VyOS Platform Blog

Remote code execution in listening Zabbix agent (CVE-2023-32728)

Written by Daniil Baturin | October 24, 2024 9:17:37 AM Z

Hello, Community!

Our community member Fabian Riechsteiner brought to our attention that the version of the Zabbix agent present in VyOS 1.4.0 is susceptible to a remote code execution vulnerability — CVE-2023-32728. We made a hotfix available to subscribers, and the fix will be a part of the upcoming VyOS 1.4.1 release.

Zabbix agent must be configured and listening to exploit this vulnerability.

This is what a vulnerable configuration looks like:

vyos@vyos# show service monitoring
 zabbix-agent {
     listen-address 192.0.2.10
     server 203.0.113.1
 }
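As an added example (not part of the original post and not VyOS's own tooling), the script below parses the `show service monitoring` output above and reports whether a zabbix-agent node is configured and which addresses it listens on, so an operator can quickly sort routers into affected and unaffected. The parser handles the brace-delimited format VyOS prints; the function names and the second, empty sample are assumptions of this example.

```python
"""Check 'show service monitoring' output for a configured, listening Zabbix agent.

Added example for this post (not VyOS code). It parses the brace-delimited
config format VyOS prints and reports the zabbix-agent listen/server settings
so an operator can confirm which routers match the vulnerable configuration.
"""
import re
from typing import Any, Dict, List

# Matches an interactive prompt line such as "vyos@vyos# show service monitoring"
PROMPT_RE = re.compile(r"^\S+@\S+[#$]\s")


def parse_vyos_config(text: str) -> Dict[str, Any]:
    """Parse VyOS-style brace config into nested dicts.

    Container nodes ("zabbix-agent {") become dicts; leaf nodes
    ("listen-address 192.0.2.10") become lists of values, because a leaf
    may be repeated. Prompt lines and blank lines are skipped.
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT_RE.match(line):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in config")
            stack.pop()
        elif line.endswith("{"):
            name = line[:-1].strip()
            child = stack[-1].setdefault(name, {})
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            value = value.strip().strip('"')
            stack[-1].setdefault(key, []).append(value)
    if len(stack) != 1:
        raise ValueError("unclosed '{' in config")
    return root


def zabbix_agent_status(show_output: str) -> Dict[str, Any]:
    """Summarise the zabbix-agent node from 'show service monitoring' output.

    configured       - True if a zabbix-agent node exists
    listen_addresses - explicit listen-address values (may be empty)
    servers          - configured Zabbix server addresses
    exposed          - True whenever the agent is configured; an agent with no
                       explicit listen-address is treated as listening too
                       (conservative assumption: the default bind address is
                       not stated in the post).
    """
    cfg = parse_vyos_config(show_output)
    agent = cfg.get("zabbix-agent")
    if not isinstance(agent, dict):
        return {"configured": False, "listen_addresses": [], "servers": [], "exposed": False}
    return {
        "configured": True,
        "listen_addresses": list(agent.get("listen-address", [])),
        "servers": list(agent.get("server", [])),
        "exposed": True,
    }


# Sample 1: the vulnerable configuration shown in the post.
VULNERABLE_OUTPUT = """\
vyos@vyos# show service monitoring
 zabbix-agent {
     listen-address 192.0.2.10
     server 203.0.113.1
 }
"""

# Sample 2: constructed output for a router with nothing configured under
# 'service monitoring' (only the prompt line; nothing else is printed).
NOT_CONFIGURED_OUTPUT = """\
vyos@vyos# show service monitoring
"""

if __name__ == "__main__":
    for label, output in (("post sample", VULNERABLE_OUTPUT),
                          ("constructed sample", NOT_CONFIGURED_OUTPUT)):
        print(f"{label}: {zabbix_agent_status(output)}")
```

Feed it the saved output of `show service monitoring` from each router (for example collected over SSH by your inventory tooling); any result with `exposed` set to True is a host that needs the hotfix or the 1.4.1 update.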

An odd fact is that the fix was not included in the Debian Bookworm repositories and still is not included. A different Zabbix agent version is available in bookworm-backports, but it is not guaranteed to be compatible with older Zabbix server versions. To keep the agent updated, we will switch to using the official Zabbix repositories for building future releases — this is already done in the current branch and will soon be in the nightly builds.