#VU60811 Improper Authentication in Zabbix - CVE-2022-23131


Updated: 2024-09-20

Vulnerability identifier: #VU60811

Vulnerability risk: High

CVSSv4.0: 9.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2022-23131

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Zabbix
Server applications / Remote management servers, RDP, SSH

Vendor: Zabbix

Description

The vulnerability allows a remote attacker to bypass the SAML authentication process.

The vulnerability exists due to unsafe use of session data stored in local storage when SAML SSO authentication is in use. A remote attacker who knows a valid username can bypass SAML SSO authentication and gain administrative access to the Zabbix Frontend.

Successful exploitation of the vulnerability requires that SAML SSO authentication is enabled (it is disabled by default).

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Zabbix: 5.4.0 rc1 - 5.4.8
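An added triage helper, not from this bulletin or from Zabbix, that encodes the affected range above and the SAML SSO precondition from the description so an inventory of frontends can be sorted into those that need urgent attention; the version-parsing rules and the result labels are this example's own assumptions.

```python
# Added triage helper for CVE-2022-23131 (#VU60811); not from the bulletin
# or from Zabbix. Only the affected range (5.4.0 rc1 - 5.4.8) and the
# SAML SSO precondition come from the page; the parsing rules and the
# result labels are this example's own assumptions.
import re

VULN_FROM = "5.4.0 rc1"  # first affected build listed in the bulletin
VULN_TO = "5.4.8"        # last affected build listed in the bulletin

# Accepts "5.4.8", "5.4.0rc1" and "5.4.0 rc1" (the bulletin's spelling).
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)\s*(?:(alpha|beta|rc)\s*(\d+))?$", re.IGNORECASE
)
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3  # a final build sorts after every pre-release of that number


def parse_version(text):
    """Turn a Zabbix version string into a tuple that sorts correctly.

    5.4.0 alpha1 < 5.4.0 rc1 < 5.4.0 < 5.4.1, which is what makes the
    bulletin's lower bound (an rc build) behave as expected.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    major, minor, patch, tag, seq = m.groups()
    pre = (_PRE_RANK[tag.lower()], int(seq)) if tag else (_FINAL_RANK, 0)
    return (int(major), int(minor), int(patch)) + pre


def version_in_affected_range(version):
    """True when the build falls inside the bulletin's affected range."""
    v = parse_version(version)
    return parse_version(VULN_FROM) <= v <= parse_version(VULN_TO)


def exposure(version, saml_sso_enabled):
    """Classify one frontend for triage (labels are this example's own).

    exposed       affected build with SAML SSO enabled: the bulletin's
                  exploitation precondition is met
    patch-needed  affected build, SAML SSO disabled: not exploitable via
                  this flaw right now, still update
    not-affected  build outside the affected range
    """
    if not version_in_affected_range(version):
        return "not-affected"
    return "exposed" if saml_sso_enabled else "patch-needed"
```

Feed it the version string reported by each frontend together with whether SAML SSO is switched on in that frontend's authentication settings; a "patch-needed" result still warrants the vendor update, it only lowers the urgency.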


External links
https://support.zabbix.com/browse/ZBX-20350


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

