The US Cybersecurity and Infrastructure Security Agency (CISA) added two serious holes in the Zabbix enterprise monitoring tool to its Known Exploited Vulnerabilities Catalog this week.
The two vulnerabilities, identified as CVE-2022-23131 and CVE-2022-23134, might be used to circumvent authentication and gain administrator access, allowing an attacker to run arbitrary commands.
Zabbix is an open-source network monitoring tool that companies use to collect and organise statistics like CPU load and network traffic.
The two vulnerabilities, discovered by security experts at SonarSource, a provider of code quality and security solutions, are connected to the way Zabbix saves session data on the client side and might lead to complete network compromise.
No details on the attacks that exploited these flaws appear to be available; however, public proof-of-concept (PoC) exploits exist, and SonarSource reports that Zabbix is a “high-profile target for threat actors” and that an unnamed exploit acquisition firm has expressed interest in Zabbix.
The security flaws were discovered in the Zabbix Web Frontend component and affect all supported versions prior to 5.4.8, 5.0.18, and 4.0.36. In Zabbix Web Frontend 6.0.0beta2, 5.4.9, 5.0.19, and 4.0.37, both vulnerabilities were resolved.
Only deployments in which Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication is enabled are affected, and the defects can be exploited without the target’s awareness.
Using the first of these vulnerabilities, an attacker who has bypassed authentication and escalated privileges to administrator could execute commands on connected Zabbix Server and Zabbix Agent instances. SonarSource says that command execution on the Server component cannot be disabled.
Although Zabbix has a function for validating client-side session data when it is read back, that function is never called for the session entry (which includes user attributes) created when SAML authentication is used; this omission is CVE-2022-23131.
“Once authenticated as Admin on the dashboard, attackers can run arbitrary commands on any attached Zabbix Server, as well as on Zabbix Agents if expressly authorised in the setup,” according to SonarSource.
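The defect class described above is a signature check that exists but is not called on one code path. The following is an added illustration, not Zabbix code, and it does not reflect Zabbix’s actual session format: the cookie layout, the field names and the key are constructed for the demo. It places the defective read path (payload trusted without the check) beside the correct one (tag recomputed and compared in constant time) and shows what each makes of a cookie whose payload was edited on the client side:

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment uses a per-installation secret.
DEMO_KEY = b"constructed-demo-secret"


def _serialise(attrs: dict) -> bytes:
    # Canonical JSON so the same attributes always produce the same bytes.
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()


def encode_session(attrs: dict, key: bytes) -> str:
    """Serialise session attributes and append an HMAC-SHA256 tag.

    The client stores payload and tag; only the server knows ``key``.
    """
    payload = _serialise(attrs)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return "%s.%s" % (
        base64.urlsafe_b64encode(payload).decode(),
        base64.urlsafe_b64encode(tag).decode(),
    )


def decode_unverified(cookie: str) -> dict:
    """The defective pattern: read attributes back without calling the check.

    Whatever the client sends is trusted, including a changed role.
    """
    payload_b64, _tag_b64 = cookie.split(".", 1)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def decode_verified(cookie: str, key: bytes) -> Optional[dict]:
    """The correct pattern: recompute the tag and compare in constant time.

    Returns None when the cookie is malformed or the tag does not match, so a
    tampered payload is never turned into a session.
    """
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def tamper_demo() -> dict:
    """Run both decoders on a genuine cookie and on one whose payload was
    edited client-side while the original tag was kept (constructed input)."""
    genuine = encode_session({"user": "alice", "role": "user"}, DEMO_KEY)
    _payload_b64, tag_b64 = genuine.split(".", 1)
    edited = base64.urlsafe_b64encode(
        _serialise({"user": "alice", "role": "admin"})
    ).decode()
    tampered = edited + "." + tag_b64
    return {
        "unverified_role_from_tampered": decode_unverified(tampered)["role"],
        "verified_accepts_tampered": decode_verified(tampered, DEMO_KEY) is not None,
        "verified_role_from_genuine": decode_verified(DEMO_KEY and genuine, DEMO_KEY)["role"],
    }


if __name__ == "__main__":
    for name, value in tamper_demo().items():
        print(name, "=", value)
```

The point for reviewers is that the check function alone guarantees nothing; every code path that reconstructs a session from client-held data must call it, and a code review of an SSO integration should trace each such path to that call.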
CVE-2022-23134, another dangerous use of the session, was discovered in setup.php, a script that is only available to authenticated and highly privileged users. Because the validation function is not invoked here either, an attacker could re-run the final step of the installation process, which creates the Zabbix Web Frontend configuration file.
“As a result, attackers can overwrite existing configuration files, even if the Zabbix Web Frontend instance is already operational,” SonarSource explains. “Attackers can acquire access to the dashboard with a highly privileged account by pointing to a database under their control.”
While this vulnerability cannot be used to access Zabbix Agents, it can be used to access the Zabbix Server, which uses the same database as the Zabbix Web Frontend. According to SonarSource, an attacker could chain the flaw with a code execution bug to seize control of the database and move laterally on the network.
Patches for these flaws were made available in late December, with detailed technical information disclosed last week. CISA is now warning that the two flaws have already been exploited in the wild, and is advising businesses to upgrade to a corrected Zabbix Web Frontend version as soon as feasible.
Federal agencies should install the available patches within the next two weeks, according to Binding Operational Directive (BOD) 22-01, which was published alongside CISA’s Known Exploited Vulnerabilities Catalog in November.