CVE-2024-42331 - Heap Use-After-Free Vulnerability in Zabbix Server Duktape JavaScript Engine

This blog post aims to dissect a crucial security vulnerability (CVE-2024-42331) that can be exploited in the popular open-source monitoring software Zabbix. Specifically, a heap use-after-free bug was discovered in Zabbix Server's embedded Duktape JavaScript engine. This vulnerability can lead to severe security issues, including both denial of service (DoS) attacks and the potential execution of arbitrary code.

Before moving ahead, let's trace the origin of the bug and explore the exact location in the source code where the vulnerability lies.

Vulnerability Origin

The vulnerability (CVE-2024-42331) was found in the following source code file and method of Zabbix's src/libs/zbxembed/:

This method is responsible for retrieving a heap pointer from the Duktape JavaScript engine:

void es_browser_ctor(zbx_es_browser_t *browser, zbx_es_script_t *script, zbx_es_env_t *env, zbx_es_wd_t *wd, zbx_es_debug_t *debug)
{
    //...
    /* store the browser's heap pointer in the task's wd structure (a back-pointer that outlives nothing by itself) */
    wd->browser = browser;
    //...
}

The es_browser_ctor() function stores the pointer to the task's browser in the task's wd (window descriptor) structure.

The vulnerability occurs during the interaction between the es_browser_ctor() method and the browser_push_error() method of src/libs/zbxembed/browser_error.c.

Vulnerability Details

The use-after-free bug occurs when the wd->browser heap pointer is freed by garbage collection. This error can potentially crash the Zabbix Server or serve as an entry point for arbitrary code execution.

Furthermore, the browser's pointer is set to NULL after being freed:

static void browser_push_error(zbx_es_wd_t *wd, const char *msg)
{
    /* wd->browser may already refer to memory the garbage collector has released */
    zbx_es_browser_t *browser = wd->browser;

    /* this only catches a pointer that was explicitly cleared, not a dangling one */
    if (NULL == browser)
        return;

    //...
}

This check for NULL is insufficient protection, as the heap pointer has already been freed, leading to a use-after-free vulnerability.
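As an added illustration (not code from Zabbix or from the original post), the back-pointer pattern described above in a hypothetical, simplified model: the NULL check in browser_push_error() can only protect if the owner's wd->browser is cleared when the browser object is finalized. The structure definitions, the browser_finalize_* variants and the demo_* helpers are assumptions made for this demonstration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-ins for the Zabbix structures (not the real definitions). */
typedef struct zbx_es_wd zbx_es_wd_t;
typedef struct { zbx_es_wd_t *wd; char last_error[64]; } zbx_es_browser_t; /* wd = owner */
struct zbx_es_wd { zbx_es_browser_t *browser; };  /* the wd->browser back-pointer from the page */

/* Wires the back-pointer the way es_browser_ctor() does. */
static zbx_es_browser_t *browser_ctor(zbx_es_wd_t *wd) {
    zbx_es_browser_t *b = calloc(1, sizeof(*b));
    if (NULL != b) { b->wd = wd; wd->browser = b; }
    return b;
}

/* Defective pattern: the collector releases the object but wd->browser keeps the stale address. */
static void browser_finalize_unsafe(zbx_es_browser_t *b) { free(b); }

/* Hardened pattern: break the back-link before releasing the memory, so the
   NULL check in browser_push_error() sees NULL instead of a dangling pointer. */
static void browser_finalize_safe(zbx_es_browser_t *b) {
    if (NULL == b) return;
    if (NULL != b->wd && b->wd->browser == b) b->wd->browser = NULL;
    free(b);
}

/* Mirrors browser_push_error(): returns 1 if it wrote into the browser, 0 if it bailed out. */
static int browser_push_error(zbx_es_wd_t *wd, const char *msg) {
    zbx_es_browser_t *browser = wd->browser;
    if (NULL == browser) return 0;            /* only catches an explicitly cleared pointer */
    snprintf(browser->last_error, sizeof(browser->last_error), "%s", msg);
    return 1;
}

/* Returns 1: after hardened finalization the check fires and push_error is a safe no-op. */
static int demo_hardened(void) {
    zbx_es_wd_t wd = { NULL };
    browser_finalize_safe(browser_ctor(&wd));
    return NULL == wd.browser && 0 == browser_push_error(&wd, "timeout");
}

/* Returns 1: after the defective finalization wd->browser still holds the freed address
   (only compared, never dereferenced), so the NULL check could not have protected it. */
static int demo_dangling(void) {
    zbx_es_wd_t wd = { NULL };
    browser_finalize_unsafe(browser_ctor(&wd));
    return NULL != wd.browser;
}
```

Running the defective path under AddressSanitizer with a real call to browser_push_error() after the free is the quickest way to confirm that a NULL check alone does not stop the stale access.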

To exploit this vulnerability, an attacker must take advantage of memory chunk reuse: the Duktape engine's memory manager can satisfy subsequent allocations by reusing memory chunks from the heap cache, so the freed browser object's memory may be handed out again while wd->browser still points at it.

Mitigation

To prevent exploitation of this vulnerability, it is necessary to ensure that the wd->browser heap pointer is not prematurely freed by garbage collection. Developers should review their memory management implementation and apply patches as necessary.

Until a patched version is available, administrators should monitor their Zabbix environment and make sure to update their installations as soon as a fixed version is released.

Conclusion

CVE-2024-42331 is a critical use-after-free vulnerability in the Zabbix Server's Duktape JavaScript engine, which can lead to server crashes, denial of service attacks, and potentially arbitrary code execution. Keeping server software up-to-date and applying the necessary security patches can help prevent the exploitation of this vulnerability. Zabbix administrators should keep a close watch on their installations and apply any fixes promptly to maintain the security and integrity of their monitoring systems.

Timeline

Published on: 11/27/2024 12:15:21 UTC