Bug 7277 - zabbix new security issue CVE-2012-3435
: zabbix new security issue CVE-2012-3435
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/514538/
: MGA2-64-OK MGA2-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-08-31 21:41 CEST by David Walser
Modified: 2012-12-31 23:22 CET (History)
5 users (show)

See Also:
Source RPM: zabbix-1.8.11-2.mga2.src.rpm
CVE:
Status comment:


Attachments
zabbix-1.8.2-CVE-2012-3435.patch (860 bytes, patch)
2012-09-06 22:44 CEST, David Walser
Details | Diff
POC python script with indenting fixed. (2.17 KB, text/plain)
2012-12-30 21:51 CET, Dave Hodgins
Details

Description David Walser 2012-08-31 21:41:10 CEST
Fedora has issued an advisory on August 22:
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085844.html

Mageia 2 is also affected.
Comment 1 David Walser 2012-09-06 22:44:14 CEST
Created attachment 2762 [details]
zabbix-1.8.2-CVE-2012-3435.patch

Debian has issued an advisory for this today (September 6):
http://www.debian.org/security/2012/dsa-2539

Interestingly, they haven't fixed it yet in wheezy, which has the same zabbix version we do (1.8.11).

Also, the patch they used is different than the suggested patch for 1.8.x linked by RedHat (which is here):
https://gist.github.com/3181678

I've attached Debian's patch for 1.8.2.
Comment 2 David Walser 2012-12-21 01:54:58 CET
An update has been uploaded for Mageia 2 by Dimitri.

This can be assigned to QA when he confirms it's ready and it's been updated in Cauldron too.

Packages built:
zabbix-1.8.15-1.mga2
zabbix-agent-1.8.15-1.mga2
zabbix-web-1.8.15-1.mga2

from zabbix-1.8.15-1.mga2.src.rpm
Comment 3 Dimitri Jakov 2012-12-21 06:07:53 CET
David,

I'm working on Zabbix 2.0.4 package now (for inclusion into Mageia 3), and it's going to take some time. I think there is no need for Mga2 update to wait, so it can be pushed now.
Comment 4 David Walser 2012-12-21 14:23:45 CET
Ahh yes, I remember you telling me that on IRC now.  Thanks Dimitri!

Assigning to QA.

Advisory:
========================

Updated zabbix packages fix security vulnerability:

SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix
1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to
execute arbitrary SQL commands via the itemid parameter (CVE-2012-3435).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3435
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085844.html
========================

Updated packages in core/updates_testing:
========================
zabbix-1.8.15-1.mga2
zabbix-agent-1.8.15-1.mga2
zabbix-web-1.8.15-1.mga2

from zabbix-1.8.15-1.mga2.src.rpm
Comment 5 claire robinson 2012-12-21 17:55:18 CET
Possible PoC: http://www.exploit-db.com/exploits/20087/
Comment 6 claire robinson 2012-12-21 17:58:23 CET
PoC seems unrelated but is linked from the zabbix bug 

https://support.zabbix.com/browse/ZBX-5348
Comment 7 claire robinson 2012-12-21 18:01:47 CET
Same PoC found at: http://www.securityfocus.com/bid/54661/exploit
Comment 8 claire robinson 2012-12-21 18:33:32 CET
Before
------
Installed zabbix & zabbix-web, browsed to http://localhost/zabbix and created the db with phpmyadmin.

It's necessary to chmod 777 /usr/share/zabbix/conf to allow it to save the config file. chmod back to 755 afterwards.

After completing the web based installation successfully when it moves on to the login page it shows alot of mysql errors at the top of the page. Checking with phpmyadmin shows the zabbix db is empty, despite the connection test succeeding. Tried also with skip-networking disabled.

# systemctl start zabbix.service

started OK

Not sure how to proceed. I'll test with the updated packages.
Comment 9 claire robinson 2012-12-21 18:37:01 CET
Same problem with updated packages

Testing was mga2 32 btw
Comment 10 Dimitri Jakov 2012-12-21 18:46:51 CET
(In reply to comment #8)

> After completing the web based installation successfully when it moves on to
> the login page it shows alot of mysql errors at the top of the page.

