
Warning: Critical SQL Injection vulnerability in multiple Zabbix frontend versions can lead to privilege escalation, Patch Immediately!

Reference: Advisory #2024-279
Version: 1.0
Affected software: Zabbix frontend versions 6.0.0 - 6.0.31, 6.4.0 - 6.4.16, and 7.0.0
Type: SQL Injection
CVE/CVSS: CVE-2024-42327 - 9.9 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Sources

Zabbix - https://support.zabbix.com/browse/ZBX-25623

NIST NVD - https://nvd.nist.gov/vuln/detail/CVE-2024-42327

Risks

Zabbix frontend software monitors numerous parameters of a network and the health and integrity of servers, virtual machines, applications, services, databases, websites, cloud resources, and so on.

A 9.9 critical vulnerability exists in versions 6.0.0 - 6.0.31, 6.4.0 - 6.4.16, and 7.0.0. If left unpatched, affected devices are vulnerable to SQL injection attacks with possible high impact on the confidentiality, integrity and availability of systems and data.

CVE-2024-42327 is fixed via software updates to versions 6.0.32rc1, 6.4.17rc1, and 7.0.1rc1.
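The affected and fixed versions above are the only facts needed to triage an inventory of Zabbix frontends. The script below is an added example written for this advisory, not CCB or Zabbix code: it parses version strings (including the rcN suffix of the fixed releases), compares them against the advisory's ranges at major.minor.patch granularity, and reports which hosts still need the update. Hostnames and versions in the inventory are constructed.

```python
"""Check Zabbix frontend version strings against the affected ranges in
this advisory (CVE-2024-42327). Added example code, not from the CCB or
from Zabbix."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges (inclusive), exactly as listed in the advisory.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((6, 0, 0), (6, 0, 31)),
    ((6, 4, 0), (6, 4, 16)),
    ((7, 0, 0), (7, 0, 0)),
]

# First fixed release per branch, as listed in the advisory.
FIXED_IN: Dict[Tuple[int, int], str] = {
    (6, 0): "6.0.32rc1",
    (6, 4): "6.4.17rc1",
    (7, 0): "7.0.1rc1",
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?\s*$")


def parse_version(text: str) -> Version:
    """Parse '6.0.31' or '6.0.32rc1' into (major, minor, patch).

    The rc suffix is recognised but deliberately dropped: the advisory's
    ranges are expressed at major.minor.patch granularity, so 7.0.0rc1
    counts as 7.0.0 (affected) and 7.0.1rc1 as 7.0.1 (fixed).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    major, minor, patch, _rc = m.groups()
    return (int(major), int(minor), int(patch))


def is_affected(version: Version) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def assess(text: str) -> Dict[str, Optional[str]]:
    """Return a verdict for one version string.

    Branches the advisory does not list (e.g. 5.0.x) are reported as
    'not listed in advisory' rather than 'fixed': the advisory says
    nothing about them, so this script does not either.
    """
    v = parse_version(text)
    branch = (v[0], v[1])
    if branch not in FIXED_IN:
        return {"version": text, "status": "not listed in advisory", "fixed_in": None}
    if is_affected(v):
        return {"version": text, "status": "affected", "fixed_in": FIXED_IN[branch]}
    return {"version": text, "status": "fixed", "fixed_in": FIXED_IN[branch]}


def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Hostnames (sorted) whose frontend version is in an affected range."""
    return sorted(h for h, ver in inventory.items() if assess(ver)["status"] == "affected")


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames and versions are made up.
    inventory = {
        "zbx-prod-01": "6.0.31",
        "zbx-prod-02": "6.0.32rc1",
        "zbx-lab-01": "7.0.0",
        "zbx-lab-02": "7.0.1rc1",
        "zbx-legacy": "5.0.40",
    }
    for host in sorted(inventory):
        print(host, assess(inventory[host]))
    print("needs patch:", hosts_needing_patch(inventory))
```

Feed it the version string shown in the frontend footer or returned by the API for each host; anything reported as "affected" should be scheduled for the fixed release named next to it, and "not listed in advisory" branches should be checked against other advisories rather than assumed safe.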

No information is available that the vulnerability is being actively exploited.

Description

CVE-2024-42327 is an 'Improper Neutralization of Special Elements used in an SQL Command' type vulnerability, also known as 'SQL Injection'.
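To make the weakness class concrete, here is an added example (not Zabbix code, and not a reproduction of the Zabbix flaw) showing the pattern CWE-89 names: a lookup that splices caller-controlled text into SQL, beside the same lookup using a bound parameter. It runs against an in-memory SQLite database with constructed rows, and the crafted input demonstrates why the unsafe form returns rows the caller was never meant to see while the hardened form returns nothing.

```python
"""Illustration of CWE-89 ('Improper Neutralization of Special Elements used
in an SQL Command'), the weakness class of CVE-2024-42327. Added example
code; it is not Zabbix code and does not model the Zabbix API. Uses an
in-memory SQLite database with constructed rows."""
import sqlite3
from typing import List, Tuple

Row = Tuple[int, str, str]


def make_db() -> sqlite3.Connection:
    """Build a small constructed users table; names and roles are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (1, "Admin", "Super admin role"),
            (2, "alice", "User role"),
            (3, "bob", "Guest role"),
        ],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Vulnerable form: the caller-controlled value is concatenated into the
    statement text, so quote, OR and comment characters are interpreted as
    SQL rather than treated as data."""
    sql = (
        "SELECT userid, username, role FROM users WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Hardened form: a bound parameter. The driver passes the value
    separately from the statement text, so it can only ever be compared
    against the username column, whatever characters it contains."""
    return conn.execute(
        "SELECT userid, username, role FROM users WHERE username = ?",
        (username,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Ordinary input: both forms behave identically.
    print(lookup_unsafe(db, "alice"), lookup_safe(db, "alice"))
    # Constructed input carrying SQL syntax: only the unsafe form lets the
    # WHERE clause be rewritten and returns the admin row.
    crafted = "x' OR role LIKE '%admin%' --"
    print("unsafe:", lookup_unsafe(db, crafted))
    print("safe:  ", lookup_safe(db, crafted))
```

The mitigation shown is the one a code review should look for in any data-access layer: query text fixed at development time, every runtime value bound as a parameter. Escaping or filtering the input instead is fragile and is not what the fixed Zabbix releases should be assumed to rely on.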

If exploited successfully, an attacker can escalate privileges to a higher level and achieve further unknown impact. The exploit is available to non-admin users with default user roles or to any role with API access.

More specifically, the vulnerability exists in the CUser class in the addRelatedObjects function, which is called from the CUser.get function. The latter is available to every user with API access.

Recommended actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident.
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Zabbix - https://www.zabbix.com/manuals