CVE-2024-36465
📋 TL;DR
A SQL injection vulnerability in Zabbix allows authenticated low-privilege users with API access to execute arbitrary SQL commands via the groupBy parameter. This affects Zabbix installations where regular users have API permissions. Attackers could potentially read, modify, or delete database content.
💻 Affected Systems
- Zabbix
📦 What is this software?
Zabbix by Zabbix
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data manipulation, privilege escalation to administrative access, or full system takeover via subsequent attacks.
Likely Case
Unauthorized data access, extraction of sensitive information from Zabbix database, or modification of monitoring configurations.
If Mitigated
Limited impact if proper network segmentation, API access controls, and database permissions are implemented.
🎯 Exploit Status
Exploitation requires authenticated API access but SQL injection via parameter manipulation is straightforward for attackers with basic skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Zabbix 7.0.0beta3, 6.4.14, 6.0.32, 5.0.50
Vendor Advisory: https://support.zabbix.com/browse/ZBX-26257
Restart Required: Yes
Instructions:
1. Backup Zabbix database and configuration.
2. Download and install patched version from Zabbix website.
3. Follow Zabbix upgrade documentation for your version.
4. Restart Zabbix server and frontend services.
🔧 Temporary Workarounds
Restrict API Access
Remove API access from low-privilege users until patching is complete.
# Edit Zabbix user permissions via GUI or API to remove API access from regular users
Network Segmentation
Restrict network access to Zabbix API endpoints.
# Example iptables rules (replace trusted_network with your management CIDR):
iptables -A INPUT -p tcp --dport 10051 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 10051 -j DROP
# Note: 10051 is the server trapper port (agent/proxy traffic); the JSON-RPC API (/api_jsonrpc.php) is served by the frontend web server, so apply the same ACCEPT/DROP pair to its HTTP/HTTPS ports.
🧯 If You Can't Patch
- Implement strict network access controls to limit Zabbix API access to trusted IPs only
- Review and minimize API permissions for all users, especially low-privilege accounts
🔍 How to Verify
Check if Vulnerable:
Check Zabbix version and compare against affected versions. Verify if low-privilege users have API access permissions.
Check Version:
zabbix_server --version | head -n 1
# The version is on the first line ("grep version" would match the license text instead). The API lives in the web frontend, so also check its version, e.g. with the unauthenticated apiinfo.version JSON-RPC method.
Verify Fix Applied:
Confirm Zabbix version is patched (7.0.0beta3, 6.4.14, 6.0.32, or 5.0.50+) and test API functionality.
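The version comparison above, worked through as an added example that is not part of this advisory: it classifies an installed Zabbix version string against the fixed releases listed here (7.0.0beta3, 6.4.14, 6.0.32, 5.0.50) per maintenance branch. The branch map, the pre-release ordering (alpha < beta < rc < final) and the inventory strings in the demo are this example's own assumptions.

```python
"""Added example (not from the advisory): classify a Zabbix version string
against the fixed releases listed above, branch by branch."""
import re
from typing import Optional, Tuple

# Fixed releases per maintenance branch, as stated in the advisory.
FIXED_BY_BRANCH = {
    (5, 0): "5.0.50",
    (6, 0): "6.0.32",
    (6, 4): "6.4.14",
    (7, 0): "7.0.0beta3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$")
# Pre-release ordering assumed by this example: alpha < beta < rc < final release.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '6.4.13' or '7.0.0beta2' into a sortable tuple.

    The fourth element ranks the pre-release stage so that a final release
    sorts above any alpha/beta/rc with the same major.minor.patch.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    stage, stage_no = m.group(4), m.group(5)
    return (major, minor, patch, _STAGE_RANK[stage], int(stage_no) if stage_no else 0)


def is_vulnerable(installed: str) -> Optional[bool]:
    """True if installed is below the fixed release on its branch, False if at
    or above it, None when the branch is not covered by the advisory."""
    v = parse_version(installed)
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is None:
        return None
    return v < parse_version(fixed)


def _demo() -> None:
    # Constructed inventory strings, for illustration only.
    for ver in ("6.4.13", "6.4.14", "6.0.31", "5.0.50", "7.0.0beta2", "7.0.0", "6.2.9"):
        print(f"{ver:>12}: vulnerable={is_vulnerable(ver)}")


if __name__ == "__main__":
    _demo()
```

A None result means the branch (for example 6.2 or 4.0) is not named in this advisory, so treat it as "check the vendor advisory" rather than as safe.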
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in Zabbix server logs
- API requests with malformed groupBy parameters
- Database error messages in logs
Network Indicators:
- Unusual API request patterns to /api_jsonrpc.php
- SQL injection patterns in HTTP POST data
SIEM Query:
source="zabbix_server.log" AND "SQL" AND ("error" OR "warning")
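The "malformed groupBy parameters" indicator above, turned into a concrete check as an added example that is not part of this advisory: it walks captured JSON-RPC request bodies and flags any groupBy value that is not a plain column identifier (or a list of them). It assumes request bodies are available, for instance from a reverse proxy in front of /api_jsonrpc.php configured to log them; the line format "<timestamp> <client-ip> <json-body>", the method names and all sample lines are constructed for this example and do not identify which API method is affected.

```python
"""Added example (not from the advisory): flag JSON-RPC requests whose groupBy
parameter is not a plain column identifier. Log line format and samples are
constructed; auth tokens in the samples are placeholders."""
import json
import re
from typing import Any, Dict, Iterator, List

# A legitimate groupBy value names a column: letters, digits and underscore only.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample capture: "<timestamp> <client-ip> <json-body>" per line.
SAMPLE_LOG = """\
2024-06-01T10:00:00Z 10.0.0.5 {"jsonrpc":"2.0","method":"host.get","params":{"output":["hostid","name"]},"auth":"REDACTED","id":1}
2024-06-01T10:00:05Z 10.0.0.5 {"jsonrpc":"2.0","method":"host.get","params":{"groupBy":"name"},"auth":"REDACTED","id":2}
2024-06-01T10:00:07Z 198.51.100.7 {"jsonrpc":"2.0","method":"host.get","params":{"groupBy":"name'"},"auth":"REDACTED","id":3}
2024-06-01T10:00:09Z 10.0.0.8 {"jsonrpc":"2.0","method":"host.get","params":{"filter":{"groupBy":["hostid","name"]}},"auth":"REDACTED","id":4}
2024-06-01T10:00:11Z 198.51.100.7 {"jsonrpc":"2.0","method":"host.get","params":{"groupBy":{"x":1}},"auth":"REDACTED","id":5}
"""


def find_group_by(node: Any) -> Iterator[Any]:
    """Yield every value stored under a 'groupBy' key, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "groupBy":
                yield value
            yield from find_group_by(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_group_by(item)


def group_by_is_clean(value: Any) -> bool:
    """Accept one identifier or a non-empty list of identifiers; reject anything else."""
    if isinstance(value, str):
        return bool(IDENTIFIER_RE.match(value))
    if isinstance(value, list):
        return len(value) > 0 and all(isinstance(v, str) and IDENTIFIER_RE.match(v) for v in value)
    return False


def scan_log(text: str) -> List[Dict[str, Any]]:
    """Return one alert per request carrying a suspicious groupBy value."""
    alerts: List[Dict[str, Any]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ts, client, body = line.split(" ", 2)
            request = json.loads(body)
        except ValueError:
            # Unparseable lines deserve a look but are not injection evidence by themselves.
            alerts.append({"ts": None, "client": None, "reason": "unparseable line"})
            continue
        for value in find_group_by(request.get("params", {})):
            if not group_by_is_clean(value):
                alerts.append({
                    "ts": ts,
                    "client": client,
                    "method": request.get("method"),
                    "id": request.get("id"),
                    "reason": f"groupBy is not a column identifier: {value!r}",
                })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

An allowlist on the parameter's shape is deliberately used instead of a blocklist of SQL keywords: every legitimate groupBy is a column name, so anything else is worth an analyst's attention regardless of which characters the request happens to contain.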