Claire,

Have you created database structure and performed initial population? You will need to manually execute 3 SQL scripts for that. Please see http://www.zabbix.com/documentation/1.8/manual/installation (4.3 Zabbix Server, Step 3).

SQL scripts are shipped in /usr/share/doc/zabbix/create directory.
Comment 11 claire robinson 2012-12-21 18:52:58 CET
Thanks Dimitri, that was quick :)
Comment 12 Dimitri Jakov 2012-12-21 19:26:11 CET
The package has been updated to include a short READMI.urpmi clarifying that one needs to run SQL scripts manually to complete Zabbix installation.
Comment 13 claire robinson 2012-12-21 19:28:35 CET
Thanks Dimitri!

New srpm zabbix-1.8.15-2.mga2
Comment 14 David Walser 2012-12-21 19:28:47 CET
Thanks Dimitri.

Reposting the advisory with the updated package version.

Advisory:
========================

Updated zabbix packages fix security vulnerability:

SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix
1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to
execute arbitrary SQL commands via the itemid parameter (CVE-2012-3435).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3435
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085844.html
========================

Updated packages in core/updates_testing:
========================
zabbix-1.8.15-2.mga2
zabbix-agent-1.8.15-2.mga2
zabbix-web-1.8.15-2.mga2

from zabbix-1.8.15-2.mga2.src.rpm
Comment 15 Manuel Hiebel 2012-12-21 23:34:05 CET
*** Bug 8458 has been marked as a duplicate of this bug. ***
Comment 16 Dave Hodgins 2012-12-30 20:34:46 CET
In http://127.0.0.1/zabbix/setup.php, I'm getting a message
date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for 'EST/-5.0/no DST' instead [include/page_header.php:145]

Also, in the "Check of pre-requisites", I'm getting a fail on
PHP timezone

The php-timezonedb package is installed, so I'm not sure what's needed
to fix these problems.
Comment 17 Dave Hodgins 2012-12-30 20:39:04 CET
Ignore Comment 16.  Figured out I had to set the date.timezone in
/etc/php.ini
Comment 18 Dave Hodgins 2012-12-30 20:51:30 CET
On the login screen, I'm now getting an error
include(): Failed opening 'schema.inc.php' for inclusion (include_path='.:/usr/lib/php/:/usr/share/pear/:/usr/share/php/') [.php:1163]

I've manually added  /usr/share/zabbix/include/ to the include_path
in /etc/php.ini to get rid of that error.

(I'm still working with the Core Release version, to see if I can get the
poc to work).
Comment 19 Dave Hodgins 2012-12-30 21:14:42 CET
Found out the db user/password have to be set in /etc/zabbix/zabbix_server.conf,
as well as in the web interface.
Comment 20 Dave Hodgins 2012-12-30 21:51:01 CET
Created attachment 3302 [details]
POC python script with indenting fixed.

After fixing the indentation of the POC script, so that it'll at least run,
the output with the Core Release version is
$ python zabbix.test.py

[*] Zabbix 2.0.1 Session Extractor 0day
[*] http://www.offensive-security.com
##################################

[*] Searching sessions belonging to id 1

And that's it.  I'll install the update now, and see if there's any difference.
Comment 21 Dave Hodgins 2012-12-30 22:11:18 CET
No difference after updating, but it looks to me like the poc is not valid.

As this is a security update, and the packages are working, on both i586
and x86-64, I'll go ahead and validate the update.

Could someone from the sysadmin team push the srpm
zabbix-1.8.15-2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated zabbix packages fix security vulnerability:

SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix
1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to
execute arbitrary SQL commands via the itemid parameter (CVE-2012-3435).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3435
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085844.html

https://bugs.mageia.org/show_bug.cgi?id=7277
Comment 22 Thomas Backlund 2012-12-31 23:22:21 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0370

Note You need to log in before you can comment on or make changes to this bug.