CVE-2024-22120
📋 TL;DR
CVE-2024-22120 is a SQL injection in the Zabbix server's audit logging of global script execution. When a script is run, the server writes an audit entry that includes the requester's 'clientip'; that value is placed into the audit INSERT without sanitization, so a user who can trigger script execution can inject SQL and extract data from the Zabbix database through time-based blind injection. It affects Zabbix server 6.0.x, 6.4.x and the 7.0.0 pre-releases in installations where global scripts can be executed manually.
💻 Affected Systems
- Zabbix server 6.0.0 - 6.0.27, 6.4.0 - 6.4.12, 7.0.0alpha1 - 7.0.0beta1 (fixed in 6.0.28rc1, 6.4.13rc1 and 7.0.0beta2)
📦 What is this software?
Zabbix by Zabbix
⚠️ Risk & Real-World Impact
Worst Case
Blind extraction of the Zabbix database, including the `sessions` table. A stolen Super admin session gives full control of the frontend, from which an attacker can define a global script that executes on the Zabbix server host, i.e. remote code execution on the Zabbix server (the chain described in public proof-of-concept write-ups). Credentials that Zabbix stores for monitored systems (macros, SNMP, SSH and database-monitoring secrets) are also exposed.
Likely Case
Disclosure of database contents by time-based blind extraction: user password hashes, session identifiers, host and macro configuration, and monitoring data. Extraction is slow, one yes/no answer per request and each request delayed by the injected sleep, but entirely practical for small, high-value tables such as `sessions` and `users`.
If Mitigated
On a patched server the clientip value is escaped and the injection fails. With only workarounds in place (manual script execution restricted to trusted roles and the trapper port firewalled) the vulnerable code path is out of reach of ordinary users, but the flaw remains in the binary until the upgrade is done.
🎯 Exploit Status
Public proof-of-concept code exists. Exploitation requires a valid Zabbix session (sid) for a user allowed to execute a global script on at least one host, and the ability to reach the server. Because the frontend fills clientip from the HTTP client's own address, the public exploits bypass it and send the `command` request directly to the server's trapper port (TCP 10051) with an attacker-chosen clientip. The injection is time-based blind: each request answers one yes/no question by delaying the response, so extraction is slow and leaves a long trail of script-execution audit entries.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Zabbix 6.0.28 (fix first shipped in 6.0.28rc1), 6.4.13 (6.4.13rc1) or 7.0.0beta2 and later
Vendor Advisory: https://support.zabbix.com/browse/ZBX-24505
Restart Required: Yes
Instructions:
1. Back up the Zabbix database and the configuration files (zabbix_server.conf and the frontend configuration). 2. Upgrade the zabbix-server package to 6.0.28, 6.4.13 or 7.0.0beta2, or a later release in the same branch, and upgrade the frontend to the same version. 3. Restart the zabbix-server service and the web server / PHP-FPM serving the frontend. 4. Confirm the running version with `zabbix_server --version` and check the server log for a clean start and a completed database upgrade.
🔧 Temporary Workarounds
Restrict manual script execution
Until patched, take the ability to run global scripts away from every user who does not need it. Do not rely on EnableRemoteCommands: that is a zabbix_agentd.conf parameter and has no effect on this server-side code path.
# Frontend: Administration → User roles → <role> → Access to actions → untick "Execute scripts" for roles that do not need it
# Frontend: Administration → Scripts (Alerts → Scripts in 7.0) → remove or disable scripts with scope "Manual host action" or "Manual event action"
Restrict access to the server's trapper port
The `command` request that carries clientip is received on the Zabbix server's trapper port (TCP 10051). Allow connections to it only from the frontend host(s), Zabbix proxies and agents in active mode, and block everything else. UserParameter is an agent-side setting and is unrelated to this issue.
# Host or network firewall: permit TCP/10051 only from frontend, proxy and active-agent addresses
# Administration → Users: review which accounts hold roles that permit script execution and remove the ones that do not need it
🧯 If You Can't Patch
- Firewall the server's trapper port (TCP 10051) so that only the frontend, proxies and active agents can reach it, and segment the Zabbix server and its database from sensitive systems.
- Review Reports → Audit log (the `auditlog` table) for script-execution entries whose IP field is not a valid address; a long run of script executions by one user at near-constant intervals is the signature of automated time-based extraction.
🔍 How to Verify
Check if Vulnerable:
Check the Zabbix server version: 6.0.0 through 6.0.27, 6.4.0 through 6.4.12, and 7.0.0alpha1 through 7.0.0beta1 are vulnerable. Other 6.x branches are not listed in the advisory and should be treated as suspect; 5.0 is not listed as affected.
Check Version:
zabbix_server --version | grep 'Zabbix'
Verify Fix Applied:
`zabbix_server --version` reports 6.0.28 (or 6.0.28rc1), 6.4.13 (or 6.4.13rc1), 7.0.0beta2 or a later release in the same branch, and the frontend's System information page shows the same version. There is no configuration flag to check: the fix is in the server binary, which is why the restart matters.
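A version comparison that gets the pre-release ordering right is the awkward part of this check (7.0.0beta1 is vulnerable, 7.0.0beta2 is not, and 6.0.28rc1 already carries the fix). The following is an added example, not code from Zabbix or from this page; it parses the output of `zabbix_server --version` and compares it against the fixed versions named in the advisory. The three-way result (True / False / None) is a design choice of this example: branches the advisory does not list are reported as undetermined rather than silently declared safe.

```python
import re
import subprocess

# Versions in which ZBX-24505 is fixed, per the advisory, keyed by (major, minor) branch.
FIXED_IN = {
    (6, 0): "6.0.28rc1",
    (6, 4): "6.4.13rc1",
    (7, 0): "7.0.0beta2",
}

# Pre-release ordering used by Zabbix version strings: alpha < beta < rc < final release.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?")


def parse_version(text):
    """Extract a Zabbix version from text such as 'zabbix_server (Zabbix) 6.0.27'
    or a bare '7.0.0beta1' and return a tuple that sorts correctly:
    (major, minor, patch, pre_rank, pre_number)."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Zabbix version string in {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4):
        return (major, minor, patch, _PRE_RANK[m.group(4)], int(m.group(5)))
    return (major, minor, patch, _FINAL_RANK, 0)


def is_vulnerable(version_text):
    """True if the version is in an affected branch and older than that branch's fix,
    False if it is at or past the fix, None if the branch is not covered by the
    advisory (5.0 is not listed as affected; 6.2 is not listed at all)."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch not in FIXED_IN:
        return None
    return version < parse_version(FIXED_IN[branch])


def check_local_server():
    """Run the page's check command on this host and classify the installed server."""
    out = subprocess.run(["zabbix_server", "--version"],
                         capture_output=True, text=True, check=True).stdout
    return is_vulnerable(out)


if __name__ == "__main__":
    verdict = {True: "VULNERABLE", False: "fixed", None: "branch not covered by ZBX-24505"}
    print(verdict[check_local_server()])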
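```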
📡 Detection & Monitoring
Log Indicators:
- Entries in Reports → Audit log (the `auditlog` table) whose IP field is not a valid IPv4/IPv6 address
- Quotes, SLEEP(), BENCHMARK() or pg_sleep() in the IP field of script-execution entries
- Long series of script executions by one user at near-constant intervals, the pattern left by automated time-based extraction
Network Indicators:
- Connections to the Zabbix server's trapper port (TCP 10051) from hosts that are not the frontend, a proxy or an active agent
- On the database server, INSERT statements into auditlog that take seconds to complete (the injected delay), visible in the slow query log if it is enabled
SIEM Query:
Zabbix writes no audit log file; the records live in the `auditlog` table and have to be shipped to the SIEM first (for example with a database input). Against such records, alert on an IP field that is not a plain address (source name and wildcard syntax are placeholders to adapt to your SIEM):
sourcetype="zabbix_auditlog" AND NOT ip="" AND (ip="*'*" OR ip="*;*" OR ip="*--*" OR ip="*/*" OR ip="*(*")
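The detection described above, as an added example that is not part of the original page or of Zabbix: it classifies the `ip` value of audit records and flags anything that is not a real address, which covers both a visible payload and the garbage that gets stored once a payload has been evaluated. The rows are constructed for this example to mirror the columns of the `auditlog` table; the payload in the second row is constructed, not captured traffic, and the short `auditid` values are placeholders. The database-side query at the end is the equivalent hunt for direct use against the Zabbix database.

```python
import ipaddress
import re

# Constructed sample records shaped like rows of the Zabbix `auditlog` table.
# Row cktp1b carries a constructed time-based payload of the kind this CVE enables;
# row cktp1e shows a non-address value of the sort that can remain after a payload ran.
SAMPLE_AUDIT_ROWS = [
    {"auditid": "cktp1a", "clock": 1715000000, "username": "Admin",
     "ip": "192.0.2.10", "resourcename": "Ping"},
    {"auditid": "cktp1b", "clock": 1715000031, "username": "operator",
     "ip": "' + (select sleep(5)) + '", "resourcename": "Ping"},
    {"auditid": "cktp1c", "clock": 1715000062, "username": "operator",
     "ip": "2001:db8::7", "resourcename": "Ping"},
    {"auditid": "cktp1d", "clock": 1715000093, "username": "operator",
     "ip": "", "resourcename": "Ping"},
    {"auditid": "cktp1e", "clock": 1715000124, "username": "operator",
     "ip": "0", "resourcename": "Ping"},
]

# Tokens that time-based blind injection relies on (MySQL/MariaDB and PostgreSQL).
_SQLI_HINTS = re.compile(
    r"sleep\s*\(|benchmark\s*\(|pg_sleep\s*\(|\bselect\b|\bunion\b|'|--|;|/\*",
    re.IGNORECASE,
)


def classify_ip(value):
    """Label an audit `ip` value: 'ok' for a valid IPv4/IPv6 address, 'empty' for
    records with no client address (internal actions), 'sqli' when the value carries
    SQL tokens, 'malformed' for anything else that is not an address."""
    if value == "":
        return "empty"
    try:
        ipaddress.ip_address(value)
        return "ok"
    except ValueError:
        pass
    if _SQLI_HINTS.search(value):
        return "sqli"
    return "malformed"


def suspicious_rows(rows):
    """Return (row, label) for every record whose ip is neither an address nor empty."""
    flagged = []
    for row in rows:
        label = classify_ip(row["ip"])
        if label in ("sqli", "malformed"):
            flagged.append((row, label))
    return flagged


# Database-side equivalent: any character outside the IP alphabet.
# MySQL/MariaDB syntax shown; on PostgreSQL write  ip ~ '[^0-9a-fA-F:.]'  instead of REGEXP.
HUNT_QUERY = (
    "SELECT auditid, clock, username, ip, resourcename FROM auditlog "
    "WHERE ip <> '' AND ip REGEXP '[^0-9a-fA-F:.]' ORDER BY clock DESC;"
)


if __name__ == "__main__":
    for row, label in suspicious_rows(SAMPLE_AUDIT_ROWS):
        print(f"{label:9s} auditid={row['auditid']} user={row['username']} ip={row['ip']!r}")
```

Feed it the rows exported from `auditlog` (or the SIEM's copy of them) in place of the sample list; the `'sqli'` label is the high-confidence alert, while `'malformed'` deserves a look because a value that is not an address at all should never appear in that column.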