What is CVE-2022-23131?
(Zabbix Frontend Authentication Bypass Vulnerability)
It allows bypassing authentication and acquiring administrator access in cases where SAML SSO authentication is enabled. One of the most widely used Single-Sign-On (SSO) standards is Security Assertion Markup Language (SAML). It uses XML to allow Identity Providers (IdPs, entities that may authenticate users) to notify the Service Provider (SP, in this case, Zabbix) who you are. The Zabbix Web Frontend can be configured to support user authentication through SAML. However, it is not enabled by default because it requires knowledge of the identity provider's data. For enterprise deployments, this is the most popular configuration.
They don't require any prior information of the victims, and attackers can easily automate them. With CVE-2021-46088, for which exploitation code is already public, attackers can leverage this access to execute arbitrary instructions on both the associated Zabbix Server and Zabbix Agent instances. Zabbix Servers, unlike Zabbix Agent, cannot be configured to prevent instructions from being executed.
Severity of the Vulnerability
The severity of 9.1 out of 10 has been assigned to the vulnerability.
CVE | CVE-2022-23131 |
Vendor | Zabbix |
Product | Frontend |
Vulnerability Name | Zabbix Frontend Authentication Bypass Vulnerability |
Date added to Catalog | 2022-02-22 |
Description | Authentication bypass/instance takeover through Zabbix Frontend with enabled SAML due to insecure client-side session storage. |
Impact of CVE-2022-23131
The identified vulnerabilities affect all the supported Zabbix Web Frontend releases up to and including 5.4.8, 5.0.18, 6.0.0alpha1, and 4.0.36 at the time of our analysis.
Once authenticated as an admin on the dashboard, attackers will have the ability to run arbitrary commands on any attached Zabbix Server and Zabbix Agents if the settings allow it.
CVE | Remediation |
CVE-2022-23131 | It is recommended to upgrade all the instances that are running with Zabbix Web Frontend to 6.0.0beta2, 5.4.9, 5.0.19, or 4.0.37 |
What is CVE-2022-23134?
(Zabbix Frontend Improper Access Control Vulnerability)
Some steps of the setup.php file are accessible not just by super-administrators but also by unauthenticated users after the initial setup procedure. Malicious actors can bypass step checks and potentially alter the Zabbix Frontend configuration.
Zabbix Web Frontend is first deployed, this script is normally launched by system administrators, and access is afterwards restricted to highly-privileged and authenticated users. An attacker might re-run in the latest step of the installation process that creates the Zabbix Web Frontend configuration file because the validation function is not invoked here—resulting in attackers overwriting existing configuration files, even if the Zabbix Web Frontend instance is already operational. Attackers can gain access to the dashboard with a highly privileged account by pointing to a database under their control.
Severity of the vulnerability
The severity of 5.3 out of 10 has been assigned to the vulnerability.
CVE | CVE-2022-23134 |
Vendor | Zabbix |
Product | Frontend |
Vulnerability Name | Zabbix Frontend Improper Access Control Vulnerability |
Date added to Catalog | 2022-02-22 |
Description | Malicious actors can bypass step checks and potentially alter the Zabbix Frontend settings. |
Impact of CVE-2022-23134
This vulnerability affects 5.4.0 - 5.4.8, 6.0.0 - 6.0.0beta1. While this vulnerability cannot be used to access Zabbix Agents, it might be used to access the Zabbix Server, which uses the same database as the Zabbix Web Frontend.
An attacker might exploit the vulnerability in combination with a code execution flaw to gain control of the database and move around the network laterally.
CVE | Remediation |
CVE-2022-23134 | Use the version 5.4.9 , 6.0.0beta2 |