Remote code execution within ping script
Platform: zabbix
Component: zabbix
Fixed in: 6.4.16, 7.0.1
CVE-2024-22116 is a critical Remote Code Execution (RCE) vulnerability discovered in Zabbix, a popular open-source monitoring solution. This flaw allows an administrator with restricted permissions to execute arbitrary code on the system through the Monitoring Hosts section's script execution functionality. The vulnerability impacts Zabbix versions 6.4.9 through 7.0.0rc2, and a fix is available in version 7.0.1.
Impact and Attack Scenarios
The impact of CVE-2024-22116 is severe. A successful exploit allows an attacker to gain complete control over the Zabbix server, potentially leading to data breaches, system compromise, and disruption of monitoring services. Attackers could leverage this RCE to install malware, steal sensitive data collected by Zabbix (including credentials and system metrics), or pivot to other systems within the network. The ability to execute arbitrary code bypasses standard security controls and represents a significant escalation of privileges. This vulnerability shares similarities with other script injection flaws where insufficient input validation allows for code execution.
Exploitation Context
CVE-2024-22116 was publicly disclosed on August 9, 2024. The CVSS score of 9.9 (CRITICAL) indicates a high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk. It is not currently listed on CISA KEV, but its criticality warrants close monitoring. Active exploitation campaigns are possible given the ease of exploitation and the widespread use of Zabbix.
Who Is at Risk
Organizations heavily reliant on Zabbix for monitoring critical infrastructure are particularly at risk. This includes those with complex Zabbix configurations, custom scripts, or a large number of administrators with varying permission levels. Shared hosting environments utilizing Zabbix are also vulnerable, as a compromised account on one instance could potentially impact others.
Detection Steps
• linux / server: journalctl -u zabbix-server -g "Ping script execution"
• zabbix: Review Zabbix logs for unusual script execution attempts, particularly those originating from restricted user accounts.
• generic web: Check Zabbix server access logs for requests to the Monitoring Hosts section with unusual parameters.
• windows / supply-chain: While Zabbix primarily runs on Linux, if agents are deployed on Windows, monitor PowerShell execution logs for suspicious scripts related to Zabbix.
Threat Intelligence
EPSS: 0.50% (percentile 66%)
CVSS Vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: Low. Any valid user account is sufficient.
- User Interaction: None. The attack is automatic and silent; the victim does nothing.
- Scope: Changed. The attack can pivot beyond the vulnerable component.
- Confidentiality: High. Total loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify or delete all data.
- Availability: High. Complete outage or resource exhaustion; total denial of service.
Mitigation and Workarounds
The primary mitigation for CVE-2024-22116 is to immediately upgrade to Zabbix version 7.0.1 or later. If upgrading is not immediately feasible, consider restricting access to the Monitoring Hosts section to only highly trusted administrators. Implement strict input validation and sanitization for all script parameters within Zabbix. While a WAF may offer some protection, it is not a substitute for patching. Monitor Zabbix logs for suspicious activity, particularly related to script execution, and consider implementing intrusion detection signatures to identify potential exploitation attempts. After upgrading, confirm the fix by attempting to execute a script with malicious code through the Monitoring Hosts section; it should be rejected.
How to Fix
Update Zabbix to the latest available version. The affected versions are 6.4.9 to 6.4.15 and 7.0.0alpha1 to 7.0.0rc2. The update will fix the remote code execution vulnerability.
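To check an installed version against the ranges above, the pre-release ordering matters: 7.0.0rc2 is older than the final 7.0.0, which is itself older than the 7.0.1 fix. The following checker is an added example, not code from the advisory or from the Zabbix project; it assumes the version is supplied as a bare string such as "7.0.0rc2" and that the stated ranges are inclusive.

```python
import re

# Assumption: the advisory's affected ranges are inclusive at both ends.
# Pre-release tags are ordered alpha < beta < rc < final release.
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$")


def parse_version(text):
    """Turn '7.0.0rc2' into a tuple that sorts correctly against
    '7.0.0' and '7.0.1'. Unknown formats raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    pre = (PRERELEASE_RANK[tag], int(num)) if tag else (FINAL_RANK, 0)
    return (int(major), int(minor), int(patch)) + pre


# Ranges exactly as the advisory lists them.
AFFECTED_RANGES = [
    (parse_version("6.4.9"), parse_version("6.4.15")),
    (parse_version("7.0.0alpha1"), parse_version("7.0.0rc2")),
]

# Fixed release per branch, as the advisory states.
FIXED_IN = {(6, 4): "6.4.16", (7, 0): "7.0.1"}


def is_affected(version):
    """True when the version falls inside one of the listed ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def needs_upgrade(version):
    """True when the version is older than its branch's fixed release.
    The final 7.0.0 is not in the listed ranges, yet it is still below
    the 7.0.1 fix, so this check reports it as needing an upgrade."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return False  # branch not covered by this advisory
    return v < parse_version(fixed)
```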
Frequently Asked Questions
What is CVE-2024-22116 — RCE in Zabbix?
CVE-2024-22116 is a critical Remote Code Execution vulnerability in Zabbix, allowing administrators with restricted permissions to execute arbitrary code via the Ping script.
Am I affected by CVE-2024-22116 in Zabbix?
You are affected if you are running Zabbix versions 6.4.9 through 7.0.0rc2. Upgrade to 7.0.1 or later to mitigate the risk.
How do I fix CVE-2024-22116 in Zabbix?
Upgrade to Zabbix version 7.0.1 or later. As a temporary workaround, restrict access to the Monitoring Hosts section to trusted administrators.
Is CVE-2024-22116 being actively exploited?
While no active exploitation has been confirmed, the high CVSS score and ease of exploitation suggest a high probability of exploitation.
Where can I find the official Zabbix advisory for CVE-2024-22116?
Refer to the official Zabbix security advisory: https://www.zabbix.com/security/advisories/ZBX-2701