An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4767-1 advisory.

    Fu Chuang discovered that Zabbix did not properly parse IPs. A remote attacker could possibly use this     issue to execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu     18.04 ESM. (CVE-2020-11800)

    It was discovered that Zabbix incorrectly handled certain requests. A remote attacker could possibly use     this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
    (CVE-2017-2824, CVE-2017-2825)

    It was discovered that Zabbix incorrectly handled certain XML files. A remote attacker could possibly use     this issue to read arbitrary files or potentially execute arbitrary code. This issue only affected Ubuntu     14.04 ESM. (CVE-2014-3005)

    It was discovered that Zabbix incorrectly handled certain inputs. A remote attacker could possibly use     this issue to execute arbitrary SQL commands. This issue only affected Ubuntu 14.04 ESM. (CVE-2016-10134,     CVE-2016-4338)

    It was discovered that Zabbix incorrectly handled the request parameter. A remote attacker could possibly     use this issue to redirect requests to external links. This issue only affected Ubuntu 14.04 ESM and     Ubuntu 18.04 ESM. (CVE-2016-10742)

    It was discovered that Zabbix incorrectly handled failed login attempts. A remote attacker could possibly     use this issue to enumerate users. (CVE-2019-15132)

    It was discovered that Zabbix did not properly validate input. A remote attacker could exploit this to     conduct cross-site scripting (XSS) attacks. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM     and Ubuntu 20.04 ESM. (CVE-2020-15803)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Zabbix server running on the remote host is affected by a remote command injection vulnerability due to the failure to sanitize the input data involving an IP address that would go into the 'ip' field of the 'interface' table in the 'zabbix' database. An unauthenticated, remote attacker can exploit this, via specially crafted packets, to execute OS commands.

Note that Zabbix server is reportedly affected by additional vulnerabilities; however, this plugin has not tested for these

mitre reports :

An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.

Lilith Wyatt discovered two vulnerabilities in the Zabbix network monitoring system which may result in execution of arbitrary code or database writes by malicious proxies.

- http://www.zabbix.com/rn3.0.8

- http://www.zabbix.com/rn3.0.9

- https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew308

- https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew309

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the instance of Zabbix running on the remote host is 2.0.x prior to 2.0.21, 2.2.x prior to 2.2.18, 3.0.x prior to 3.0.9, or 3.2.x prior to 3.2.5. It is, therefore, affected by multiple vulnerabilities :

  - A remote code execution vulnerability exists in the     trapper command functionality due to improper handling     of trapper packets. An unauthenticated, remote attacker     can exploit this, via a specially crafted set of trapper     packets, to inject arbitrary commands and execute     arbitrary code. (CVE-2017-2824 / TALOS-2017-0325)

  - A security bypass vulnerability exists in the trapper     command functionality due to improper handling of     trapper packets. A man-in-the-middle (MitM) attacker can     exploit this, via a specially crafted trapper packet, to     bypass database security checks and write arbitrary data     to the database. (CVE-2017-2825 / TALOS-2017-0326)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
183641	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM : Zabbix vulnerabilities (USN-4767-1)	Nessus	Ubuntu Local Security Checks	critical
105042	Zabbix Server 'active checks' Command Injection	Nessus	Misc.	high
102530	FreeBSD : Zabbix -- Remote code execution (5df8bd95-8290-11e7-93af-005056925db4)	Nessus	FreeBSD Local Security Checks	high
102444	Debian DSA-3937-1 : zabbix - security update	Nessus	Debian Local Security Checks	high
101639	Fedora 26 : zabbix (2017-5c8a4ebccd)	Nessus	Fedora Local Security Checks	high
101184	Fedora 24 : zabbix (2017-d191fb7fce)	Nessus	Fedora Local Security Checks	high
101181	Fedora 25 : zabbix (2017-63aca509fb)	Nessus	Fedora Local Security Checks	high
100615	Zabbix 2.0.x < 2.0.21 / 2.2.x < 2.2.18 / 3.0.x < 3.0.9 / 3.2.x < 3.2.5 Multiple Vulnerabilities	Nessus	CGI abuses	high

Detections

Analytics

CVE-2017-2824

high

Tenable Plugins

critical

high

high

high

high

high

high

high