CISA Warns of Actively Exploited Vulnerabilities in Zabbix Servers
A notification from the U.S. Cybersecurity Infrastructure and Security Agency (CISA) warns that threat actors are exploiting vulnerabilities in Zabbix open-source tool for monitoring networks, servers, virtual machines, and cloud services.
The agency is asking federal agencies to patch any Zabbix servers against security issues tracked as CVE-2022-23131 and CVE-2022-23134, to avoid “significant risk” from malicious cyber actors.
The same warning comes from the Computer Emergency Response Team (CERT) of Ukraine, who notes that one of the vulnerabilities has a critical severity score of 9.1 out of 10.
Exploits publicly available
Proof-of-concept exploit code for CVE-2022-23131 affecting Zabbix Frontend has been publicly shared by more than one researcher starting February 21.
An attacker leveraging this security issue could bypass authentication on servers with configured Security Assertion Markup Language (SAML, a non-default state.
SAML is an open standard providing a single point of authentication (single sign-on) that exchange data between an identity provider and a service provider.
The National Cyber Security Center in Netherlands alerts that the vulnerability is being actively exploited and it can allow remote code execution with root privileges.
The Ukrainian Computer Emergency Response Team (CERT) also published a warning about the risk of leaving Zabbix servers unpatched against the two vulnerabilities, especially CVE-2022-23131.
“If SAML SSO authentication is enabled (not by default), session data can be modified by an attacker, as the user login stored in the session is not verified. This allows an untested attacker to exploit this vulnerability to gain privileges and gain administrator access to Zabbix Frontend” - Ukraine CERT
The second vulnerability, CVE-2022-23134, is medium severity improper access control issue that allows attackers to change the configuration file (the setup.php script) and gain access to the dashboard with elevated privileges.
İki güvenlik açığı, bulgularını bu ayın başlarında teknik bir raporda yayınlayan SonarSource araştırmacıları tarafından keşfedildi ve CVE-2022-23131'den yararlanmanın "basit olduğunu, özellikle de Zabbix Web Frontend'in otomatik olarak yüksek ayrıcalıklı bir kullanıcıyla yapılandırıldığını belirtti.”
The maintainers of the Zabbix project have released updates (versions 5.4.9, 5.0.9, and 4.0.37) that address both issues and it is highly recommended to install them, especially in a context of active exploitation.
CISA has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog that represent a frequent attack vector and is asking federal agencies to install available patches by March 8.
| CVE ID | Vulnerability Name | Due Date |
| CVE-2022-23131 | Zabbix Frontend Authentication Bypass Vulnerability | 3/8/2022 |
| CVE-2022-23134 | Zabbix Frontend Improper Access Control Vulnerability | 3/8/2022
|
Sign up for the e-mail list to be informed about the developments in the cyber world and to be informed about the weekly newsletter.
Haber bültenine kaydolduğunuz için teşekkürler!
Something went wrong.
