CISA: Zabbix servers under attack following vulnerability disclosure

Overview

US Cybersecurity Infrastructure and Security Agency (CISA) urges federal agencies to patch Zabbix servers following intel of active exploits by threat actors.

Vulnerabilities referenced by CISA are tracked as CVE-2022-23131: Zabbix Frontend Authentication Bypass Vulnerability and CVE-2022-23134: Zabbix Frontend Improper Access Control Vulnerability.

CISA: “These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.”

Zabbix is a very popular open-source web-based app that can be used to monitor and receive telemetry from a wide array of IT systems deployed inside large enterprise networks, supporting acquisition from workstations, servers, and cloud resources alike.

Another vulnerability, a hardcoded backdoor account in Extensis Portfolio (CVE-2022-24255), which is an IT monitoring and management tool similar to Zabbix was detailed in a report shortly after.

Exploits have not been observed, but it’s just as an attractive target as Zabbix systems and even easier to exploit.

Impact

These Zabbix vulnerabilities could allow attackers to bypass authentication procedures, access resources in the Zabbix installer files and re-configure servers.

In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified.

Malicious unauthenticated actors may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the guest account, which is disabled by default).

Affected Products

Zabbix servers

Containment, Mitigations & Remediations

Zabbix maintainers:

[CVE-2022-23131]
– Resolution: Apply the updates listed in the ‘Fixed Version’ section to appropriate products or if an immediate update is not possible, follow the presented below workarounds.
– Workaround: Disable SAML authentication

[CVE-2022-23134]
– Resolution: Apply the updates listed in the ‘Fixed Version’ section to appropriate products or if immediate update is not possible, follow the presented below workarounds.
– Workaround: Remove the setup.php file

Indicators of Compromise

While CISA has not released details about the current exploitation attempts, a proof-of-concept for at least one of the vulnerabilities has been available on GitHub for at least a few days.

Threat Landscape

According to a Shodan Trends page, there are currently more than 3,800 Zabbix instances connected to the internet, which if left unpatched, are at serious risk of being compromised.

Mitre Methodologies

T1556 – Modify Authentication Process
T1098 – Account Manipulation
TA0004 -Privilege Escalation

Further Information

https://www.cisa.gov/uscert/ncas/current-activity/2022/02/22/cisa-adds-two-known-exploited-vulnerabilities-catalog
https://support.zabbix.com/browse/ZBX-20350
https://support.zabbix.com/browse/ZBX-20384
https://github.com/Mr-xn/cve-2022-23131
https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage
https://www.whiteoaksecurity.com/blog/extensis-portfolio-vulnerability-disclosure/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24255