CVE-2024-42327 (CVSS 9.9): Critical SQL Injection Vulnerability Found in Zabbix

Zabbix, a popular open-source IT infrastructure monitoring tool used by organizations worldwide, has been found to contain a critical SQL injection vulnerability (CVE-2024-42327) with a CVSS score of 9.9. This vulnerability allows attackers to escalate privileges and gain complete control of Zabbix instances, potentially compromising sensitive monitoring data and connected systems.

The vulnerability resides in the user.get API endpoint and can be exploited by any non-admin user with API access, including those with the default “User” role. By manipulating specific API calls, attackers can inject malicious SQL code that grants them unauthorized access and control.

Impact and Exploitation

Successful exploitation of CVE-2024-42327 could lead to:

• Data breaches: Attackers can access and exfiltrate sensitive monitoring data, including system configurations, performance metrics, and user credentials.
• System compromise: Attackers can leverage their escalated privileges to compromise the underlying Zabbix server and potentially pivot to other connected systems.
• Denial of service: Attackers can disrupt monitoring operations by manipulating or deleting critical data.

Mitigation and Remediation

Zabbix has addressed this vulnerability in the following versions:

• 6.0.32rc1
• 6.4.17rc1
• 7.0.1rc1

Organizations using Zabbix are strongly urged to update their deployments to the latest patched versions immediately. Additionally, it is recommended to review user roles and permissions to ensure that only authorized personnel have API access.

Vulnerability Discovery and Disclosure

The vulnerability was discovered by security researcher Márk Rákóczi and reported through the HackerOne bug bounty platform. Zabbix has acknowledged the report and promptly released patches to address the issue.

Related Posts: