CISA Warns of Attacks Exploiting Recent Vulnerabilities in Zabbix Monitoring Tool

The United States Cybersecurity and Infrastructure Security Agency (CISA) this week expanded its Known Exploited Vulnerabilities Catalog with two critical flaws in the Zabbix enterprise monitoring solution.

Tracked as CVE-2022-23131 and CVE-2022-23134, the two vulnerabilities could be exploited to bypass authentication and gain administrator privileges, which could then allow an attacker to execute arbitrary commands.

Zabbix is an open-source monitoring platform that organizations deploy within their networks to collect and centralize data such as CPU load and network traffic.

Identified by security researchers with SonarSource, a provider of code quality and security solutions, the two vulnerabilities are related to the manner in which Zabbix stores session data on the client-side and could lead to complete network compromise.

No information appears to be available on the attacks exploiting these vulnerabilities, but public proof-of-concept (PoC) exploits exist and SonarSource noted that Zabbix is a “high-profile target for threat actors” and that an unnamed exploit acquisition company has expressed interest in Zabbix.

The security holes were identified in Zabbix Web Frontend and impact all supported versions of the component prior to 5.4.8, 5.0.18 and 4.0.36. Both vulnerabilities were addressed in Zabbix Web Frontend 6.0.0beta2, 5.4.9, 5.0.19, and 4.0.37.

The flaws only impact instances where Security Assertion Markup Language (SAML) Single-Sign-On (SSO) authentication is enabled, and can be exploited without prior knowledge of the target.

[READ: CISA’s ‘Must Patch’ List Puts Spotlight on Vulnerability Management Processes]

After bypassing authentication and escalating privileges to administrator, an attacker could leverage previous vulnerabilities to execute commands on linked Zabbix Server and Zabbix Agent instances. Execution of commands cannot be disallowed on the Server component, SonarSource explains.

CVE-2022-23131 exists because, although Zabbix has a mechanism of validating the user when accessing data stored client-side, that function is never called for the session entry (containing user attributes) created when SAML authentication is used.

“Once authenticated as Admin on the dashboard, attackers can execute arbitrary commands on any attached Zabbix Server, and on Zabbix Agents if explicitly allowed in the configuration,” SonarSource says.

Also an unsafe use of the session, CVE-2022-23134 was identified in setup.php, a script that is only accessible to authenticated and highly-privileged users. Because the validation function is not called here either, an attacker could re-run the latest step of the installation process, during which the Zabbix Web Frontend configuration file is created.

[READ: CISA Urges Organizations to Patch Recent Chrome, Magento Zero-Days]

“As a result, existing configuration files can be overridden by attackers even if the Zabbix Web Frontend instance is already in a working state. By pointing to a database under their control, attackers can then gain access to the dashboard with a highly-privileged account,” SonarSource explains.

While this vulnerability cannot be exploited to reach Zabbix Agents, the Zabbix Server is accessible this way, because it uses the same database as Zabbix Web Frontend. According to SonarSource, an attacker could chain the flaw with a code execution bug to take over the database and move laterally on the network.

Patches for these vulnerabilities were released in late December, with full technical details published last week. Now, CISA warns that the two bugs are already exploited in the wild, urging organizations to update to a fixed Zabbix Web Frontend version as soon as possible.

As per Binding Operational Directive (BOD) 22-01, which was published alongside CISA’s Known Exploited Vulnerabilities Catalog in November, federal agencies should install the available patches within the next two weeks.

Related: CISA Creates List of Free Cybersecurity Tools and Services for Defenders

Related: CISA Releases Final IPv6 Security Guidance for Federal Agencies

Related: CISA Urges Organizations to Patch Exploited Windows Vulnerability

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *