===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.2138
                          zabbix security update
                               13 April 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           zabbix
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-35230 CVE-2022-35229 CVE-2022-24919
                   CVE-2022-24917 CVE-2022-24349 CVE-2021-27927
                   CVE-2020-15803 CVE-2019-15132 

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html

Comment: CVSS (Max):  8.8 CVE-2021-27927 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3390-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
April 12, 2023                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : zabbix
Version        : 1:4.0.4+dfsg-1+deb10u1
CVE ID         : CVE-2019-15132 CVE-2020-15803 CVE-2021-27927 CVE-2022-24349
                 CVE-2022-24917 CVE-2022-24919 CVE-2022-35229 CVE-2022-35230
Debian Bug     : 935027 966146 1014992 1014994

Several security vulnerabilities have been discovered in zabbix,
a network monitoring solution, potentially allowing User Enumeration,
Cross-Site Scripting or Cross-Site Request Forgery.

CVE-2019-15132

Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is
possible to enumerate application usernames based on the variability of server
responses (e.g., the "Login name or password is incorrect" and "No permissions
for system access" messages, or just blocking for a number of seconds). This
affects both api_jsonrpc.php and index.php.
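The three distinguishable outcomes described above (unknown name, wrong password, existing account without access, plus the lockout that only existing accounts receive), contrasted with a handler that answers every failure the same way, as an added Python example that is not part of the advisory or of Zabbix's code. The user store, passwords and the `MAX_ATTEMPTS` lockout state are constructed for illustration.

```python
import hmac

# Constructed user store for this example: one account with frontend access and
# one existing account that lacks permission to use the frontend.
USERS = {
    "admin": {"password": "correct-horse", "can_login": True},
    "auditor": {"password": "battery-staple", "can_login": False},
}
MAX_ATTEMPTS = 3
GENERIC = "Login name or password is incorrect"
_failed = {}  # username -> failed attempts (in-memory stand-in for lockout state)


def login_leaky(username, password):
    # Distinguishable failure paths, as the advisory describes for CVE-2019-15132.
    user = USERS.get(username)
    if user is None:
        return GENERIC
    if _failed.get(username, 0) >= MAX_ATTEMPTS:
        return "Account is blocked for 30 seconds"  # only existing accounts get blocked
    if not hmac.compare_digest(user["password"], password):
        _failed[username] = _failed.get(username, 0) + 1
        return GENERIC
    if not user["can_login"]:
        return "No permissions for system access"  # confirms the account exists
    return "OK"


def login_uniform(username, password):
    # Hardened: one message for every failure, and the lockout rule is applied to
    # unknown names too, so neither the text nor the blocking reveals existence.
    if _failed.get(username, 0) >= MAX_ATTEMPTS:
        return GENERIC
    user = USERS.get(username)
    expected = user["password"] if user else "x" * 32  # dummy comparison for unknown names
    if not (hmac.compare_digest(expected, password) and user and user["can_login"]):
        _failed[username] = _failed.get(username, 0) + 1
        return GENERIC
    return "OK"


def failure_messages(login_fn):
    # Messages an unauthenticated caller can observe for: unknown user, wrong password,
    # correct password without permission, and an existing account after MAX_ATTEMPTS.
    _failed.clear()
    seen = {login_fn("nobody", "x"), login_fn("admin", "wrong"), login_fn("auditor", "battery-staple")}
    for _ in range(MAX_ATTEMPTS):
        login_fn("admin", "wrong")
    seen.add(login_fn("admin", "wrong"))
    return seen
```

`failure_messages` doubles as a regression check for a login handler: more than one distinct message means the handler is an enumeration oracle.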

CVE-2020-15803

Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x
before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL
Widget.

CVE-2021-27927

In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1,
5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the
CControllerAuthenticationUpdate controller lacks a CSRF protection
mechanism. The code inside this controller calls disableSIDValidation
inside the init() method. An attacker doesn't have to know Zabbix user
login credentials, but has to know the correct Zabbix URL and contact
information of an existing user with sufficient privileges.

CVE-2022-24349

An authenticated user can create a link with reflected XSS payload for
actions' pages, and send it to other users. Malicious code has access to
all the same objects as the rest of the web page and can make arbitrary
modifications to the contents of the page being displayed to a victim.
This attack can be implemented with the help of social engineering and
depends on a number of factors: an attacker must have authorized
access to the Zabbix Frontend and an allowed network connection between a
malicious server and the victim's computer, must understand the attacked
infrastructure, and must be recognized by the victim as trusted and use a
trusted communication channel.

CVE-2022-24917

An authenticated user can create a link with reflected Javascript code
inside it for services' page and send it to other users. The payload can
be executed only with a known CSRF token value of the victim, which is
changed periodically and is difficult to predict. Malicious code has
access to all the same objects as the rest of the web page and can make
arbitrary modifications to the contents of the page being displayed to a
victim during social engineering attacks.

CVE-2022-24919

An authenticated user can create a link with reflected Javascript code
inside it for graphs' page and send it to other users. The payload can
be executed only with a known CSRF token value of the victim, which is
changed periodically and is difficult to predict. Malicious code has
access to all the same objects as the rest of the web page and can make
arbitrary modifications to the contents of the page being displayed to a
victim during social engineering attacks.

CVE-2022-35229

An authenticated user can create a link with reflected Javascript code
inside it for the discovery page and send it to other users. The payload
can be executed only with a known CSRF token value of the victim, which
is changed periodically and is difficult to predict.

CVE-2022-35230

An authenticated user can create a link with reflected Javascript code
inside it for the graphs page and send it to other users. The payload
can be executed only with a known CSRF token value of the victim, which
is changed periodically and is difficult to predict.

For Debian 10 buster, these problems have been fixed in version
1:4.0.4+dfsg-1+deb10u1.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================