Zabbix Addresses Multiple Vulnerabilities, Including RCE Flaw CVE-2024-36461 (CVSS 9.1)
Zabbix, the widely used open-source monitoring solution, has released a series of security updates addressing critical vulnerabilities, most notably CVE-2024-36461, which carries a CVSS score of 9.1. This vulnerability allows a user with limited access to a single item configuration within Zabbix to gain control over the entire monitoring infrastructure through remote code execution.
The flaw lies in the JavaScript engine that Zabbix embeds for scripting such as item preprocessing: memory pointers inside the engine are directly reachable from script code and can be modified, so a low-privileged user who can edit one item's configuration gets a path to code execution on the Zabbix server. Successful exploitation could result in a complete compromise of the Zabbix platform and the systems it monitors, potentially leading to data breaches, service disruptions, and further attacks.
This finding represents a continuation of previously identified security issues in Zabbix’s JavaScript engine.
Affected Versions and Remediation
Zabbix versions 6.0.0 to 6.0.30, 6.4.0 to 6.4.15, and 7.0.0alpha1 to 7.0.0 are affected. Users are strongly advised to update their Zabbix installations to the latest fixed versions: 6.0.31rc1, 6.4.16rc1, or 7.0.1rc1, respectively.
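The affected ranges above include pre-release builds ("7.0.0alpha1 to 7.0.0") and the fixes are themselves release candidates ("6.0.31rc1"), so a plain string or float comparison will misclassify installations. The following checker is an added example, not code from Zabbix or from the original article: it parses Zabbix's X.Y.Z[alpha|beta|rc N] version strings with correct pre-release ordering and maps a version to the advisory's fixed release. The `version_from_binary_output` helper assumes the `zabbix_server -V` output format `zabbix_server (Zabbix) X.Y.Z`; the sample outputs at the bottom are constructed for illustration.

```python
"""Classify Zabbix server versions against the CVE-2024-36461 affected ranges.

Added example (not Zabbix project code). Ranges are taken from the advisory:
6.0.0-6.0.30, 6.4.0-6.4.15 and 7.0.0alpha1-7.0.0 are affected; the fixed
releases are 6.0.31rc1, 6.4.16rc1 and 7.0.1rc1.
"""
import re
from typing import List, Optional, Tuple

# Pre-release stages in ascending order. A final release (no suffix) must sort
# above every pre-release of the same X.Y.Z, so it gets the highest rank.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$")

# Assumed format of `zabbix_server -V` / `zabbix_proxy -V` first line:
#   zabbix_server (Zabbix) 6.0.30
_BINARY_RE = re.compile(r"\(Zabbix\)\s+(\S+)")

VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Turn '7.0.0rc2' into a tuple that compares correctly with tuple ordering.

    '7.0.0alpha1' < '7.0.0beta1' < '7.0.0rc1' < '7.0.0' < '7.0.1rc1' < '7.0.1'
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, _FINAL_RANK, 0)
    return (major, minor, patch, _STAGE_RANK[m.group(4)], int(m.group(5)))


# (first affected, last affected, first fixed) for each branch in the advisory.
AFFECTED_RANGES: List[Tuple[str, str, str]] = [
    ("6.0.0", "6.0.30", "6.0.31rc1"),
    ("6.4.0", "6.4.15", "6.4.16rc1"),
    ("7.0.0alpha1", "7.0.0", "7.0.1rc1"),
]


def check_cve_2024_36461(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_version_to_upgrade_to).

    Versions outside the three listed branches (for example 5.0 LTS or 6.2)
    come back as not affected only because the advisory does not list them;
    treat such results as "not covered by this advisory", not as "safe".
    """
    v = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if parse_version(first) <= v <= parse_version(last):
            return True, fixed
    return False, None


def version_from_binary_output(output: str) -> str:
    """Extract the version from `zabbix_server -V` style output (assumed format)."""
    m = _BINARY_RE.search(output)
    if not m:
        raise ValueError("no '(Zabbix) <version>' token found in output")
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample outputs, as a fleet inventory script might collect them.
    samples = {
        "mon-01": "zabbix_server (Zabbix) 6.0.30\nRevision deadbeef 1 January 2024",
        "mon-02": "zabbix_server (Zabbix) 6.0.31rc1\nRevision cafebabe 1 July 2024",
        "mon-03": "zabbix_server (Zabbix) 7.0.0rc2\nRevision feedface 1 June 2024",
        "mon-04": "zabbix_server (Zabbix) 7.0.1\nRevision c0ffee00 1 August 2024",
    }
    for host, out in samples.items():
        ver = version_from_binary_output(out)
        affected, fixed = check_cve_2024_36461(ver)
        status = f"AFFECTED, upgrade to {fixed}" if affected else "not affected"
        print(f"{host}: {ver} -> {status}")
```

The point of the tuple key is the fourth element: a final release ranks above every alpha, beta or rc of the same patch number, which is what makes "7.0.0alpha1 to 7.0.0" cover every 7.0.0 pre-release and the GA build while leaving 7.0.1rc1 outside the range.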
In response to the discovery of CVE-2024-36461, the Zabbix Team has released an update that not only addresses this critical issue but also patches several other vulnerabilities of varying severity:
- CVE-2024-22121 (CVSS 6.1): A privilege escalation flaw that could allow non-admin users to gain unauthorized access to critical system functions.
- CVE-2024-22122 (CVSS 3.0): A command injection vulnerability that could enable attackers to execute arbitrary commands on the underlying system.
- CVE-2024-22123 (CVSS 2.7): An arbitrary file read issue that could expose sensitive data.
- CVE-2024-22114 (CVSS 4.3): An information disclosure flaw that could reveal confidential information about monitored hosts.
- CVE-2024-36460 (CVSS 8.1): The front-end audit log shows passwords in plaintext.
- CVE-2024-36462 (CVSS 7.5): An uncontrolled resource consumption vulnerability that could be exploited for denial-of-service attacks.
Recommendations
Given the severity of these vulnerabilities, immediate action is crucial. Zabbix users, particularly those managing critical infrastructure, are urged to prioritize patching their systems.
Organizations should also review their access control policies and ensure that users are granted only the privileges they need for their tasks. This principle of least privilege helps to contain the impact of a compromise, and it matters here in particular: CVE-2024-36461 requires nothing more than the ability to edit a single item's configuration, so every account holding that right is a potential path to full control of the monitoring infrastructure until the patch is applied.