
Zabbix Network and Application Monitoring System

Product
Developers: Zabbix SIA (Zabbix)
Date of the premiere of the system: 2001
Last Release Date: 2022/02/15
Technology: Network Health Monitoring - Network Monitoring or Health-Performance Management IT Infrastructure, Network Application Performance Management Systems

2024: A critical vulnerability has been found in Zabbix. It is recommended to update

In early December, FSTEC warned of the discovery of a vulnerability in the Zabbix industrial monitoring tool that allows a SQL injection attack. Vulnerability BDU:2024-10543[1] has a CVSSv3 severity score of 9.9 out of 10. The bug has been fixed by the manufacturer, so the main recommendation is to update Zabbix to one of the latest versions - 7.0.1rc1, 6.0.32rc1 or 6.4.17rc1.

The vulnerability was found in the addRelatedObjects function, which is part of the Zabbix open-source monitoring tool. It allows an attacker with minimal privileges to inject their own SQL query into the database, which can lead to escalation of the attacker's privileges in the DBMS. The vulnerability appeared in version 6.0, so earlier versions are not affected. Signs of exploitation of this vulnerability have not yet been identified, but many methods for effectively exploiting SQL injections have been developed.

"Zabbix is extremely popular in many Russian companies, from the largest to the smallest. It is one of the leading monitoring tools," Philippe Scherbanich, an independent IT expert and backend developer, told TAdviser. "According to a 2023 study by Flant, 52.5% of respondents used Zabbix to collect metrics, which exceeded that of other systems such as Prometheus. Another indicator of the popularity of this system may be that in 2019 Zabbix opened a representative office in Russia. But in March 2022, it suspended commercial activities in our country."

Nevertheless, Zabbix, as an open source tool, is actively used in Russian enterprises from various industries.

"Zabbix is one of the most popular monitoring tools in Russia and beyond," said Dmitry Malashikhin, R-Vision vulnerability detection analyst. "Its popularity is due to the free distribution model and wide functionality. Many IT companies and organizations in various fields actively use Zabbix to control and manage their systems. According to the latest Censys data, more than 1,700 open Zabbix servers were discovered in the Russian segment of the Internet, which indicates the widespread use of this monitoring system in the country."

However, not all Zabbix servers are vulnerable to the detected error.

"At the moment, among more than 16 thousand SKIPAs of Zabbix tracked by SayberOK, about 30% are vulnerable to BDU:2024-10543," Sergey Gordeychik, CEO of SayberOK, shared with TAdviser. "This is a serious indicator, especially considering that privileged accounts can often be found on the system, and fixes were released back in July. However, it is important to note that this vulnerability requires an unprivileged account to exploit, which to some extent reduces the risk. However, for multi-tenant installations, for example on hosting, the problem remains extremely relevant and requires a careful approach."

Sergey Gordeychik stressed that more than 40% of all Zabbix systems in Runet run software versions lower than 6.0.0. This means that they use legacy, unsupported, or developer-limited software versions. At the same time, versions below 6.0.0 are not affected by the BDU:2024-10543 vulnerability.

"The Zabbix system is very popular among Russian companies due to its functionality and flexibility," said Dmitry Zubarev, deputy director of the UTSB analytical center. "We often encounter it during penetration tests and audits of corporate networks of companies from various industries: from IT to the extractive industry. This means that the mentioned vulnerability can be relevant for a large number of companies, regardless of their scope."

Monitoring with Zabbix is common in both industry and IT

At the same time, the criticality of the vulnerability is quite high, that is, it can be dangerous for a wide range of Zabbix users. The vulnerability can be exploited with almost any access rights to the Zabbix system, Ruslan Suleimanov, director of digital transformation at Innostage, warned TAdviser readers.

"The vulnerability affects versions of Zabbix 6.0.0-6.0.31, 6.4.0-6.4.16 and 7.0.0. It is critical and allows any Zabbix user to execute arbitrary SQL queries. The main vector of use is privilege escalation in the Zabbix system."
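
The version ranges and fixed builds quoted above can be turned into an inventory triage check. The script below is an added example, not code from Zabbix or TAdviser; the status labels, function names and sample hostnames are hypothetical, and it assumes version strings of the form X.Y.Z with an optional alpha/beta/rc suffix.

```python
import re
from collections import defaultdict

# Affected ranges as quoted on this page (inclusive patch levels), keyed by branch.
AFFECTED = {(6, 0): (0, 31), (6, 4): (0, 16), (7, 0): (0, 0)}
# First fixed builds named on this page for each branch.
FIXED_IN = {(6, 0): "6.0.32rc1", (6, 4): "6.4.17rc1", (7, 0): "7.0.1rc1"}
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)((?:alpha|beta|rc)\d+)?$", re.I)


def triage(version_text):
    """Return (status, upgrade_target) for one Zabbix version string."""
    match = _VERSION_RE.match(version_text.strip())
    if not match:
        return ("unparsed", None)
    major, minor, patch = (int(g) for g in match.group(1, 2, 3))
    prerelease = match.group(4) is not None
    if (major, minor) < (6, 0):
        # The page states that releases before 6.0 do not contain the flaw.
        return ("not-affected-pre-6.0", None)
    branch = (major, minor)
    if branch not in AFFECTED:
        # Branch is not mentioned on the page: do not guess either way.
        return ("not-listed", None)
    low, high = AFFECTED[branch]
    if patch > high:
        return ("fixed", None)
    if prerelease and patch == low:
        # alpha/beta/rc builds of x.y.0 predate the listed range: check by hand.
        return ("review", FIXED_IN[branch])
    return ("affected", FIXED_IN[branch])


def triage_inventory(inventory):
    """Group hosts by status; inventory is an iterable of (host, version)."""
    report = defaultdict(list)
    for host, version in inventory:
        status, target = triage(version)
        report[status].append((host, version, target))
    return dict(report)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("mon-01.example.internal", "6.0.31"),
    ("mon-02.example.internal", "6.0.32rc1"),
    ("mon-03.example.internal", "6.4.16"),
    ("mon-04.example.internal", "7.0.0"),
    ("mon-05.example.internal", "7.0.1rc1"),
    ("mon-06.example.internal", "5.4.12"),
    ("mon-07.example.internal", "6.2.9"),
    ("mon-08.example.internal", "7.0.0beta2"),
    ("mon-09.example.internal", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE).items()):
        for host, version, target in hosts:
            print(f"{status:22} {host:26} {version:11} -> {target or '-'}")
```

Hosts reported as not-affected-pre-6.0 still fall into the legacy, unsupported group described earlier, so they belong on the upgrade list for a different reason.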

Moreover, the more the monitoring system built on Zabbix is integrated into the information system, the more dangerous this configuration turns out to be for users.

"The vulnerability is critical because it allows an unauthenticated attacker to gain access to data from Zabbix databases containing, among other things, system administrator accounts," explained Dmitry Orlov, head of security analysis at Simplicity. "Even the most inexperienced hacker can exploit it. The vulnerability will pose a real danger if Zabbix is integrated into the infrastructure, is not isolated from the domain and uses domain accounts. If Zabbix is isolated from the internal network, then an attacker can get information that will be useful to him for a further attack on the company."

Exploiting the newly identified vulnerability can also allow an attacker to take over an administrator account, after which, by exploiting another Zabbix vulnerability (CVE-2024-22116), they can gain remote access to the server on which Zabbix is running, Dmitry Orlov added.

However, mass exploitation of this vulnerability is in most cases hampered by the fact that the security monitoring system is usually installed behind the perimeter, inside the corporate network, so an attacker still has to reach it.

"The level of criticality of the disclosed vulnerability is very close to the maximum, but mass exploitation is hampered by the fact that, firstly, the attacker needs an account in Zabbix at least with minimal rights, and, secondly, needs network access to the Zabbix server, which in companies that have become more or less concerned about information security is impossible directly from the Internet," said Ilya Polyakov, head of code analysis at Angara Security. "That is, in order to exploit this SQL injection, hackers will need to "break through" the perimeter of the organization and compromise the Zabbix account, which is all manual work."

Hiding the interface inside the perimeter of the corporate network is the main method of protection against such attacks. In addition, if the Zabbix software cannot be updated, FSTEC recommends the following compensating measures:

  • Restrict user access to the application programming interface (API) of the vulnerable software;
  • Use firewall tools to limit the ability to remotely access vulnerable software;
  • Disable or completely delete unused user accounts of vulnerable software;
  • Minimize user privileges.

However, Dmitry Kuzevanov, CISO, director of the UserGate monitoring and response center, suggests using NGFW instead of the classic firewall:

"Protection against any vulnerabilities, regardless of their criticality, is universal: timely software updates and the use of a reliable modern firewall system - NGFW - with an intrusion detection system. It allows you to block malicious activity at the network level. At the same time, do not forget that security solutions also require regular updates to stay relevant."

However, SQL injections are a kind of attack that even an NGFW cannot always recognize, since the attack works by subverting application logic. It is the application developers who must either build in protection or fix vulnerabilities in a timely manner.

"SQL injections are one of the most common threats to web applications, especially those that interact with databases," Dmitry Khomutov, director of Ideco, explained to TAdviser. "To protect the system from such attacks, use parameterized queries instead of concatenating strings when generating SQL queries. This helps to avoid malicious code injection. Regular application security audits are required to identify and resolve vulnerabilities in a timely manner. In addition, it is worth using the Web Application Firewall (WAF), a security system that analyzes web traffic and blocks suspicious queries such as SQL commands or other non-standard patterns. Unlike a traditional firewall, WAF works at the application level, providing protection against many threats."

However, if the developer of the web application is the company itself, then the mechanisms for protecting against SQL injection should be expanded:

"If the company itself is a software developer or uses "self-written" software in its work, then an integral part of the development will be an audit of the created (updated) software modules on the test bench before their introduction into the main publication," warns Konstantin Gorbunov, an expert on network threats at Security Code. "It should include both testing components (functional, unit and automated) and information security checks - scanning open nodes, searching for various vulnerabilities both on the client (the possibility of reflected queries (XSS), cross-site request forgery (CSRF) or privilege escalation using modification of JavaScript code), and on the server (SQL injection, unauthorized access checks, CSV injection, validation of incoming parameters and others)."

2022

Zabbix 6.0 LTS

On February 15, 2022, Zabbix announced the release of the next version of Zabbix 6.0 LTS.

According to the company, service monitoring has undergone significant changes. Zabbix 6.0 LTS aims to provide additional business value through the use of updated Business Service Monitoring (BSM) features. Business Service Monitoring combines performance with optimized UI/UX, providing end users with the tools they need to monitor the resource service model, perform automated source data analysis, control SLA levels, etc.

A ready-made high-availability solution allows Zabbix users to deploy a highly available Zabbix server cluster without using external tools. Users can now deploy one or more backup nodes and avoid failures during unplanned outages, server upgrades, or other maintenance tasks.

Thanks to Zabbix machine learning, anomaly detection is easier than before. The goal was to provide a set of features that let users avoid statically defining problem thresholds and rely instead on Zabbix machine learning.

As containers and container orchestration systems become increasingly popular, it is important to provide an appropriate solution for monitoring these environments. With support for monitoring Kubernetes nodes and internal components, Zabbix users now have the ability to control their Kubernetes installations on several levels.

Zabbix 6.0 LTS comes complete with many templates for various vendors such as Dell, Cisco, F5, Cloudflare and others. In addition to optimized data collection, the updated version also provides other ways to visualize it. ITOps teams will appreciate the ability to create geographic maps and gain a more complete understanding of the state of the company's infrastructure. The release also allows you to study the collected data in more detail using an additional set of widgets: an overview of the upper and lower value data, visualization of the SLA state, and more.

Simultaneously with the release of the updated version, Zabbix offers an updated set of training courses developed for Zabbix 6.0 LTS. Training courses cover all Zabbix 6.0 LTS capabilities - from learning the GUI to deploying complex distributed environments and learning how Zabbix internal processes work.

In addition to the updated features, Zabbix 6.0 LTS also includes many UI/UX changes and performance optimization, as well as a set of monitoring and integration templates for various vendors such as pfSense, F5, Mikrotik, Dell, HPE and others. Zabbix 6.0 LTS also includes changes introduced in previous non-LTS releases - Zabbix 5.2 and Zabbix 5.4.

VMmanager Virtualization Platform Compatibility

On February 7, 2022, the company announced that the technological compatibility of the Zabbix system for monitoring network services, servers and equipment with the VMmanager virtualization platform had been confirmed. Users can now monitor their entire infrastructure, both physical and virtual, with a single, one-stop solution.

Zabbix is a tool for remote monitoring of hardware and software resources. The system allows you to solve tasks to track network activity and server health, as well as warn about potentially dangerous situations. Thanks to built-in analysis and forecasting mechanisms, Zabbix regulates the efficient use of IT infrastructure in various companies.

VMmanager 6 is a platform for building and managing cloud virtual infrastructure on-premise. It allows you to deploy infrastructure using both KVM hardware virtualization and LXD/LXC container virtualization. VMmanager 6 provides the end user with the ability to manage virtual networks independently of the physical network (based on SDN VXLAN/EVPN), as well as build overlay networks and an IP fabric without using specialized equipment. The solution monitors the state of resources and has built-in integration with the Grafana metric visualization tool and the Zabbix monitoring system. These integrations simplify product implementation and reduce maintenance effort.

"We aim to give our users enough value in a product that improves the quality and reliability of infrastructure, reduces implementation costs and service resources. Zabbix is a generally recognized technological monitoring tool, for this reason we have implemented integration with this software," says Alexander Grishin, owner of the VMmanager product.

2021: Astra Linux Compatibility

On December 24, 2021, Astra Linux GC, a developer of secure operating systems and virtualization tools, announced the conclusion of a technology partnership agreement with Zabbix, the manufacturer of the eponymous comprehensive software solution for monitoring the full technology stack in IT infrastructures of any scale.

According to the document, the vendors' plans include comprehensive verification and compatibility of Zabbix software with Astra Linux OS, official product certification within the framework of the Ready for Astra Linux IT manufacturers' cooperation program, as well as joint work in the areas of formation, promotion, implementation and support of domestic high-tech solutions for automated secure systems based on Zabbix and Astra Linux products. The full range of engagement areas will be defined during planned technical and business meetings.

"We strive to make the use of the Zabbix monitoring system as convenient as possible for our users and customers. This means not only the presence of an interface, documentation and offered services in Russian, but also full compatibility with domestic software. Partnership with Astra Linux GC will allow our team to guarantee such compatibility of the Zabbix solution with Astra Linux OS in the long term, and this, in turn, will enable customers to actively use domestic software products," said Sergey Sorokin, Director of Zabbix LLC.

"Our common goal is to fill the IT market not just with a large set of diverse software and hardware, but to make all components work correctly within a single infrastructure. Only in this case will import substitution be really useful and effective. Together with Zabbix specialists, we will carry out all the necessary tests and, if necessary, initiate product improvements that will ensure correct work, convenience and 100% reliability of complex solutions," said Anton Rudevsky, Head of the Astra Linux GC Partner Department.

2015: Zabbix 3.0

The Zabbix 3.0 release, scheduled for autumn 2015, is planned to implement the concept of "priority on the side of the interface": a more convenient and modern minimalist interface for wide screens, users' own pages, and the first versions of widgets and dashboards. In addition, there will be built-in support for "strong" encryption and authentication (TLS, PSK, OpenSSL, GnuTLS, PolarSSL), and a new type of macro will be introduced - contextual. Among the announced improvements are also flexible checks (can be used as a checklist for the readiness of business systems for operation), authentication for SMTP, XML versionality, improved log file monitoring, advanced ODBC support, and baseline monitoring (anomaly detection and working with trends).

The main areas of improvement:

  • web-interface (navigation oriented to monitoring objects, information connectivity, speed of operation on large installations);
  • API (moving the API to the server side, accelerating the API at least 10 times, redesigning the error notification mechanism);
  • visualization (the system has an excellent back-end, and front-end must be brought to the same level);
  • reporting (improved data visualization, flexible analytics settings, faster system response when generating real-time reporting on any amount of data);
  • architecture development (horizontal scalability at the storage level, built-in availability and fault tolerance, "new" distributed monitoring, separation of the operating part of the system from historical data).

2014

As of 2014, the leading product of Zabbix SIA is the Zabbix network and application monitoring system - one of the most popular open-source monitoring programs. Zabbix is used by a large number of companies that have chosen it for ease of use, high fault tolerance, scalability and reliability in operation at extremely low costs for its use.

The first release of Zabbix took place in 2001. Zabbix SIA was founded in 2005 to provide professional technical services. The main office is located in Riga (Latvia), and the branch is located in Tokyo (Japan). The director of Zabbix SIA is its owner and the creator of the monitoring program, Alexey Vladyshev.

Zabbix SIA's client list includes companies of various sizes from various industries, including the largest telecommunications, financial, educational, trade, medical and government agencies from around the world, some of which are included in the Fortune 500 list.

The company has more than 65 partners around the world, including industry leaders in their countries.

Zabbix is intended for companies of all sizes and areas of business and is designed to monitor devices, networks, operating systems, virtual machines, cross-platform software and business applications. The key competitive advantages of the solution are versatility, speed, rich visualization, and ease of maintenance. According to the vendor's estimate, one Zabbix server allows you to handle over 25,000 new events per second, which is equivalent to monitoring 50,000 devices by 15 parameters at a 30-second interval.

The SaaS corporate IT services and infrastructure monitoring service is primarily addressed to companies for which the IT infrastructure is a critical link in the business due to the scale of operations, uniqueness of configurations, high requirements for office operations in a single information space, heterogeneity across manufacturers, quality of work and communication channels.

Monitoring of corporate IT networks and services is today one of the most popular services in the global IT services market - according to the MSP Mentor review, it tops the worldwide list of the most important tools to support the uninterrupted operation of companies (96.6%), and in Russia the demand for it is also growing. This need is most noticeable among companies for which the downtime of IT services is critical for key business processes and is fraught with serious financial risks, including organizations with a geographically distributed infrastructure, which should work smoothly in 24x7 mode.