Zabbix is a widely used open-source software that monitors various IT components, including networks, servers, and applications. Unfortunately, a recently discovered security vulnerability (CVE-2024-36465) affects Zabbix, potentially allowing a low privilege user with API access to execute arbitrary SQL commands through a SQL injection vulnerability found in the CApiService.php file.
This post will delve into the details of this vulnerability, along with how it may be exploited. We'll also provide a code snippet and links to original references to better understand and mitigate this issue.
Vulnerability Details
CVE-2024-36465 affects the file include/classes/api/CApiService.php within certain versions of Zabbix, creating a SQL injection vulnerability. In particular, the groupBy parameter may be exploited by a low privilege (regular) Zabbix user with API access to execute arbitrary SQL commands.
The vulnerability arises from improper sanitization of user-supplied data, allowing an attacker to manipulate the underlying SQL query and consequently gain unauthorized access to data, modify or corrupt it, or even execute commands on the backend database.
Exploit Details
To exploit this vulnerability, an attacker must first have a low privilege (regular) Zabbix user account with API access. The attacker can then craft a malicious API request that includes the SQL injection payload in the groupBy parameter.
Here's an example code snippet that demonstrates how the vulnerability may be exploited:

<?php
// Assuming $params contains user-supplied request data; the groupBy value is
// what reaches the SQL query without adequate sanitization.
$params = [
    'groupBy' => "1;-- SQL INJECTION PAYLOAD GOES HERE",
];
$apiServiceObj = new CApiService();
$result = $apiServiceObj->get($params);
An attacker may use various techniques, such as string concatenation, typecasting, or function calls, to craft a SQL injection payload that manipulates the original SQL query, ultimately allowing the execution of arbitrary SQL commands.
Original References
- Zabbix Official Security Advisory
- CVE-2024-36465 Details
- Zabbix API documentation
To mitigate this vulnerability, Zabbix users should:
1. Upgrade to a patched version of Zabbix. Check the Zabbix Official Security Advisory for the specific versions that have been patched and are not affected by CVE-2024-36465.
2. Limit API access to only trusted users or applications, and minimize the privileges granted to these users or applications.
3. Perform proper input validation and sanitization on all user-supplied data, especially any data passed to an API.
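As an added illustration of the third point (example code written for this post, not Zabbix's own code), the following PHP 8 snippet contrasts concatenating a groupBy value straight into SQL with an allow-list check; the class name, function names and column names are assumptions. Because a column identifier cannot be bound as a query parameter, exact-match allow-listing is the appropriate control rather than escaping.

```php
<?php
// Added example, not Zabbix's own code: allow-list validation for a
// groupBy parameter before it reaches a GROUP BY clause. The class name,
// function names and column names are assumptions for illustration.

/** Vulnerable pattern: request text is concatenated straight into SQL. */
function buildGroupByUnsafe(string $userGroupBy): string
{
    return 'SELECT hostid, COUNT(*) FROM hosts GROUP BY ' . $userGroupBy;
}

final class GroupByValidator
{
    /** @param string[] $allowedColumns exact column names the API may group by */
    public function __construct(private array $allowedColumns) {}

    /**
     * Accepts a string or an array of column names from the request and
     * returns the de-duplicated list, or throws if any entry is not an
     * exact (strict, case-sensitive) member of the allow-list.
     */
    public function validate(mixed $groupBy): array
    {
        $columns = is_array($groupBy) ? $groupBy : [$groupBy];
        foreach ($columns as $col) {
            if (!is_string($col) || !in_array($col, $this->allowedColumns, true)) {
                throw new InvalidArgumentException('Invalid groupBy value: ' . var_export($col, true));
            }
        }
        return array_values(array_unique($columns));
    }

    /** Hardened pattern: only allow-listed identifiers ever reach the SQL text. */
    public function buildGroupBySafe(mixed $groupBy): string
    {
        $cols = $this->validate($groupBy);
        return 'SELECT ' . implode(', ', $cols) . ', COUNT(*) FROM hosts GROUP BY ' . implode(', ', $cols);
    }
}

// Constructed sample inputs: legitimate columns and an injection-style string.
$validator = new GroupByValidator(['hostid', 'name', 'status']);
echo $validator->buildGroupBySafe(['hostid', 'status']), PHP_EOL;
echo buildGroupByUnsafe("1;-- payload"), PHP_EOL;   // tainted text ends up in the query
try {
    $validator->buildGroupBySafe("1;-- payload");
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;   // the same input is refused
}
```

Rejected values are also worth logging with the calling user and request id, since a burst of malformed groupBy values from one low-privilege API account is a useful detection signal.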
Conclusion
CVE-2024-36465 is a critical vulnerability that may allow a low privilege Zabbix user with API access to execute arbitrary SQL commands via a SQL injection vulnerability in CApiService.php. To protect your Zabbix installation from this vulnerability, it's essential to upgrade to a patched version, limit API access, perform necessary input validation, and closely monitor the logs.
Timeline
Published on: 04/02/2025 06:15:34 UTC
Last modified on: 04/02/2025 14:58:07 UTC