CVE-2024-36467
📋 TL;DR
This vulnerability allows authenticated users with API access to escalate their privileges by adding themselves to any group, including administrative groups like Zabbix Administrators. It affects Zabbix monitoring systems where users have access to the user.update API endpoint. The default User role is sufficient to exploit this vulnerability.
💻 Affected Systems
- Zabbix
📦 What is this software?
Zabbix by Zabbix
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains administrative privileges, enabling complete control over the Zabbix monitoring system, including modifying configurations, accessing sensitive monitoring data, and potentially using Zabbix as a pivot point to attack monitored systems.
Likely Case
Malicious or compromised users escalate their privileges to gain administrative access, allowing them to modify monitoring configurations, suppress alerts, or access sensitive infrastructure data.
If Mitigated
Impact is limited to authorized users who already have API access but cannot escalate beyond their intended permissions.
🎯 Exploit Status
Exploitation requires authenticated API access but is straightforward once credentials are obtained. The vulnerability is in the user.update API endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Zabbix 7.0.0beta2
Vendor Advisory: https://support.zabbix.com/browse/ZBX-25614
Restart Required: No
Instructions:
1. Upgrade to Zabbix 7.0.0beta2 or later.
2. No database schema changes required.
3. The fix is included in the standard upgrade process.
🔧 Temporary Workarounds
Restrict API Access
Limit API access to only trusted users and applications. Remove API access from users who don't require it.
# Review and modify user permissions in Zabbix GUI or via API
# Remove API access from unnecessary users
Implement API Rate Limiting
Configure rate limiting on API endpoints to detect and prevent suspicious privilege escalation attempts.
# Configure web server rate limiting (e.g., nginx, Apache)
# Implement application-level rate limiting if available
🧯 If You Can't Patch
- Implement strict access controls and monitor API usage for privilege escalation attempts.
- Regularly audit user permissions and group memberships to detect unauthorized changes.
🔍 How to Verify
Check if Vulnerable:
Check the Zabbix version via the GUI (Administration → General → About) or the API. If the version is between 7.0.0alpha1 and 7.0.0beta1, the system is vulnerable.
Check Version:
zabbix_server --version | grep version
Verify Fix Applied:
After upgrading to 7.0.0beta2 or later, verify that users with the default User role cannot add themselves to administrative groups via the user.update API endpoint.
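The version check above is easy to get wrong by hand because Zabbix pre-release tags (alpha, beta, rc) do not sort as plain strings. The script below is an added example, not part of this advisory or of Zabbix itself: it pulls a version out of text such as the first line of `zabbix_server --version` or an `apiinfo.version` response, orders pre-release stages correctly, and reports whether the version falls in the range this page gives as vulnerable (7.0.0alpha1 through 7.0.0beta1, fixed in 7.0.0beta2). The sample input strings are constructed, and the `zabbix_server (Zabbix) X.Y.Z` line shape is assumed.

```python
import re

# Vulnerable range as stated on this page: 7.0.0alpha1 through 7.0.0beta1 inclusive,
# with the fix in 7.0.0beta2. These bounds come from the advisory text, not from Zabbix.
VULN_FIRST = "7.0.0alpha1"
VULN_LAST = "7.0.0beta1"

# Pre-release stage ordering: alpha < beta < rc < final release (no stage suffix).
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

# major.minor.patch with an optional alpha/beta/rc suffix and its number, e.g. 7.0.0beta1
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?")


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, stage_rank, stage_number)
    for the first Zabbix-style version found in `text`, or None if there is none."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    if stage is None:
        # A final release outranks every pre-release of the same x.y.z.
        return (int(major), int(minor), int(patch), _FINAL_RANK, 0)
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage], int(num))


def is_vulnerable(text):
    """True if the version embedded in `text` lies in the advisory's vulnerable range."""
    v = parse_version(text)
    if v is None:
        raise ValueError("no Zabbix version found in: %r" % (text,))
    return parse_version(VULN_FIRST) <= v <= parse_version(VULN_LAST)


if __name__ == "__main__":
    # Constructed samples: the first mimics the assumed `zabbix_server --version` banner,
    # the rest are bare version strings as returned by the API.
    for sample in ("zabbix_server (Zabbix) 7.0.0beta1", "7.0.0alpha3", "7.0.0beta2", "7.0.0", "6.4.15"):
        print("%-40s vulnerable=%s" % (sample, is_vulnerable(sample)))
```

Run it against the output of the `zabbix_server --version` command shown above; a `False` for a version of 7.0.0beta2 or later is the expected post-upgrade result.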
📡 Detection & Monitoring
Log Indicators:
- API calls to user.update endpoint with usergrp.add parameter
- Unexpected changes to user group memberships
- Users added to administrative groups
Network Indicators:
- Increased API traffic to user.update endpoint
- Patterns of privilege escalation attempts
SIEM Query:
source="zabbix" AND (api_method="user.update" AND parameters CONTAINS "usergrp.add")
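The SIEM query above matches on the method name and a parameter substring; the strongest signal for this CVE is narrower: a `user.update` call whose target user is the caller's own account and whose group list includes an administrative group. The script below is an added example, not part of this advisory or of Zabbix: it applies that logic to a constructed JSON-lines API access log (the record shape is invented for the example; map your own log fields onto it). It checks both the `usergrp.add` indicator named on this page and the user object's `usrgrps` list (assumed shape: `[{"usrgrpid": ...}]`). The admin group ID in `ADMIN_GROUP_IDS` is a placeholder; take the real IDs from your own instance.

```python
import json

# Placeholder set of group IDs treated as administrative. Replace with the IDs from your
# own instance (Administration -> User groups); the value here is not taken from Zabbix.
ADMIN_GROUP_IDS = {"7"}

# Constructed sample API access log in JSON-lines form (not a real Zabbix log format):
# one record per call with the caller's user id, the method and the request params.
SAMPLE_LOG = """
{"ts":"2024-06-01T10:00:00Z","caller_userid":"5","caller":"alice","method":"host.get","params":{"output":["hostid"]}}
{"ts":"2024-06-01T10:00:05Z","caller_userid":"5","caller":"alice","method":"user.update","params":{"userid":"5","usrgrps":[{"usrgrpid":"7"}]}}
{"ts":"2024-06-01T10:01:00Z","caller_userid":"1","caller":"Admin","method":"user.update","params":{"userid":"9","usrgrps":[{"usrgrpid":"7"}]}}
{"ts":"2024-06-01T10:02:00Z","caller_userid":"6","caller":"bob","method":"user.update","params":{"userid":"6","name":"Robert"}}
{"ts":"2024-06-01T10:03:00Z","caller_userid":"6","caller":"bob","method":"user.update","params":{"userid":"6","usergrp.add":["7"]}}
"""


def _group_ids(params):
    """Collect group IDs referenced by a user.update call from the page's `usergrp.add`
    indicator and from the user object's `usrgrps` list (assumed [{"usrgrpid": ...}])."""
    ids = set()
    for g in params.get("usrgrps") or []:
        if isinstance(g, dict) and "usrgrpid" in g:
            ids.add(str(g["usrgrpid"]))
    for g in params.get("usergrp.add") or []:
        ids.add(str(g))
    return ids


def classify(record):
    """Return None for records that do not change group membership via user.update,
    otherwise a finding with a severity: 'critical' when the caller edits their own
    account and targets an admin group (the pattern this CVE describes), 'high' for any
    self-edit of group membership, 'medium' for admin-group changes made by someone else,
    'low' for other membership changes (kept as an audit trail)."""
    if record.get("method") != "user.update":
        return None
    params = record.get("params") or {}
    groups = _group_ids(params)
    if not groups:
        return None
    self_edit = str(params.get("userid")) == str(record.get("caller_userid"))
    admin_hit = bool(groups & ADMIN_GROUP_IDS)
    if self_edit and admin_hit:
        severity = "critical"
    elif self_edit:
        severity = "high"
    elif admin_hit:
        severity = "medium"
    else:
        severity = "low"
    return {
        "ts": record.get("ts"),
        "caller": record.get("caller"),
        "target_userid": str(params.get("userid")),
        "groups": sorted(groups),
        "self_edit": self_edit,
        "admin_group": admin_hit,
        "severity": severity,
    }


def scan(log_text):
    """Parse JSON-lines log text and return the findings in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than aborting the whole scan
        finding = classify(record)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"].upper(), f["ts"], f["caller"], "->", f["target_userid"], f["groups"])
```

On the sample log this reports alice's and bob's self-additions to group 7 as critical and the Admin user's change to another account as medium, while bob's name-only update is ignored. The same three-way split (method, self-edit, admin group) is what the SIEM query above approximates with its `CONTAINS` clause.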