A notification from the U.S. Cybersecurity Infrastructure and Security Agency (CISA) warns that threat actors are exploiting vulnerabilities in the Zabbix open-source tool for monitoring networks, servers, virtual machines, and cloud services.
The agency is asking federal agencies to patch any Zabbix servers against security issues tracked as CVE-2022-23131 and CVE-2022-23134, to avoid “significant risk” from malicious cyber actors.
The same warning comes from the Computer Emergency Response Team (CERT) of Ukraine, which notes that one of the vulnerabilities has a critical severity score of 9.1 out of 10.
Exploits publicly available
Proof-of-concept exploit code for CVE-2022-23131 affecting Zabbix Frontend has been publicly shared by more than one researcher starting February 21.
An attacker leveraging this security issue could bypass authentication on servers with configured Security Assertion Markup Language (SAML, a non-default state.
SAML is an open standard providing a single point of authentication (single sign-on) that exchanges data between an identity provider and a service provider.
The National Cyber Security Center in the Netherlands alerts that the vulnerability is being actively exploited and it can allow remote code execution with root privileges.
The Ukrainian Computer Emergency Response Team (CERT) also published a warning about the risk of leaving Zabbix servers unpatched against the two vulnerabilities, especially CVE-2022-23131.
“If SAML SSO authentication is enabled (not by default), session data can be modified by an attacker, as the user login stored in the session is not verified. This allows an untested attacker to exploit this vulnerability to gain privileges and gain administrator access to Zabbix Frontend” – Ukraine CERT
The second vulnerability, CVE-2022-23134, is medium severity improper access control issue that allows attackers to change the configuration file (the setup.php script) and gain access to the dashboard with elevated privileges.
The two vulnerabilities were discovered by researchers from SonarSource, who published their findings in a technical report earlier this month, noting that exploiting CVE-2022-23131 is “straightforward, especially since the Zabbix Web Frontend is automatically configured with a highly-privileged user named Admin.”
The maintainers of the Zabbix project have released updates (versions 5.4.9, 5.0.9, and 4.0.37) that address both issues and it is highly recommended to install them, especially in a context of active exploitation.
CISA has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog that represent a frequent attack vector and is asking federal agencies to install available patches by March 8.