Debian Local Security Checks : Debian: Security Advisory (DLA-3538-1)

Vulnerability Search		Search 324607 CVE descriptions and 146377 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.1.1.2.2023.3538

Category: Debian Local Security Checks

Title: Debian: Security Advisory (DLA-3538-1)

Summary: The remote host is missing an update for the Debian 'zabbix' package(s) announced via the DLA-3538-1 advisory.

Description: Summary:
The remote host is missing an update for the Debian 'zabbix' package(s) announced via the DLA-3538-1 advisory.

Vulnerability Insight:
Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially allowing to crash the server, information disclosure or Cross-Site-Scripting attacks.

Important Notices: To mitigate CVE-2019-17382, on existing installations, the guest account needs to be manually disabled, for example by disabling the the Guest group in the UI: Administration -> User groups -> Guests -> Untick Enabled

This update also fixes a regression with CVE-2022-35229, which broke the possiblity to edit and add discovery rules in the UI.

CVE-2013-7484

Zabbix before version 4.4.0alpha2 stores credentials in the users table with the password hash stored as a MD5 hash, which is a known insecure hashing method. Furthermore, no salt is used with the hash.

CVE-2019-17382

(Disputed, not seen by upstream as not a security issue)

An issue was discovered in zabbix.php?actionUshboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.

CVE-2022-35229

An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

CVE-2022-43515

Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be prevented from being disclosed. An attacker can bypass this protection and access the instance using IP address not listed in the defined range.

CVE-2023-29450

JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user zabbix) on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data.

CVE-2023-29451

Specially crafted string can cause a buffer overrun in the JSON parser library leading to a crash of the Zabbix Server or a Zabbix Proxy.

CVE-2023-29454

A Stored or persistent cross-site scripting (XSS) vulnerability was found on aUsersa section in aMediaa tab in aSend toa form field. When new media is created with malicious code included into field aSend toa then it will execute when editing the same media.

CVE-2023-29455

A Reflected XSS attacks, also known as non-persistent attacks, was found where an attacker can pass malicious code as GET request to graph.php and system will save it and will execute when current graph page is opened.

CVE-2023-29456

URL validation scheme receives input from a user ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'zabbix' package(s) on Debian 10.

Solution:
Please install the updated package(s).

CVSS Score:
6.4

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2013-7484
https://support.zabbix.com/browse/ZBX-16551
https://support.zabbix.com/browse/ZBXNEXT-1898
https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html
Common Vulnerability Exposure (CVE) ID: CVE-2019-17382
https://www.exploit-db.com/exploits/47467
Common Vulnerability Exposure (CVE) ID: CVE-2022-35229
https://support.zabbix.com/browse/ZBX-21306
https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html
Common Vulnerability Exposure (CVE) ID: CVE-2022-43515
https://support.zabbix.com/browse/ZBX-22050
Common Vulnerability Exposure (CVE) ID: CVE-2023-29450
https://support.zabbix.com/browse/ZBX-22588
Common Vulnerability Exposure (CVE) ID: CVE-2023-29451
https://support.zabbix.com/browse/ZBX-22587
Common Vulnerability Exposure (CVE) ID: CVE-2023-29454
https://support.zabbix.com/browse/ZBX-22985
Common Vulnerability Exposure (CVE) ID: CVE-2023-29455
https://support.zabbix.com/browse/ZBX-22986
Common Vulnerability Exposure (CVE) ID: CVE-2023-29456
https://support.zabbix.com/browse/ZBX-22987
Common Vulnerability Exposure (CVE) ID: CVE-2023-29457
https://support.zabbix.com/browse/ZBX-22988

Copyright Copyright (C) 2023 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.1.1.2.2023.3538
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DLA-3538-1)
Summary:	The remote host is missing an update for the Debian 'zabbix' package(s) announced via the DLA-3538-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'zabbix' package(s) announced via the DLA-3538-1 advisory. Vulnerability Insight: Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially allowing to crash the server, information disclosure or Cross-Site-Scripting attacks. Important Notices: To mitigate CVE-2019-17382, on existing installations, the guest account needs to be manually disabled, for example by disabling the the Guest group in the UI: Administration -> User groups -> Guests -> Untick Enabled This update also fixes a regression with CVE-2022-35229, which broke the possiblity to edit and add discovery rules in the UI. CVE-2013-7484 Zabbix before version 4.4.0alpha2 stores credentials in the users table with the password hash stored as a MD5 hash, which is a known insecure hashing method. Furthermore, no salt is used with the hash. CVE-2019-17382 (Disputed, not seen by upstream as not a security issue) An issue was discovered in zabbix.php?actionUshboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin. CVE-2022-35229 An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. CVE-2022-43515 Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be prevented from being disclosed. An attacker can bypass this protection and access the instance using IP address not listed in the defined range. CVE-2023-29450 JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user zabbix) on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data. CVE-2023-29451 Specially crafted string can cause a buffer overrun in the JSON parser library leading to a crash of the Zabbix Server or a Zabbix Proxy. CVE-2023-29454 A Stored or persistent cross-site scripting (XSS) vulnerability was found on aUsersa section in aMediaa tab in aSend toa form field. When new media is created with malicious code included into field aSend toa then it will execute when editing the same media. CVE-2023-29455 A Reflected XSS attacks, also known as non-persistent attacks, was found where an attacker can pass malicious code as GET request to graph.php and system will save it and will execute when current graph page is opened. CVE-2023-29456 URL validation scheme receives input from a user ... [Please see the references for more information on the vulnerabilities] Affected Software/OS: 'zabbix' package(s) on Debian 10. Solution: Please install the updated package(s). CVSS Score: 6.4 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2013-7484 https://support.zabbix.com/browse/ZBX-16551 https://support.zabbix.com/browse/ZBXNEXT-1898 https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html Common Vulnerability Exposure (CVE) ID: CVE-2019-17382 https://www.exploit-db.com/exploits/47467 Common Vulnerability Exposure (CVE) ID: CVE-2022-35229 https://support.zabbix.com/browse/ZBX-21306 https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html Common Vulnerability Exposure (CVE) ID: CVE-2022-43515 https://support.zabbix.com/browse/ZBX-22050 Common Vulnerability Exposure (CVE) ID: CVE-2023-29450 https://support.zabbix.com/browse/ZBX-22588 Common Vulnerability Exposure (CVE) ID: CVE-2023-29451 https://support.zabbix.com/browse/ZBX-22587 Common Vulnerability Exposure (CVE) ID: CVE-2023-29454 https://support.zabbix.com/browse/ZBX-22985 Common Vulnerability Exposure (CVE) ID: CVE-2023-29455 https://support.zabbix.com/browse/ZBX-22986 Common Vulnerability Exposure (CVE) ID: CVE-2023-29456 https://support.zabbix.com/browse/ZBX-22987 Common Vulnerability Exposure (CVE) ID: CVE-2023-29457 https://support.zabbix.com/browse/ZBX-22988
Copyright	Copyright (C) 2023 Greenbone AG