CVE-2022-23131: Zabbix Frontend Authentication Bypass Vulnerability Alert

CVE-2022-23131
The U.S Cybersecurity and Infrastructure Security Agency (CISA) has added two new Zabbix vulnerabilities (CVE-2022-23131 & CVE-2022-23134) to its catalog of known exploited vulnerabilities. The vulnerability is reported to affect the Zabbix infrastructure monitoring tool.
The details of the vulnerabilities are as follows:
  • CVE-2022-23131 – Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML
    • Affected versions: 5.4.0 – 5.4.8; 6.0.0alpha1
  • CVE-2022-23134 – Possible view of the setup pages by unauthenticated users if config file already exists
    • Affected versions: 5.4.0 – 5.4.8; 6.0.0 – 6.0.0beta1
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, to reduce the significant risk of known exploited vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date. Additionally, cybersecurity experts recommend that organizations review and proactively address vulnerabilities in their infrastructure as soon as possible. Notably, CISA ordered all Federal Civilian Executive Branch Agencies (FCEB) agencies to address both Zabbix vulnerabilities by March 8, 2022.
These two vulnerabilities were disclosed by SonarSource researcher Thomas Chauchefoin, and the affected Zabbix Web versions mainly include 5.4.8, 5.0.18, and 4.0.36.In a blog, Zabbix Certified Expert & Trainer, Arturs Lontons writes: “We urge everyone who is using the SAML SSO authentication features in your environment or update your Zabbix instance to one of the aforementioned versions where the security vulnerabilities have been resolved.