CVE-2024-22120 - Zabbix Server Command Execution Vulnerability with SQL Injection in Client IP Field
Zabbix server is open-source software for monitoring applications and networks. It is designed to help system administrators and developers keep track of the performance, availability, and security of their systems. Zabbix server provides a script execution feature that lets administrators configure and run scripts to perform various tasks.
Recently, a security vulnerability (CVE-2024-22120) was discovered in Zabbix server that allows an attacker to perform command execution and inject SQL through the "clientip" field. The vulnerability is caused by insufficient input validation of the "clientip" value written to the "Audit Log." The exploit relies on the time-based blind SQL injection technique, making it possible for an attacker to gain unauthorized access and potentially cause significant damage to the system.
Code Snippet
The following code snippet demonstrates the SQL injection vulnerability in the "clientip" field in the "Audit Log":
-- INSERT INTO auditlog (clientip) VALUES ('192.168..1');
INSERT INTO auditlog (clientip) VALUES ('192.168..1 UNION SELECT SLEEP(5)-- ');
In this example, the attacker inserts an SQL query in the "clientip" field value (192.168..1) to perform a time-based blind SQL injection using the SLEEP function.
This vulnerability was initially reported and discussed in the following online sources:
1. Zabbix Official GitHub Repository: https://github.com/zabbix/zabbix
2. Zabbix Server Security Advisory: https://www.zabbix.com/cve-2024-22120
3. National Vulnerability Database (NVD) Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-22120
1. An attacker constructs a malicious SQL query that targets the "clientip" field in the "Audit Log".
2. The attacker injects the malicious SQL query into the "clientip" field by either initiating a new command execution or intercepting an existing one.
3. When the Zabbix server processes the malicious SQL query, it does not sanitize the input properly, resulting in the execution of the malicious query.
4. The attacker takes advantage of the time-based blind SQL injection technique to confirm the success of the injection and gather further information about the system.
Mitigation
To protect against CVE-2024-22120, the Zabbix developers have released patches and updates for affected versions. System administrators are advised to apply the latest Zabbix server updates and follow security best practices to ensure their systems are protected.
Additionally, input validation should be implemented for the "clientip" field in the "Audit Log" to prevent future SQL injection attacks. Proper input validation can help minimize the risk of similar vulnerabilities being exploited in the future.
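As an added example (not Zabbix's own code and not the snippet from this page), the following Python shows the two controls the mitigation paragraph calls for: validate the "clientip" value as an IPv4 or IPv6 address before it is stored, and hand it to the database as a bound parameter instead of splicing it into the SQL text. It uses an in-memory sqlite3 table as a stand-in for the Zabbix database; the table layout, the function names and the sample rows are constructed for illustration and do not reflect the real Zabbix schema. The scan function at the end goes a little beyond the text: it reviews rows already in the table and flags any "clientip" value that does not parse as an address, which is a cheap check for whether older audit entries look tampered with.

```python
"""
Hypothetical hardening of an audit-log "clientip" write path.
Assumptions (not from Zabbix): table name/columns, function names,
and the sample rows below are all constructed for this example.
"""
import ipaddress
import sqlite3
from typing import List, Optional, Tuple


def is_valid_client_ip(value: str) -> bool:
    """Return True only when value parses as an IPv4 or IPv6 address.

    Anything else (empty string, '192.168..1', a value carrying SQL
    keywords or quote characters) is rejected before it reaches the DB.
    """
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def open_audit_db() -> sqlite3.Connection:
    """Create a constructed, simplified auditlog table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auditlog ("
        "auditid INTEGER PRIMARY KEY AUTOINCREMENT, "
        "clientip TEXT NOT NULL)"
    )
    return conn


def record_audit_entry(conn: sqlite3.Connection, clientip: str) -> Optional[int]:
    """Validate clientip, then insert it with a bound parameter.

    Returns the new row id, or None when the value was rejected.
    The '?' placeholder means the driver sends the value as data, so the
    query text can never be changed by the content of clientip.
    """
    if not is_valid_client_ip(clientip):
        return None
    cur = conn.execute("INSERT INTO auditlog (clientip) VALUES (?)", (clientip,))
    conn.commit()
    return cur.lastrowid


def seed_legacy_rows(conn: sqlite3.Connection, values: List[str]) -> None:
    """Constructed stand-in for rows written before validation existed.

    Binding still stores each string literally; this only simulates data
    that an older, unvalidated write path might have left behind.
    """
    conn.executemany("INSERT INTO auditlog (clientip) VALUES (?)", [(v,) for v in values])
    conn.commit()


def find_suspicious_client_ips(conn: sqlite3.Connection) -> List[Tuple[int, str]]:
    """Detection pass: return (auditid, clientip) for rows that are not IP addresses."""
    rows = conn.execute("SELECT auditid, clientip FROM auditlog ORDER BY auditid").fetchall()
    return [(aid, ip) for aid, ip in rows if not is_valid_client_ip(ip)]


if __name__ == "__main__":
    db = open_audit_db()
    print("valid insert id:", record_audit_entry(db, "10.0.0.5"))
    print("rejected value ->", record_audit_entry(db, "192.168..1"))
    seed_legacy_rows(db, ["10.0.0.6", "192.168..1"])  # constructed sample rows
    print("suspicious rows:", find_suspicious_client_ips(db))
```

Running the block directly prints one accepted insert, one rejected value, and the single seeded row whose "clientip" is not an address. The validator is deliberately strict (no trimming, no CIDR ranges): an audit-log client address has exactly one legitimate shape, so anything that does not parse is better rejected and logged than stored.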
In conclusion, CVE-2024-22120 is a critical security vulnerability in Zabbix server that allows attackers to perform command execution and inject SQL into the "clientip" field. System administrators and developers should take immediate action to mitigate the risks associated with this vulnerability and ensure the security of their systems and networks.
Timeline
Published on: 05/17/2024 10:15:07 UTC
Last modified on: 06/04/2024 17:52:44 UTC