VyOS Networks Blog

Building an open source network OS for the people, together.

Remote code execution in listening Zabbix agent (CVE-2023-32728)

Daniil Baturin
Posted 24 Oct, 2024

Hello, Community!

Our community member Fabian Riechsteiner brought to our attention that the version of the Zabbix agent present in VyOS 1.4.0 is susceptible to a remote code execution vulnerability — CVE-2023-32728. We made a hotfix available to subscribers, and the fix will be a part of the upcoming VyOS 1.4.1 release.

The vulnerability can only be exploited if the Zabbix agent is configured and listening on the network; a system that does not have the agent configured is not affected.

This is what a vulnerable configuration looks like:

vyos@vyos# show service monitoring
 zabbix-agent {
     listen-address 192.0.2.10
     server 203.0.113.1
 }
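As an added example that is not part of the original post or of VyOS itself, the script below turns that statement into a check a practitioner can run on a box: it reads the agent's configured listen-address from "show configuration commands" output and confirms that something other than loopback is actually listening on the agent port. The port number 10050 (the Zabbix agent default) is an assumption about the system being checked, and both sample inputs are constructed for the example rather than captured from a real system.

```shell
#!/bin/sh
# Added example (not from the VyOS post): decide from "show configuration commands"
# output and "ss -ltn" output whether a Zabbix agent is reachable from the network.
# The port is an assumption (10050 is the Zabbix agent default); override with AGENT_PORT.
AGENT_PORT="${AGENT_PORT:-10050}"

# Constructed sample: the vulnerable configuration from the post, as set commands.
SAMPLE_CONFIG='set service monitoring zabbix-agent listen-address 192.0.2.10
set service monitoring zabbix-agent server 203.0.113.1'

# Constructed sample: listening TCP sockets in the layout printed by "ss -ltn".
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    192.0.2.10:10050    0.0.0.0:*
LISTEN 0      128    127.0.0.1:10050     0.0.0.0:*'

# Print every listen-address the configuration gives the agent, one per line.
config_listen_addresses() {
    printf '%s\n' "$1" | awk '/^set service monitoring zabbix-agent listen-address /{print $NF}'
}

# Print the local addresses that listen on the agent port and are not loopback.
# A wildcard bind (0.0.0.0, [::], *) counts as exposed.
exposed_sockets() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); addr = a[1]; p = a[n]
            # IPv6 literals contain colons: the address is everything before the last ":"
            if (n > 2) addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && addr != "127.0.0.1" && addr != "[::1]" && addr != "::1") print addr
        }'
}

# Succeeds (exit 0) only when the agent is configured to listen AND a non-loopback
# socket is open on the agent port, i.e. the precondition for exploiting the bug holds.
agent_exposed() {
    if [ -z "$(config_listen_addresses "$1")" ]; then return 1; fi
    if [ -z "$(exposed_sockets "$2" "$3")" ]; then return 1; fi
    return 0
}

if agent_exposed "$SAMPLE_CONFIG" "$SAMPLE_SS" "$AGENT_PORT"; then
    echo "Zabbix agent reachable on: $(exposed_sockets "$SAMPLE_SS" "$AGENT_PORT")"
else
    echo "Zabbix agent not exposed"
fi
```

On a live system, feed the functions the real output of "show configuration commands | match zabbix" and "ss -ltn" instead of the constructed samples; an agent that only appears on 127.0.0.1 is not reachable from the network even though it is configured.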

Oddly, the fix has not been included in the Debian Bookworm repositories and still is not. A different Zabbix agent version is available in bookworm-backports, but it is not guaranteed to be compatible with older Zabbix server versions. To keep the agent updated, we will switch to using the official Zabbix repositories for building future releases; this is already done in the current (rolling release) branch and will soon be in the nightly builds.
