Researchers from SonarSource have discovered a critical severity vulnerability in Zabbix that allows an attacker to bypass authentication and execute arbitrary code on a targeted server.
Zabbix is an open-source monitoring software program that can be used to track IT infrastructures like networks, servers, virtual machines, and cloud services.
The vulnerability is tracked as CVE-2022-23131: unsafe client-side session storage leads to an authentication bypass and instance takeover through the Zabbix Frontend when SAML is configured.
Because the user login recorded in the session was not confirmed, a malicious actor can manipulate the session data when SAML SSO authentication is enabled (it is not enabled by default).
An unauthenticated attacker could use this flaw to escalate privileges and gain administrative access to the Zabbix Frontend.
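The pattern described above is a general one: session state handed to the client that the server later trusts without checking that it was sealed by the server and that a login actually completed. The following added example (not Zabbix code; the cookie layout, function names, and keys are all constructed for illustration and do not reproduce the Zabbix Frontend's session format) models the weak pattern beside a hardened one. The weak resolver reads a username straight out of an unsigned cookie; the hardened resolver accepts a username only from an HMAC-sealed session that the server minted after verifying the identity provider's assertion, and only when that session carries the server-set login_confirmed flag.

```python
"""Model of the session-integrity flaw class behind CVE-2022-23131.
Added example, not Zabbix code: names, cookie layout and keys are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed keys. In a real deployment the session key lives only on the
# server and the IdP key is the identity provider's signing key.
SESSION_KEY = secrets.token_bytes(32)
IDP_KEY = secrets.token_bytes(32)


def sign_payload(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def seal_token(key: bytes, data: dict) -> str:
    """Serialise data and bind an HMAC tag to it; the result can be handed to
    the client because any edit invalidates the tag."""
    payload = json.dumps(data, sort_keys=True)
    envelope = {"payload": payload, "sign": sign_payload(key, payload.encode())}
    return base64.urlsafe_b64encode(json.dumps(envelope).encode()).decode()


def open_token(key: bytes, token: str) -> Optional[dict]:
    """Return the sealed data only if the tag verifies; None for anything
    malformed or tampered with."""
    try:
        envelope = json.loads(base64.urlsafe_b64decode(token))
        payload = envelope["payload"]
        if not hmac.compare_digest(sign_payload(key, payload.encode()), envelope["sign"]):
            return None
        return json.loads(payload)
    except (AttributeError, KeyError, TypeError, ValueError):
        return None


# --- Weak pattern: client-side session with no integrity check ---------------
def weak_encode_session(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data).encode()).decode()


def weak_resolve_user(cookie: str) -> Optional[str]:
    """Trusts whatever username the cookie carries; nothing proves that a
    SAML login ever completed for it."""
    try:
        data = json.loads(base64.urlsafe_b64decode(cookie))
        saml = data.get("saml_data") or {}
        return saml.get("username")
    except (AttributeError, TypeError, ValueError):
        return None


# --- Hardened pattern ---------------------------------------------------------
def issue_saml_assertion(username: str) -> str:
    """Stands in for the identity provider: a signed assertion for username."""
    return seal_token(IDP_KEY, {"username": username})


def complete_saml_login(assertion: str) -> Optional[str]:
    """Server-side SSO callback. Only after the IdP signature verifies does the
    server mint a session, and only the server sets login_confirmed."""
    claims = open_token(IDP_KEY, assertion)
    if claims is None or "username" not in claims:
        return None
    session = {
        "session_id": secrets.token_hex(16),
        "saml_data": {"username": claims["username"], "login_confirmed": True},
    }
    return seal_token(SESSION_KEY, session)


def hardened_resolve_user(cookie: str) -> Optional[str]:
    """Accepts a username only from a session the server sealed, and only if
    that session records a confirmed login."""
    session = open_token(SESSION_KEY, cookie)
    if session is None:
        return None
    saml = session.get("saml_data") or {}
    if saml.get("login_confirmed") is not True:
        return None
    return saml.get("username")


if __name__ == "__main__":
    # A cookie that never went through the IdP: the weak path accepts it,
    # the hardened path rejects it.
    unsigned = weak_encode_session({"saml_data": {"username": "Admin"}})
    print("weak:", weak_resolve_user(unsigned))
    print("hardened:", hardened_resolve_user(unsigned))
    legit = complete_saml_login(issue_saml_assertion("alice"))
    print("hardened, real login:", hardened_resolve_user(legit))
```

The two properties the hardened path adds are the ones the advisory text points at: integrity of client-held session data (the HMAC tag, verified with a constant-time comparison) and a server-only record that the login was confirmed, so a session that merely names a user is not enough to act as that user.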
Affected versions
Zabbix Web Frontend 5.4.0 to 5.4.8 and 6.0.0alpha1 are the versions affected by this vulnerability.
Mitigation
In its security advisory, Zabbix recommends that users upgrade their Web Frontend to version 6.0.0beta2, 5.4.9, 5.0.19, or 4.0.37.
Qualys Detection
Qualys customers can scan their devices with QID 376061 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://www.zabbix.com/security_advisories
https://portswigger.net/daily-swig/critical-vulnerabilities-in-zabbix-web-frontend-allow-authentication-bypass-code-execution-on-servers