
zabbix-agent affected by CVE-2023-32728 (RCE via S.M.A.R.T. plugin)
Open, High, Public, BUG

Description

Dear VyOS Maintainers,

Problem

The installed zabbix agent 2 is 6.0.14, which is affected by an RCE via its S.M.A.R.T. plugin.
https://security-tracker.debian.org/tracker/CVE-2023-32728

Solution

Update the included zabbix agent 2 to a newer version (at least 6.0.24, which includes the fix; preferably the newest 6.0.x).

Workaround

Remove zabbix-agent until the issue has been fixed in upstream, or at least add a comment in the documentation that zabbix-agent is vulnerable and should not be used when lateral movement/privilege escalation from a zabbix admin to the firewall is a risk.

Best Regards

Details

Difficulty level: Unknown (require assessment)
Version: 1.5-rolling-202409250007
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Security vulnerability
Forum thread: https://forum.vyos.io/t/zabbix-agent-updates/14468