CVE-2023-29450
📋 TL;DR
This vulnerability allows attackers to exploit JavaScript pre-processing in Zabbix Server or Proxy to gain read-only file system access under the 'zabbix' user account. This can lead to unauthorized access to sensitive configuration files, logs, and other data stored on the system. Organizations running vulnerable versions of Zabbix Server or Proxy are affected.
💻 Affected Systems
- Zabbix Server
- Zabbix Proxy
📦 What is this software?
Zabbix by Zabbix
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain read access to sensitive files including configuration files with database credentials, API keys, and other secrets, potentially leading to full system compromise through credential reuse or privilege escalation.
Likely Case
Attackers exfiltrate sensitive configuration data, monitor logs, and gather intelligence about the Zabbix environment and connected systems.
If Mitigated
With proper network segmentation and access controls, impact is limited to the Zabbix server/proxy system only, preventing lateral movement to other systems.
🎯 Exploit Status
Exploitation requires access to Zabbix frontend or API with sufficient privileges to create/modify items with JavaScript pre-processing. The vulnerability has been publicly disclosed with technical details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Zabbix 6.0.22, 6.2.11, 6.4.6, 7.0.0beta1 and later
Vendor Advisory: https://support.zabbix.com/browse/ZBX-22588
Restart Required: Yes
Instructions:
1. Back up your Zabbix configuration and database.
2. Download the patched version from the official Zabbix repository.
3. Stop Zabbix services.
4. Install the updated packages.
5. Restart Zabbix services.
6. Verify that the update was successful.
🔧 Temporary Workarounds
Disable JavaScript pre-processing
Linux: Temporarily disable JavaScript pre-processing functionality to prevent exploitation
# Edit zabbix_server.conf or zabbix_proxy.conf
# Add or modify: AllowJavaScript=0
# Restart service: systemctl restart zabbix-server
Restrict access to Zabbix frontend
Linux: Limit network access to the Zabbix web interface to trusted IP addresses only
# Using iptables example:
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Zabbix servers from sensitive systems
- Apply principle of least privilege to Zabbix user account and file permissions
🔍 How to Verify
Check if Vulnerable:
Check the Zabbix version against the affected versions and verify whether JavaScript pre-processing is enabled in the configuration.
Check Version:
zabbix_server --version 2>&1 | grep 'Zabbix'
Verify Fix Applied:
Verify that the Zabbix version is 6.0.22, 6.2.11, 6.4.6, 7.0.0beta1 or later. Test JavaScript pre-processing functionality to ensure it is properly restricted.
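As an added example that is not part of this advisory, the Python helper below compares the output of `zabbix_server --version` (or `zabbix_proxy --version`) against the patch versions listed above, branch by branch, and orders pre-release suffixes so that 7.0.0beta1 and anything after it count as fixed. It assumes the version appears in the first line of that output in the form `zabbix_server (Zabbix) 6.0.21`; branches the advisory does not list are reported as unknown.

```python
"""Compare a Zabbix Server/Proxy version against the CVE-2023-29450 fix releases."""
import re
import subprocess

# First fixed release per branch, as listed in the advisory above.
# Branches that are not listed here are reported as "unknown".
FIXED_VERSIONS = {
    (6, 0): "6.0.22",
    (6, 2): "6.2.11",
    (6, 4): "6.4.6",
    (7, 0): "7.0.0beta1",
}

# Pre-release ordering: alpha < beta < rc < final release (no suffix).
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}

# Matches "6.0.21", "6.4.6", "7.0.0beta1", "6.0.22rc1".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, stage_rank, stage_no).

    Assumed input is the first line of `zabbix_server --version`, e.g.
    "zabbix_server (Zabbix) 6.0.21"; a bare version string also works.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Zabbix version found in {text!r}")
    major, minor, patch, stage, stage_no = match.groups()
    stage = stage.lower() if stage else None
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage], int(stage_no or 0))


def assess(version_output):
    """Classify --version output as 'vulnerable', 'fixed' or 'unknown'."""
    version = parse_version(version_output)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown"  # branch not covered by the advisory's fix list
    return "fixed" if version >= parse_version(fixed) else "vulnerable"


if __name__ == "__main__":
    # Same command the advisory gives under "Check Version".
    out = subprocess.run(["zabbix_server", "--version"], capture_output=True, text=True)
    print(assess(out.stdout + out.stderr))
```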
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript pre-processing activity
- Multiple failed file access attempts by zabbix user
- Suspicious item creation/modification in Zabbix audit logs
Network Indicators:
- Unusual outbound connections from Zabbix server
- Large data transfers from Zabbix server to external IPs
SIEM Query:
source="zabbix" AND (event="JavaScript pre-processing" OR (user="zabbix" AND action="file access"))