CVE-2022-22704

9.8 CRITICAL

📋 TL;DR

CVE-2022-22704 is a privilege escalation vulnerability in zabbix-agent2 on Alpine Linux that allows local users to gain root privileges. The vulnerability occurs due to incorrect assumptions about systemd configuration handling. Only Alpine Linux systems running vulnerable versions of zabbix-agent2 are affected.

💻 Affected Systems

Products:
  • zabbix-agent2
Versions: All versions before 5.4.9-r1
Operating Systems: Alpine Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Alpine Linux packaging of zabbix-agent2. Other distributions are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full root privileges on the system, enabling complete system compromise, data theft, and lateral movement.

🟠 Likely Case

Privileged service account or local user escalates to root, potentially compromising the monitoring system and gaining access to sensitive monitoring data.

🟢 If Mitigated

With proper access controls and minimal privileges, impact is limited to the zabbix-agent2 service scope.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring existing access to the system.
🏢 Internal Only: HIGH - Internal users or compromised service accounts can exploit this to gain root access on affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the system. The vulnerability details and exploitation method are publicly documented in the Alpine Linux issue tracker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.4.9-r1 and later

Vendor Advisory: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13368

Restart Required: Yes

Instructions:

1. Update Alpine Linux packages: apk update && apk upgrade
2. Specifically update zabbix-agent2: apk upgrade zabbix-agent2
3. Restart the zabbix-agent2 service: rc-service zabbix-agent2 restart

🔧 Temporary Workarounds

Remove zabbix-agent2

Uninstall the vulnerable package if it is not needed:

apk del zabbix-agent2

Restrict service permissions

Run zabbix-agent2 with reduced privileges using systemd security features. Note that Alpine Linux runs services under OpenRC rather than systemd (the fix instructions above use rc-service), so this drop-in only takes effect on hosts where zabbix-agent2 is actually managed as a systemd unit.

Create /etc/systemd/system/zabbix-agent2.service.d/security.conf with:

[Service]
DynamicUser=yes
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

🧯 If You Can't Patch

  • Isolate affected systems from critical infrastructure and sensitive data
  • Implement strict access controls and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check installed zabbix-agent2 version: apk info zabbix-agent2 | grep version

Check Version:

apk info zabbix-agent2 | grep version

Verify Fix Applied:

Verify version is 5.4.9-r1 or higher: apk info zabbix-agent2 | grep version
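An added shell check (not part of this advisory) that extracts the installed zabbix-agent2 version and compares it with 5.4.9-r1 offline; it assumes Alpine's X.Y.Z-rN version scheme and that `apk list --installed zabbix-agent2` prints a line beginning with "zabbix-agent2-<version>" (the sample line in the comments is constructed).

```shell
#!/bin/sh
# Added example, not from the advisory: compare an installed zabbix-agent2
# version against the fixed Alpine package 5.4.9-r1. Assumes Alpine's
# X.Y.Z-rN version scheme (no _rc/_p suffixes) and, for the live check,
# that `apk list --installed zabbix-agent2` prints a line starting with
# "zabbix-agent2-<version>", e.g. the constructed sample
# "zabbix-agent2-5.4.8-r0 x86_64 {zabbix} (AGPL-3.0-only) [installed]".
FIXED_VERSION="5.4.9-r1"

# Compare two Alpine-style versions; prints lt, eq or gt.
apk_vercmp() {
    # split "5.4.8-r0" into dotted part (trailing dot eases popping) and release number
    a=${1%-r*}.; a_rel=${1#*-r}; [ "$a_rel" = "$1" ] && a_rel=0
    b=${2%-r*}.; b_rel=${2#*-r}; [ "$b_rel" = "$2" ] && b_rel=0
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}; y=${b%%.*}; b=${b#*.}
        # a missing component counts as 0, so 5.4 equals 5.4.0
        [ "${x:-0}" -lt "${y:-0}" ] && { echo lt; return 0; }
        [ "${x:-0}" -gt "${y:-0}" ] && { echo gt; return 0; }
    done
    # dotted parts are equal: decide on the -rN package release number
    if [ "$a_rel" -lt "$b_rel" ]; then echo lt
    elif [ "$a_rel" -gt "$b_rel" ]; then echo gt
    else echo eq
    fi
}

# First field of an `apk list` line minus the package name: "zabbix-agent2-5.4.8-r0 ..." -> "5.4.8-r0"
pkg_version_from_line() {
    f=${1%% *}
    printf '%s\n' "${f#zabbix-agent2-}"
}

# Succeeds (exit 0) when VER is older than the fixed version, i.e. still vulnerable.
is_vulnerable_version() {
    [ "$(apk_vercmp "$1" "$FIXED_VERSION")" = lt ]
}

# Live check on an Alpine host: exit 1 if vulnerable, 0 if fixed or not installed.
check_host() {
    command -v apk >/dev/null 2>&1 || { echo "apk not found; not an Alpine host"; return 2; }
    line=$(apk list --installed zabbix-agent2 2>/dev/null | head -n 1)
    [ -n "$line" ] || { echo "zabbix-agent2 is not installed"; return 0; }
    ver=$(pkg_version_from_line "$line")
    if is_vulnerable_version "$ver"; then
        echo "VULNERABLE: zabbix-agent2 $ver is older than $FIXED_VERSION (CVE-2022-22704)"; return 1
    fi
    echo "OK: zabbix-agent2 $ver is $FIXED_VERSION or later"
}
```

Run `check_host` on the host itself; the comparison functions also work offline on version strings collected from an inventory.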

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation in audit logs
  • zabbix-agent2 process running as root when configured otherwise
  • Failed privilege escalation attempts in system logs

Network Indicators:

  • Unusual outbound connections from zabbix-agent2 host
  • Monitoring data exfiltration

SIEM Query:

process.name:"zabbix-agent2" AND user.name:"root" AND NOT parent.process.name:"systemd"
