A new critical Remote Code Execution (RCE) vulnerability impacting Zabbix has been reported. It has been assigned the reference CVE-2024-22116 and a CVSS 3.1 score of 9.9. The Stormshield Customer Security Lab details our protection offerings.
This vulnerability impacts the following versions of the product:
- 4.0 to 6.4.15;
- 0.0 Alpha 1 to 7.0.0 RC2.
Initial attack vector of the Zabbix vulnerability
This vulnerability allows an administrator with limited permissions to achieve remote code execution on the Zabbix server. This could be used to deploy a remote shell in order to take control of the server, or to dump the passwords of all users of the platform.
Technical details of the Zabbix vulnerability
The underlying API of GeoServer does not include security checks on specific values of some parameters. This can lead to the interpretation of Java code sent through HTTP requests. This code is executed in the execution context of the GeoServer server.
Attack modelling with MITRE ATT&CK
MITRE ATT&CK
- T1068 (Exploitation for Privilege Escalation)
- T1203 (Exploitation for Client Execution)
CWE
- CWE-94 Improper Control of Generation of Code ('Code Injection')
How to protect against the Zabbix vulnerability with Stormshield Network Security
Protection against CVE-2024-22116
Stormshield Network Security (SNS) firewalls detect and block exploitation of CVE-2024-22116 with the following protocol inspection signature:
- http:client:data.180: Exploitation of an RCE in Zabbix (CVE-2024-22116)
Confidence index for the protection offered by Stormshield (rating not captured in this extraction)
Confidence index for the absence of false positives (rating not captured in this extraction)
Recommendations regarding the Zabbix vulnerability
It is recommended to update the Zabbix application to one of the following versions:
- 6.4.16 RC1 or above;
- 7.0.0 RC3 or above.
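The affected-version list and the recommended fixed releases above are the two facts a defender needs to triage an inventory of Zabbix installations. The following is an added example, not code from Stormshield or from the Zabbix project: it parses Zabbix-style version strings (including alpha, beta and RC pre-releases, which sort before the final release) and flags an installation as affected when it is older than the fixed release named for its branch, using the 4.0 lower bound and the 6.4.16 RC1 / 7.0.0 RC3 fix versions exactly as stated in this advisory. The version string formats ("6.4.15", "7.0.0rc2", "7.0.0 Alpha 1") and the sample inventory are constructed assumptions for illustration.

```python
import re
from typing import Dict, NamedTuple, Optional

# Pre-release ordering: alpha < beta < rc < final release.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

# Assumed Zabbix version formats: "6.4.15", "7.0.0rc2", "7.0.0 Alpha 1".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:(alpha|beta|rc)\s*(\d+))?\s*$",
    re.IGNORECASE,
)


class ZabbixVersion(NamedTuple):
    """Tuple ordering gives correct comparison, pre-releases included."""
    major: int
    minor: int
    patch: int
    pre_rank: int  # 3 for a final release, lower for alpha/beta/rc
    pre_num: int   # alpha/beta/rc number, 0 for a final release


def parse_version(text: str) -> ZabbixVersion:
    """Parse a Zabbix version string into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    major, minor, patch, pre_tag, pre_num = m.groups()
    if pre_tag is None:
        return ZabbixVersion(int(major), int(minor), int(patch or 0), _FINAL_RANK, 0)
    return ZabbixVersion(int(major), int(minor), int(patch or 0),
                         _PRE_RANK[pre_tag.lower()], int(pre_num))


# Fixed releases named in the advisory, one per branch.
FIX_64 = parse_version("6.4.16rc1")
FIX_70 = parse_version("7.0.0rc3")
# Lower bound of the affected range for the older branch, as stated (4.0).
AFFECTED_OLD_START = parse_version("4.0.0")


def is_affected(text: str) -> bool:
    """True when the installed version predates the fix for its branch."""
    v = parse_version(text)
    if v.major >= 7:
        return v < FIX_70
    return AFFECTED_OLD_START <= v < FIX_64


def recommended_fix(text: str) -> Optional[str]:
    """Minimum release to move to, or None if already fixed/out of range."""
    if not is_affected(text):
        return None
    return "7.0.0rc3" if parse_version(text).major >= 7 else "6.4.16rc1"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> action, for an inventory of host -> version."""
    result = {}
    for host, version in inventory.items():
        fix = recommended_fix(version)
        result[host] = f"update to {fix} or later" if fix else "not affected"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions).
    sample = {
        "zbx-prod-01": "6.4.15",
        "zbx-prod-02": "6.4.16",
        "zbx-lab-01": "7.0.0rc2",
        "zbx-lab-02": "7.0.0 Alpha 1",
        "zbx-new-01": "7.0.0",
    }
    for host, action in triage(sample).items():
        print(f"{host}: {action}")
```

Pre-release handling is the part worth getting right: a naive string or float comparison would rank "7.0.0rc2" above "7.0.0", whereas the tuple ordering used here places every alpha, beta and RC build below the corresponding final release, so 7.0.0 RC2 is correctly reported as affected and 7.0.0 as fixed.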