• Vulnerable U
  • Posts
  • Zabbix Warns of Critical SQL Injection Flaw

Zabbix Warns of Critical SQL Injection Flaw

The Zabbix vulnerability could allow attackers to escalate privileges and take over vulnerable Zabbix servers.

Author

Newsroom
December 02, 2024

Zabbix, an open-source monitoring tool for enterprises to keep tabs on IT infrastructure pieces like networks and server infrastructure, cloud deployments and virtual machines, has disclosed a critical-severity flaw (CVE-2024-42327). The vulnerability could allow attackers to escalate privileges and take over vulnerable Zabbix servers.

Key Details:

  • The flaw enables SQL injection and stems from the user.get API endpoint, specifically in the CUser class in the addRelatedObjects function

  • According to an analysis of the flaw by Qualys researchers, “this function is being called from the CUser.get function, which is available to users with API access. An attacker may inject SQL commands by manipulating API calls. Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access and control”

  • The flaw can be exploited by non-admin users (including accounts with default User roles) with API access

  • The flaw was discovered earlier this year by Márk Rákóczi and reported through the HackerOne bug bounty program 

Vendor Updates: The flaw impacts Zabbix versions 6.0.0-6.0.31, 6.4.0-6.4.16 and 7.0.0. Versions 6.0.32rc1, 6.4.17rc1 and 7.0.1rc1, which address the vulnerability, were released earlier this year.

Zabbix said its tools are used across various industries, including banking and finance, healthcare and government, and lists customers like the Nexon, European Space Agency and more. For impacted enterprise users, the vulnerability has a 9.9 CVSS score out of 10, making it critical severity and therefore important to address. Additionally, more than 83,000 internet-exposed Zabbix instances currently exist, according to Qualys. The Zabbix security advisory does not give any information about whether the flaw is being targeted by threat actors.

In addition to CVE-2024-42327, Zabbix also disclosed several other high-severity flaws last week, including one that could allow for arbitrary code execution and denial of service (CVE-2024-42330), a missing authorization check that could enable privilege escalation (CVE-2024-36467) and a bug that could allow attackers to sign a forged zbx-session cookies, allowing them to sign in with admin permissions (CVE-2024-36466).