Critical vulnerabilities in Zabbix Web Frontend allow authentication bypass, code execution on servers

by | Feb 21, 2022 | News

Patreon

Reading Time: 1 Minute

Two vulnerabilities in open source monitoring platform Zabbix could allow an attacker to bypass authentication and execute arbitrary code on a targeted server.

 

 

The security flaws were found in Zabbix Web Frontend, a platform used to collect, centralize. and track metrics such as CPU load and network traffic across entire infrastructures.

Researchers from SonarSource, who discovered the bugs, noted that Zabbix is a high-profile target for threat actors due to its popularity, features, and its “privileged position in most company’s networks”.

 

Issues

 

The first vulnerability, tracked as CVE-2022-23131, which was given a severity of 9.1, is unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML.

In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified.

A malicious unauthenticated actor could exploit this issue to escalate privileges and gain admin access to the Zabbix Frontend.

 

See Also: Complete Offensive Security and Ethical Hacking Course

 

 

A caveat to this is that to perform the attack, SAML authentication is required to be enabled, and the assailant has to know the username of Zabbix user (or use the guest account, which is disabled by default), a security advisory from Zabbix notes.

The second vulnerability found by SonarSource, tracked as CVE-2022-23134, is rated as medium severity and allows some steps of setup.php file to be reachable not only by super-administrators, but by unauthenticated users as well.

A malicious actor could pass step checks and potentially change the configuration of Zabbix Frontend, an advisory notes.

 
 
 

 

 

Patch now

In a blog post from SonarSource, the researchers said that when writing and reviewing code related to important security features, “it is easy to make the same assumptions as the original developer who introduced the vulnerability”.

They wrote: “Here, there were no integration tests related to the client-side session storage that could have spotted this behavior.

“Always provide access to sensible services with extended internal accesses (e.g. orchestration, monitoring) over VPNs or a restricted set of IP addresses, harden filesystem permissions to prevent unintended changes, remove setup scripts, etc.”

Finally, the researchers recommended upgrading all instances running a Zabbix Web Frontend to 6.0.0beta2, 5.4.9, 5.0.19, or 4.0.37.

 

See Also: Offensive Security Tool: Swaks – Swiss Army Knife for SMTP

 

 

 

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

 

 

 

See Also: How ILOVEYOU worm became the first global computer virus pandemic

 

Source: portswigger.net

Source Link

 

 

 


 

merch

Share This