The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of two security flaws impacting Zabbix open-source enterprise monitoring platform, adding them to its Known Exploited Vulnerabilities Catalog.
On top of that, CISA is also recommending that Federal Civilian Executive Branch (FCEB) agencies patch all systems against the vulnerabilities by March 8, 2022 to reduce their exposure to potential cyberattacks.
Tracked as CVE-2022-23131 (CVSS score: 9. 8) and CVE-2022-23134 (CVSS score: 5. 3), the shortcomings could lead to the compromise of complete networks, enabling a malicious unauthenticated actor to escalate privileges and gain admin access to the Zabbix Frontend as well as make configuration changes.
Thomas Chauchefoin from SonarSource has been credited with discovering and reporting the two flaws, which affect Zabbix Web Frontend versions up to and including 5.4. 8, 5.0. 18 and 4.0.36. The issues have since been addressed in versions 5.4. 9, 5.0. 9 and 4.0. 37 shipped late December 2021.
Both the flaws are the result of what the company calls “unsafe session storage,” allowing attackers to bypass authentication and execute arbitrary code. It’s, however, worth pointing out that the flaws only impact instances where Security Assertion Markup Language (SAML) Single sign-on (SSO) authentication is enabled.
“Always provide access to sensible services with extended internal accesses (e.g., orchestration, monitoring) over VPNs or a restricted set of IP addresses, harden filesystem permissions to prevent unintended changes, remove setup scripts, etc.,” Chauchefoin said.