CVE-2016-4338
Published: 2017-01-23
Priority: P2 · 68 · high
CVSS 3.0: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 21.14% (97.3th percentile)
The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter.
Affected
42 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zabbix | < zabbix 1:3.0.3+dfsg-1 (bookworm) | zabbix 1:3.0.3+dfsg-1 (bookworm) |
| zabbix | zabbix | — | — |
Detection & IOCs
- Monitor Zabbix agent (port 10050) for inbound requests containing the mysql.size parameter with path-like values in the first argument (e.g., mysql.size[/tmp/...,all,both]), which indicates exploitation of the shell injection via a non-bash /bin/sh.
- Alert on shell error output 'sh: 1: [[: not found' from the Zabbix agent process, which indicates /bin/sh is dash and the vulnerable code path is being triggered.
- Detect unexpected process execution (e.g., arbitrary binaries or scripts) spawned by the zabbix user (uid=110, gid=114) as a child of the Zabbix agent, which may indicate successful command injection via mysql.size.
- The vulnerability is only exploitable when /bin/sh is a non-bash shell (e.g., dash). Systems where /bin/sh is bash are not affected because bash supports the [[ compound command used in the parameter script.
- Remote exploitation requires the attacker's IP to be listed in the Zabbix agent's 'Server' configuration directive; otherwise the attack must originate from the configured Zabbix server IP or via IP spoofing (e.g., ARP spoofing).
- Because injected commands are piped to mysql, SQL command injection against the monitored MySQL instance may also be possible in addition to OS command injection.
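The first two detections above, sketched as a log scanner. This is an added example, not part of the original page or of Zabbix; the `Requested [...]` log line layout, the argument allowlist and the rule names are assumptions, and the check goes slightly beyond path-like values by flagging any mysql.size argument outside the allowlist.

```python
import re

# Assumed allowlist: database/table/type arguments are plain identifiers.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_]+$")
# Item key as it would appear in a logged agent request (layout is an assumption).
KEY = re.compile(r"mysql\.size\[([^\]]*)\]")
# Error text quoted on the page; emitted when /bin/sh is not bash.
DASH_ERROR = "[[: not found"

# Constructed sample input (not from the original page).
SAMPLE_LOG = """\
 1201:20160503:101500.100 Requested [mysql.size[all,all,both]]
 1201:20160503:101501.200 Requested [mysql.size[zabbix,history,data]]
 1201:20160503:101502.300 Requested [mysql.size[/tmp/example,all,both]]
sh: 1: [[: not found
 1201:20160503:101503.400 Requested [system.uptime]
"""

def scan(text):
    """Return (line number, rule name, detail) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if DASH_ERROR in line:
            findings.append((lineno, "non-bash-sh-error", line.strip()))
        match = KEY.search(line)
        if not match:
            continue
        args = [a.strip() for a in match.group(1).split(",")]
        # Empty arguments are skipped; anything else must match the allowlist.
        bad = [a for a in args if a and not SAFE_ARG.match(a)]
        if "/" in args[0]:
            findings.append((lineno, "path-like-first-arg", args[0]))
        elif bad:
            findings.append((lineno, "unsafe-argument", bad[0]))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests that pass the allowlist (`all,all,both`, `zabbix,history,data`) produce no finding, so the scanner can run continuously over agent logs on hosts that still carry the unpatched userparameter_mysql.conf.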
CVSS provenance
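| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 8.1 | HIGH | — |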
Ubuntu
Zabbix vulnerabilities
vendor_ubuntu·2022-06-15·CVSS 9.8
CVE-2016-10742 [CRITICAL] Zabbix vulnerabilities
Title: Zabbix vulnerabilities
Summary: Several security issues were fixed in Zabbix.
Fu Chuang discovered that Zabbix did not properly parse IPs. A remote
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 ESM.
(CVE-2020-11800)
It was discovered that Zabbix incorrectly handled certain requests. A
remote attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
(CVE-2017-2824, CVE-2017-2825)
It was discovered that Zabbix incorrectly handled certain XML files. A
remote attacker could possibly use this issue to read arbitrary files or
potentially execute arbitrary code. This issue only affected
Ubuntu 14.04 ESM. (CVE-2014-3005)
Debian
CVE-2016-4338: zabbix - The mysql user parameter configuration script (userparameter_mysql.conf) in the ...
vendor_debian·2016·CVSS 8.1
CVE-2016-4338 [HIGH] CVE-2016-4338: zabbix - The mysql user parameter configuration script (userparameter_mysql.conf) in the ...
The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter.
Scope: local
bookworm: resolved (fixed in 1:3.0.3+dfsg-1)
bullseye: resolved (fixed in 1:3.0.3+dfsg-1)
forky: resolved (fixed in 1:3.0.3+dfsg-1)
sid: resolved (fixed in 1:3.0.3+dfsg-1)
trixie: resolved (fixed in 1:3.0.3+dfsg-1)
OSV
zabbix vulnerabilities
osv·2022-06-15·CVSS 9.8
CVE-2020-11800 [CRITICAL] zabbix vulnerabilities
zabbix vulnerabilities
Fu Chuang discovered that Zabbix did not properly parse IPs. A remote
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 ESM.
(CVE-2020-11800)
It was discovered that Zabbix incorrectly handled certain requests. A
remote attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
(CVE-2017-2824, CVE-2017-2825)
It was discovered that Zabbix incorrectly handled certain XML files. A
remote attacker could possibly use this issue to read arbitrary files or
potentially execute arbitrary code. This issue only affected
Ubuntu 14.04 ESM. (CVE-2014-3005)
It was discovered that Zabbix incorrectly handled certain inp
GHSA
GHSA-399r-wgcm-v67f: The mysql user parameter configuration script (userparameter_mysql
ghsa_unreviewed·2022-05-14
CVE-2016-4338 [HIGH] CWE-89 GHSA-399r-wgcm-v67f: The mysql user parameter configuration script (userparameter_mysql
The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter.
OSV
CVE-2016-4338: The mysql user parameter configuration script (userparameter_mysql
osv·2017-01-23·CVSS 8.1
CVE-2016-4338 [HIGH] CVE-2016-4338: The mysql user parameter configuration script (userparameter_mysql
The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter.
No detection rules found.
- http://packetstormsecurity.com/files/136898/Zabbix-Agent-3.0.1-mysql.size-Shell-Command-Injection.html
- http://seclists.org/fulldisclosure/2016/May/9
- http://www.securityfocus.com/archive/1/538258/100/0/threaded
- http://www.securityfocus.com/bid/89631
- https://security.gentoo.org/glsa/201612-42
- https://support.zabbix.com/browse/ZBX-10741
- https://www.exploit-db.com/exploits/39769/
- https://www.zabbix.com/documentation/2.0/manual/introduction/whatsnew2018#miscellaneous_improvements
- https://www.zabbix.com/documentation/2.2/manual/introduction/whatsnew2213#miscellaneous_improvements
- https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew303#miscellaneous_improvements
Published: 2017-01-23