CVE-2024-22120 Overview
CVE-2024-22120 is a SQL Injection vulnerability affecting Zabbix server that allows attackers to exploit time-based blind SQL injection through the audit logging functionality. When Zabbix server executes configured scripts, an audit entry is recorded in the "Audit Log." The vulnerability exists because the clientip field is not properly sanitized before being used in SQL queries, allowing malicious actors to inject arbitrary SQL commands and exfiltrate sensitive data from the underlying database.
Critical Impact
Attackers with low-privilege access can exploit this SQL injection vulnerability to read, modify, or delete sensitive data from the Zabbix database, potentially compromising the entire monitoring infrastructure and gaining access to credentials, host configurations, and network topology information.
Affected Products
- Zabbix versions 5.0.0 through 5.0.x (prior to patched versions)
- Zabbix versions 6.0.x through 6.4.x (prior to patched versions)
- Zabbix 7.0.0 alpha1 through alpha9
- Zabbix 7.0.0 beta1
Discovery Timeline
- 2024-05-17 - CVE-2024-22120 published to NVD
- 2025-10-08 - Last updated in NVD database
Technical Details for CVE-2024-22120
Vulnerability Analysis
This SQL Injection vulnerability targets the audit logging mechanism within Zabbix server. When scripts are executed through the Zabbix interface, the system logs audit events including metadata about the operation. The clientip field, which captures the IP address of the client initiating the script execution, lacks proper input sanitization and escaping before being incorporated into SQL statements.
The time-based blind SQL injection technique allows attackers to infer database contents by observing response timing differences. By crafting payloads that introduce conditional delays (using functions like SLEEP() in MySQL or pg_sleep() in PostgreSQL), an attacker can extract data one character at a time by measuring whether the server response is delayed.
This vulnerability is particularly dangerous in monitoring infrastructure because Zabbix databases typically contain sensitive information including host credentials, SNMP community strings, database passwords, and detailed network topology maps.
Root Cause
The root cause is improper input validation (CWE-20) in the Zabbix server's audit logging functionality. The clientip parameter is inserted into SQL queries without proper sanitization, parameterization, or escaping. This allows user-controlled input to break out of the intended SQL context and inject malicious SQL statements into the query.
The audit logging code path accepts the client IP address and directly concatenates it into the SQL INSERT statement for the audit log table, creating a classic SQL injection attack surface.
Attack Vector
The attack is network-based and requires low-privilege authentication to the Zabbix system. An attacker with access to execute configured scripts can manipulate the clientip field to inject SQL payloads. The exploitation flow involves:
- Authenticating to the Zabbix frontend with a low-privilege account that has script execution permissions
- Initiating a script execution request with a crafted clientip value containing SQL injection payloads
- Using time-based inference to extract data by observing response delays
- Iteratively extracting sensitive database contents including user credentials and host configurations
The vulnerability requires no user interaction and can be exploited remotely over the network. The time-based blind technique means no error messages or direct output is required—the attacker simply measures timing to infer successful injection.
Detection Methods for CVE-2024-22120
Indicators of Compromise
- Unusual characters in audit log clientip fields, particularly SQL syntax elements like single quotes, semicolons, UNION, SELECT, or time delay functions
- Abnormally slow responses during script execution operations
- Multiple rapid script execution requests from the same user or session
- Database query logs showing SLEEP(), BENCHMARK(), pg_sleep(), or similar time-delay functions
- Failed or malformed audit log entries
Detection Strategies
- Monitor database query logs for time-based SQL injection signatures including SLEEP(), WAITFOR DELAY, pg_sleep(), and BENCHMARK() functions
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in HTTP requests to Zabbix endpoints
- Configure alerting for script execution activities from unexpected user accounts or during unusual hours
- Deploy network-based intrusion detection rules targeting SQL injection payloads in Zabbix traffic
Monitoring Recommendations
- Enable detailed SQL query logging on the Zabbix database server and forward logs to SIEM for analysis
- Monitor for response time anomalies on Zabbix API endpoints, particularly those related to script execution
- Audit user permissions regularly to ensure script execution capabilities are restricted to necessary accounts only
- Implement database activity monitoring to detect unusual query patterns or data access
How to Mitigate CVE-2024-22120
Immediate Actions Required
- Review the official Zabbix security advisory at Zabbix Support Issue ZBX-24505 and apply the recommended patches immediately
- Audit all Zabbix user accounts and remove script execution permissions from any accounts that do not require them
- Implement network segmentation to restrict access to the Zabbix server from trusted networks only
- Enable database query logging temporarily to detect any ongoing exploitation attempts
- Review audit logs for suspicious clientip values that may indicate previous exploitation
Patch Information
Zabbix has released security patches to address this vulnerability. Administrators should upgrade to the latest patched version for their respective release branch. Detailed patch information and affected version ranges are available in the Zabbix Support Issue ZBX-24505.
Organizations running Zabbix 7.0.0 alpha or beta releases should upgrade to a stable, patched release as soon as available.
Workarounds
- Restrict script execution permissions to only essential administrative accounts until patches can be applied
- Implement network-level access controls (firewall rules) to limit which IP addresses can access the Zabbix frontend
- Deploy a Web Application Firewall (WAF) with SQL injection detection rules in front of the Zabbix server
- Disable or remove any unnecessary configured scripts to reduce the attack surface
- Consider temporarily disabling the audit logging feature if operationally feasible until the patch is applied
# Restrict Zabbix frontend access at the firewall level
# Example: Allow only management network to access Zabbix
iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
