CVE-2023-32722
📋 TL;DR
CVE-2023-32722 is a critical buffer overflow in Zabbix's shared JSON library (the src/libs/zbxjson module, reached through zbx_json_open) that is triggered while parsing attacker-controlled JSON input. Zabbix servers and proxies parse JSON received from peers over the Zabbix protocol, so a remote attacker who can connect to one of those components can crash it and, in the worst case, achieve remote code execution and take over the host.
💻 Affected Systems
- Zabbix server and proxy, versions 4.0.0 through 4.0.48, 5.0.0 through 5.0.37, 6.0.0 through 6.0.21, 6.4.0 through 6.4.6, and 7.0.0alpha1
📦 What is this software?
Zabbix by Zabbix: an open-source infrastructure and application monitoring platform. Its server and proxy daemons collect metrics from agents, proxies and zabbix_sender over a TCP protocol whose payloads are JSON, which is where the vulnerable parser sits.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.
Likely Case
Remote code execution allowing attackers to install malware, create backdoors, or disrupt monitoring operations.
If Mitigated
Limited impact if network controls allow only trusted hosts to reach the server and proxy ports; configuration alone does not remove the overflow, only the patch does.
🎯 Exploit Status
The flaw is in a core parsing function (zbx_json_open) that every server and proxy runs on data received from the network, so no unusual configuration is needed to reach it. This page references no public proof-of-concept; treat the vulnerability as exploitable by anyone who can open a connection to an affected component.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Zabbix 4.0.49, 5.0.38, 6.0.22, 6.4.7 and 7.0.0alpha2 (fixed first in the rc1 build of each; the 6.2 branch had reached end of life and received no fix)
Vendor Advisory: https://support.zabbix.com/browse/ZBX-23390
Restart Required: Yes
Instructions:
1. Back up your Zabbix configuration and database.
2. Obtain the fixed packages from the Zabbix repository or your distribution (or the source tarball from the Zabbix website).
3. Stop the zabbix-server and zabbix-proxy services.
4. Install the updated packages.
5. Start the services again; the fix is only active once the daemons are restarted.
6. Confirm the reported version is at or above the fixed build for your branch and that agents and proxies still deliver data.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to Zabbix servers and proxies to trusted sources only. Port 10051 is the server/proxy listener, and the allowed sources must include every active-mode agent, proxy and zabbix_sender host that reports to it, or monitoring breaks. Replace TRUSTED_IP with your own host or network; note that these rules are appended, so an earlier broad ACCEPT rule in the chain would still win, and they do not survive a reboot unless persisted:
iptables -A INPUT -p tcp --dport 10051 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 10051 -j DROP
Reduce Untrusted JSON Sources
JSON is the native format of the Zabbix component protocol, so it cannot be disabled. What can be reduced is the set of peers allowed to send it: remove trapper items and zabbix_sender access that are no longer needed, restrict the "Allowed hosts" of remaining trapper items, and keep unregistered agents off the server port.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Zabbix servers from untrusted networks
- Do not rely on a web application firewall (WAF): it only sees the Zabbix web frontend over HTTP, while the vulnerable parser is reached over the raw TCP component protocol on port 10051, which a WAF does not inspect; use host and network firewalls instead
🔍 How to Verify
Check if Vulnerable:
Check the Zabbix version with 'zabbix_server --version' or 'zabbix_proxy --version' (the first output line reads 'zabbix_server (Zabbix) X.Y.Z') and compare it against the affected ranges above
Check Version:
zabbix_server --version 2>/dev/null || zabbix_proxy --version 2>/dev/null || dpkg -l | grep -E 'zabbix-(server|proxy)' || rpm -qa | grep -E 'zabbix-(server|proxy)'
Verify Fix Applied:
Verify the version is at least 4.0.49, 5.0.38, 6.0.22 or 6.4.7 for its branch (7.0.0alpha2 on the development line), confirm the daemons were restarted after the upgrade, and check that they still accept data from known agents and proxies
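As an added example (not code from the Zabbix project or from this advisory), the following POSIX shell script parses the first line of `zabbix_server --version` / `zabbix_proxy --version` and reports whether the installed build falls inside an affected range for CVE-2023-32722. The `zabbix_server (Zabbix) X.Y.Z` output format is Zabbix's own; the function names and the sample output are this example's assumptions, and branches the script does not know are reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example, not Zabbix project code: classify an installed Zabbix
# server/proxy build against the CVE-2023-32722 fix versions
# (4.0.49, 5.0.38, 6.0.22, 6.4.7; 7.0.0alpha2 on the development line).

# Pull "X.Y.Z" out of the first line of `zabbix_server --version`,
# e.g. "zabbix_server (Zabbix) 6.0.21" -> "6.0.21". Pre-release
# suffixes such as "6.0.22rc1" are dropped by the pattern.
zbx_parse_version() {
    printf '%s\n' "$1" | head -n 1 |
        sed -n 's/.*(Zabbix) \([0-9][0-9.]*\).*/\1/p'
}

# Print "vulnerable", "fixed" or "unknown" for a dotted version.
# Branches not listed (for example 6.2, or 7.0 pre-releases) are
# reported as "unknown" rather than guessed.
zbx_cve_2023_32722_status() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
        4.0) fixed=49 ;;
        5.0) fixed=38 ;;
        6.0) fixed=22 ;;
        6.4) fixed=7 ;;
        *)   echo unknown; return 0 ;;
    esac
    # keep only the leading digits of the patch level ("22rc1" -> "22")
    patch_num=$(printf '%s' "$patch" | sed 's/[^0-9].*$//')
    if [ "${patch_num:-0}" -ge "$fixed" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Check whichever daemons are installed on this host.
zbx_check_host() {
    for bin in zabbix_server zabbix_proxy; do
        if command -v "$bin" >/dev/null 2>&1; then
            ver=$(zbx_parse_version "$("$bin" --version 2>/dev/null)")
            printf '%s %s: %s\n' "$bin" "${ver:-?}" \
                "$(zbx_cve_2023_32722_status "$ver")"
        fi
    done
}

# Constructed sample of the real output format, used to demonstrate
# the parser offline; the revision line is made up.
SAMPLE_OUTPUT='zabbix_server (Zabbix) 6.0.21
Revision 0000000 1 January 2023, compilation time: Jan  1 2023 00:00:00'

zbx_check_host
printf 'sample: %s -> %s\n' "$(zbx_parse_version "$SAMPLE_OUTPUT")" \
    "$(zbx_cve_2023_32722_status "$(zbx_parse_version "$SAMPLE_OUTPUT")")"
```

Run it on each server and proxy host; a package-manager query can disagree with the running binary after an upgrade without a restart, which is why the script asks the daemon itself.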
📡 Detection & Monitoring
Log Indicators:
- Lines from Zabbix's fatal-signal handler in zabbix_server.log or zabbix_proxy.log of the form 'Got signal [signal:11(SIGSEGV),reason:...,refaddr:...]. Crashing ...', followed by a backtrace
- Unexpected worker exits and daemon restarts: the parent process logs 'One child process died (PID:...,exitcode/signal:...). Exiting ...', and the kernel log shows 'segfault' entries for zabbix_server or zabbix_proxy
- Unusual JSON parsing errors
Network Indicators:
- Connections to the server/proxy port (10051) or the agent port (10050) from hosts that are not registered agents, proxies or senders
- Oversized or malformed Zabbix protocol messages (the 'ZBXD' header followed by a length field) sent to those ports
SIEM Query:
(source="zabbix_server.log" OR source="zabbix_proxy.log") AND ("Got signal" OR "Crashing" OR "One child process died" OR "segfault")