Talos Vulnerability Report

TALOS-2017-0327

Zabbix Server Config Proxy Request Information Disclosure Vulnerability

April 9, 2018

CVE Number

CVE-2017-2826

Summary

An information disclosure vulnerability exists in the iConfig proxy request of Zabbix server 2.4.X. A specially crafted iConfig proxy request can cause the Zabbix server to send the configuration information of any Zabbix proxy, resulting in information disclosure. An attacker can make requests from an active Zabbix proxy to trigger this vulnerability.

Tested Versions

Zabbix Server 2.4.8.r1

Product URLs

http://www.zabbix.com

CVSSv3 Score

3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-200: Information Exposure

Details

If an attacker can send packets to a Zabbix server from the IP address of a configured Zabbix proxy, whether through spoofing, legitimate access, or other means, then an attacker can request the database configuration information for any configured Zabbix proxy, assuming that the hostname of the Zabbix proxy can be guessed or brute-forced.

This database configuration information contains sensitive materials that could be used for further exploitation and discovery purposes.

The following is a subset of the sensitive information disclosed:

1. All configured monitored Zabbix agents and corresponding IP addresses.
2. All items that can be used to query data from the Zabbix agent, including user-configured UserParameters (potentially dangerous).
3. Hostmacros

Example Request (from any valid proxy IP):

ZBXD\x01\x30\x00\x00\x00\x00\x00\x00\x00{"request":"proxy config","host":"zabbix-proxy.abcd.com"}
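
A detection sketch for the request shown above, added here as an example and not taken from the Talos report or from Zabbix: it decodes captured frames (ZBXD header, flags byte, 8-byte little-endian length, JSON body) and alerts when a "proxy config" request names a host other than the one expected for its source IP. The inventory, addresses, hostnames and function names are assumptions made for illustration.

```python
import json
import struct

HEADER = b"ZBXD\x01"  # protocol magic + flags byte, as in the request above
# Hypothetical inventory: source IP of each active proxy -> its configured hostname.
PROXY_INVENTORY = {
    "10.0.0.11": "proxy-a.example.test",
    "10.0.0.12": "proxy-b.example.test",
}

def parse_frame(data: bytes):
    """Decode one frame: 5-byte header, 8-byte little-endian length, JSON body."""
    if len(data) < 13 or data[:5] != HEADER:
        raise ValueError("not a ZBXD frame")
    (length,) = struct.unpack("<Q", data[5:13])
    if length != len(data) - 13:
        raise ValueError("declared length does not match body")
    return json.loads(data[13:].decode("utf-8"))

def check_request(src_ip: str, data: bytes, inventory=PROXY_INVENTORY):
    """Return an alert string for a suspicious proxy config request, else None."""
    try:
        msg = parse_frame(data)
    except ValueError as exc:  # also covers invalid JSON and bad UTF-8
        return f"{src_ip}: malformed frame ({exc})"
    if not isinstance(msg, dict) or msg.get("request") != "proxy config":
        return None  # other request types are out of scope for this check
    expected, claimed = inventory.get(src_ip), msg.get("host")
    if expected is None:
        return f"{src_ip}: proxy config request from unknown source for {claimed!r}"
    if claimed != expected:
        return f"{src_ip}: requested config of {claimed!r}, expected {expected!r}"
    return None

def frame(obj) -> bytes:  # builds constructed sample input only
    body = json.dumps(obj).encode()
    return HEADER + struct.pack("<Q", len(body)) + body

# Constructed samples: (source IP, captured bytes)
SAMPLES = [
    ("10.0.0.11", frame({"request": "proxy config", "host": "proxy-a.example.test"})),
    ("10.0.0.11", frame({"request": "proxy config", "host": "proxy-b.example.test"})),
    ("192.0.2.50", frame({"request": "proxy config", "host": "proxy-a.example.test"})),
    ("10.0.0.12", HEADER + b"\x05" + b"\x00" * 7 + b"{}"),
    ("10.0.0.12", frame({"request": "active checks", "host": "agent1"})),
]

def run_samples():
    return [check_request(ip, raw) for ip, raw in SAMPLES]
```

Repeated mismatch alerts from one source with changing host values correspond to the hostname guessing described in the Details section.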

Timeline

2017-04-22 - Vendor Disclosure
2018-04-09 - Public Release

Credit

Discovered by Lilith Wyatt of Cisco Advanced Security Initiatives Group.