CISA Warns of Imminent Exploits on Zabbix Monitoring Tool’s Recent Vulnerabilities

Benefits and Best Practices of Adaptive Security

This week, CISA updated Known Exploited Vulnerabilities Catalog by adding two flaws emanating from Zabbix monitoring solution. The two vulnerabilities, CVE-2022-23134 and CVE-2022-23131 could allow attackers to bypass security authentication and attack Zabbix.

The open-source enterprise solution tool, Zabbix, which collects and centralizes network data, and traffic, is susceptible to two vulnerabilities that attackers can capitalize on by gaining administrator rights and executing arbitrary commands.

The flaws are attributable to how Zabbix stores its client-side session data, leading to network compromise. The vulnerabilities were identified by researchers working for SonarSource, the code quality, and security solutions provider. The flaws affect all Web Frontend versions of Zabbix prior to versions 5.0.18, 4.0.36, and 5.4.8. Consequently, Zabbix Frontend 6.0.0beta2, 4.0.37, 5.0.19, and 5.4.9 addressed the two vulnerabilities.

SonarSource asserts that once the attacker gets hold of the administrator rights, they could attack Zabbix Server linked to the monitoring tool. Additionally, the attacker can execute commands by leveraging past vulnerabilities because the Zabbix server component cannot disallow their execution.

SonarSource says that if the attackers are explicitly allowed in the configuration, they can access any attached Zabbix Server, including Zabbix agents, and execute arbitrary commands. 

The attacker can exploit the security holes in situations where Security Assertion Markup Language (SAML) Single-Sign-On (SSO) authentication is enabled. Despite a user validation mechanism when accessing client-side stored data, the CVE-2022-23131 flaw exists because the validation is never requested when using SAML authentication on the session entry that contains user attributes.

CVE-2022-23134 compromised setup.php, accessible only to authorized privileged users. This unsafe use did not call for validation, thus allowing the attacker to rerun the final stage of the process, which creates the configuration file for Zabbix Frontend. 

SonarSource further explains that the attackers can override the existing files, even though Zabbix instance is in progress, by taking over the control of a database control using a privileged administrator account.

Although no evidence exists yet on the attacks that exploit these vulnerabilities, public proof-of-concept (PoC) believes exploits exist. Subsequently, SonarSource reiterated that indeed Zabbix is a “high-profile target for threat actors” and further revealed that an unnamed exploit acquisition company has expressed interest in Zabbix.

Although the vulnerability doesn’t affect Zabbix Agent, a similar process can be used to attack the Server, which uses a database similar to Zabbix Frontend. SonarSource believes attackers could access the database (a user which can read and write to it) in order to compromise it. 

Since Zabbix Server uses the same database, they could move laterally and gain access to the network after compromising the database. Updates for two unpatched security vulnerabilities in the open-source software management tool Zabbix were released last December. In December, Zabbix developers patched two open-source Web Frontend software vulnerabilities. 

Last week, the firm published full details about the two, warning that they’re already exploited and rife out there. In addition, they urged government organizations and others to upgrade to its fixed version immediately.

Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warn of the security vulnerabilities in the open-source software management tool Zabbix. The two vulnerabilities, which could allow attackers to take control of a vulnerable system, were listed among the Known Exploited Vulnerabilities catalog published by CISA last month. Agencies use this catalog as a reference to check if their systems are at risk.

A BOD publication (22-01) of November alongside the Known Exploited Vulnerabilities Catalog , requires federal agencies to patch the two recently discovered vulnerabilities in Zabbix within two weeks; otherwise, their IT systems may be at risk. An attacker could take advantage of this vulnerability to gain unauthorized access to the database and use that access to steal data or access other parts of a company’s network. 


    Leave a Comment


    Welcome! Login in to your account

    Remember me Lost your password?

    Don't have account. Register

    Lost Password