CVE-2024-36460
📋 TL;DR
Zabbix's web front-end audit log recorded user passwords in clear text. Anyone with an authenticated front-end account whose role can open the audit log (Reports -> Audit log in 6.0+) can read the passwords of every user that was created or whose password was changed while the bug was present, administrators included. It is a confidentiality flaw in a privileged area of the UI, not a remote pre-auth issue, and the same plaintext sits in the Zabbix database where the audit entries are stored.
💻 Affected Systems
- Zabbix web front-end, all branches maintained at the time of the advisory (5.0, 6.0, 6.4 and the 7.0 pre-releases); see the vendor advisory for the exact version ranges
📦 What is this software?
Zabbix by Zabbix (Zabbix SIA): an open-source infrastructure and application monitoring platform made up of a PHP web front-end, server/proxy daemons, agents and a relational database. The audit log is a feature of the web front-end; its entries are stored in the Zabbix database.
⚠️ Risk & Real-World Impact
Worst Case
A Super admin password read from the audit log hands over the monitoring platform and everything it can reach (agent-side scripts and remote commands, stored host credentials); where the password is reused, it also opens other systems, enabling lateral movement and data exfiltration.
Likely Case
An insider or an attacker holding a lower-privileged audit-log-capable account escalates to an administrator account and uses it to alter monitoring configuration, silence alerts, plant persistence (scripts, media types, API tokens) or read sensitive inventory and host data.
If Mitigated
Limited exposure if audit log access is restricted to a few trusted administrators and monitored, and if read access to the Zabbix database is equally restricted; the exposed passwords still need rotating.
🎯 Exploit Status
No exploit code is needed. An attacker only needs an authenticated Zabbix front-end session whose user role includes the Audit log UI element (granted to the default Super admin role) and then browses or filters the audit entries. Read access to the Zabbix database exposes the same data without touching the front-end.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Zabbix 6.0.31, 7.0.0beta3 and later (the advisory lists the fixed release for each affected branch)
Vendor Advisory: https://support.zabbix.com/browse/ZBX-25017
Restart Required: No
Instructions:
1. Upgrade the front-end (and, to keep versions aligned, the server) to Zabbix 6.0.31, 7.0.0beta3 or the fixed release of your branch from the vendor repository.
2. Verify in Reports -> Audit log that new user-creation and password-change entries show the password field masked.
3. Treat every password recorded before the upgrade as exposed: rotate those accounts, and purge the old audit entries (audit log housekeeping) so the plaintext does not remain in the database.
🔧 Temporary Workarounds
Restrict Audit Log Access
Limit the Audit log UI element to the few administrators who actually need it.
# Zabbix 6.0+: Administration -> User roles -> <role> -> Access to UI elements -> Reports -> Audit log
# Review which users hold a role that still has it; the default Super admin role does.
Disable Audit Logging
Temporarily switch audit logging off so no further passwords are written. This also suspends the audit trail, so re-enable it as soon as the patch is applied.
# Zabbix 6.0+: Administration -> General -> Audit log -> uncheck "Enable audit logging"
# There is no zabbix_server.conf parameter for this and no per-event filter. Entries already written
# stay in the database until housekeeping removes them (same page: "Enable internal housekeeping",
# "Data storage period").
🧯 If You Can't Patch
- Implement strict access controls to audit log interface with multi-factor authentication.
- Monitor access to the audit log page through the web server's access logs (Zabbix does not audit reads of its own audit log) and alert on access by unexpected users or source addresses.
🔍 How to Verify
Check if Vulnerable:
Log in to the Zabbix web interface, open Reports -> Audit log (6.0+), filter on Resource = User with Actions = Add or Update, and read the Details column: a vulnerable front-end shows the passwd field with the actual password instead of a masked value.
Check Version:
zabbix_server --version
# The affected component is the web front-end: compare with the version shown in the web UI footer, which should match the server after the upgrade.
Verify Fix Applied:
After patching, create a throwaway user or change a test account's password and confirm that the new audit entry shows the passwd value masked (asterisks) rather than the password. Entries written before the patch are not rewritten; they remain readable until purged.
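The check above can be automated against the 6.0+ JSON-RPC API, which exposes audit entries through auditlog.get. The script below is an added example for this page, not Zabbix project code. It assumes that each record carries a details JSON string whose keys look like "user.passwd" and whose values have the shape [action, value], and that a patched front-end stores "******" as the password value; adjust MASK and PASSWORD_KEY if your release differs. The sample records are constructed, so the scan runs offline; fetch_auditlog is the only part that talks to a server.

```python
import json
import re
import urllib.request

# Assumption: a patched front-end stores this string for password fields.
MASK = "******"
# Assumption: password fields appear as "<resource>.passwd" keys in details.
PASSWORD_KEY = re.compile(r"\.passwd$")


def fetch_auditlog(api_url, token, limit=1000):
    """Fetch recent audit records via auditlog.get (Zabbix >= 6.0).

    Network call, not used by the offline sample. `token` is an API token or
    session id, sent in the 6.0-style "auth" field.
    """
    body = json.dumps({
        "jsonrpc": "2.0", "id": 1, "auth": token,
        "method": "auditlog.get",
        "params": {"output": "extend", "limit": limit,
                   "sortfield": "clock", "sortorder": "DESC"},
    }).encode()
    req = urllib.request.Request(
        api_url, data=body, headers={"Content-Type": "application/json-rpc"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(reply["error"])
    return reply["result"]


def find_unmasked_passwords(records):
    """Return (resourcename, key, clock) for each record holding a plaintext password."""
    hits = []
    for rec in records:
        try:
            details = json.loads(rec.get("details") or "{}")
        except json.JSONDecodeError:
            continue  # not the JSON detail form this scan understands
        if not isinstance(details, dict):
            continue
        for key, change in details.items():
            if not PASSWORD_KEY.search(key):
                continue
            # Assumed value shape: [action, new_value]
            if isinstance(change, list) and len(change) > 1 and change[1] != MASK:
                hits.append((rec.get("resourcename"), key, int(rec.get("clock", 0))))
    return hits


def users_to_rotate(hits):
    """Distinct account names whose password was exposed: the rotation list."""
    return sorted({name for name, _, _ in hits if name})


# Constructed sample records (not real data) in the assumed auditlog.get shape.
SAMPLE_RECORDS = [
    {"auditid": "1", "clock": "1716000000", "resourcename": "alice",
     "details": '{"user.username":["add","alice"],"user.passwd":["add","Sup3rSecret!"]}'},
    {"auditid": "2", "clock": "1716000100", "resourcename": "bob",
     "details": '{"user.passwd":["update","******"]}'},      # patched behaviour
    {"auditid": "3", "clock": "1716000200", "resourcename": "carol",
     "details": '{"user.name":["update","Carol"]}'},           # no password field
    {"auditid": "4", "clock": "1716000300", "resourcename": "dave",
     "details": ""},                                           # empty details
    {"auditid": "5", "clock": "1716000400", "resourcename": "alice",
     "details": '{"user.passwd":["update","Still-Plain-2"]}'},
]

if __name__ == "__main__":
    found = find_unmasked_passwords(SAMPLE_RECORDS)
    for name, key, clock in found:
        print(f"EXPOSED {name}: {key} at {clock}")
    print("rotate:", users_to_rotate(found))
```

Run it against a live instance with fetch_auditlog(url, token) in place of SAMPLE_RECORDS after the upgrade: any hit means plaintext is still in the database, so rotate the listed accounts and purge the entries. The same check before the upgrade gives you the full list of accounts that need new passwords.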
📡 Detection & Monitoring
Log Indicators:
- Web-server access-log hits on the audit log page from users or source addresses that do not normally administer Zabbix
- Bursts of audit log page views with changing filter parameters (someone searching for user add/update entries)
- Zabbix audit "Login" entries for administrator accounts from new IPs shortly before such access
Network Indicators:
- HTTP requests to the audit log page: zabbix.php?action=auditlog.list (6.0+) or auditlogs.php (5.x)
SIEM Query:
source="zabbix" AND (url="*action=auditlog.list*" OR url="*auditlogs.php*") | stats count by src_ip, user