Bug 901875 (CVE-2013-1364)

Summary: CVE-2013-1364 zabbix: possible to override LDAP configuration parameters via the API
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: brett.lentz, dan, dmcphers, jialiu, kseifried, lmeyer, nelsonab, tkramer, volker27
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20121220,reported=20130118,source=gentoo,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,epel-6/zabbix=affected,epel-6/zabbix20=affected,fedora-all/zabbix=affected,openshift-1/zabbix=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-28 03:29:46 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 901876, 901877, 901878, 1082437    
Bug Blocks:    

Description Vincent Danen 2013-01-19 13:38:34 EST
It was reported [1] that the user.login method in Zabbix would accept a 'cnf' parameter containing the configuration parameters to use for LDAP authentication, which would override the configuration stored in the database.  This can be used to authenticate to Zabbix using a completely different LDAP application (e.g. authenticate to Zabbix using some other LDAP directory the attacker has credentials for).

This has been corrected in upstream versions 2.1.0 r32446, 2.0.5rc1 r32444 and 1.8.16rc1 r32442.  Patches are attached to the upstream bug report.

[1] https://support.zabbix.com/browse/ZBX-6097
Comment 1 Vincent Danen 2013-01-19 13:39:55 EST
Created zabbix tracking bugs for this issue

Affects: epel-6 [bug 901876]
Affects: fedora-all [bug 901878]
Comment 2 Vincent Danen 2013-01-19 13:39:58 EST
Created zabbix20 tracking bugs for this issue

Affects: epel-6 [bug 901877]