Zabbix SQL Injection Vulnerability Let Attackers Gain Complete Control Of Instances
A critical security flaw has been discovered in Zabbix, the popular open-source monitoring solution, that can give an attacker full control over affected instances.
The vulnerability, tracked as CVE-2024-42327, affects multiple Zabbix versions and carries a CVSS score of 9.9.
It is an SQL injection in the CUser class of the Zabbix frontend, specifically in the addRelatedObjects function.
That function is called from CUser.get, the user.get API method, which is reachable by every account that has API access.
What makes the flaw particularly concerning is that it does not require administrative rights: a non-admin account with the default User role, or with any other role that grants API access, can exploit it.
Security researcher Mark Rakoczi discovered and reported the vulnerability through the HackerOne bug bounty platform. The flaw affects Zabbix versions 6.0.0 to 6.0.31, 6.4.0 to 6.4.16, and 7.0.0.
Technical Analysis
Successful exploitation gives an attacker SQL-level access to the Zabbix database through the frontend's own database account, which can lead to:-
- Unauthorized access to the Zabbix database
- Exfiltration of sensitive information, including the password hashes and active session identifiers that Zabbix keeps in its users and sessions tables
- Modification or deletion of critical monitoring data
- Execution of commands on the database server, but only where the database account holds privileges that allow it (file or external-program access); the injection by itself does not provide this
- Privilege escalation within Zabbix, since a recovered Super admin session or credential hands over the whole instance
The high CVSS score reflects that a low-privileged account can reach all of this over the API, with significant damage to an organization's monitoring infrastructure and data confidentiality.
The affected ranges stop at 6.0.31, 6.4.16 and 7.0.0, and at the time of writing (November 28, 2024) the fix is already shipped in the next release of each branch: 6.0.32, 6.4.17 and 7.0.1 and later. Installations on 7.0.0 or on the older branches should be upgraded past those versions.
Zabbix users are advised to confirm the exact fixed versions against the official Zabbix security advisory for CVE-2024-42327 and to follow the update channels for any further guidance.
In the meantime, security experts recommend implementing several mitigation strategies:-
- Review and restrict API access permissions; the default User role grants API access, so any account holding it can reach the vulnerable code path
- Implement additional access controls and monitoring for the Zabbix frontend
- Use Web Application Firewall (WAF) rules to detect and block potential SQL injection attempts
- Regularly audit user roles and permissions
- Implement network segmentation to limit the exposure of the Zabbix server
- Monitor database and application logs for suspicious activities
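The version ranges stated above and the first, fourth and last of these mitigations can be turned into an offline audit. The following Python script is an added example, not Zabbix code: it checks a version string against the published affected ranges, lists the roles that enable API access (and the users holding them) from records shaped like Zabbix's `role.get` (with `selectRules`) and `user.get` (with `selectRole`) responses, and flags JSON-RPC bodies that call `user.get` with SQL metacharacters in their parameters. The sample roles, users and request bodies are constructed for this example; the metacharacter rule is a generic WAF-style heuristic, not a signature for this specific bug, because the advisory names the function and not the parameter.

```python
"""Offline exposure audit for CVE-2024-42327 (added example; not Zabbix's own code).

Checks the three things the advisory text makes actionable:
  1. whether a Zabbix version string falls inside an affected range,
  2. which roles grant API access (and so can reach CUser.get), and which users hold them,
  3. whether a JSON-RPC body aimed at user.get carries SQL metacharacters.
Sample roles, users and request bodies below are constructed for this example.
"""
import json
import re

# Affected ranges exactly as published: (first affected, last affected) per branch.
AFFECTED_RANGES = [
    ((6, 0, 0), (6, 0, 31)),
    ((6, 4, 0), (6, 4, 16)),
    ((7, 0, 0), (7, 0, 0)),
]


def parse_version(text):
    """Map '6.0.31', '7.0.1rc1' or '6.4.17' to a comparable (major, minor, patch) tuple.
    Release-candidate suffixes are dropped: 6.0.32rc1 is already past the affected range."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("not a Zabbix version string: %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version_text):
    """True if the version lies inside one of the published affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def roles_with_api_access(roles):
    """Names of roles whose rules enable the API. Zabbix encodes the flag as the
    string "1"/"0" under rules["api.access"]; a missing key is treated as enabled,
    which errs on the side of reporting a role (assumption for this example)."""
    return [r["name"] for r in roles
            if str(r.get("rules", {}).get("api.access", "1")) == "1"]


def users_exposed(users, roles):
    """Usernames that can call the API and therefore reach the vulnerable code path."""
    api_roles = set(roles_with_api_access(roles))
    return sorted(u["username"] for u in users
                  if u.get("role", {}).get("name") in api_roles)


# Crude metacharacter check for a WAF-style rule. It inspects every string value in
# params rather than one named parameter; expect false positives on legitimate
# search strings and tune the pattern to your environment.
SQLI_PATTERN = re.compile(r"'|--|/\*|;|\b(union|select|sleep|benchmark|pg_sleep)\b",
                          re.IGNORECASE)


def _string_values(obj):
    """Yield every string leaf of a nested JSON value."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _string_values(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _string_values(v)
    elif isinstance(obj, str):
        yield obj


def suspicious_user_get(body):
    """Return the offending string values if the JSON-RPC body calls user.get with
    SQL metacharacters in its params; an empty list otherwise (including on bad JSON)."""
    try:
        req = json.loads(body)
    except ValueError:
        return []
    if not isinstance(req, dict) or req.get("method") != "user.get":
        return []
    return [s for s in _string_values(req.get("params", {})) if SQLI_PATTERN.search(s)]


SAMPLE_ROLES = [  # constructed; field names follow role.get with selectRules="extend"
    {"roleid": "1", "name": "User", "type": "1", "rules": {"api.access": "1"}},
    {"roleid": "2", "name": "Admin", "type": "2", "rules": {"api.access": "1"}},
    {"roleid": "3", "name": "Super admin role", "type": "3", "rules": {"api.access": "1"}},
    {"roleid": "4", "name": "Read-only dashboard", "type": "1", "rules": {"api.access": "0"}},
]
SAMPLE_USERS = [  # constructed; field names follow user.get with selectRole="extend"
    {"userid": "1", "username": "Admin", "role": {"roleid": "3", "name": "Super admin role"}},
    {"userid": "5", "username": "noc-viewer", "role": {"roleid": "4", "name": "Read-only dashboard"}},
    {"userid": "7", "username": "contractor", "role": {"roleid": "1", "name": "User"}},
]
SAMPLE_REQUESTS = [  # constructed JSON-RPC bodies; the second carries an injection attempt
    '{"jsonrpc":"2.0","method":"user.get","params":{"output":["userid","username"]},"id":1,"auth":"x"}',
    '{"jsonrpc":"2.0","method":"user.get","params":{"filter":{"username":"a\' OR 1=1 -- "}},"id":2,"auth":"x"}',
]


def audit(version, roles, users, requests):
    """Assemble the findings into one dict so the whole check can be run or tested at once."""
    return {
        "version_affected": is_affected(version),
        "api_roles": roles_with_api_access(roles),
        "exposed_users": users_exposed(users, roles),
        "flagged_requests": [i for i, b in enumerate(requests) if suspicious_user_get(b)],
    }


if __name__ == "__main__":
    print(json.dumps(audit("7.0.0", SAMPLE_ROLES, SAMPLE_USERS, SAMPLE_REQUESTS), indent=2))
```

Against the constructed data the audit reports the version as affected, three roles with API access, the `Admin` and `contractor` accounts as able to reach `user.get`, and the second request as suspicious. To run it against a real instance, feed it the output of `apiinfo.version`, `role.get` with `selectRules` and `user.get` with `selectRole`; the request check belongs in a reverse proxy or WAF that sees POST bodies to `api_jsonrpc.php`, since a plain web-server access log does not record them.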
Given the critical nature of this vulnerability, organizations running an affected Zabbix version should treat the upgrade as an immediate priority and apply the mitigations above in the meantime.
That a low-privileged API account can take complete control of a Zabbix instance is what makes prompt action necessary to protect monitoring infrastructure and the sensitive data it holds.
Zabbix users should follow the official Zabbix communication channels for updates and further guidance on this issue.
The post Zabbix SQL Injection Vulnerability Let Attackers Gain Complete Control Of Instances appeared first on Cyber Security News.