Debian Bug report logs - #471678
zabbix: CVE-2008-1353 local or remote DoS for authenticated hosts
Reported by: Nico Golde <nion@debian.org>
Date: Wed, 19 Mar 2008 14:03:04 UTC
Severity: grave
Tags: security
Fixed in version zabbix/1:1.4.5-1
Done: Michael Ablassmeier <abi@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Zabbix Maintainers <kobold-zabbix@debian.org>: Bug#471678; Package zabbix.
Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded. Copy sent to Zabbix Maintainers <kobold-zabbix@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: zabbix
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for zabbix.
CVE-2008-1353[0]:
| zabbix_agentd in ZABBIX 1.4.4 allows remote attackers to cause a
| denial of service (CPU and connection consumption) via multiple
| vfs.file.cksum commands with a special device node such as
| /dev/urandom or /dev/zero.
This should just work for authenticated hosts or hosts with
a spoofed IP address. However from what I see this is also
useable for local users.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1353
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Zabbix Maintainers <kobold-zabbix@debian.org>: Bug#471678; Package zabbix.
Acknowledgement sent to Michael Ablassmeier <abi@grinser.de>: Extra info received and forwarded to list. Copy sent to Zabbix Maintainers <kobold-zabbix@debian.org>.
Message #10 received at 471678@bugs.debian.org:
hi,
On Wed, Mar 19, 2008 at 03:01:49PM +0100, Nico Golde wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for zabbix.
>
> CVE-2008-1353[0]:
> | zabbix_agentd in ZABBIX 1.4.4 allows remote attackers to cause a
> | denial of service (CPU and connection consumption) via multiple
> | vfs.file.cksum commands with a special device node such as
> | /dev/urandom or /dev/zero.
>
> This should just work for authenticated hosts or hosts with
> a spoofed IP address. However from what I see this is also
> useable for local users.
thanks for your report, this issue has been reported to upstream
(ZBX-328) but no patch so far. Waiting for a patch ..
bye,
- michael
Information forwarded to debian-bugs-dist@lists.debian.org, Zabbix Maintainers <kobold-zabbix@debian.org>: Bug#471678; Package zabbix.
Acknowledgement sent to Michael Ablassmeier <abi@grinser.de>: Extra info received and forwarded to list. Copy sent to Zabbix Maintainers <kobold-zabbix@debian.org>.
Message #15 received at 471678@bugs.debian.org:
hi,
see upstream's response.
----- Forwarded message from "Alexei Vladishev (ZABBIX Support)" <support@zabbix.com> -----
From: "Alexei Vladishev (ZABBIX Support)" <support@zabbix.com>
Date: Tue, 25 Mar 2008 16:31:18 +0200 (EET)
To: abi@debian.org
Subject: [ZABBIX] Closed: (ZBX-328) Possible DoS against zabbix-agentd
[ https://support.zabbix.com/browse/ZBX-328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexei Vladishev closed ZBX-328.
--------------------------------
Resolution: Fixed
The problem was fixed a couple of months ago. Please wait for 1.4.5. It will be released this week.
Alexei
> Possible DoS against zabbix-agentd
> ----------------------------------
>
> Key: ZBX-328
> URL: https://support.zabbix.com/browse/ZBX-328
> Project: ZABBIX
> Issue Type: Bug
> Components: Agent (Unix)
> Environment: Debian etch, kernel 2.6.18, Intel(R) Pentium(R) 4 CPU 2.80GHz
> Reporter: Milen Rangelov
> Assignee: Alexei Vladishev
>
> An authorized host can cause the zabbix_agentd to hang, overconsuming CPU resources.
> This can be triggered by sending the agent a file checksum request (vfs.file.cksum[file]) with file argument being some "special" device file like /dev/zero or /dev/urandom (the latter raises kernel CPU usage even more).
> If the malicious user sends <number_of_zabbix_agentd_children> requests, then the zabbix_agentd service will not be able to serve any requests until it's restarted.
> Here's an example session:
> ------------
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [1] 24429
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [2] 24431
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [3] 24433
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [4] 24435
> ...and some output from top:
> <snip>
> Tasks: 183 total, 5 running, 178 sleeping, 0 stopped, 0 zombie
> Cpu(s): 2.0%us, 97.0%sy, 1.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
> <snip>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 24381 zabbix 30 5 5056 1032 768 R 65 0.1 4:16.01 zabbix_agentd
> 24382 zabbix 30 5 5068 1044 776 R 50 0.1 4:12.18 zabbix_agentd
> 24380 zabbix 30 5 5068 1044 776 R 50 0.1 4:01.24 zabbix_agentd
> 24379 zabbix 30 5 5056 1036 772 R 31 0.1 4:08.24 zabbix_agentd
> ------------------------
> zabbix_agentd accepts new connections, but does not serve them.
> The malicious user needs to connect from an authorized host, but it's not so hard to spoof it if he's on the same ethernet segment as the host running the zabbix_agent.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://support.zabbix.com/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
----- End forwarded message -----
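The forwarded report describes vfs.file.cksum reading device nodes that never return end-of-file. As an added example (not Zabbix code and not the 1.4.5 fix, which this log does not show), one defensive pattern is to open the path, confirm on the descriptor that it is a regular file within a size cap, and only then read. `safe_file_cksum`, `MAX_CKSUM_BYTES` and the rotate-xor sum are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_CKSUM_BYTES (64u * 1024 * 1024) /* assumed policy cap, not a Zabbix setting */
/* Hypothetical helper: checksum `path` only if it is a regular file within the cap.
 * Returns 0 and stores the sum in *out, or -1 if the path is refused or unreadable. */
int safe_file_cksum(const char *path, uint32_t *out)
{
    /* O_NONBLOCK keeps open() from hanging on a FIFO that has no writer. */
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return -1;
    /* fstat() the descriptor, not the path, so the check cannot be raced. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_size > (off_t)MAX_CKSUM_BYTES) {
        close(fd);
        errno = EINVAL; /* /dev/zero and /dev/urandom end up here (S_ISCHR) */
        return -1;
    }
    unsigned char buf[4096];
    uint32_t sum = 0;
    uint64_t total = 0;
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        total += (uint64_t)n;
        if (total > MAX_CKSUM_BYTES) break; /* file grew past the cap while being read */
        /* Rotate-xor sum: a stand-in, not the agent's checksum algorithm. */
        for (ssize_t i = 0; i < n; i++)
            sum = ((sum << 1) | (sum >> 31)) ^ buf[i];
    }
    close(fd);
    if (n < 0 || total > MAX_CKSUM_BYTES)
        return -1;
    *out = sum;
    return 0;
}

int main(int argc, char **argv)
{
    /* Device nodes named in the report, plus this binary as a regular file. */
    const char *paths[] = { "/dev/zero", "/dev/urandom", argc > 0 ? argv[0] : "." };
    uint32_t sum;
    for (int i = 0; i < 3; i++)
        printf("%s: %s\n", paths[i], safe_file_cksum(paths[i], &sum) == 0 ? "checksummed" : "refused");
    return 0;
}
```

The file-type check bounds the work per request; it does not replace restricting which hosts may query the agent.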
Information forwarded to debian-bugs-dist@lists.debian.org, Zabbix Maintainers <kobold-zabbix@debian.org>: Bug#471678; Package zabbix.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Zabbix Maintainers <kobold-zabbix@debian.org>.
Message #20 received at 471678@bugs.debian.org:
Hi Michael,
* Michael Ablassmeier <abi@grinser.de> [2008-03-25 16:25]:
> On Wed, Mar 19, 2008 at 03:01:49PM +0100, Nico Golde wrote:
[...]
> > This should just work for authenticated hosts or hosts with
> > a spoofed IP address. However from what I see this is also
> > useable for local users.
>
> thanks for your report, this issue has been reported to upstream
> (ZBX-328) but no patch so far. Waiting for a patch ..
I also already contacted them for a patch. They told me they
will do a new release this week that fixes the issue and it
is already fixed in the beta version.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Reply sent to Michael Ablassmeier <abi@debian.org>: You have taken responsibility.
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer.
Message #25 received at 471678-close@bugs.debian.org:
Source: zabbix
Source-Version: 1:1.4.5-1
We believe that the bug you reported is fixed in the latest version of
zabbix, which is due to be installed in the Debian FTP archive:
zabbix-agent_1.4.5-1_amd64.deb
to pool/main/z/zabbix/zabbix-agent_1.4.5-1_amd64.deb
zabbix-frontend-php_1.4.5-1_all.deb
to pool/main/z/zabbix/zabbix-frontend-php_1.4.5-1_all.deb
zabbix-server-mysql_1.4.5-1_amd64.deb
to pool/main/z/zabbix/zabbix-server-mysql_1.4.5-1_amd64.deb
zabbix-server-pgsql_1.4.5-1_amd64.deb
to pool/main/z/zabbix/zabbix-server-pgsql_1.4.5-1_amd64.deb
zabbix_1.4.5-1.diff.gz
to pool/main/z/zabbix/zabbix_1.4.5-1.diff.gz
zabbix_1.4.5-1.dsc
to pool/main/z/zabbix/zabbix_1.4.5-1.dsc
zabbix_1.4.5.orig.tar.gz
to pool/main/z/zabbix/zabbix_1.4.5.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 471678@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Ablassmeier <abi@debian.org> (supplier of updated zabbix package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Thu, 27 Mar 2008 12:15:28 +0100
Source: zabbix
Binary: zabbix-agent zabbix-server-mysql zabbix-server-pgsql zabbix-frontend-php
Architecture: source amd64 all
Version: 1:1.4.5-1
Distribution: unstable
Urgency: high
Maintainer: abi@grinser.de
Changed-By: Michael Ablassmeier <abi@debian.org>
Description:
zabbix-agent - software for monitoring of your networks -- agent
zabbix-frontend-php - software for monitoring of your servers -- php frontend
zabbix-server-mysql - software for monitoring of your networks -- server
zabbix-server-pgsql - software for monitoring of your networks -- server
Closes: 471678
Changes:
zabbix (1:1.4.5-1) unstable; urgency=high
.
* New upstream release
* Fixed remote DoS (CVE-2008-1353) Closes: #471678
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 30 Apr 2008 07:48:19 GMT)