CVE-2022-23131 SAML SSO authentication can be modified by a malicious actor if a user login is not verified.

The user would not be notified when Zabbix starts to send data to the Back-End server, because the warning messages are not shown to the user. Step by step instructions for performing the attack are described in the following diagram: Here is an example of the notification that is shown to the user when Zabbix starts to send data to the Back-End server:

- After logging into the Front-End server via an external link, an actor can use the browser's menu options to navigate to the Back-End server.
- After successful authentication, the actor can use the browser's menu options to navigate to the Front-End server and log in as an admin user.
- After successfully authenticating, the actor can use the browser's menu options to navigate to the Zabbix Back-End server and start to send data.
- After successful authentication, the actor can use the browser's menu options to navigate to the Front-End server and start to receive data.
- After successful authentication, the actor can use the browser's menu options to navigate to the Back-End server and start to receive data.
- After the actor successfully receives data from the Back-End server, the actor can use the browser's menu options to navigate to the Zabbix Front-

Step 2: Obtain user credentials

This attack is generally performed by an actor who has already obtained a user's credentials. The actor can also use the browser's menu options to navigate to the Front-End server and log in as an admin user.

Summary

- An attacker can log into the Front-End server and use browser menu options to navigate to the Back-End server.
- The actor could authenticate to the Front-End server, then authenticate to the Zabbix Back-End server, then send data.
- After successful authentication, the actor could then use browser menu options to navigate to the Front-End server and start receiving data.

To mitigate this vulnerability, do not allow external access to Zabbix servers from the Front-End servers for any users other than admin users.

Timeline

Published on: 01/13/2022 16:15:00 UTC
Last modified on: 01/19/2022 21:08:00 UTC
