Debian DLA-3538-1 : zabbix - LTS security update

critical Nessus Plugin ID 180038

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3538 advisory.

- Zabbix before 5.0 represents passwords in the users table with unsalted MD5. (CVE-2013-7484)

- An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin. (CVE-2019-17382)

- Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be prevented from being disclosed. An attacker can bypass this protection and access the instance using IP address not listed in the defined range. (CVE-2022-43515)

- JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user zabbix) on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data. (CVE-2023-29450)

- Specially crafted string can cause a buffer overrun in the JSON parser library leading to a crash of the Zabbix Server or a Zabbix Proxy. (CVE-2023-29451)

- Stored or persistent cross-site scripting (XSS) is a type of XSS where the attacker first sends the payload to the web application, then the application saves the payload (e.g., in a database or server-side text files), and finally, the application unintentionally executes the payload for every victim visiting its web pages. (CVE-2023-29454)

- Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off a web application to the victim's browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts. (CVE-2023-29455)

- URL validation scheme receives input from a user and then parses it to identify its various components.
The validation scheme can ensure that all URL components comply with internet standards. (CVE-2023-29456)

- Reflected XSS attacks, occur when a malicious script is reflected off a web application to the victim's browser. The script can be activated through Action form fields, which can be sent as request to a website with a vulnerability that enables execution of malicious scripts. (CVE-2023-29457)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the zabbix packages.

For Debian 10 buster, these problems have been fixed in version 1

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026847

https://security-tracker.debian.org/tracker/source-package/zabbix

https://www.debian.org/lts/security/2023/dla-3538

https://security-tracker.debian.org/tracker/CVE-2013-7484

https://security-tracker.debian.org/tracker/CVE-2019-17382

https://security-tracker.debian.org/tracker/CVE-2022-43515

https://security-tracker.debian.org/tracker/CVE-2023-29450

https://security-tracker.debian.org/tracker/CVE-2023-29451

https://security-tracker.debian.org/tracker/CVE-2023-29454

https://security-tracker.debian.org/tracker/CVE-2023-29455

https://security-tracker.debian.org/tracker/CVE-2023-29456

https://security-tracker.debian.org/tracker/CVE-2023-29457

Plugin Details

Severity: Critical

ID: 180038

File Name: debian_DLA-3538.nasl

Version: 1.1

Type: local

Agent: unix

Published: 8/22/2023

Updated: 1/16/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2019-17382

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2022-43515

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:zabbix

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/22/2023

Vulnerability Publication Date: 10/9/2019

Reference Information

CVE: CVE-2013-7484, CVE-2019-17382, CVE-2022-43515, CVE-2023-29450, CVE-2023-29451, CVE-2023-29454, CVE-2023-29455, CVE-2023-29456, CVE-2023-29457