CVE-2017-2826
An information disclosure vulnerability exists in the iConfig proxy request of Zabbix server 2.4.X. A specially crafted iConfig proxy request can cause the Zabbix server to send the configuration information of any Zabbix proxy, resulting in information disclosure. An attacker can make requests from an active Zabbix proxy to trigger this vulnerability.
Zabbix Server 2.4.8.r1
3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-200: Information Exposure
If an attacker can send packets to a Zabbix server from the IP address of a configured Zabbix proxy, whether through spoofing, legitimate access, or other means, then an attacker can request the database configuration information for any configured Zabbix proxy, assuming that the hostname of the Zabbix proxy can be guessed or brute-forced.
This database configuration information contains sensitive materials that could be used for further exploitation and discovery purposes.
The following is a subset of the sensitive information disclosed: 1. All configured monitored Zabbix agents and corresponding IP addresses. 2. All items that can be used to query data from the Zabbix agent, including user-configured UserParameters (potentially dangerous). 3. Hostmacros
Example Request (from any valid proxy IP): ZBXD\x01\x30\x00\x00\x00\x00\x00\x00\x00{“request”:”proxy config”,”host”:”zabbix- proxy.abcd.com”}
2017-04-22 - Vendor Disclosure
2018-04-09 - Public Release
Discovered by Lilith Wyatt of Cisco Advanced Security Initiatives Group.