CISA Announces Attacks Abusing Recent Flaws in Zabbix Monitoring Tool

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two severe flaws in the Zabbix corporate monitoring tool to its Known Exploited Vulnerabilities Catalog. The two flaws, identified as CVE-2022-23131 and CVE-2022-23134, might be used to circumvent authentication and acquire administrator access, allowing an attacker to run arbitrary commands.

Zabbix is an open-source network monitoring tool that companies use to collect and organize statistics like CPU load and network traffic. The two vulnerabilities, discovered by security experts at SonarSource, are connected to how Zabbix saves session data on the client side and might lead to total network compromise.

No details on the attacks that exploited these flaws appear to be available. However, public proof-of-concept (PoC) exploits exist, and SonarSource reports that Zabbix is a “high-profile target for threat actors” and that an unidentified exploit acquisition firm has indicated an interest in Zabbix.

The security flaws were discovered in the Zabbix Web Frontend component and affected all supported versions before 5.4.8, 5.0.18, and 4.0.36. Both vulnerabilities were resolved in Zabbix Web Frontend 6.0.0beta2, 5.4.9, 5.0.19, and 4.0.37. Only instances where Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication is enabled are affected, and the defects may be exploited without the target’s awareness.

After bypassing authentication and escalating privileges to administrator, an attacker might use these vulnerabilities to execute commands on connected Zabbix Server and Zabbix Agent instances. SonarSource says that command execution on the Server component cannot be disabled. Although Zabbix offers a function for verifying client-side session data when it is accessed, that function is never invoked for the session entry (including user attributes) created when SAML authentication is used, resulting in CVE-2022-23131.

CVE-2022-23134, another unsafe use of the session, was discovered in setup.php, a script meant to be available only to authenticated and highly privileged users. An attacker might re-run the last stage of the installation process, which creates the Zabbix Web Frontend configuration file, because the validation function is not invoked here either.

While this vulnerability cannot be used to access Zabbix Agents, it may be used to access the Zabbix Server, which uses the same database as the Zabbix Web Frontend. According to SonarSource, an attacker might use the flaw in combination with a code execution problem to seize control of the database and move laterally on the network.
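The pattern behind both issues, a signed client-side session that one code path reads without calling the verification function, is shown below as an added Python example; it is not Zabbix or SonarSource code. The cookie layout, the key, and the field names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # constructed value, stands in for a server-side secret

def _encode(payload: dict) -> str:
    return base64.b64encode(json.dumps(payload).encode()).decode()

def _decode(cookie: str) -> dict:
    """Parse the cookie; malformed input is rejected with ValueError."""
    try:
        payload = json.loads(base64.b64decode(cookie, validate=True))
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed session cookie") from exc
    if not isinstance(payload, dict):
        raise ValueError("malformed session cookie")
    return payload

def _sign(data: dict) -> str:
    body = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def issue_cookie(data: dict) -> str:
    """Server side: store session data on the client with an HMAC over it."""
    return _encode(dict(data, sign=_sign(data)))

def read_field_unverified(cookie: str, key: str):
    """Flawed path: trusts a field without invoking the signature check."""
    return _decode(cookie).get(key)

def read_field_verified(cookie: str, key: str):
    """Hardened path: no field is returned until the signature matches."""
    payload = _decode(cookie)
    sign = payload.pop("sign", "")
    if not isinstance(sign, str) or not hmac.compare_digest(
            sign.encode(), _sign(payload).encode()):
        raise ValueError("session signature mismatch")
    return payload.get(key)

def edit_without_key(cookie: str, key: str, value) -> str:
    """Test helper: a client-side edit made without knowledge of SECRET."""
    payload = _decode(cookie)
    payload[key] = value
    return _encode(payload)
```

Routing every session read through one verified accessor, rather than relying on each caller to invoke the check, removes the class of bug where a single entry point forgets it.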

Patches for these flaws were made available in late December, with complete technical information revealed last week. CISA now warns that the two flaws have already been exploited in the wild. It also advises businesses to upgrade to a corrected Zabbix Web Frontend version as soon as feasible.

About the author

CIM Team
