CVE-2016-4338
published 2017-01-23

Priority: P268, high, 8.1 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 21.14% (97.3th percentile)

The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter.

Affected

42 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| debian | zabbix | < zabbix 1:3.0.3+dfsg-1 (bookworm) | zabbix 1:3.0.3+dfsg-1 (bookworm) |
| zabbix | zabbix | | |

Detection & IOCs (extracted from sources)

port: 10050
path: /etc/zabbix/zabbix_agentd.d/userparameter_mysql.conf
command: echo 'mysql.size[/tmp/owned,all,both]' | nc localhost 10050
filename: userparameter_mysql.conf

  • Monitor Zabbix agent (port 10050) for inbound requests containing the mysql.size parameter with path-like values in the first argument (e.g., mysql.size[/tmp/...,all,both]), which indicates exploitation of the shell injection via a non-bash /bin/sh.
  • Alert on shell error output 'sh: 1: [[: not found' from the Zabbix agent process, which indicates /bin/sh is dash and the vulnerable code path is being triggered.
  • Detect unexpected process execution (e.g., arbitrary binaries or scripts) spawned by the zabbix user (uid=110, gid=114) as a child of the Zabbix agent, which may indicate successful command injection via mysql.size.
  • The vulnerability is only exploitable when /bin/sh is a non-bash shell (e.g., dash). Systems where /bin/sh is bash are not affected because bash supports the [[ compound command used in the parameter script.
  • Remote exploitation requires the attacker's IP to be listed in the Zabbix agent's 'Server' configuration directive; otherwise the attack must originate from the configured Zabbix server IP or via IP spoofing (e.g., ARP spoofing).
  • Because injected commands are piped to mysql, SQL command injection against the monitored MySQL instance may also be possible in addition to OS command injection.
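
The first monitoring rule above can be written as a check on item keys taken from agent traffic or logs. This is an added example, not code from the source advisory or from Zabbix; the function names, the sample keys and the allow-list of argument characters are assumptions made for illustration.

```python
import re

# Assumption: a legitimate mysql.size argument is empty or a plain identifier.
SAFE_ARG = re.compile(r"[A-Za-z0-9_-]*")
MYSQL_SIZE = re.compile(r"\s*mysql\.size\[(.*)\]\s*", re.DOTALL)

def split_params(raw):
    """Split item-key parameters on commas, honouring double-quoted values."""
    params, cur, quoted, i = [], [], False, 0
    while i < len(raw):
        ch = raw[i]
        if quoted and raw[i:i + 2] == '\\"':   # escaped quote inside quotes
            cur.append('"')
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            params.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    params.append("".join(cur).strip())
    return params

def inspect_item_key(key):
    """Return None for other keys, else the parsed params and a verdict."""
    m = MYSQL_SIZE.fullmatch(key)
    if m is None:
        return None
    params = split_params(m.group(1))
    offending = [p for p in params if not SAFE_ARG.fullmatch(p)]
    return {"params": params, "offending": offending,
            "suspicious": bool(offending)}

# Constructed sample keys; the second is the request quoted on this page.
SAMPLE_KEYS = [
    "mysql.size[all,all,both]",
    "mysql.size[/tmp/owned,all,both]",
    'mysql.size["a,b",all,both]',
    "agent.ping",
]

def flag_suspicious(keys):
    """Keep only the mysql.size keys whose arguments fail the allow-list."""
    return [k for k in keys if (inspect_item_key(k) or {}).get("suspicious")]

if __name__ == "__main__":
    for key in flag_suspicious(SAMPLE_KEYS):
        print("ALERT", key, inspect_item_key(key)["offending"])
```

Tighten or loosen `SAFE_ARG` to match the database and table names actually monitored in your environment.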

CVSS provenance

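| Source | Version | Score | Severity | Vector |
|--------|---------|-------|----------|--------|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 9.8 | CRITICAL | |
| vendor_debian | | 8.1 | HIGH | |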