SB2017081209 - Debian update for zabbix

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Command injection (CVE-ID: CVE-2017-2824)

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on a targeted system.

The weakness exists due to insufficient validation of user-supplied input by the trapper command function. An attacker can submitt specially crafted packets from an active Zabbix proxy, inject arbitrary commands and execute arbitrary code on the targeted system.

Successful exploitation of the vulnerability results in arbitrary code execution.

Proof-of-concept code demonstrating an exploit of this vulnerability is publicly available.

2) Improper input validation (CVE-ID: CVE-2017-2825)

The vulnerability allows a remote unauthenticated attacker to write arbitrary files on the target system.

The weakness exists in the trapper functionality due to insufficient validation of trapper packets. A remote attacker can submit specially crafted trapper packets, bypass database logic checks, perform man-in-the-middle attack between an active Zabbix proxy and the target Zabbix server, alter the trapper requests made between the Zabbix proxy and the target server and perform database writes.

Remediation

Install update from vendor's website.

References

• https://support.zabbix.com/browse/ZBX-12075
• https://support.zabbix.com/browse/ZBX-12076