ALT-BU-2024-1544-1
Branch c9f2 update bulletin.
Closed vulnerabilities
BDU:2024-00033
Уязвимость функции icmpping универсальной системы мониторинга Zabbix, позволяющая нарушителю выполнить произвольный код
BDU:2024-00645
Уязвимость компонента DNS Response Handler агента универсальной системы мониторинга Zabbix, позволяющая нарушителю вызвать переполнение буфера
Modified: 2024-11-21
CVE-2023-32726
The vulnerability is caused by improper check for check if RDLENGTH does not overflow the buffer in response from DNS server.
- https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BYSYLA7VTHR25CBLYO5ZLEJFGU7HTHQB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMFKNV5E4LG2DIZNPRWQ2ENH75H6UEQT/
- https://support.zabbix.com/browse/ZBX-23855
- https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html
- https://support.zabbix.com/browse/ZBX-23855
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMFKNV5E4LG2DIZNPRWQ2ENH75H6UEQT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BYSYLA7VTHR25CBLYO5ZLEJFGU7HTHQB/
Modified: 2024-11-21
CVE-2023-32727
An attacker who has the privilege to configure Zabbix items can use function icmpping() with additional malicious command inside it to execute arbitrary code on the current Zabbix server.
Modified: 2024-11-21
CVE-2023-32728
The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command resulting possible vulnerability for remote code execution.