CVE-2024-42327
📋 TL;DR
This CVE describes an SQL injection vulnerability in Zabbix's CUser class that allows non-admin users with API access to execute arbitrary SQL queries. Any Zabbix installation with users holding the default User role, or any other role that grants API access, is affected. The vulnerability has a critical CVSS score of 9.9 because it can lead to complete system compromise.
💻 Affected Systems
- Zabbix
📦 What is this software?
Zabbix by Zabbix
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data exfiltration, privilege escalation to admin, and potential remote code execution on the underlying server.
Likely Case
Unauthorized data access, privilege escalation within Zabbix, and potential lateral movement to other systems.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and monitoring are in place.
🎯 Exploit Status
Exploitation requires authenticated API access but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Zabbix 7.0.0, 6.0.29, 6.4.17, 5.0.47
Vendor Advisory: https://support.zabbix.com/browse/ZBX-25623
Restart Required: Yes
Instructions:
1. Back up your Zabbix database and configuration.
2. Download the patched version from the Zabbix website.
3. Follow the Zabbix upgrade documentation for your specific version.
4. Restart Zabbix services after the upgrade.
🔧 Temporary Workarounds
Restrict API Access
Remove API access from non-admin users until patching is complete. The supported way is the frontend (Administration > User roles, API access); the statement below does the same directly in the database.
-- Zabbix stores per-role API access in role_rule (name 'api.access', value_int 1/0),
-- not in a users.api_access column. role.type = 1 is the "User" role type (non-admin).
-- Verify table and column names against the installed schema before running.
UPDATE role_rule
   SET value_int = 0
 WHERE name = 'api.access'
   AND roleid IN (SELECT roleid FROM role WHERE type = 1);
Network Segmentation
Restrict access to the Zabbix frontend to trusted networks only (replace TRUSTED_NETWORK with your CIDR range):
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit Zabbix frontend access to authorized users only
- Enable detailed SQL query logging and monitor for suspicious database activity
🔍 How to Verify
Check if Vulnerable:
Check the Zabbix version via the web interface or with the command: zabbix_server --version
Check Version:
zabbix_server --version 2>/dev/null || grep ZABBIX_VERSION /usr/share/zabbix/include/defines.inc.php
Verify Fix Applied:
Verify that the installed version is at or above the fixed release for its branch (7.0.0, 6.0.29, 6.4.17, or 5.0.47), then test API access with a non-admin user.
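A branch-aware version check for the fixed releases listed above, added here as an example and not part of Zabbix's own tooling. It assumes the output shapes `zabbix_server (Zabbix) X.Y.Z` and `define('ZABBIX_VERSION', 'X.Y.Z')`, and treats branches the advisory does not list as needing manual review rather than guessing.

```python
import re
from typing import Optional, Tuple

# Minimum fixed release per maintained branch, as listed in the advisory.
# Any 7.x release is at or above 7.0.0 and therefore contains the fix.
FIXED_BY_BRANCH = {(6, 0): (6, 0, 29), (6, 4): (6, 4, 17), (5, 0): (5, 0, 47)}
FIRST_FIXED_MAJOR = (7, 0, 0)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return the first x.y.z version found in the text, or None.

    Works on 'zabbix_server --version' output and on the ZABBIX_VERSION
    define from defines.inc.php (both formats assumed, see lead-in).
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_fixed(version: Tuple[int, int, int]) -> Optional[bool]:
    """True if the release contains the fix for CVE-2024-42327, False if it is
    on a listed branch but below the fixed release, None if the branch is not
    covered by the advisory (assumption: flag for manual review)."""
    if version >= FIRST_FIXED_MAJOR:
        return True
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return None
    # A naive comparison would wrongly call 6.0.28 "newer" than 5.0.47 and
    # 6.4.16 "older" than 7.0.0; comparing within the branch avoids that.
    return version >= fixed


def assess(text: str) -> str:
    """Human-readable verdict for raw version-command or defines.inc.php text."""
    version = parse_version(text)
    if version is None:
        return "unknown: no version string found"
    verdict = is_fixed(version)
    label = ".".join(str(p) for p in version)
    if verdict is None:
        return f"{label}: branch not listed in advisory, review manually"
    return f"{label}: {'fixed' if verdict else 'VULNERABLE'}"


if __name__ == "__main__":
    # Constructed sample output, not captured from a real system.
    print(assess("zabbix_server (Zabbix) 6.0.28\nRevision deadbeef, 1 January 2024"))
    print(assess("define('ZABBIX_VERSION', '6.4.17');"))
```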
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in Zabbix logs
- Multiple failed login attempts followed by API access
- Database error messages containing SQL syntax
Network Indicators:
- Unusual API call patterns from non-admin users
- Large data transfers from Zabbix database
SIEM Query:
source="zabbix" AND ("SQL syntax" OR "database error" OR "CUser.get") AND NOT user="Admin"