Possible security risk with zabbix_sender

  • rbenea
    Member
    • Apr 2008
    • 35

    #1

    Possible security risk with zabbix_sender

    There could be a possible security risk involving zabbix_sender, because the authenticity of the sender is never verified and I can inject false data into the DB.

    I created the hosts 'Test1' and 'Test2' and I could inject/update data from 2 different remote hosts.

    Now... I understand that this should maybe be used only on localhost, but even then there is no way of preventing other users on the same machine from injecting data. I say that a simple shared key would fix the problem, or of course the use of user/pass so you can restrict access only to a certain configured host, or bind the sender to the host.

    Regards,
    Rares Benea
  • vins
    Member
    • Feb 2009
    • 31

    #2
    To inject data you must know the exact agent name and the key. It's not so easy: you would have to sniff traffic to get the actual strings.

    Data exchanged between agent and server should be encrypted, but IMHO adding authentication would result in a performance loss.

    I think a quick workaround would be to chmod "zabbix_sender" so it can be run only by the zabbix user.


    • Calimero
      Senior Member
      • Nov 2006
      • 481

      #3
      There's an 'Allowed hosts' field when configuring zabbix_sender/trapper items to restrict the source host(s).

      Of course it's nowhere near strong cryptographic security. But then again cryptography makes it a bit harder to deploy, requires more CPU... Nothing comes free.


      • Alexei
        Founder, CEO
        Zabbix Certified Trainer
        Zabbix Certified SpecialistZabbix Certified Professional
        • Sep 2004
        • 5654

        #4
        Originally posted by Calimero
        There's an 'Allowed hosts' field when configuring zabbix_sender/trapper items to restrict the source host(s).
        Exactly! Zabbix will accept data coming from these IPs only, if this parameter is not empty.
        Alexei Vladishev
        Creator of Zabbix, Product manager
        New York | Tokyo | Riga


        • rbenea
          Member
          • Apr 2008
          • 35

          #5
          Possible security risk

          Originally posted by vins
          To inject data you must know the exact agent name and the key.
          The keys are standard, you can find them in the manual, and the agent name is not so hard to guess; maybe you can see it as a read-only user.

          Originally posted by Calimero
          There's an 'Allowed hosts' field when configuring zabbix_sender/trapper items to restrict the source host(s).
          Yes, but I'm sending from hosts that are allowed: multiple users on the same machine, etc.

          Originally posted by vins
          I think a quick workaround would be to chmod "zabbix_sender" so it can be run only by the zabbix user.
          The protocol is simple; you can do it with copy/paste and telnet, you don't need zabbix_sender (I haven't tried it, but I think it is something similar to the zabbix_agent protocol).

          Originally posted by Calimero
          Of course it's nowhere near strong cryptographic security. But then again cryptography makes it a bit harder to deploy, requires more CPU... Nothing comes free.
          Yes, and it would be harder to do in the hardware Zabbix agent too.

          I was thinking more of a shared key that is configured in 'Add host' and that is sent by the agent together with the data, maybe as a standard key. Of course we can XOR the data or something very, very simple, and of course this could be required only for the active agents that push data to the server.

          Rares
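The following is an added example, not code from the thread, from any of its participants, or from Zabbix itself. It frames a trapper message the way the JSON-based sender protocol of later Zabbix releases (1.8 onward) does, to make concrete the point above that any process able to open the trapper port can submit data without zabbix_sender. It then contrasts the two server-side checks discussed in the thread: the 'Allowed hosts' style source-IP check, which cannot tell two users on the same allowed machine apart, and a per-host shared key, implemented here as an HMAC over the item fields with a timestamp (an assumed design for illustration, not a Zabbix feature; the XOR scheme floated above would give neither integrity nor secrecy against anyone who has seen one message). The host names, item key, secret and IP addresses are constructed for the example. Later Zabbix releases (3.0 onward) addressed the underlying concern with TLS, PSK or certificate based, for sender and trapper connections.

```python
"""Added example: zabbix_sender-style framing plus two server-side acceptance
policies (source-IP allow-list vs. per-host shared-key HMAC). Not Zabbix code."""
import hashlib
import hmac
import json
import struct

ZBX_HEADER = b"ZBXD\x01"  # protocol magic plus version byte used by the JSON framing


def build_sender_frame(items):
    """Bytes any client could write to the trapper port: header, little-endian
    64-bit body length, JSON body. Nothing in the frame identifies the sender."""
    body = json.dumps({"request": "sender data", "data": items}).encode()
    return ZBX_HEADER + struct.pack("<Q", len(body)) + body


def parse_sender_frame(frame):
    """Server side of the framing; returns the list of submitted items."""
    if frame[:5] != ZBX_HEADER:
        raise ValueError("bad header")
    (length,) = struct.unpack("<Q", frame[5:13])
    body = frame[13:13 + length]
    if len(body) != length:
        raise ValueError("truncated frame")
    return json.loads(body)["data"]


def ip_allowed(src_ip, allowed_hosts):
    """'Allowed hosts' style check: restrict only when the list is non-empty.
    Every user on an allowed machine presents the same source IP."""
    return not allowed_hosts or src_ip in allowed_hosts


def item_mac(secret, host, key, value, clock):
    """HMAC-SHA256 over the fields the server will store, NUL-separated so that
    field boundaries cannot be shifted by a crafted value."""
    msg = "\x00".join([host, key, str(value), str(clock)]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_item(secret, host, key, value, clock):
    """What an agent holding the host's shared key would send."""
    return {"host": host, "key": key, "value": value, "clock": clock,
            "mac": item_mac(secret, host, key, value, clock)}


def verify_item(host_secrets, item, now, max_skew=300):
    """Hypothetical server-side check: the secret configured for the named host
    must reproduce the MAC, and the timestamp must be recent to blunt replay."""
    secret = host_secrets.get(item.get("host"))
    if secret is None or "mac" not in item:
        return False
    if abs(now - int(item.get("clock", 0))) > max_skew:
        return False
    expected = item_mac(secret, item["host"], item["key"], item["value"], item["clock"])
    return hmac.compare_digest(expected, item["mac"])


def demo():
    """Constructed scenario: host Test1 reports from 10.0.0.5, which is on the
    allow-list, and two different local users on that machine submit data."""
    allowed = {"10.0.0.5"}
    secrets = {"Test1": b"test1-shared-secret"}  # configured per host on the server
    now = 1_700_000_000
    legit = sign_item(secrets["Test1"], "Test1", "system.cpu.load[,avg1]", "0.42", now)
    rogue = {"host": "Test1", "key": "system.cpu.load[,avg1]",
             "value": "99.9", "clock": now}  # other user, no secret
    forged = dict(legit, value="99.9")  # tampered value, MAC no longer matches
    items = parse_sender_frame(build_sender_frame([legit, rogue, forged]))
    ip_results = [ip_allowed("10.0.0.5", allowed) for _ in items]
    mac_results = [verify_item(secrets, it, now) for it in items]
    return ip_results, mac_results


if __name__ == "__main__":
    print(demo())  # IP check accepts all three; HMAC accepts only the first
```

The frame built by build_sender_frame is all the server sees, so the allow-list decision rests on the TCP source address alone and returns True for all three items. The HMAC check rejects the item sent without the secret and the item whose value was altered after signing; the clock window limits how long a captured signed item stays useful, which a real deployment would tighten further with a per-item nonce.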
