Bug 1013963 (CVE-2013-5572)

Summary: CVE-2013-5572 zabbix: password leakage
Product: [Other] Security Response Reporter: Ratul Gupta <ratulg>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: brett.lentz, ccoleman, dan, dmcphers, jialiu, lmeyer, nelsonab, tkramer, volker27
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-30 04:32:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1013964, 1013965, 1016869    
Bug Blocks: 1013967    

Description Ratul Gupta 2013-10-01 07:22:12 UTC 
Zabbix, a network management system application designed to monitor and track the status of various network services, is found to have a vulnerability that could lead to password leakage.

Once the user is able to open a console session in zabbix, he can access the tab where various users of the system are displayed. An impersonated user can view the application source code, and could find the password that interacts zabbix, for eg, with a domain controller.

The field that should be looked for in the source code of the website is:
   type = "password" id = "ldap_bind_password" name = "ldap_bind_password" value = <password>.

And also if the user requests to refresh the web page, the browser asks the user to store or cache the password, which could also lead to password leakage.
Comment 1 Ratul Gupta 2013-10-01 07:26:47 UTC 
Created zabbix tracking bugs for this issue:

Affects: fedora-all [bug 1013964]
Affects: epel-all [bug 1013965]
Comment 2 Vincent Danen 2013-10-01 14:19:42 UTC 
This was reported on full-disclosure: http://archives.neohapsis.com/archives/fulldisclosure/2013-09/0149.html
Comment 3 Volker Fröhlich 2013-10-01 14:34:46 UTC 
The description is vague and they didn't bother to mention the upstream status. Assumptions are, this resembles https://support.zabbix.com/browse/ZBX-6721.
Comment 4 Vincent Danen 2013-10-08 20:24:07 UTC 
That reference looks correct to me.
Comment 7 Volker Fröhlich 2014-01-24 15:34:53 UTC 
Upstream confirms that the CVE resembles ZBX-6721. It will be fixed in 2.0.11 and 2.2.2, but foresee-ably not 1.8. The reason is, that the CVE is not considered that dangerous.
Comment 8 Fedora Update System 2014-03-02 19:24:10 UTC 
zabbix20-2.0.11-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2014-03-02 19:24:38 UTC 
zabbix20-2.0.11-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2014-03-02 19:25:15 UTC 
zabbix-1.8.20-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2014-05-01 22:20:37 UTC 
zabbix-2.0.11-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2014-05-01 22:21:03 UTC 
zabbix-2.0.11-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.