From: Alexei V. <ale...@za...> - 2013-01-17 17:20:36
During an internal security audit we discovered a serious vulnerability in the API authentication mechanism. The vulnerability affects installations using LDAP for authentication and running Zabbix newer than 1.8.1. The issue has been fixed in Zabbix 1.8.16, 2.0.5 and 2.1.0. Please use CVE-2013-1364 to refer to this issue.

The vulnerability allows the exploiter to set up his own LDAP server and use it for authentication instead of the one configured in Zabbix. This can be done by passing the configuration of the malicious LDAP server in the "cnf" parameter when calling the user.login API method. The given configuration will override the one stored in the database and will be used for authentication. If the targeted Zabbix installation has users with the same user name (for instance, "Admin") as the malicious LDAP server, the authentication will be successful.

Originally the "cnf" parameter was implemented to test the LDAP configuration in the Zabbix frontend, but was mistakenly made available to remote API calls.

We have provided patches [1] to fix the issue for Zabbix versions 1.8.2, 2.0.1 and newer. To apply the patch to Zabbix, navigate to the Zabbix frontend folder and run the patch utility:

# cd /full_path_to_frontend
# patch -p2 < /full_path_to_file/ldap_X-Y-Z.diff

We consider security to be very important in Zabbix and will take all measures to make sure such problems do not occur in the future.

[1] https://support.zabbix.com/browse/ZBX-6097

Kind regards,
Alexei

--
Alexei Vladishev
Zabbix Product Manager
Tel: +371 6 7784743
Fax: +371 6 7784741
Email: ale...@za...
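The request pattern the advisory describes (a user.login call whose parameters carry an attacker-supplied "cnf" LDAP configuration) is easy to look for in captured API traffic, and the override itself is simple to model. The following is an added example, not part of the original message and not Zabbix code: it scans constructed JSON-RPC request bodies for user.login calls carrying "cnf", reports the LDAP host they point at, and models the unpatched versus patched behaviour the message describes. The placement of "cnf" inside "params", the key names inside it (ldap_host and so on), and the sample hosts and tokens are assumptions made for this example.

```python
import json

# Constructed sample JSON-RPC bodies as a Zabbix frontend API endpoint might receive
# them. Assumptions for this example (not taken from the advisory): "cnf" sits inside
# "params", and its keys mirror the frontend's LDAP settings (ldap_host, ldap_port, ...).
SAMPLE_REQUESTS = [
    '{"jsonrpc":"2.0","method":"user.login",'
    '"params":{"user":"Admin","password":"zabbix"},"id":1}',
    '{"jsonrpc":"2.0","method":"user.login",'
    '"params":{"user":"Admin","password":"anything","cnf":{'
    '"ldap_host":"ldap://198.51.100.7","ldap_port":389,'
    '"ldap_base_dn":"dc=attacker,dc=test","ldap_search_attribute":"uid"}},"id":2}',
    '{"jsonrpc":"2.0","method":"host.get","params":{"output":"extend"},'
    '"auth":"0f1e2d3c4b5a69788796a5b4c3d2e1f0","id":3}',
    '{"jsonrpc":"2.0","method":"user.login","params":"garbage","id":4}',
    'not a JSON document',
]

# LDAP settings as the server would hold them in its database (constructed).
STORED_LDAP_CONFIG = {
    "ldap_host": "ldaps://ldap.corp.example",
    "ldap_port": 636,
    "ldap_base_dn": "dc=corp,dc=example",
    "ldap_search_attribute": "uid",
}


def find_cnf_override(body):
    """Return a finding for a user.login request carrying "cnf" in params, else None.

    Non-JSON bodies, other methods and malformed params are skipped rather than
    raising, so the function can run over a whole capture unattended.
    """
    try:
        req = json.loads(body)
    except ValueError:
        return None
    if not isinstance(req, dict) or req.get("method") != "user.login":
        return None
    params = req.get("params")
    if not isinstance(params, dict) or "cnf" not in params:
        return None
    cnf = params["cnf"]
    return {
        "id": req.get("id"),
        "user": params.get("user"),
        "ldap_host": cnf.get("ldap_host") if isinstance(cnf, dict) else None,
        "cnf": cnf,
    }


def scan(bodies):
    """Run find_cnf_override over a list of request bodies and collect the findings."""
    findings = []
    for body in bodies:
        finding = find_cnf_override(body)
        if finding is not None:
            findings.append(finding)
    return findings


def effective_ldap_config(stored, params, remote_call, patched):
    """Model of the behaviour the advisory describes (an illustration, not Zabbix code).

    Unpatched: a "cnf" in the request replaces the stored configuration, even for a
    remote API call. Patched: a remote call can no longer supply "cnf"; only the
    frontend's own LDAP test path (remote_call=False) may still use it.
    """
    cnf = params.get("cnf")
    if isinstance(cnf, dict) and (not remote_call or not patched):
        return cnf
    return stored


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print("user.login id=%s user=%s points LDAP at %s"
              % (f["id"], f["user"], f["ldap_host"]))
    evil = json.loads(SAMPLE_REQUESTS[1])["params"]
    print("unpatched:", effective_ldap_config(STORED_LDAP_CONFIG, evil, True, False)["ldap_host"])
    print("patched:  ", effective_ldap_config(STORED_LDAP_CONFIG, evil, True, True)["ldap_host"])
```

Run over real captures, any user.login request with a "cnf" key is worth an alert on its own, whatever host it names: there is no legitimate reason for a remote API client to send it.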