Zabbix: Root privilege escalation — GLSA 202101-11

Multiple vulnerabilities were discovered in Gentoo's ebuild for Zabbix which could lead to root privilege escalation.

Affected packages

Package                                  Affected versions    Unaffected versions
net-analyzer/zabbix (all architectures)  < 4.4.6              >= 3.0.30
                                                              >= 4.0.18
                                                              >= 4.4.6

Background

Zabbix is software for monitoring applications, networks, and servers.

Description

It was discovered that Gentoo's Zabbix ebuild (net-analyzer/zabbix) did not set permissions properly and placed the pid file in an unsafe directory, that is, one an unprivileged user can write to.

Impact

A local attacker could escalate privileges to root.
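A pid file that lives in a directory an unprivileged user can write to lets that user choose which pid a root-run service script later signals. The script below is an added example and is not part of this advisory, of Gentoo, or of Zabbix: it reads the PidFile directive from a zabbix_server.conf-style file (falling back to Zabbix's documented default of /tmp/zabbix_server.pid) and checks that the directory holding it is owned by a trusted user and has no group or other write bit. It assumes a Linux host with GNU stat(1); the config path /etc/zabbix/zabbix_server.conf used in the stand-alone run is an assumption, and the trusted-owner parameter exists only so the check can be exercised on constructed directories.

```shell
#!/bin/sh
# Added example, not taken from the GLSA, Gentoo or Zabbix. Decides whether the
# directory that will hold a Zabbix pid file is safe for a root-run init script
# to trust: owned by a trusted user (root by default) and writable by nobody
# else. Requires GNU stat(1); all paths and config contents are constructed.

# Print the PidFile value from a zabbix_server.conf-style file. When the
# directive is absent, fall back to Zabbix's documented default.
pidfile_from_conf() {
    conf=$1
    pid=$(sed -n 's/^[[:space:]]*PidFile=[[:space:]]*//p' "$conf" | tail -n 1)
    [ -n "$pid" ] || pid=/tmp/zabbix_server.pid
    printf '%s\n' "$pid"
}

# Return 0 if the parent directory of PIDFILE is owned by TRUSTED_OWNER
# (default root) and carries neither the group nor the other write bit.
# A sticky world-writable directory such as /tmp still fails: anyone can
# pre-create the pid file there before the service starts.
pidfile_dir_is_safe() {
    pidfile=$1
    trusted=${2:-root}
    dir=$(dirname "$pidfile")
    [ -d "$dir" ] || return 1
    owner=$(stat -c '%U' "$dir") || return 1
    [ "$owner" = "$trusted" ] || return 1
    perm=$(stat -c '%A' "$dir")              # symbolic mode, e.g. drwxr-xr-x
    case "$perm" in
        ?????w*|????????w*) return 1 ;;      # group (char 6) or other (char 9) write bit
    esac
    return 0
}

# Stand-alone usage: check the local server config if it exists (assumed path).
if [ -r /etc/zabbix/zabbix_server.conf ]; then
    pf=$(pidfile_from_conf /etc/zabbix/zabbix_server.conf)
    if pidfile_dir_is_safe "$pf"; then
        echo "OK: $pf lives in a root-owned directory nobody else can write to"
    else
        echo "UNSAFE: $(dirname "$pf") is not root-owned or is group/other writable"
    fi
fi
```

The same check applies to the agent and proxy configs, which use the same PidFile directive; pass their config files to pidfile_from_conf in the same way.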

Workaround

There is no known workaround at this time.

Resolution

All Zabbix 3.0.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-analyzer/zabbix-3.0.30:0/3.0"

All Zabbix 4.0.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-analyzer/zabbix-4.0.18:0/4.0"

All other Zabbix users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-analyzer/zabbix-4.4.6"
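Because the fixed version depends on the slot, the first thing to do on each host is to map the installed version to the right line of the Resolution. The script below is an added example and is not part of this advisory or of Gentoo's tooling: it encodes the affected/unaffected table above (3.0.x fixed in 3.0.30, 4.0.x fixed in 4.0.18, everything else fixed in 4.4.6), classifies a version string, and prints the matching emerge atom. It reads installed versions from the Portage VDB under /var/db/pkg when present; it handles plain dotted versions with an optional Gentoo -rN revision suffix, and the sample versions in the stand-alone run are constructed.

```shell
#!/bin/sh
# Added example, not part of the GLSA. Decides whether an installed
# net-analyzer/zabbix version falls inside this advisory's affected range and
# prints the Resolution atom for its slot. Only dotted numeric versions with an
# optional -rN revision suffix are handled (_rc/_p suffixes are not).

# Compare two dotted numeric versions; prints -1, 0 or 1.
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; [ "$ah" = "$a" ] && a= || a=${a#*.}
        bh=${b%%.*}; [ "$bh" = "$b" ] && b= || b=${b#*.}
        ah=${ah:-0}; bh=${bh:-0}            # 4.4 compares equal to 4.4.0
        [ "$ah" -lt "$bh" ] && { echo -1; return; }
        [ "$ah" -gt "$bh" ] && { echo 1; return; }
    done
    echo 0
}

# Print "affected" or "unaffected" for a zabbix version, per the GLSA table:
# the 3.0 and 4.0 slots have their own fixed versions; all others need 4.4.6.
zabbix_glsa_status() {
    v=${1%%-r*}                             # drop Gentoo revision suffix, e.g. -r1
    case "$v" in
        3.0.*) fixed=3.0.30 ;;
        4.0.*) fixed=4.0.18 ;;
        *)     fixed=4.4.6  ;;
    esac
    if [ "$(vercmp "$v" "$fixed")" -lt 0 ]; then
        echo affected
    else
        echo unaffected
    fi
}

# Print the emerge atom from the Resolution that applies to this version's slot.
zabbix_glsa_fix_atom() {
    case "${1%%-r*}" in
        3.0.*) echo '>=net-analyzer/zabbix-3.0.30:0/3.0' ;;
        4.0.*) echo '>=net-analyzer/zabbix-4.0.18:0/4.0' ;;
        *)     echo '>=net-analyzer/zabbix-4.4.6' ;;
    esac
}

# Stand-alone usage: classify whatever Portage has installed (VDB path is
# standard on Gentoo); fall back to constructed sample versions elsewhere.
found=0
for d in /var/db/pkg/net-analyzer/zabbix-*; do
    [ -d "$d" ] || continue
    found=1
    pv=${d##*/zabbix-}
    echo "$pv: $(zabbix_glsa_status "$pv") (fix: $(zabbix_glsa_fix_atom "$pv"))"
done
if [ "$found" -eq 0 ]; then
    for pv in 3.0.29 3.0.30 4.0.17-r1 4.2.8 4.4.5 4.4.6; do   # constructed samples
        echo "$pv: $(zabbix_glsa_status "$pv") (fix: $(zabbix_glsa_fix_atom "$pv"))"
    done
fi
```

Run it as any user; only the emerge commands in the Resolution need root. A version reported as affected should be upgraded with the printed atom, then the script re-run to confirm.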

Release date
January 21, 2021

Latest revision
January 21, 2021 (revision 1)

Severity
normal

Exploitable
local

Bugzilla entries