Bug 500342 (CVE-2014-1682) - <net-analyzer/zabbix-{2.0.11_rc1-r1,2.2.2_rc2-r1}: Multiple Vulnerabilities (CVE-2013-5572,CVE-2014-{1682,1685})
Status: RESOLVED FIXED
Alias: CVE-2014-1682
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/55099/
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2014-02-05 09:14 UTC by Agostino Sarubbo
Modified: 2014-02-24 21:51 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-02-05 09:14:48 UTC
From ${URL} :

Description

A vulnerability has been reported in Zabbix, which can be exploited by malicious users to conduct spoofing attacks.

The vulnerability is caused due to an error when handling the user.login call related to API permissions and can be exploited to impersonate any user by passing another username to the user.login request.

Successful exploitation requires Zabbix to be configured with HTTP authentication.

The vulnerability is reported in versions 1.8.19, 2.0.10, and 2.2.1. Other versions may also be affected.


Solution:
Fixed in the SVN repository.

Provided and/or discovered by:
Vitaly Shupak within a bug report.

Original Advisory:
Zabbix:
http://www.zabbix.com/rn1.8.20rc1.php
http://www.zabbix.com/rn2.0.11rc1.php
http://www.zabbix.com/rn2.2.2rc1.php

Vitaly Shupak:
https://support.zabbix.com/browse/ZBX-7703


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
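The following is an added illustration and not code from this bug, from the Secunia advisory or from Zabbix itself. It is a toy JSON-RPC user.login handler in Python that shows the pre-fix behaviour the description outlines (the account that receives a session is taken from the caller-supplied user parameter) next to the check that closes the hole (in HTTP-authentication mode the session is tied to the name the web server authenticated, and a user parameter naming anyone else is refused). The REMOTE_USER variable, the user table, the passwords and the error strings are assumptions; only the shape of the request and response follows the Zabbix JSON-RPC API.

```python
"""Toy model of the user.login check at issue in CVE-2014-1682.

Added illustration, not Zabbix's own PHP code.  Assumptions, labelled as
such: the web server passes the name it authenticated in a REMOTE_USER
variable, the user table and passwords are constructed, and only the shape
of the JSON-RPC exchange follows the Zabbix API.
"""
import hashlib
import hmac
import secrets

# Constructed stand-in for the Zabbix users table (names and passwords invented).
USERS = {
    "Admin": hashlib.sha256(b"constructed-admin-pw").hexdigest(),
    "alice": hashlib.sha256(b"constructed-alice-pw").hexdigest(),
}

# Constructed stand-in for the sessions table: sessionid -> owning account.
SESSIONS = {}


def _error(request, message):
    return {"jsonrpc": "2.0", "id": request.get("id"), "error": {"message": message}}


def _result(request, sessionid):
    return {"jsonrpc": "2.0", "id": request.get("id"), "result": sessionid}


def _issue_session(username):
    sessionid = secrets.token_hex(16)
    SESSIONS[sessionid] = username
    return sessionid


def session_owner(sessionid):
    """Which account a session id belongs to (None if unknown)."""
    return SESSIONS.get(sessionid)


def _password_login(request):
    """Ordinary (non-HTTP) authentication: verify the supplied password."""
    params = request["params"]
    username = params.get("user")
    stored = USERS.get(username)
    supplied = hashlib.sha256(params.get("password", "").encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, supplied):
        return _error(request, "Login name or password is incorrect.")
    return _result(request, _issue_session(username))


def user_login_vulnerable(request, server_env, http_auth):
    """Pre-fix behaviour as the advisory describes it.

    With HTTP authentication the frontend trusts the web server to have
    checked the caller's credentials and verifies no password itself.  The
    flaw: the session is issued for params["user"], which the caller chooses,
    not for the name the web server actually authenticated.
    """
    if not http_auth:
        return _password_login(request)
    if "REMOTE_USER" not in server_env:
        return _error(request, "Not authenticated by the web server.")
    requested = request["params"].get("user")
    if requested not in USERS:
        return _error(request, "Login name or password is incorrect.")
    # BUG: `requested` is never compared with server_env["REMOTE_USER"].
    return _result(request, _issue_session(requested))


def user_login_fixed(request, server_env, http_auth):
    """Same handler with the missing check: in HTTP-auth mode a session is only
    issued for the account the web server authenticated, and a params["user"]
    naming anyone else is refused."""
    if not http_auth:
        return _password_login(request)
    authenticated = server_env.get("REMOTE_USER")
    if authenticated is None or authenticated not in USERS:
        return _error(request, "Not authenticated by the web server.")
    requested = request["params"].get("user")
    if requested is not None and requested != authenticated:
        return _error(request, "Login name does not match the authenticated user.")
    return _result(request, _issue_session(authenticated))


if __name__ == "__main__":
    # alice, authenticated by the web server, asks for a session as Admin.
    probe = {"jsonrpc": "2.0", "method": "user.login",
             "params": {"user": "Admin"}, "id": 1}
    env = {"REMOTE_USER": "alice"}
    bad = user_login_vulnerable(probe, env, http_auth=True)
    good = user_login_fixed(probe, env, http_auth=True)
    print("vulnerable handler issued a session for:", session_owner(bad.get("result")))
    print("fixed handler answered:", good)
```

The design point is that the authenticated identity must come from the web server's own variable and never from the request body once HTTP authentication is delegated; the user parameter can at most be cross-checked against it, as user_login_fixed does.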
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-02-06 03:43:31 UTC
Adding CVEs, as the versions contain other vulnerability fixes:

CVE-2013-5572 - Was fixed for 2.0 Slot, now fixed as part of 2.2.2rc2 as well.
CVE-2014-1682 - Fixed for 2.0.11rc1 and 2.2.2rc1
CVE-2014-1685 - Fixed for 2.2.2rc2

Vulnerability Information:
Zabbix being able to switch users without proper credentials when using HTTP authentication; reference CVE-2014-1682
https://support.zabbix.com/browse/ZBX-7703

LDAP authentication; reference CVE-2013-5572
https://support.zabbix.com/browse/ZBX-6721

admin user being able to update media for other users; reference CVE-2014-1685
https://support.zabbix.com/browse/ZBX-7693
Comment 2 Matthew Marlowe (RETIRED) gentoo-dev 2014-02-07 04:21:26 UTC
In CVS, awaiting build on test box.
Comment 3 Matthew Marlowe (RETIRED) gentoo-dev 2014-02-12 02:32:32 UTC
Let's stabilize 2.0.11_rc1-r1.
2.2.2_rc2-r1 can stay in testing but should be safe.
Will clean out all older ebuilds once 2.0.11_rc1-r1 is stabilized.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-02-14 18:36:37 UTC
Arches, please test and mark stable:

=net-analyzer/zabbix-2.0.11_rc1-r1

Target Keywords : "amd64 x86"

=net-analyzer/zabbix-2.2.2_rc2-r1 - Do Not Stable / Testing.
Comment 5 Agostino Sarubbo gentoo-dev 2014-02-16 07:08:40 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-02-16 07:08:53 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Matthew Marlowe (RETIRED) gentoo-dev 2014-02-23 02:25:18 UTC
Old ebuilds cleaned up. Looks good.
Comment 8 Chris Reffett (RETIRED) gentoo-dev Security 2014-02-23 02:26:17 UTC
GLSA vote: no.
Comment 9 Sergey Popov gentoo-dev 2014-02-24 21:51:40 UTC
GLSA vote: no

Closing as noglsa