-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.2138
                          zabbix security update
                               13 April 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           zabbix
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-35230 CVE-2022-35229 CVE-2022-24919
                   CVE-2022-24917 CVE-2022-24349 CVE-2021-27927
                   CVE-2020-15803 CVE-2019-15132

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html

Comment: CVSS (Max):  8.8 CVE-2021-27927 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3390-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
April 12, 2023                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package        : zabbix
Version        : 1:4.0.4+dfsg-1+deb10u1
CVE ID         : CVE-2019-15132 CVE-2020-15803 CVE-2021-27927 CVE-2022-24349
                 CVE-2022-24917 CVE-2022-24919 CVE-2022-35229 CVE-2022-35230
Debian Bug     : 935027 966146 1014992 1014994

Several security vulnerabilities have been discovered in zabbix, a network
monitoring solution, potentially allowing User Enumeration, Cross-Site-Scripting
or Cross-Site Request Forgery.

CVE-2019-15132

    Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it
    is possible to enumerate application usernames based on the variability of
    server responses (e.g., the "Login name or password is incorrect" and "No
    permissions for system access" messages, or just blocking for a number of
    seconds). This affects both api_jsonrpc.php and index.php.

CVE-2020-15803

    Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before
    4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.

CVE-2021-27927

    In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x
    before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the
    CControllerAuthenticationUpdate controller lacks a CSRF protection
    mechanism. The code inside this controller calls diableSIDValidation inside
    the init() method. An attacker doesn't have to know Zabbix user login
    credentials, but has to know the correct Zabbix URL and contact information
    of an existing user with sufficient privileges.

CVE-2022-24349

    An authenticated user can create a link with reflected XSS payload for
    actions' pages, and send it to other users. Malicious code has access to
    all the same objects as the rest of the web page and can make arbitrary
    modifications to the contents of the page being displayed to a victim.
    This attack can be implemented with the help of social engineering and
    expiration of a number of factors - an attacker should have authorized
    access to the Zabbix Frontend and allowed network connection between a
    malicious server and victim's computer, understand attacked
    infrastructure, be recognized by the victim as a trustee and use trusted
    communication channel.

CVE-2022-24917

    An authenticated user can create a link with reflected Javascript code
    inside it for services' page and send it to other users. The payload can
    be executed only with a known CSRF token value of the victim, which is
    changed periodically and is difficult to predict. Malicious code has
    access to all the same objects as the rest of the web page and can make
    arbitrary modifications to the contents of the page being displayed to a
    victim during social engineering attacks.

CVE-2022-24919

    An authenticated user can create a link with reflected Javascript code
    inside it for graphs' page and send it to other users. The payload can be
    executed only with a known CSRF token value of the victim, which is
    changed periodically and is difficult to predict. Malicious code has
    access to all the same objects as the rest of the web page and can make
    arbitrary modifications to the contents of the page being displayed to a
    victim during social engineering attacks.

CVE-2022-35229

    An authenticated user can create a link with reflected Javascript code
    inside it for the discovery page and send it to other users. The payload
    can be executed only with a known CSRF token value of the victim, which is
    changed periodically and is difficult to predict.

CVE-2022-35230

    An authenticated user can create a link with reflected Javascript code
    inside it for the graphs page and send it to other users. The payload can
    be executed only with a known CSRF token value of the victim, which is
    changed periodically and is difficult to predict.

For Debian 10 buster, these problems have been fixed in version
1:4.0.4+dfsg-1+deb10u1.

We recommend that you upgrade your zabbix packages.
For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEE/d0M/zhkJ3YwohhskWT6HRe9XTYFAmQ2s+0ACgkQkWT6HRe9
XTYSWBAAuD/XJFP30Nh93AGmdPEVUDiRGppn2Wasx/QuHG9XMn+bfUQZd5LneTty
6LF9y98F/dc1YXIWHjMfpMhEHK84lBwcTfYKmojJT2NHXV+2eawGgYVikmmwDKEv
YLmdIygajs8m10tTSPFnenf8Pl0i2Rm3LZL04PyrwmNO2yjIjLXfAzz/7lNylGSE
7WUTnltYXl/VeYHVh5bHDYN0kiat8DlSxXlJwm385UP+NB7d7jxlAfxpytBmo5Vl
eEtMPraVtG1s9isBAaVDPlYunbkiiPTqMFnQwEPwmXoZGt+4pPkJ5yURszLavnJb
gdtUPYVaLsBaZLs/+K9M4vDkWOaRO6zmhw2+ZvRE+qvb9iqcK7Q+8KpikhDzvoNw
NRO3sJKq6ozZuVWS/NNRZUJ2P9h6bm5aEkHxsYX2/PW5XXIyn/Md75/cHakfB/Qw
NkpTrxwfHi4YmefmoiLNevmb0c3RqBfyH3TgUspxn5w74oHPSL+xYpEZjU3ZuGZk
+zVmLPDlreXVKOsaFj1snb/Po8FXduAtXdlradh2oCoDl3E+61XDpNBMakYxBKST
V2UdSQJdRX2wC0m+NxLdsopAyVGceOAILUWt2ygg6WTDdE5/+fcgnflV7ha9ONxU
YvOtRwlL85POIH6z8nI0dni48LedU26ecN+I8DpYlIEjm2fe0Qg=
=fgh1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZDdjS8kNZI30y1K9AQgwYw//aZ23GDRneBfs/OLCKqHyOHWUXxMFimNi
blOeAwGFCWLVNdmcNFArClupxwGu8EsaaSUzlA0hHxmz3HiHgt1XMiWNRe+LC0nf
BfsZZpDB3xdXQnkdPr1W3qc49Wdt+zv1cSPPeBEelYopl+1H+VyEDqrljnfzQkde
HhIiuYJ3XBixrFuYb2CDF9g1gGsfv4mq8X2upNovK+lufkriLi1X7r/XrYxO7RZT
1lsGuQdJeEFoPvhQOyIqT4nPmuRXylRaTRgVpKD0JPTrJYxcN5gFYpExs5r6sltP
ruruiztogc8xgM2ekGtr6hWOPSFtMDIOtf2VusAn25vrxAAXWIV2fciLj0cZGQz9
RQUwJE4sUo1veG6ASo9uo7X7SO1jrnFMlrvL9o951ZtoVOqW5X1Ra23YmAZuDTZg
MtQgoYFJDKiYIvqb/1XFFAVaqPXikiR1b4AUXlbV25U2F75K+V7S0D5iJ2ZpWVxj
J6ht1cytlCaMLEeJB+Q29bc7gsCwGHZqosHhXiuY74Mwb194o53Kb99nLxAd3XXi
0Korw3RGRnzPaBBkk39K0DGM8JQbuH8R11598SRyyQxvhUcSdW94742MEHpfcEJq
CciPjoGKdORlnsEmXKRYwSFtY2y1zlpVVTN8DexFdb87KdMbwjJBOQjcoRmpkeK9
vwZO+eWbSJ8=
=9m9Q
-----END PGP SIGNATURE-----