During an internal security audit we discovered a serious vulnerability
in the API authentication mechanism. The vulnerability affects
installations using LDAP for authentication and running Zabbix
newer than 1.8.1. The issue has been fixed in Zabbix 1.8.16, 2.0.5 and
Please use CVE-2013-1364 to refer to this issue.
The vulnerability allows an attacker to set up their own LDAP server and
have Zabbix use it for authentication instead of the one configured in
Zabbix. This is done by passing the malicious LDAP server's configuration
in the "cnf" parameter of the user.login API method. The supplied
configuration overrides the one stored in the database and is used for
that authentication attempt. If the targeted Zabbix installation has a
user with the same user name (for instance, "Admin") as an account on the
malicious LDAP server, authentication succeeds.
Originally the "cnf" parameter was implemented to test the LDAP
configuration in the Zabbix frontend, but was mistakenly made available
to remote API calls.
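The two defender-side checks that follow from the description above, written here as an added example (not Zabbix code and not part of the advisory): a scanner that walks API access log lines and flags user.login requests whose params carry a "cnf" key, and a simplified model of the mitigation, in which "cnf" is ignored for requests arriving over the remote API. The log line format, the sample lines, and the key names inside the "cnf" object (ldap_host, ldap_port) are constructed for this example and are not taken from the advisory; /api_jsonrpc.php is the frontend's JSON-RPC endpoint.

```python
import json

# Zabbix API method that accepted the "cnf" override (from the advisory).
SENSITIVE_METHOD = "user.login"
OVERRIDE_PARAM = "cnf"

# Constructed sample log lines: "<timestamp> <client ip> <http method> <path> <body>".
# This layout is an assumption for the example, not a real Zabbix log format.
SAMPLE_LOG = [
    '2013-02-02T10:00:01Z 192.0.2.10 POST /api_jsonrpc.php '
    '{"jsonrpc":"2.0","method":"user.login","params":{"user":"Admin","password":"x"},"id":1}',
    '2013-02-02T10:00:07Z 203.0.113.5 POST /api_jsonrpc.php '
    '{"jsonrpc":"2.0","method":"user.login","params":{"user":"Admin","password":"x",'
    '"cnf":{"ldap_host":"ldap://203.0.113.5","ldap_port":389}},"id":2}',
    '2013-02-02T10:00:09Z 192.0.2.11 POST /api_jsonrpc.php '
    '{"jsonrpc":"2.0","method":"host.get","params":{"output":"extend"},"auth":"abc","id":3}',
    '2013-02-02T10:00:12Z 192.0.2.12 POST /api_jsonrpc.php not-json',
]


def split_log_line(line):
    """Split a constructed log line into (timestamp, client_ip, body); None if malformed."""
    parts = line.split(" ", 4)
    if len(parts) < 5:
        return None
    timestamp, client_ip, _http_method, _path, body = parts
    return timestamp, client_ip, body


def parse_jsonrpc(body):
    """Return the JSON-RPC request objects in a body (single or batch); [] if not valid JSON."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if isinstance(data, list):
        return [req for req in data if isinstance(req, dict)]
    return [data] if isinstance(data, dict) else []


def flag_login_override(request):
    """Return a finding for a user.login request that carries a cnf override, else None."""
    if request.get("method") != SENSITIVE_METHOD:
        return None
    params = request.get("params")
    if not isinstance(params, dict) or OVERRIDE_PARAM not in params:
        return None
    cnf = params[OVERRIDE_PARAM]
    # ldap_host is an assumed key name for the example; record it if present.
    ldap_host = cnf.get("ldap_host") if isinstance(cnf, dict) else None
    return {"user": params.get("user"), "ldap_host": ldap_host, "id": request.get("id")}


def scan_log(lines):
    """Walk log lines and collect every user.login call that supplied a cnf parameter."""
    findings = []
    for line in lines:
        fields = split_log_line(line)
        if fields is None:
            continue
        timestamp, client_ip, body = fields
        for request in parse_jsonrpc(body):
            finding = flag_login_override(request)
            if finding is not None:
                finding.update({"time": timestamp, "src": client_ip})
                findings.append(finding)
    return findings


def strip_override_for_remote_api(params, remote_api_call):
    """Simplified model of the mitigation: the cnf override is only honoured for the
    frontend's own LDAP configuration test, never for a remote API call."""
    if remote_api_call and OVERRIDE_PARAM in params:
        cleaned = dict(params)
        del cleaned[OVERRIDE_PARAM]
        return cleaned
    return params


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("user.login with cnf override from %(src)s at %(time)s: user=%(user)s "
              "ldap_host=%(ldap_host)s" % finding)
```

Run against the constructed sample, the scanner reports only the second line (the request from 203.0.113.5 that carries a "cnf" object); the plain user.login, the host.get call and the non-JSON body are skipped. The strip function illustrates the shape of the fix rather than its actual code: the patch shipped with the advisory is the authoritative change.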
We have provided patches that fix the issue for Zabbix versions 1.8.2,
2.0.1 and newer. To apply the patch, navigate to the Zabbix frontend
folder and run the patch utility:
    # cd /full_path_to_frontend
    # patch -p2 < /full_path_to_file/ldap_X-Y-Z.diff
We consider security to be very important in Zabbix and will take all
measures to make sure such problems do not occur in the future.
Zabbix Product Manager
Tel: +371 6 7784743
Fax: +371 6 7784741