Zabbix vulnerabilities added to CISA catalog

Two Zabbix vulnerabilities have been added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog.

Federal civilian agencies have until March 8 to fix CVE-2022-23131 and CVE-2022-23134, a Zabbix Frontend authentication bypass vulnerability and a Zabbix Frontend improper access control vulnerability. Zabbix is a popular open source monitoring platform.

Fixes for the issues came out in December. Zabbix explained that in instances “where SAML SSO authentication is enabled (not by default), session data can be modified by a malicious actor, because a user login stored in the session has not been verified”.

“An unauthenticated malicious actor can exploit this issue to elevate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication must be enabled and the actor must know the username of the Zabbix user (or use the guest account, which is disabled by default),” Zabbix said.

“To address this vulnerability, apply the updates listed in the ‘Fixed Version’ section to the appropriate products or if an immediate update is not possible, follow the workarounds provided below.”

Zabbix credited Thomas Chauchefoin of SonarSource for discovering and reporting the issue. SonarSource published its own blog post on the vulnerabilities, in which Chauchefoin details the intricacies of the problem. He discovered it in November and found that the initial patch offered by Zabbix could be bypassed.

Casey Bisson from BluBracket explained that Zabbix is widely used by businesses of all sizes to monitor servers and network equipment everywhere, from data centers to branch offices.

“A vulnerability that allows attackers to bypass authentication checks could give those attackers access to many infrastructure details,” Bisson said.

“Zabbix details could reveal a map of sensitive corporate networks and equipment deep within corporate networks, including potentially vulnerable versions of software on that equipment. This information could be used to target other electronic attacks, social engineering and spear phishing.”

Mike Parkin of Vulcan Cyber added that Zabbix has a user base spread across the globe, with a large portion in Europe, and spread across a range of vertical markets.

Both the National Cyber Security Centre of the Netherlands and the Ukrainian Computer Emergency Response Team have posted notices about the problem in recent days. The Ukrainian advisory indicates that CVE-2022-23131 has a severity score of 9.1.

Parkin noted that the attack surface is reduced because the target must be in a non-default configuration and the attacker must know a valid username.

“Zabbix has included a workaround – disabling SAML authentication – and fixes have been released, so it should be easy for affected organizations to mitigate this issue,” Parkin said.