Security vulnerabilities: Network monitoring tool Zabbix can leak passwords
Among other things, a critical vulnerability in Zabbix allows attackers to execute malicious code. Patched versions are available for download.
In the latest versions of the network monitoring tool Zabbix, the developers have closed a total of eight security vulnerabilities. After a successful attack, an attacker can, for example, read passwords in plain text or even execute malicious code.
Dangerous gaps
Admins can find more information on the vulnerabilities and affected versions in the advisories linked below. The most dangerous is a vulnerability (CVE-2024-22116) that attackers can exploit to execute their own code via the ping script. However, this only works if the attacker already holds an administrator account with restricted permissions. Despite this hurdle, the vulnerability is rated "critical" because it can be used to compromise entire IT infrastructures.
Furthermore, the front-end audit log displays passwords in plain text (CVE-2024-36460, "high"). Attackers can also paralyze systems via a DoS attack (CVE-2024-36462, "high") or compromise the integrity of a Zabbix installation (CVE-2024-22121, "medium").
Security updates
The developers state that they have closed the gaps in versions 5.0.43rc1, 6.0.31rc1, 6.4.16rc1 and 7.0.0rc3.
List sorted by threat level in descending order:
- Remote code execution within ping script (CVE-2024-22116)
- Direct access to memory pointers within the JS engine for modification (CVE-2024-36461)
- Front-end auditlog shows passwords in plaintext (CVE-2024-36460)
- Allocation of resources without limits or throttling (uncontrolled resource consumption) (CVE-2024-36462)
- Zabbix Agent MSI Installer Allows Non-Admin User To Access Change Option via msiexec.exe (CVE-2024-22121)
- System Information Widget in Global View Dashboard exposes information about Hosts to Users without Permission (CVE-2024-22114)
- AT(GSM) Command Injection (CVE-2024-22122)
- Zabbix Arbitrary File Read (CVE-2024-22123)
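To check whether an installation is already on one of the fixed releases named above, the following script is an added example written for this page; it is not code from heise or from the Zabbix project. It assumes that every later release on the same branch (5.0.x, 6.0.x, 6.4.x, 7.0.x) also contains the fixes, that pre-releases sort as alpha < beta < rc < final, and that `zabbix_server -V` prints a line of the form `zabbix_server (Zabbix) 6.4.15` (the sample outputs below are constructed, not captured from real hosts). Branches not listed in the article yield `None` rather than a verdict.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per branch, as stated in the article. Assumption: every
# later release on the same branch (e.g. 7.0.0, 7.0.1) is fixed as well.
FIXED_RELEASES = ("5.0.43rc1", "6.0.31rc1", "6.4.16rc1", "7.0.0rc3")

# Pre-release ordering: alpha < beta < rc < final (assumed Zabbix convention).
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

# Matches "7.0.0", "7.0.0rc3", "6.4.16rc1" anywhere in a string, so it works on
# a bare version as well as on the output of `zabbix_server -V`.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?")

VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Return a sortable key (major, minor, patch, stage_rank, stage_number)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Zabbix version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        return (major, minor, patch, _STAGE_RANK[m.group(4)], int(m.group(5)))
    return (major, minor, patch, _FINAL_RANK, 0)


# Branch (major, minor) -> key of the first fixed release on that branch.
FIXED_BY_BRANCH: Dict[Tuple[int, int], VersionKey] = {
    key[:2]: key for key in map(parse_version, FIXED_RELEASES)
}


def is_patched(version_text: str) -> Optional[bool]:
    """True if the version is at or above the fixed release of its branch,
    False if it is older, None if the branch is not covered by the article."""
    key = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(key[:2])
    if fixed is None:
        return None
    return key >= fixed


def unpatched_hosts(inventory: Dict[str, str]) -> List[str]:
    """Given host -> `-V` output, list hosts that are confirmed unpatched.
    Hosts on branches the article does not cover are not listed."""
    return sorted(host for host, out in inventory.items() if is_patched(out) is False)


if __name__ == "__main__":
    # Constructed sample output, assumed to mirror the `zabbix_server -V` format.
    sample = {
        "mon-01": "zabbix_server (Zabbix) 6.4.15",
        "mon-02": "zabbix_server (Zabbix) 7.0.0rc3",
        "mon-03": "zabbix_server (Zabbix) 5.0.42",
        "mon-04": "zabbix_server (Zabbix) 6.2.9",
    }
    for host, out in sample.items():
        print(f"{host}: {out!r} -> patched={is_patched(out)}")
    print("needs update:", unpatched_hosts(sample))
```

Run it against the real output of `zabbix_server -V`, `zabbix_proxy -V` or `zabbix_agentd -V` collected from each host; a `None` result means the branch (for example 6.2.x) is not named in the article and needs to be checked separately against the vendor's support policy.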
(des)