November 29, 2024 at 12:50PM
Zabbix has alerted customers to a critical SQL injection vulnerability (CVE-2024-42327) that could allow system compromise via API access. Affected versions include 6.0.0-6.0.31, 6.4.0-6.4.16, and 7.0.0. Users should upgrade to protect against potential privilege escalation attacks, as the vulnerability poses risks across many industries.
**Meeting Takeaways:**
1. **Critical Vulnerability Alert**: Zabbix has reported a critical SQL injection vulnerability (CVE-2024-42327) that could lead to full system compromise. It received a CVSSv3 score of 9.9.
2. **Exploitation Details**: The flaw lies in the addRelatedObjects function of the CUser class and can be exploited by non-admin user accounts that have API access.
3. **Affected Versions**: The following product versions are affected:
– Zabbix 6.0.0 to 6.0.31
– Zabbix 6.4.0 to 6.4.16
– Zabbix 7.0.0
Users are advised to upgrade to:
– 6.0.32rc1
– 6.4.17rc1
– 7.0.1rc1
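To turn the version ranges in item 3 into a fleet check, here is an added Python example (not code from Zabbix or the advisory) that classifies a Zabbix version string as affected, fixed or not listed; the inventory is constructed sample data, and a branch the advisory does not mention is deliberately reported as "not-listed" rather than "safe".

```python
"""Classify Zabbix version strings against the CVE-2024-42327 affected ranges."""
import re
from typing import Dict, List, Tuple

# Affected ranges as published: (major, minor) branch -> highest affected patch level.
# The fix ships in the next patch level of each branch (6.0.32rc1, 6.4.17rc1, 7.0.1rc1).
AFFECTED_MAX_PATCH = {
    (6, 0): 31,  # 6.0.0 - 6.0.31
    (6, 4): 16,  # 6.4.0 - 6.4.16
    (7, 0): 0,   # 7.0.0
}

# Accepts "6.0.31", "6.0.32rc1", "7.0.1rc1" etc.; the suffix is kept but not compared,
# because the fixed patch level is already higher than the last affected one.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([A-Za-z]+\d*)?$")


def parse_version(text: str) -> Tuple[int, int, int, str]:
    """Split a Zabbix version string into (major, minor, patch, suffix)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    major, minor, patch, suffix = match.groups()
    return int(major), int(minor), int(patch), suffix or ""


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'not-listed' for one version string.

    'not-listed' means the advisory says nothing about that branch; it is a
    prompt to check the vendor's own guidance, not a statement that it is safe.
    """
    major, minor, patch, _suffix = parse_version(version)
    branch = (major, minor)
    if branch not in AFFECTED_MAX_PATCH:
        return "not-listed"
    return "affected" if patch <= AFFECTED_MAX_PATCH[branch] else "fixed"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host names by status; input maps host -> version string."""
    groups: Dict[str, List[str]] = {"affected": [], "fixed": [], "not-listed": []}
    for host, version in sorted(inventory.items()):
        groups[assess(version)].append(host)
    return groups


# Constructed sample inventory (hypothetical hosts); real versions would come from the
# Zabbix API's apiinfo.version method or from the installed package version.
SAMPLE_INVENTORY = {"zbx-prod-1": "6.0.31", "zbx-prod-2": "6.0.32rc1",
                    "zbx-lab": "7.0.0", "zbx-legacy": "6.2.5"}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```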
4. **Impact Potential**: With thousands of customers globally, including major enterprises like Dell and the European Space Agency, the attack surface could be significant.
5. **Industry Trends**: The FBI and CISA are focusing on reducing SQL injection vulnerabilities, labeling them as “unforgivable” product defects that should be eliminated by software vendors.
6. **Historical Context**: SQL injection has been a longstanding vulnerability, contributing to significant data breach incidents, such as the attacks related to Progress Software’s MOVEit MFT.
7. **Vendor Responsibility**: Software vendors are urged to ensure their products are free from such vulnerabilities prior to release, with an emphasis on thorough code reviews.
8. **Accountability**: Customers of software vendors are encouraged to ask their developers to confirm what measures they take against SQL injection vulnerabilities.