Advisory

Zabbix Security network monitoring tool reports critical vulnerabilities

Take action: If you are running Zabbix network monitoring, review the vulnerabilities and plan to patch your system. The flaws aren't immediately exploitable and require user credentials. But everyone can be hacked, so don't delay.


Learn More

The developers of the network monitoring tool Zabbix have released a series of security updates addressing eight vulnerabilities, including one critical flaw.

Critical vulnerabilities

  • CVE-2024-22116 (CVSS score: 9.9): Remote code execution within the Ping script. An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user to execute arbitrary code via the Ping script, thereby compromising the infrastructure. Fixed in 6.4.16rc1, 7.0.0rc3.
  • CVE-2024-36461 (CVSS score: 9.1): This vulnerability allows users with access to a single item configuration (limited role) to compromise the whole infrastructure of the monitoring solution by remote code execution. Fixed in 6.0.31rc1, 6.4.16rc1, 7.0.1rc1, 7.2.0alpha1 (master).

Other vulnerabilities include:

  • CVE-2024-36460 (CVSS score: 8.1): This high-severity issue involves the exposure of passwords in plaintext within the front-end audit log, which could allow attackers to access sensitive information.
  • CVE-2024-36462 (CVSS score: 7.5): Another high-severity flaw that could enable attackers to launch a Denial of Service (DoS) attack by exploiting uncontrolled resource consumption, potentially paralyzing the Zabbix system.
  • CVE-2024-22121 (CVSS score: 6.1): This medium-severity issue allows non-admin users to access and change options via the Zabbix Agent MSI Installer using the msiexec.exe command.
  • CVE-2024-22114 (CVSS score: 4.3): A medium-severity flaw where the System Information Widget in the Global View Dashboard could expose sensitive information about hosts to unauthorized users.
  • CVE-2024-22122 (CVSS score: 3.0): Involves a command injection vulnerability within the AT(GSM) command.
  • CVE-2024-22123 (CVSS score: 2.7): This low-severity issue allows arbitrary file reads, which could potentially be exploited to gain unauthorized access to files.

Users of Zabbix are strongly advised to update to fixed versions to protect against these vulnerabilities.
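As an added example (not part of the advisory or of Zabbix itself), a small Python check that compares an installed Zabbix version string against the fixed versions listed above for the two critical CVEs. It assumes the MAJOR.MINOR.PATCH plus optional alpha/beta/rc tag syntax used in the list, ranks a pre-release such as rc1 below the final release of the same number, and treats any version below the listed fix in the same release branch as unpatched.

```python
import re

# Fixed versions exactly as listed in the advisory above, keyed by CVE.
FIXED_IN = {
    "CVE-2024-22116": ("6.4.16rc1", "7.0.0rc3"),
    "CVE-2024-36461": ("6.0.31rc1", "6.4.16rc1", "7.0.1rc1", "7.2.0alpha1"),
}

# Assumed version syntax: MAJOR.MINOR.PATCH with an optional pre-release tag
# (alpha/beta/rc plus a number), e.g. "6.4.16rc1" or "7.2.0alpha1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$")

# Pre-release stages in ascending order; a final release (no tag) ranks above
# every pre-release of the same MAJOR.MINOR.PATCH.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}


def parse_version(text):
    """Turn a Zabbix version string into a tuple that compares correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    major, minor, patch, stage, stage_no = m.groups()
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage], int(stage_no or 0))


def fix_status(installed, cve):
    """Compare an installed version with the fix listed for its release branch.

    Returns "fixed", "vulnerable", or "no fix listed for this branch" when the
    advisory names no fixed version for the installed MAJOR.MINOR branch.
    Anything below the listed fix in the same branch is treated as unpatched.
    """
    have = parse_version(installed)
    for fixed in FIXED_IN[cve]:
        want = parse_version(fixed)
        if want[:2] == have[:2]:  # same release branch
            return "fixed" if have >= want else "vulnerable"
    return "no fix listed for this branch"


def report(installed):
    """Status of one installed version against both critical CVEs."""
    return {cve: fix_status(installed, cve) for cve in FIXED_IN}


if __name__ == "__main__":
    # Constructed sample inputs, not versions taken from any real deployment.
    for version in ("6.4.15", "6.4.16", "7.0.0rc2", "7.0.0", "6.0.30"):
        print(version, report(version))
```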