Zabbix, a popular open-source IT infrastructure management and monitoring tool, has patched a critical SQL injection (SQLi) vulnerability that poses a serious security risk to thousands of servers. The flaw, rated 9.9 out of 10 in severity, allows attackers with non-admin user accounts to gain full control of vulnerable systems, potentially compromising sensitive data and disrupting operations.
The vulnerability is located in the CUser class, specifically in the addRelatedObjects function, which is invoked by CUser.get. Because CUser.get is reachable by any user with API access, an attacker does not need administrative privileges to trigger the flaw. By manipulating API calls, an attacker can inject malicious SQL commands, which, if successful, could grant unauthorized access to the underlying server.
A scan conducted by cloud security firm Qualys uncovered over 83,000 potentially vulnerable systems online, underscoring the widespread nature of the issue. The Zabbix tool is used by organizations globally to monitor critical IT components such as networks, servers, virtual machines, and cloud services. It collects, stores, and analyzes data, offering real-time insights into infrastructure performance. Given its central role in IT management, a security breach in Zabbix could have significant consequences for affected organizations.
According to Cybernews, the flaw was reported by security researcher Márk Rákóczi via the HackerOne bug bounty platform. Zabbix quickly responded to the discovery of the vulnerability by releasing updated versions of the software that patch the flaw. The fixed versions include 6.0.32rc1, 6.4.17rc1, and 7.0.1rc1. Organizations using Zabbix are strongly advised to update to these versions to mitigate the risk of exploitation.
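The following version-triage check is an added example and is not code from Zabbix or from the article. It compares a Zabbix version string against the three fixed versions listed above (treating a release candidate as older than the final build of the same number) and can optionally read the version from a server's own JSON-RPC endpoint via the unauthenticated apiinfo.version call; the endpoint URL and the sample version strings are assumptions.

```python
import json
import re
import sys
import urllib.request

# Fixed versions as stated in the article; any build at or above these
# within the same major.minor branch carries the patch.
FIXED_VERSIONS = ("6.0.32rc1", "6.4.17rc1", "7.0.1rc1")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")


def parse_version(text):
    """Turn '6.0.32rc1' into a sortable tuple; rc builds sort before the final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    major, minor, patch, rc = m.groups()
    # (..., 0, rc_number) for release candidates, (..., 1, 0) for the final build
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(rc or 0))


def assess_version(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a Zabbix version string."""
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if v[:2] == f[:2]:  # same major.minor branch as one of the fixed releases
            return "patched" if v >= f else "vulnerable"
    # Branch not covered by the article's list: consult the vendor advisory
    return "unknown"


def fetch_version(api_url, timeout=10):
    """Read the server's version from its JSON-RPC endpoint (apiinfo.version needs no auth)."""
    payload = json.dumps(
        {"jsonrpc": "2.0", "method": "apiinfo.version", "params": [], "id": 1}
    ).encode()
    req = urllib.request.Request(
        api_url, data=payload, headers={"Content-Type": "application/json-rpc"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["result"]


if __name__ == "__main__":
    # Pass either a bare version string or the URL of your own api_jsonrpc.php endpoint
    target = sys.argv[1] if len(sys.argv) > 1 else "6.0.31"  # constructed sample value
    ver = fetch_version(target) if target.startswith("http") else target
    print(f"Zabbix {ver}: {assess_version(ver)}")
```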
The discovery of the vulnerability highlights the importance of using secure API access methods and regularly updating open-source software. As IT infrastructure management tools like Zabbix are often integral to critical business functions, ensuring their security is crucial to safeguarding organizational operations.