Two vulnerabilities in Zabbix, an open source monitoring platform used to collect, centralize and track metrics such as CPU load and network traffic across entire infrastructures, could allow an attacker to bypass authentication and execute arbitrary code on a targeted server.
The first vulnerability, tracked as CVE-2022-23131 and rated 9.1 (critical) on the CVSS scale, is unsafe client-side session storage that leads to authentication bypass and instance takeover via the Zabbix Frontend when SAML is configured.
On instances where SAML SSO authentication is enabled (it is off by default), session data can be modified by a malicious actor, because the user login stored in the session was not verified.
An unauthenticated attacker could exploit this issue to escalate privileges and gain admin access to the Zabbix Frontend. Two preconditions apply: SAML authentication must be enabled, and the attacker has to know the username of a Zabbix user.
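The bug class behind CVE-2022-23131, modelled as an added example: this is not Zabbix's code, and the cookie layout, field names (`session_id`, `saml_data`, `username_attribute`, `sign`), user table and server secret are all constructed for illustration. A client-side session cookie carries a base64-encoded JSON document with an HMAC over its other fields. The vulnerable login path reads the SAML username out of the cookie and logs the user in before the signature is checked, so an attacker who knows a username can forge the cookie with any signature at all; the hardened path verifies the HMAC over the whole payload before trusting any field.

```python
"""Illustrative model of trusting client-side session data before verifying it.
Added example; not Zabbix code. All identifiers and values are constructed."""
import base64
import hashlib
import hmac
import json

SERVER_SECRET = b"constructed-example-secret"  # assumption: key known only to the server

# Constructed user table: username -> role.
USERS = {"Admin": "super-admin", "guest": "user"}


def _canonical(session: dict) -> bytes:
    """Deterministic bytes over every field except the signature itself."""
    body = {k: v for k, v in session.items() if k != "sign"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_session(session: dict) -> dict:
    """Server side: attach an HMAC-SHA256 over the session contents."""
    signed = dict(session)
    signed["sign"] = hmac.new(SERVER_SECRET, _canonical(session), hashlib.sha256).hexdigest()
    return signed


def verify_session(session: dict) -> bool:
    """Constant-time check that the 'sign' field matches the rest of the payload."""
    expected = hmac.new(SERVER_SECRET, _canonical(session), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(session.get("sign", "")))


def encode_cookie(session: dict) -> str:
    return base64.b64encode(json.dumps(session).encode()).decode()


def decode_cookie(cookie: str) -> dict:
    return json.loads(base64.b64decode(cookie))


def vulnerable_sso_login(cookie: str):
    """Bug class: the SAML username is read from the session and used to log
    the user in without the cookie's signature ever being verified."""
    session = decode_cookie(cookie)
    username = session.get("saml_data", {}).get("username_attribute")
    if username in USERS:
        return {"user": username, "role": USERS[username]}
    return None


def hardened_sso_login(cookie: str):
    """Fix: reject the cookie unless its HMAC covers every field we are about
    to trust; only then read the username out of it."""
    try:
        session = decode_cookie(cookie)
    except ValueError:  # covers bad base64 and bad JSON
        return None
    if not isinstance(session, dict) or not verify_session(session):
        return None
    saml = session.get("saml_data")
    if not isinstance(saml, dict):
        return None
    username = saml.get("username_attribute")
    if username in USERS:
        return {"user": username, "role": USERS[username]}
    return None


def forge_cookie(known_username: str) -> str:
    """Attacker side: the only knowledge needed is a valid username; the
    signature field is filled with garbage because nothing checks it."""
    return encode_cookie({"saml_data": {"username_attribute": known_username}, "sign": "0" * 64})


if __name__ == "__main__":
    forged = forge_cookie("Admin")
    print("vulnerable:", vulnerable_sso_login(forged))  # logs in as Admin
    print("hardened:  ", hardened_sso_login(forged))    # None
    legit = encode_cookie(sign_session({"saml_data": {"username_attribute": "guest"}}))
    print("hardened, legit cookie:", hardened_sso_login(legit))
```

The ordering is the whole point: a signature that is present in the cookie but consulted only after a field has already been acted on protects nothing. A server-side session store (the cookie carrying only an opaque identifier) avoids the problem entirely, at the cost of the stateless design the client-side cookie was chosen for.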
The second vulnerability, tracked as CVE-2022-23134, is rated medium severity. It allows some steps of the setup.php file to be reached not only by super administrators but by unauthenticated users as well; a malicious actor could pass the step checks and potentially change the configuration of the Zabbix Frontend.
The researchers said that when writing and reviewing code related to important security features, it is easy to make the same assumptions as the original developer who introduced the vulnerability.
Always restrict access to sensitive services that have extended internal access to VPNs or a limited set of IP addresses, harden filesystem permissions to prevent unintended changes, remove setup scripts, etc. Upgrading all instances running a Zabbix Web Frontend to 6.0.0beta2, 5.4.9, 5.0.19, or 4.0.37 is recommended.