Zabbix urges upgrades after critical SQL injection bug disclosure

US agencies blasted 'unforgivable' SQLi flaws earlier this year


Open-source enterprise network and application monitoring provider Zabbix is warning customers of a new critical vulnerability that could lead to full system compromise.

Tracked as CVE-2024-42327, the SQL injection bug scored a near-perfect 9.9 when assessed using the Common Vulnerability Scoring System (CVSSv3) and can be exploited by users with API access.

The project's description of the vulnerability explained: "A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. 

"An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access."

Zabbix said three product versions are affected and should be upgraded to the latest available:

Upgrading to versions 6.0.32rc1, 6.4.17rc1, and 7.0.1rc1 respectively will protect users from the privilege escalation attacks.

The project has thousands of customers worldwide, suggesting the attack surface could not only be quite large, but also affect some major enterprises across every continent.

Altice, Bupa Chile, Dell, the European Space Agency, Seat, T-Systems, and African mega telco Vodacom are all among the various high-profile customers listed on Zabbix's website, which span multiple industries across the public and private sectors.

The FBI and CISA started ramping up their Secure by Design messaging earlier this year, setting the tone of both agencies' strategies and initiatives throughout 2024. Around the same time, SQL injection vulnerabilities like CVE-2024-42327 were added to the US' list of "unforgivable" product defects – vulnerabilities that should have been stamped out by software vendors long ago.

SQL injections have been around for decades and aren't known for being especially difficult to exploit. Currently accounting for around ten percent of the entries in CISA's Known Exploited Vulnerabilities (KEV) catalog, this prevalent defect class is frequently associated with, and a known precursor to, ransomware activity.

The spate of data theft attacks on customers of Progress Software's MOVEit MFT last year (and this year too), facilitated by an SQL injection vulnerability, is a recent example of how much damage such ancient bugs can cause. Emsisoft's tracker puts the number of victim organizations at 2,773, which in total has compromised the data of nearly 96 million individuals.

In the alert issued earlier this year, the FBI and CISA called on software vendors to ensure their products are free of these types of bugs before they are shipped.

"Vulnerabilities like SQLi have been considered by others an 'unforgivable' vulnerability since at least 2007," the alert read. "Despite this finding, SQL vulnerabilities (such as CWE-89) are still a prevalent class of vulnerability. For example, CWE-89 is on top 25 lists for both the most dangerous and stubborn software weaknesses in 2023."

Both agencies also called on the customers of those vendors to hold developers to account, ensuring they received confirmation that a thorough code review eliminated SQLi flaws from the outset. ®
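The defect class at the heart of the story (CWE-89, a query assembled from caller-supplied input, as described for CUser.addRelatedObjects above) and the code-review check the agencies ask for are easier to reason about with a concrete contrast. The following is an added example, not Zabbix code and not taken from the advisory: it models a user lookup in miniature against an in-memory SQLite table of constructed sample rows, shows the concatenated form beside the parameterized form, and ends with a crude first-pass review heuristic that flags lines which build SQL text from variables. The table name, column names, sample users and the `SAMPLE_SOURCE` lines are all assumptions made for the example.

```python
"""Added example (not Zabbix's code): CWE-89 in miniature.

Models the defect class named in the article: a query assembled by string
concatenation from caller-supplied input, beside the parameterized form,
plus a crude review heuristic for spotting concatenated SQL in source.
Table layout and sample rows are constructed for the example.
"""
import re
import sqlite3

# Constructed sample data, not real accounts.
SAMPLE_USERS = [
    (1, "alice", "Admin"),
    (2, "bob", "User"),
    (3, "carol", "User"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def get_user_vulnerable(conn, username):
    """Untrusted input spliced into the SQL text (the CWE-89 pattern).

    Because the value becomes part of the query string, a quote character in
    it changes the query's structure rather than just its data.
    """
    sql = "SELECT userid, username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def get_user_safe(conn, username):
    """Parameterized query: the driver passes the value separately, so quotes
    and SQL keywords inside it are treated as data, never as syntax."""
    sql = "SELECT userid, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both forms on one input; the vulnerable form may raise or over-match."""
    conn = make_db()
    try:
        vulnerable = get_user_vulnerable(conn, username)
    except sqlite3.Error as exc:
        # A legitimate name containing an apostrophe breaks the concatenated
        # query outright, a second symptom of the same defect.
        vulnerable = "error: " + str(exc)
    safe = get_user_safe(conn, username)
    return {"vulnerable": vulnerable, "safe": safe}


# First-pass review heuristic: a string literal carrying a SQL verb on the
# same line as a concatenation, printf-style, .format() or f-string hint.
# Deliberately crude; it is a grep to start a code review, not a proof.
SQL_VERB = re.compile(r"""["'][^"']*\b(SELECT|INSERT|UPDATE|DELETE)\b""", re.IGNORECASE)
CONCAT_HINT = re.compile(r"""\+\s*\w|%\s*\(|\.format\(|\bf["']""")


def flag_sql_concatenation(lines):
    """Return 1-based line numbers where SQL text appears to be built from variables."""
    return [n for n, line in enumerate(lines, 1)
            if SQL_VERB.search(line) and CONCAT_HINT.search(line)]


# Constructed source lines for the heuristic; lines 1 and 2 are the bad pattern.
SAMPLE_SOURCE = [
    "cursor.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")",
    "cursor.execute(f\"SELECT * FROM users WHERE name = '{name}'\")",
    "cursor.execute(\"SELECT * FROM users WHERE name = ?\", (name,))",
    "total = count + 1",
]


if __name__ == "__main__":
    for probe in ["bob", "O'Brien", "' OR '1'='1"]:
        print(repr(probe), compare(probe))
    print("lines to review:", flag_sql_concatenation(SAMPLE_SOURCE))
```

Running it shows the three behaviours a reviewer cares about: for a plain name both forms return the same single row; for a name with an apostrophe the concatenated form raises a syntax error while the parameterized form simply finds no such user; and for input that closes the quote and adds a tautology the concatenated form returns every row while the parameterized form returns none. The heuristic flags lines 1 and 2 of the constructed source and leaves the parameterized call alone.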
