Zabbix recently published an advisory for two security vulnerabilities affecting multiple versions, CVE-2023-32725 and CVE-2023-32727.
The high-severity vulnerability CVE-2023-32725 carries a CVSS score of 9.6. It lies in the dashboard: when scheduled reports are used with a dashboard that contains a URL widget, the zbx_session cookie leaks. Specifically, when a scheduled report is configured (tested) or generated, the website configured in the URL widget receives the session cookie. Whoever controls that website can use the cookie to impersonate the Zabbix user who created the report and act in the Zabbix frontend with that user's privileges, including granting themselves further access.
Versions affected by CVE-2023-32725:
    6.0.0 – 6.0.21
    6.4.0 – 6.4.6
    7.0.0alpha1 – 7.0.0alpha3
The medium-severity vulnerability CVE-2023-32727 is a code-execution flaw in icmpping(), with a CVSS score of 6.8. An attacker who has permission to configure Zabbix items can use the icmpping() function with a malicious command embedded in it to execute arbitrary code on the Zabbix server.
Versions affected by CVE-2023-32727:
    4.0.0 – 4.0.49
    5.0.0 – 5.0.38
    6.0.0 – 6.0.22
    6.4.0 – 6.4.7
    7.0.0alpha0 – 7.0.0alpha6
Zabbix has not released a standalone patch for either vulnerability; the fix is to upgrade to a release that contains it. The rest of this post walks through the fix in detail, covering both a compile upgrade and a no-compile binary replacement.
This procedure applies to closing the known vulnerabilities in the current release by upgrading the platform's Zabbix minor version:
    high-severity CVE-2023-32725
    medium-severity CVE-2023-32727
Taking the medium-severity CVE-2023-32727 as the example, affected versions map to fixed versions as follows:
    if the platform runs 5.0.9, upgrade to minor version 5.0.39 or later;
    if the platform runs 6.0.20, upgrade to minor version 6.0.23rc1 or later.
For the concrete check and fix steps, see chapters 2, 3 and 4.
In the procedures below, the compile upgrade uses a Zabbix 5.0.9 environment as its example and the no-compile binary replacement uses Zabbix 6.0.20.
/itops/zabbix/sbin/zabbix_server -V
# Output:
zabbix_server (zabbix) 5.0.9
Revision 4d07aaafe2 22 February 2021, compilation time: Mar 18 2021 23:50:53
Copyright (C) 2021 zabbix SIA
License GPLv2+: GNU GPL version 2 or later
This is free software: you are free to change and redistribute it according to the license. There is NO WARRANTY, to the extent permitted by law.
This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/).
Compiled with OpenSSL 1.0.2k-fips  26 Jan 2017
Running with OpenSSL 1.0.2k-fips  26 Jan 2017
The first line of the output gives the running version, 5.0.9, which is inside the affected range (5.0.0 – 5.0.38 for CVE-2023-32727).
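The check above can be scripted. The block below is an added example and not part of the original post: it takes the first line of the zabbix_server -V banner (a constructed sample is embedded), compares the version numerically against the affected ranges quoted from the advisory, and reports per CVE. The 7.0.0alpha pre-releases are not modelled by the numeric compare, and a trailing rc tag is ignored so that 6.0.23rc1 counts as 6.0.23.

```shell
#!/bin/sh
# Added example, not from the original post: classify a running Zabbix
# server version against the affected ranges quoted in the advisory text.

# Affected ranges per CVE, "first-affected last-affected" per line, taken
# from the version lists above. Released branches only.
CVE_2023_32725_RANGES='6.0.0 6.0.21
6.4.0 6.4.6'
CVE_2023_32727_RANGES='4.0.0 4.0.49
5.0.0 5.0.38
6.0.0 6.0.22
6.4.0 6.4.7'

# Constructed sample of `zabbix_server -V` output; only line 1 matters.
SAMPLE_V_OUTPUT='zabbix_server (Zabbix) 5.0.9
Revision 4d07aaafe2 22 February 2021, compilation time: Mar 18 2021 23:50:53'

# First line, third field: "zabbix_server (Zabbix) 5.0.9" -> "5.0.9"
zbx_version_from_banner() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $3 }'
}

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B, comparing each dotted
# component as a number (so 6.0.22 > 6.0.9, unlike a string compare). A
# trailing pre-release tag is dropped: 6.0.23rc1 compares equal to 6.0.23.
vercmp() {
    a=${1%%[!0-9.]*}; b=${2%%[!0-9.]*}
    set -- $(printf '%s\n' "$a" | tr '.' ' ')
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $(printf '%s\n' "$b" | tr '.' ' ')
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then printf '%s\n' -1; return 0; fi
        if [ "$1" -gt "$2" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# is_affected VERSION "RANGES": status 0 if VERSION lies inside any
# "lo hi" line of RANGES, 1 otherwise. The loop runs in the pipeline's
# subshell, so `exit` there ends only that subshell.
is_affected() {
    printf '%s\n' "$2" | {
        while read -r lo hi; do
            if [ -n "$lo" ] &&
               [ "$(vercmp "$1" "$lo")" -ge 0 ] &&
               [ "$(vercmp "$1" "$hi")" -le 0 ]; then
                exit 0
            fi
        done
        exit 1
    }
}

# zbx_report BANNER: one line per CVE, e.g. "CVE-2023-32727 5.0.9 affected"
zbx_report() {
    v=$(zbx_version_from_banner "$1")
    for cve in CVE-2023-32725 CVE-2023-32727; do
        case $cve in
            CVE-2023-32725) ranges=$CVE_2023_32725_RANGES ;;
            *)              ranges=$CVE_2023_32727_RANGES ;;
        esac
        if is_affected "$v" "$ranges"; then
            printf '%s %s affected\n' "$cve" "$v"
        else
            printf '%s %s not affected\n' "$cve" "$v"
        fi
    done
}

zbx_report "$SAMPLE_V_OUTPUT"
# On a live host: zbx_report "$(/itops/zabbix/sbin/zabbix_server -V)"
```

For the 5.0.9 sample the report marks only CVE-2023-32727 as affected, since scheduled reports (CVE-2023-32725) do not exist in the 5.0 branch; a 6.0.20 banner would be flagged for both.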
Locate the previous build tree. With the current 5.0.9 environment as the example, search the whole filesystem for a directory named zabbix-5.0.9:
find / -name zabbix-5.0.9
# Output:
/root/packages/LWSetup/packages/zabbix-5.0.9
# Enter the directory and look at config.log
cd /root/packages/LWSetup/packages/zabbix-5.0.9
grep '/configure' config.log
# Output: two lines match. The first, beginning with "$ ./configure", is the Zabbix build's own invocation.
# The second, beginning with "Configured with:", is gcc's build configuration as recorded by config.log and is not relevant here.
#   $ ./configure --prefix=/itops/zabbix --enable-server --enable-agent --with-postgresql=/itops/postgresql/bin/pg_config --with-net-snmp --with-libcurl --with-libxml2 --with-unixodbc --with-openipmi --enable-ipv6 --enable-java --with-openssl --with-ssh2 --with-iconv --with-iconv-include --with-iconv-lib --with-libpcre --with-libpcre-include --with-libpcre-lib --with-libevent --with-libevent-include --with-zlib --with-zlib-include --with-zlib-lib --with-libpthread --with-libpthread-include --with-libpthread-lib --with-libevent-lib --with-ldap
# Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-linker-hash-style=gnu --enable-languages=c,c++,objc,obj-c++,java,fortran,ada,go,lto --enable-plugin --enable-initfini-array --disable-libgcj --with-isl=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/isl-install --with-cloog=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/cloog-install --enable-gnu-indirect-function --with-tune=generic --with-arch_32=x86-64 --build=x86_64-redhat-linux
The configure options used for the current build are therefore: ./configure --prefix=/itops/zabbix --enable-server --enable-agent --with-postgresql=/itops/postgresql/bin/pg_config --with-net-snmp --with-libcurl --with-libxml2 --with-unixodbc --with-openipmi --enable-ipv6 --enable-java --with-openssl --with-ssh2 --with-iconv --with-iconv-include --with-iconv-lib --with-libpcre --with-libpcre-include --with-libpcre-lib --with-libevent --with-libevent-include --with-zlib --with-zlib-include --with-zlib-lib --with-libpthread --with-libpthread-include --with-libpthread-lib --with-libevent-lib --with-ldap
The advisory states which versions close the vulnerability; download the source tarball for one of them from the Zabbix website. The steps below use Zabbix 5.0.40 as the example:
# Back up the current install before it is overwritten
cp -rp /itops/zabbix/ /itops/zabbix-5.0.9/
tar xf zabbix-5.0.40.tar.gz
cd zabbix-5.0.40
# Re-run configure with exactly the options recovered from config.log, so the new build has the same features and paths
./configure --prefix=/itops/zabbix --enable-server --enable-agent --with-postgresql=/itops/postgresql/bin/pg_config --with-net-snmp --with-libcurl --with-libxml2 --with-unixodbc --with-openipmi --enable-ipv6 --enable-java --with-openssl --with-ssh2 --with-iconv --with-iconv-include --with-iconv-lib --with-libpcre --with-libpcre-include --with-libpcre-lib --with-libevent --with-libevent-include --with-zlib --with-zlib-include --with-zlib-lib --with-libpthread --with-libpthread-include --with-libpthread-lib --with-libevent-lib --with-ldap
make install
# A successful build and install ends with output like the following
make[2]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database/sqlite3'
make[2]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database'
make[3]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database'
make[3]: Nothing to be done for `install-exec-am'.
make[3]: Nothing to be done for `install-data-am'.
make[3]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database'
make[2]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database'
make[1]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/database'
Making install in man
make[1]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/man'
make[2]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/man'
make[2]: Nothing to be done for `install-exec-am'.
 /usr/bin/mkdir -p '/itops/zabbix/share/man/man1'
 /usr/bin/install -c -m 644 'zabbix_get.man' '/itops/zabbix/share/man/man1/zabbix_get.1'
 /usr/bin/install -c -m 644 'zabbix_sender.man' '/itops/zabbix/share/man/man1/zabbix_sender.1'
 /usr/bin/mkdir -p '/itops/zabbix/share/man/man8'
 /usr/bin/install -c -m 644 'zabbix_agentd.man' '/itops/zabbix/share/man/man8/zabbix_agentd.8'
 /usr/bin/install -c -m 644 'zabbix_server.man' '/itops/zabbix/share/man/man8/zabbix_server.8'
make[2]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/man'
make[1]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/man'
Making install in misc
make[1]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/misc'
make[2]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40/misc'
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/misc'
make[1]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40/misc'
make[1]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40'
make[2]: Entering directory `/root/packages/LWSetup/packages/zabbix-5.0.40'
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40'
make[1]: Leaving directory `/root/packages/LWSetup/packages/zabbix-5.0.40'
If configure fails on one of the options:
Error: configure: error: Invalid Net-SNMP directory - unable to find net-snmp-config
Fix: yum install -y net-snmp-devel, then re-run ./configure
service zabbix_server restart
service zabbix_agentd restart
The two vulnerabilities above do not involve the proxy, so proxies need not be upgraded: only the major version has to match the server, a different minor version is fine.
If a proxy upgrade is wanted anyway, follow the server compile procedure; the steps are essentially the same.
To roll back, park the new build, restore the backup and restart:
mv /itops/zabbix/ /itops/zabbix-5.0.40
mv /itops/zabbix-5.0.9/ /itops/zabbix/
service zabbix_server restart
service zabbix_agentd restart
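The compile upgrade, rollback included, as an added example that is not from the original post. configure_args extracts the recorded ./configure options from config.log (a constructed excerpt is embedded, including the gcc "Configured with:" line that grep also matches, which must not be picked). rebuild and rollback wrap the backup, tar, configure, make install, directory swap and service restart steps of this post with the checks a practitioner would add; they assume the paths used in this post, need root and the tarball, and are therefore not run here, only configure_args is exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: drive the compile upgrade
# above from a script. configure_args runs offline; rebuild and rollback
# need root, the source tarball and the real install paths.

# Constructed excerpt of a config.log. `grep '/configure'` on the real file
# matches two lines: the Zabbix invocation ("  $ ./configure ...") and gcc's
# own "Configured with: ../configure ..." banner. Only the first is wanted.
SAMPLE_CONFIG_LOG='This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

  $ ./configure --prefix=/itops/zabbix --enable-server --enable-agent --with-postgresql=/itops/postgresql/bin/pg_config --with-net-snmp --with-libcurl --with-ldap

## Platform. ##
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --enable-languages=c,c++'

# configure_args LOGTEXT: print the options of the recorded ./configure run
# (empty output if the log holds no such line).
configure_args() {
    printf '%s\n' "$1" | sed -n 's/^ *\$ \.\/configure //p' | head -n 1
}

# rebuild OLD_BUILD_DIR TARBALL PREFIX BACKUP_DIR
#   e.g. rebuild /root/packages/LWSetup/packages/zabbix-5.0.9 \
#                zabbix-5.0.40.tar.gz /itops/zabbix /itops/zabbix-5.0.9
rebuild() {
    old_dir=$1; tarball=$2; prefix=$3; backup=$4
    args=$(configure_args "$(cat "$old_dir/config.log")")
    if [ -z "$args" ]; then
        echo "no '\$ ./configure' line in $old_dir/config.log" >&2
        return 1
    fi
    if [ -e "$backup" ]; then
        echo "$backup already exists, refusing to overwrite the backup" >&2
        return 1
    fi
    cp -rp "$prefix" "$backup" || return 1
    src_dir=$(basename "$tarball" .tar.gz)
    # $args is deliberately unquoted: it is a list of options to word-split.
    ( tar xf "$tarball" && cd "$src_dir" && ./configure $args && make install ) || return 1
    service zabbix_server restart && service zabbix_agentd restart || return 1
    # Confirm the installed daemon now reports the new version.
    "$prefix/sbin/zabbix_server" -V | head -n 1
}

# rollback PREFIX BACKUP_DIR PARKED_DIR: put the backup back, park the new
# build under PARKED_DIR (e.g. /itops/zabbix-5.0.40) and restart.
rollback() {
    prefix=$1; backup=$2; parked=$3
    mv "$prefix" "$parked" && mv "$backup" "$prefix" || return 1
    service zabbix_server restart && service zabbix_agentd restart
}

# Offline demonstration on the constructed log:
configure_args "$SAMPLE_CONFIG_LOG"
```

The sed pattern anchors on the leading "$ ./configure" that config.log writes for its own invocation, so gcc's "Configured with:" banner and any later "configure" mentions are ignored; the option string is then word-split on purpose when handed back to ./configure.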
Replace the binaries using the ready-to-run (no compile) tar.xz packages published by the 尊龍時(shí)凱 community
· Upload the new ready-to-run packages to the server host
Download the program package and the lib package from the attachments:
    zabbix-server
    zabbix-lib
Note: these packages support CentOS/RedHat 7.4–7.9 only.
· Back up the original server directory and its library directory
cp -rp /itops/zabbix/ /itops/bakzbx-6.0.20
mv /usr/lib/itops/zabbix /usr/lib/itops/libzbx-6.0.20
· Unpack the files
tar xf zabbix-6.0.25.tar.xz -C /tmp
tar xf zabbix-lib.tar.xz -C /usr/lib/itops
· Replace the original executables and their dependency libraries, then restart
mv -f /tmp/zabbix/sbin/zabbix_server /itops/zabbix/sbin/zabbix_server
mv -f /tmp/zabbix/sbin/zabbix_agentd /itops/zabbix/sbin/zabbix_agentd
chmod +x /itops/zabbix/sbin/zabbix*
chown itops: /itops/zabbix/sbin/zabbix*
chown -R itops: /usr/lib/itops/zabbix
service zabbix_server restart
service zabbix_agentd restart
· Rollback (if the new binaries misbehave): restore the backed-up directories and restart
service zabbix_server stop
mv /itops/zabbix/ /itops/zabbix-6.0.25
mv /itops/bakzbx-6.0.20 /itops/zabbix/
mv /usr/lib/itops/zabbix /usr/lib/itops/libzbx-6.0.25
# the library backup was created above as /usr/lib/itops/libzbx-6.0.20
mv /usr/lib/itops/libzbx-6.0.20 /usr/lib/itops/zabbix
service zabbix_server start
service zabbix_agentd restart
Before calling the fix complete, verify it: /itops/zabbix/sbin/zabbix_server -V must now report a version outside the affected ranges (5.0.40 and 6.0.25 in the examples above) and the server log must show a clean start. Note that both procedures replace only the zabbix_server and zabbix_agentd binaries. That is sufficient for CVE-2023-32727, which is in the server. CVE-2023-32725 is in the frontend's scheduled-report and URL-widget handling, so on a 6.0 or 6.4 platform the web frontend, and the zabbix_web_service that renders scheduled reports, must also be brought to the fixed release; otherwise that vulnerability stays open.
The fix procedure above was provided by the 尊龍時(shí)凱 community, one of the larger professional O&M monitoring communities in China, which offers operations staff a space to exchange and help with monitoring techniques. For more Zabbix know-how you are welcome to join the 尊龍時(shí)凱 community, and Zabbix deployment or development questions can be posted there as well.