A Zabbix affected by two actively exploited vulnerabilities.

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here

Multiple security vulnerabilities have been discovered in Zabbix (open-source network traffic monitoring software) Web Frontend component while implementing client-side sessions storage and are being actively exploited as per CISA. Successful exploitation of these vulnerabilities may allow an attacker to bypass authentication, escalate privileges and execute an arbitrary code on a targeted server instance that could lead to the complete compromise of the network infrastructure.

An authentication bypass is one of the vulnerabilities, which has been assigned CVE-2022-23131. This issue occurs since the Zabbix Web Frontend is automatically configured with a highly-privileged user named “Admin” which may allow attackers to gain admin privileges to the Zabbix Frontend. SAML authentication must be enabled for the attack to be successful, and the actor must know the Zabbix user’s name (or use the guest account, which is disabled by default).

Another one is an improper access control vulnerability that has been issued CVE-2022-23134. This issue exists due to unsafe use of the session in the “setup.php” file which is usually run by system administrators when first deploying Zabbix Web Frontend and later access is only allowed to authenticated and highly-privileged users. Attackers can override the existing configuration files and gain access to the dashboard with a highly-privileged account.

These vulnerabilities are actively being exploited and hence organizations should apply the patch as soon as possible.

Potential MITRE ATT&CK TTPs are:

TA0001: Initial Access

T1190: Exploit Public-Facing Application

TA0004: Privilege Escalation

T1068: Exploitation for Privilege Escalation

TA0002: Execution

T1059: Command and Scripting Interpreter