CISA warns: 2 Zabbix vulnerabilities are actively exploited, patching

Do you use the network monitoring system Zabbix? A few days ago two vulnerabilities, CVE-2022-23131 and CVE-2022-23134, became public, and Zabbix has released an update to fix them. Now CISA warns that the two vulnerabilities are already being actively exploited in attacks. I had a look: even in Germany a three-digit number of Zabbix servers is probably accessible via the Internet – at least that's what Shodan says.


What is Zabbix?

Zabbix is an open source network monitoring system used to monitor IT infrastructures. The product consists of the Zabbix server, Zabbix proxy and Zabbix agent. The software was mainly developed by Alexei Vladishev and is now maintained by the company Zabbix SIA. The search engine Shodan lists over 3,400 Zabbix instances that are accessible via the Internet. However, I have not evaluated their patch status.

Vulnerabilities CVE-2022-23131 and CVE-2022-23134

On February 16, 2022, security vendor SonarSource published Zabbix – A Case Study of Unsafe Session Storage with details on two vulnerabilities in Zabbix. Its researchers had discovered a highly dangerous flaw in Zabbix's implementation of client-side sessions that can lead to the compromise of entire networks.

  • CVE-2022-23131: On instances where SAML SSO authentication is enabled (not by default), session data can be modified by a malicious actor because a user credential stored in the session has not been verified. A malicious, unauthenticated actor can exploit this issue to elevate their privileges and gain administrator access to Zabbix Frontend. To perform the attack, SAML authentication must be enabled and the attacker must know the username of the Zabbix user (or use the guest account, which is disabled by default).
  • CVE-2022-23134: After the initial setup, some steps in the setup.php file are accessible not only to super administrators but also to unauthenticated users. A malicious actor can pass these step checks and potentially change the configuration of the Zabbix frontend.

The discovered vulnerabilities affect all supported Zabbix Web Frontend versions up to and including 5.4.8, 5.0.18 and 4.0.36, require no prior knowledge of the target, and can be easily automated by attackers. The researchers strongly recommend upgrading instances running the Zabbix Web Frontend to 6.0.0beta2, 5.4.9, 5.0.19 or 4.0.37 to protect the network infrastructure.
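As an added example (not code from the post, SonarSource or the Zabbix project), the following Python helper compares a frontend's reported version with the fixed releases listed above, so an inventory of Zabbix frontends can be checked for outstanding upgrades. It queries the standard apiinfo.version JSON-RPC method, which needs no login; the pre-release ordering and the handling of unlisted branches are my assumptions.

```python
import json
import re
import urllib.request

# Pre-release stage ordering assumed here: alpha < beta < rc < final release.
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?", re.I)


def parse_version(text):
    """'5.4.8' -> (5, 4, 8, 3, 0); '6.0.0beta2' -> (6, 0, 0, 1, 2)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    major, minor, patch, stage, n = m.groups()
    stage_rank = _STAGE[stage.lower() if stage else None]
    return (int(major), int(minor), int(patch), stage_rank, int(n or 0))


# First fixed frontend release per branch, as listed in the advisory.
FIXED = {
    (4, 0): parse_version("4.0.37"),
    (5, 0): parse_version("5.0.19"),
    (5, 4): parse_version("5.4.9"),
    (6, 0): parse_version("6.0.0beta2"),
}


def is_vulnerable(text):
    """True if the frontend is older than the fixed release of its branch.
    Assumption: branches not listed above that predate 6.0 (e.g. EOL 3.x,
    4.4, 5.2) never received a fix and are flagged; newer branches are not."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    return branch < (6, 0)


def frontend_version(base_url, timeout=10):
    """Ask the frontend's JSON-RPC API for its version (apiinfo.version needs no auth)."""
    payload = json.dumps({"jsonrpc": "2.0", "method": "apiinfo.version",
                          "params": {}, "id": 1}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/api_jsonrpc.php", data=payload,
                                 headers={"Content-Type": "application/json-rpc"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["result"]


def audit(base_url):
    """Return (version, vulnerable) for one frontend URL from your own inventory."""
    version = frontend_version(base_url)
    return version, is_vulnerable(version)
```

Run `audit("https://zabbix.example.internal")` for each frontend you operate; the version strings in the assertions are constructed test inputs.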

CISA warns against exploitation of vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged U.S. federal agencies to patch all Zabbix servers they operate, because threat actors have been observed using the two vulnerabilities mentioned above to take over unpatched systems. The National Cyber Security Center of the Netherlands also warns about the vulnerabilities.


(Tweet: Zabbix vulnerabilities exploited in the wild)

The tweet above indicates that a proof-of-concept (PoC) exploit has also been public since the weekend. The colleagues here and here have published corresponding articles on the CISA warning. Anyone using Zabbix would be wise to take action.


This entry was posted in Security, Software.