
=====================================================================

                           CERT-Renater

               Information Note No. 2013/VULN438
_____________________________________________________________________

DATE                : 08/10/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Zabbix versions prior to
                                   2.0.9, 1.8.18.

======================================================================
https://www.zabbix.com/forum/showthread.php?t=42586
______________________________________________________________________

Security alert: SQL injection in Zabbix frontend and API

-------------------------
Vulnerability description
-------------------------

Zabbix frontend and API are vulnerable to SQL injection attacks. The
vulnerabilities allow an attacker to gain access to the database and
execute arbitrary SQL statements.

Please use CVE-2013-5743 to refer to this vulnerability.

-------
Details
-------

(1) The following API methods and parameters have been reported to
be vulnerable:

    alert.get: time_from, time_till;
    event.get: object, source, eventid_from, eventid_till;
    graphitem.get: parameter: type;
    graph.get: parameter: type;
    graphprototype.get: parameter: type;
    history.get: parameter: time_from, time_till;
    trigger.get: parameter: lastChangeSince, lastChangeTill, min_severity;
    triggerprototype.get: parameter: min_severity;
    usergroup.get: parameter: status.


This issue has been reported by Bernhard Schildendorfer from SEC
Consult.

(2) Code responsible for adding objects such as graphs or maps to
favorites is also vulnerable to this type of attack. This can be
exploited on the "Dashboard", "Graphs", "Maps", "Latest data" and
"Screens" pages in the "Monitoring" section.

This issue has been reported by Lincoln, a member of Corelan Team.
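
An added example, not part of the original advisory or of Zabbix: a checker
that audits captured JSON-RPC request bodies and flags any parameter listed
in (1) whose value is not plainly numeric. It assumes each listed parameter
takes an integer or a list of integers; LISTED, audit_request and SAMPLES are
hypothetical names, and the sample requests are constructed.

```python
import json

# Methods and parameters named in item (1) of this advisory.
LISTED = {
    "alert.get": {"time_from", "time_till"},
    "event.get": {"object", "source", "eventid_from", "eventid_till"},
    "graphitem.get": {"type"},
    "graph.get": {"type"},
    "graphprototype.get": {"type"},
    "history.get": {"time_from", "time_till"},
    "trigger.get": {"lastChangeSince", "lastChangeTill", "min_severity"},
    "triggerprototype.get": {"min_severity"},
    "usergroup.get": {"status"},
}

def _is_int(value):
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(value, bool):
        return False
    if isinstance(value, str):
        return value.isascii() and value.isdigit()
    return isinstance(value, int)

def _is_numeric(value):
    # Assumption: a listed parameter is an integer or a flat list of integers.
    if isinstance(value, list):
        return all(_is_int(v) for v in value)
    return _is_int(value)

def audit_request(body):
    """Return (method, parameter, value) findings for one request body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return [("<unparsed>", "<body>", body[:40])]
    findings = []
    for call in (doc if isinstance(doc, list) else [doc]):  # also accept an array of calls
        method = call.get("method") if isinstance(call, dict) else None
        params = call.get("params") if isinstance(call, dict) else None
        if not isinstance(method, str) or method not in LISTED or not isinstance(params, dict):
            continue
        for name in sorted(LISTED[method].intersection(params)):
            if not _is_numeric(params[name]):
                findings.append((method, name, params[name]))
    return findings

SAMPLES = [  # constructed request bodies, not taken from real traffic
    '{"method": "history.get", "params": {"time_from": "1381190400", "time_till": 1381276800}, "id": 1}',
    '{"method": "usergroup.get", "params": {"status": "0 --"}, "id": 2}',
    '{"method": "event.get", "params": {"source": [0, "x"], "eventid_till": "200"}, "id": 3}',
]
```
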

-----------------
Affected versions
-----------------

All Zabbix versions are in some way vulnerable to this type of
attack.

--------------
Fixed versions
--------------

These vulnerabilities have been fixed in the latest releases of Zabbix.
Additionally, an internal security audit was performed and similar
vulnerabilities have been fixed in other areas.

The fix will be available in the following Zabbix releases:
2.0.9
1.8.18

Additionally, patches are available for the following Zabbix versions:
2.0.8
1.8.17
1.8.2

Please see https://support.zabbix.com/browse/ZBX-7091 for the patches.

--------------------
Distribution patches
--------------------

The fix has been included in 1.8.17-2 and 2.0.8-2 packages from the
official Zabbix repository and 2.0.8-3.el6 EPEL package at the time of
this writing.

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
