Zabbix recently published an advisory for two security vulnerabilities that affect multiple versions. The identifiers are as follows:
The high-severity vulnerability CVE-2023-32725 carries a CVSS score of 9.6. It lies in the dashboard: when a user creates a scheduled report from a dashboard that contains a URL widget, the zbx_session cookie is leaked. Specifically, while a scheduled report is being configured or generated, the website configured in the URL widget receives the session cookie. An attacker can use that cookie to impersonate the Zabbix user who created the report and grant themselves that user's privileges in the Zabbix frontend.
Versions affected by CVE-2023-32725:
- 6.0.0 - 6.0.21
- 6.4.0 - 6.4.6
- 7.0.0alpha1 - 7.0.0alpha3
The medium-severity vulnerability CVE-2023-32727 is a code-execution flaw in icmpping(), with a CVSS score of 6.8. An attacker who has permission to configure Zabbix items can use the icmpping() function, with a malicious command embedded in it, to execute arbitrary code on the current Zabbix server.
Versions affected by CVE-2023-32727:
- 4.0.0 - 4.0.49
- 5.0.0 - 5.0.38
- 6.0.0 - 6.0.22
- 6.4.0 - 6.4.7
- 7.0.0alpha0 - 7.0.0alpha6
At the time of writing, Zabbix has not released a patch for either vulnerability, but both can be fixed by upgrading to a later version. The detailed fix procedure is described below, covering both a compile-and-upgrade method and a no-compile binary-replacement method.
This procedure applies to fixing the known vulnerabilities in the current version by upgrading the platform's Zabbix minor version:
High-severity: CVE-2023-32725
Medium-severity: CVE-2023-32727
Taking the medium-severity CVE-2023-32727 as an example, the affected and fixed versions are as follows:
If the platform currently runs 5.0.9, upgrade to minor version 5.0.39 or later;
If the platform currently runs 6.0.20, upgrade to minor version 6.0.23rc1 or later.
For the detailed vulnerability check and fix steps, see sections 2, 3 and 4.
In the procedures below, the compile-and-upgrade method uses a Zabbix 5.0.9 environment as its example, and the no-compile replacement method uses a Zabbix 6.0.20 environment.
# check the running server version
/itops/zabbix/sbin/zabbix_server -V
# output is as follows
zabbix_server (zabbix) 5.0.9
Revision 4d07aaafe2 22 February 2021, compilation time: Mar 18 2021 23:50:53
Copyright (C) 2021 zabbix SIA
License GPLv2+: GNU GPL version 2 or later
This is free software: you are free to change and redistribute it according to the license. There is NO WARRANTY, to the extent permitted by law.
This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/).
Compiled with OpenSSL 1.0.2k-fips  26 Jan 2017
Running with OpenSSL 1.0.2k-fips  26 Jan 2017
The output shows version 5.0.9, which is within the affected range.
Look up the original build directory: for the current 5.0.9 environment, search the whole filesystem for a directory named zabbix-5.0.9.
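The version check above can be automated across many hosts. The following is an added example, not part of the original article: it parses the first line of `zabbix_server -V` output and compares the version against the advisory's published ranges (including the alpha/rc pre-release tags, which sort below the matching final build). The sample output is constructed from the lines shown above.

```python
import re

# Affected ranges (inclusive) as listed in the advisory text above.
AFFECTED = {
    "CVE-2023-32725": [("6.0.0", "6.0.21"), ("6.4.0", "6.4.6"),
                       ("7.0.0alpha1", "7.0.0alpha3")],
    "CVE-2023-32727": [("4.0.0", "4.0.49"), ("5.0.0", "5.0.38"),
                       ("6.0.0", "6.0.22"), ("6.4.0", "6.4.7"),
                       ("7.0.0alpha0", "7.0.0alpha6")],
}
_PRE = {"alpha": 0, "beta": 1, "rc": 2}   # pre-release tags sort below a final build (rank 3)
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$")

# Constructed sample, copied from the `zabbix_server -V` output shown above.
SAMPLE_OUTPUT = """\
zabbix_server (Zabbix) 5.0.9
Revision 4d07aaafe2 22 February 2021, compilation time: Mar 18 2021 23:50:53
"""

def parse_version(text):
    """'6.0.23rc1' -> (6, 0, 23, 2, 1); '6.0.23' -> (6, 0, 23, 3, 0)."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError("unrecognised Zabbix version: %r" % text)
    major, minor, patch, tag, n = m.groups()
    return (int(major), int(minor), int(patch), _PRE[tag] if tag else 3, int(n or 0))

def version_from_output(output):
    """Extract the version from the first line of `zabbix_server -V` output."""
    m = re.search(r"^zabbix_server \(zabbix\) (\S+)", output, re.M | re.I)
    if not m:
        raise ValueError("no zabbix_server version line found")
    return m.group(1)

def affected_cves(version):
    """CVE ids whose published ranges contain `version`."""
    v = parse_version(version)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges))

def last_affected(version):
    """Highest affected build on the branch containing `version`; anything newer
    on that branch is clear of both CVEs. Returns None when not affected."""
    v = parse_version(version)
    tops = [hi for ranges in AFFECTED.values() for lo, hi in ranges
            if parse_version(lo) <= v <= parse_version(hi)]
    return max(tops, key=parse_version) if tops else None
```

For 5.0.9 the last affected build is 5.0.38 and for 6.0.20 it is 6.0.22, which matches the 5.0.39+ and 6.0.23rc1+ targets given above.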
find / -name zabbix-5.0.9
# output is as follows
/root/packages/LWSetup/packages/zabbix-5.0.9
# enter the directory and inspect config.log
cd /root/packages/LWSetup/packages/zabbix-5.0.9
grep '/configure' config.log
# output is as follows
#  $ ./configure --prefix=/itops/zabbix --enable-server --enable-agent --with-postgresql=/itops/postgresql/bin/pg_config --with-net-snmp --with-libcurl --with-libxml2 --with-unixodbc --with-openipmi --enable-ipv6 --enable-java --with-openssl --with-ssh2 --with-iconv --with-iconv-include --with-iconv-lib --with-libpcre --with-libpcre-include --with-libpcre-lib --with-libevent --with-libevent-include --with-zlib --with-zlib-include --with-zlib-lib --with-libpthread --with-libpthread-include --with-libpthread-lib --with-libevent-lib --with-ldap
# Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-linker-hash-style=gnu --enable-languages=c,c++,objc,obj-c++,java,fortran,ada,go,lto --enable-plugin --enable-initfini-array --disable-libgcj --with-isl=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/isl-install --with-cloog=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/cloog-install --enable-gnu-indirect-function --with-tune=generic --with-arch_32=x86-64 --build=x86_64-redhat-linux
The build parameters are therefore: ./configure --prefix=/itops/zabbix --enable-server --enable-agent --with-postgresql=/itops/postgresql/bin/pg_config --with-net-snmp --with-libcurl --with-libxml2 --with-unixodbc --with-openipmi --enable-ipv6 --enable-java --with-openssl --with-ssh2 --with-iconv --with-iconv-include --with-iconv-lib --with-libpcre --with-libpcre-include --with-libpcre-lib --with-libevent --with-libevent-include --with-zlib --with-zlib-include --with-zlib-lib --with-libpthread --with-libpthread-include --with-libpthread-lib --with-libevent-lib --with-ldap
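The grep above returns two lines: the autoconf record of Zabbix's own `$ ./configure` invocation, and a `Configured with: ../configure` line that is the compiler's build configuration (captured when configure runs gcc -v), which must not be reused. The following is an added example, not from the original article, that picks out the right line and turns it into an option map so the old and new builds can be compared; the config.log excerpt is constructed.

```python
import shlex

# Constructed config.log excerpt, modelled on the grep output shown above.
SAMPLE_CONFIG_LOG = """\
It was created by configure, which was
generated by GNU Autoconf 2.69.  Invocation command line was

  $ ./configure --prefix=/itops/zabbix --enable-server --enable-agent --with-postgresql=/itops/postgresql/bin/pg_config --with-net-snmp --with-openssl --with-ldap

configure:3012: checking for gcc
Configured with: ../configure --prefix=/usr --enable-languages=c,c++ --build=x86_64-redhat-linux
"""

def configure_args(config_log):
    """Return the argument list of the ./configure invocation recorded in config.log.
    Only autoconf's '$ ./configure ...' line counts; the compiler's
    'Configured with: ../configure ...' line is deliberately skipped."""
    for line in config_log.splitlines():
        s = line.strip()
        if s.startswith("$ ./configure") or s.startswith("$ ../configure"):
            return shlex.split(s[2:])[1:]      # drop the '$ ' and the program name
    raise ValueError("no ./configure invocation found in config.log")

def options(args):
    """Map each --option to its value (True when the flag carries no value)."""
    out = {}
    for a in args:
        key, _, val = a.partition("=")
        out[key] = val or True
    return out

def missing_options(old_args, new_args):
    """Options present in the old build but absent from the new one, so that a
    rebuild with a shorter command line is caught before 'make install'."""
    return sorted(set(options(old_args)) - set(options(new_args)))
```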
The advisory tells you which versions remove the risk; the source tarball for that version can be downloaded from the Zabbix website. The following uses Zabbix 5.0.40 as an example.
# keep a copy of the current 5.0.9 installation so it can be restored
cp -rp /itops/zabbix/ /itops/zabbix-5.0.9/
tar xf zabbix-5.0.40.tar.gz
cd zabbix-5.0.40
# configure with exactly the parameters recovered from config.log
./configure --prefix=/itops/zabbix --enable-server --enable-agent --with-postgresql=/itops/postgresql/bin/pg_config --with-net-snmp --with-libcurl --with-libxml2 --with-unixodbc --with-openipmi --enable-ipv6 --enable-java --with-openssl --with-ssh2 --with-iconv --with-iconv-include --with-iconv-lib --with-libpcre --with-libpcre-include --with-libpcre-lib --with-libevent --with-libevent-include --with-zlib --with-zlib-include --with-zlib-lib --with-libpthread --with-libpthread-include --with-libpthread-lib --with-libevent-lib --with-ldap
make install
# on success the build output ends as follows
make[2]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database/sqlite3'
make[2]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database'
make[3]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database'
make[3]: Nothing to be done for `install-exec-am'.
make[3]: Nothing to be done for `install-data-am'.
make[3]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database'
make[2]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database'
make[1]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database'
Making install in man
make[1]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/man'
make[2]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/man'
make[2]: Nothing to be done for `install-exec-am'.
 /usr/bin/mkdir -p '/itops/zabbix/share/man/man1'
 /usr/bin/install -c -m 644 'zabbix_get.man' '/itops/zabbix/share/man/man1/zabbix_get.1'
 /usr/bin/install -c -m 644 'zabbix_sender.man' '/itops/zabbix/share/man/man1/zabbix_sender.1'
 /usr/bin/mkdir -p '/itops/zabbix/share/man/man8'
 /usr/bin/install -c -m 644 'zabbix_agentd.man' '/itops/zabbix/share/man/man8/zabbix_agentd.8'
 /usr/bin/install -c -m 644 'zabbix_server.man' '/itops/zabbix/share/man/man8/zabbix_server.8'
make[2]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/man'
make[1]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/man'
Making install in misc
make[1]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/misc'
make[2]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/misc'
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/misc'
make[1]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/misc'
make[1]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40'
make[2]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40'
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40'
make[1]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40'
Troubleshooting: configure fails on a build parameter
Error: configure: error: Invalid Net-SNMP directory - unable to find net-snmp-config
Fix: yum install -y net-snmp-devel
# restart the server and agent so the new binaries are loaded
service zabbix_server restart
service zabbix_agentd restart
The vulnerabilities above do not affect the proxy, so it need not be upgraded; only the major version has to match, and a difference in minor version is harmless.
If an upgrade is nevertheless required, follow the server compile procedure; the steps are essentially the same.
# rollback: set the 5.0.40 installation aside and restore the 5.0.9 copy made earlier
mv /itops/zabbix/ /itops/zabbix-5.0.40
mv /itops/zabbix-5.0.9/ /itops/zabbix/
service zabbix_server restart
Use the no-compile tar.xz package published by the 尊龍時凱 community and replace the binaries by extracting it.
· Upload the new ready-to-use package to the server host
Download the program package and the lib package from the attachments:
- zabbix-server
- zabbix-lib
Note: this package only supports CentOS/RedHat 7.4-7.9.
· Back up the original server directory
cp -rp /itops/zabbix/ /itops/bakzbx-6.0.20
mv /usr/lib/itops/zabbix /usr/lib/itops/libzbx-6.0.20
· Extract the files
tar xf zabbix-6.0.25.tar.xz -C /tmp
tar xf zabbix-lib.tar.xz -C /usr/lib/itops
· Replace the original executables and dependency libraries
mv -f /tmp/zabbix/sbin/zabbix_server /itops/zabbix/sbin/zabbix_server
mv -f /tmp/zabbix/sbin/zabbix_agentd /itops/zabbix/sbin/zabbix_agentd
chmod +x /itops/zabbix/sbin/zabbix*
chown itops: /itops/zabbix/sbin/zabbix*
chown -R itops: /usr/lib/itops/zabbix
service zabbix_server restart
service zabbix_agentd restart
# rollback: stop the server, set the 6.0.25 files aside and restore the 6.0.20 backups
service zabbix_server stop
mv /itops/zabbix/ /itops/zabbix-6.0.25
mv /itops/bakzbx-6.0.20 /itops/zabbix/
mv /usr/lib/itops/zabbix /usr/lib/itops/libzbx-6.0.25
mv /usr/lib/itops/zabbix-6.0.20 /usr/lib/itops/zabbix
service zabbix_server start
This completes the vulnerability fix.
The fix procedure above is provided by the 尊龍時凱 community, one of the larger domestic platforms for professional operations-monitoring exchange, dedicated to giving operations staff a space for technical exchange and mutual help. For more Zabbix technical knowledge you are welcome to join the 尊龍時凱 community, and Zabbix deployment and development questions are also welcome there.