-------------------------------------------------------------------------
Debian LTS Advisory DLA-3538-1                [email protected]
https://www.debian.org/lts/security/                         Tobias Frost
August 22, 2023                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : zabbix
Version        : 1:4.0.4+dfsg-1+deb10u2
CVE ID         : CVE-2013-7484 CVE-2019-17382 CVE-2022-35229 CVE-2022-43515 
                 CVE-2023-29450 CVE-2023-29451 CVE-2023-29454 CVE-2023-29455 
                 CVE-2023-29456 CVE-2023-29457
Debian Bug     : 1026847

Several security vulnerabilities have been discovered in zabbix, a network
monitoring solution, potentially allowing to crash the server, information
disclosure or Cross-Site-Scripting attacks.

Important Notices:
To mitigate CVE-2019-17382, on existing installations, the guest account
needs to be manually disabled, for example by disabling the the "Guest
group" in the UI:
   Administration -> User groups -> Guests -> Untick Enabled

This update also fixes a regression with CVE-2022-35229, which broke the
possiblity to edit and add discovery rules in the UI.



CVE-2013-7484

    Zabbix before version 4.4.0alpha2 stores credentials in the "users"
    table with the password hash stored as a MD5 hash, which is a known
    insecure hashing method. Furthermore, no salt is used with the hash.

CVE-2019-17382 (Disputed, not seen by upstream as not a security issue)

    An issue was discovered in
    zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through
    4.4. An attacker can bypass the login page and access the dashboard
    page, and then create a Dashboard, Report, Screen, or Map without
    any Username/Password (i.e., anonymously). All created elements
    (Dashboard/Report/Screen/Map) are accessible by other users and by
    an admin.

CVE-2022-35229

    An authenticated user can create a link with reflected
    Javascript code inside it for the discovery page and send it to
    other users. The payload can be executed only with a known CSRF
    token value of the victim, which is changed periodically and is
    difficult to predict.

CVE-2022-43515

    Zabbix Frontend provides a feature that allows admins to
    maintain the installation and ensure that only certain IP addresses
    can access it. In this way, any user will not be able to access the
    Zabbix Frontend while it is being maintained and possible sensitive
    data will be prevented from being disclosed. An attacker can bypass
    this protection and access the instance using IP address not listed
    in the defined range.

CVE-2023-29450

    JavaScript pre-processing can be used by the attacker to gain
    access to the file system (read-only access on behalf of user
    "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading
    to unauthorized access to sensitive data.

CVE-2023-29451

    Specially crafted string can cause a buffer overrun in the JSON
    parser library leading to a crash of the Zabbix Server or a Zabbix
    Proxy.

CVE-2023-29454

    A Stored or persistent cross-site scripting (XSS) vulnerability
    was found on “Users” section in “Media” tab in “Send to” form field.
    When new media is created with malicious code included into field
    “Send to” then it will execute when editing the same media.

CVE-2023-29455

    A Reflected XSS attacks, also known as non-persistent attacks, was
    found where an attacker can pass malicious code as GET request to
    graph.php and system will save it and will execute when current
    graph page is opened.

CVE-2023-29456

    URL validation scheme receives input from a user and then parses
    it to identify its various components. The validation scheme can
    ensure that all URL components comply with internet standards.

CVE-2023-29457

    A Reflected XSS attacks, also known as non-persistent attacks, was
    found where XSS session cookies could be revealed, enabling a
    perpetrator to impersonate valid users and abuse their private
    accounts.

For Debian 10 buster, these problems have been fixed in version
1:4.0.4+dfsg-1+deb10u2.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-3538-1: zabbix security update

August 22, 2023
Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially allowing to crash the server, information disclosure or Cross-Site-Scrip...

Summary


Several security vulnerabilities have been discovered in zabbix, a network
monitoring solution, potentially allowing to crash the server, information
disclosure or Cross-Site-Scripting attacks.

Important Notices:
To mitigate CVE-2019-17382, on existing installations, the guest account
needs to be manually disabled, for example by disabling the the "Guest
group" in the UI:
Administration -> User groups -> Guests -> Untick Enabled

This update also fixes a regression with CVE-2022-35229, which broke the
possiblity to edit and add discovery rules in the UI.



CVE-2013-7484

Zabbix before version 4.4.0alpha2 stores credentials in the "users"
table with the password hash stored as a MD5 hash, which is a known
insecure hashing method. Furthermore, no salt is used with the hash.

CVE-2019-17382 (Disputed, not seen by upstream as not a security issue)

An issue was discovered in
zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through
4.4. An attacker can bypass the login page and access the dashboard
page, and then create a Dashboard, Report, Screen, or Map without
any Username/Password (i.e., anonymously). All created elements
(Dashboard/Report/Screen/Map) are accessible by other users and by
an admin.

CVE-2022-35229

An authenticated user can create a link with reflected
Javascript code inside it for the discovery page and send it to
other users. The payload can be executed only with a known CSRF
token value of the victim, which is changed periodically and is
difficult to predict.

CVE-2022-43515

Zabbix Frontend provides a feature that allows admins to
maintain the installation and ensure that only certain IP addresses
can access it. In this way, any user will not be able to access the
Zabbix Frontend while it is being maintained and possible sensitive
data will be prevented from being disclosed. An attacker can bypass
this protection and access the instance using IP address not listed
in the defined range.

CVE-2023-29450

JavaScript pre-processing can be used by the attacker to gain
access to the file system (read-only access on behalf of user
"zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading
to unauthorized access to sensitive data.

CVE-2023-29451

Specially crafted string can cause a buffer overrun in the JSON
parser library leading to a crash of the Zabbix Server or a Zabbix
Proxy.

CVE-2023-29454

A Stored or persistent cross-site scripting (XSS) vulnerability
was found on “Users” section in “Media” tab in “Send to” form field.
When new media is created with malicious code included into field
“Send to” then it will execute when editing the same media.

CVE-2023-29455

A Reflected XSS attacks, also known as non-persistent attacks, was
found where an attacker can pass malicious code as GET request to
graph.php and system will save it and will execute when current
graph page is opened.

CVE-2023-29456

URL validation scheme receives input from a user and then parses
it to identify its various components. The validation scheme can
ensure that all URL components comply with internet standards.

CVE-2023-29457

A Reflected XSS attacks, also known as non-persistent attacks, was
found where XSS session cookies could be revealed, enabling a
perpetrator to impersonate valid users and abuse their private
accounts.

For Debian 10 buster, these problems have been fixed in version
1:4.0.4+dfsg-1+deb10u2.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Severity
Package : zabbix
Version : 1:4.0.4+dfsg-1+deb10u2
CVE ID : CVE-2013-7484 CVE-2019-17382 CVE-2022-35229 CVE-2022-43515
Debian Bug : 1026847
Feedback