Zabbix Proxy will apply the configuration without hesitation. This is doubly concerning since the proxy configuration data flows unencrypted over the local network, allowing anyone with network connectivity to the Zabbix Server to carry out this attack.

Since the "proxy config" request happens at regular intervals from the Proxy to the Server, an attacker can use a proxy server to intercept the traffic and insert arbitrary data into the database, as long as the destination table is a valid table in the Zabbix proxy database.
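
The restriction the Details section says is missing on the proxy side, sketched as an added example that is not Zabbix or Talos code: a check that refuses a "proxy config" response unless every table in it is on a hardcoded allowlist and well formed. The function name `validate_proxy_config`, the allowlist contents and the `{"table": {"fields": [...], "data": [[...]]}}` response shape are assumptions.

```python
import json

# Assumption: illustrative allowlist, not Zabbix's actual table list; use the
# tables your Zabbix version really sends in a "proxy config" response.
ALLOWED_TABLES = frozenset({"hosts", "items", "interface", "hostmacro"})


def validate_proxy_config(raw, allowed=ALLOWED_TABLES):
    """Return (accepted, rejected). accepted maps table -> row count and
    rejected maps table -> reason; apply nothing unless rejected is empty."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return {}, {"<document>": "invalid JSON: %s" % exc}
    if not isinstance(doc, dict):
        return {}, {"<document>": "top level is not an object"}
    accepted, rejected = {}, {}
    for table, body in doc.items():
        if table not in allowed:
            rejected[table] = "table not in allowlist"
            continue
        if not isinstance(body, dict):
            rejected[table] = "table body is not an object"
            continue
        fields, rows = body.get("fields"), body.get("data")
        if not (isinstance(fields, list) and fields
                and all(isinstance(f, str) for f in fields)):
            rejected[table] = "missing or malformed 'fields'"
        elif not isinstance(rows, list):
            rejected[table] = "missing or malformed 'data'"
        elif any(not isinstance(r, list) or len(r) != len(fields) for r in rows):
            rejected[table] = "row width does not match 'fields'"
        else:
            accepted[table] = len(rows)
    return accepted, rejected


# Constructed sample responses (assumed response shape, constructed values).
GOOD = json.dumps({"hosts": {"fields": ["hostid", "host"], "data": [[10084, "web01"]]}})
TAMPERED = json.dumps({
    "hosts": {"fields": ["hostid", "host"], "data": [[10084, "web01"]]},
    "unexpected_table": {"fields": ["id", "value"], "data": [[1, "x"]]},
})

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("tampered", TAMPERED)):
        accepted, rejected = validate_proxy_config(raw)
        print(name, "APPLY" if not rejected else "REJECT", accepted, rejected)
```

An allowlist only limits which tables a tampered response can reach; it does not authenticate the server, so the channel itself still needs encryption and authentication.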

Timeline

2017-03-22 - Vendor Disclosure
2017-04-27 - Public Release
