Zabbix 5.4.x < 5.4.9 Multiple Vulnerabilities

critical Nessus Plugin ID 158452

Synopsis

A web application running on the remote host is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the instance of Zabbix running on the remote host is 5.4.x prior to 5.4.9. It is, therefore, affected by multiple vulnerabilities:

- In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the guest account, which is disabled by default). (CVE-2022-23131)

- During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permissions check on the file system level. (CVE-2022-23132)

- An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. (CVE-2022-23133)

- After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend. (CVE-2022-23134)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Zabbix version 5.8.9 or later

See Also

https://support.zabbix.com/browse/ZBX-20350

https://support.zabbix.com/browse/ZBX-20341

https://support.zabbix.com/browse/ZBX-20388

https://support.zabbix.com/browse/ZBX-20384

Plugin Details

Severity: Critical

ID: 158452

File Name: zabbix_frontend_5_4_9.nasl

Version: 1.8

Type: remote

Family: CGI abuses

Published: 2/28/2022

Updated: 6/5/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-23132

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2022-23131

Vulnerability Information

CPE: cpe:/a:zabbix:zabbix

Required KB Items: installed_sw/zabbix

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/23/2021

Vulnerability Publication Date: 12/20/2021

CISA Known Exploited Vulnerability Due Dates: 3/8/2022

Exploitable With

CANVAS (CANVAS)

Reference Information

CVE: CVE-2022-23131, CVE-2022-23132, CVE-2022-23133, CVE-2022-23134