CVE-2022-23131
📋 TL;DR
This vulnerability allows unauthenticated attackers to modify session data and escalate privileges to admin access in Zabbix Frontend when SAML SSO authentication is enabled. It affects Zabbix instances with non-default SAML authentication configured. Attackers need to know a valid Zabbix username or exploit the guest account (disabled by default).
💻 Affected Systems
- Zabbix
📦 What is this software?
Zabbix by Zabbix
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Zabbix Frontend with admin privileges, allowing data manipulation, system access, and potential lateral movement to connected systems.
Likely Case
Unauthorized admin access to Zabbix monitoring system, enabling configuration changes, data exfiltration, and disruption of monitoring services.
If Mitigated
Limited impact if SAML authentication is disabled or proper network segmentation isolates Zabbix systems.
🎯 Exploit Status
Exploitation requires SAML authentication to be enabled and knowledge of a valid username. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Zabbix 5.4.9, 6.0.3, and later versions
Vendor Advisory: https://support.zabbix.com/browse/ZBX-20350
Restart Required: Yes
Instructions:
1. Back up the Zabbix configuration and database.
2. Upgrade to Zabbix 5.4.9 or 6.0.3+.
3. Restart the Zabbix server and frontend services.
4. Verify that the SAML configuration remains functional.
🔧 Temporary Workarounds
Disable SAML Authentication
Temporarily disable SAML SSO authentication until patching is possible
Edit zabbix.conf.php and set SAML authentication to disabled
Disable Guest Account
Ensure the guest account is disabled to reduce the attack surface
Navigate to Administration -> Users -> Guest -> Disable
🧯 If You Can't Patch
- Disable SAML authentication immediately
- Implement strict network access controls to limit Zabbix frontend access to trusted IPs only
🔍 How to Verify
Check if Vulnerable:
Check the Zabbix version and SAML configuration. If the version is 5.4.0-5.4.8 or 6.0.0-6.0.2 and SAML is enabled, the system is vulnerable.
Check Version:
grep ZABBIX_VERSION /usr/share/zabbix/include/defines.inc.php
Verify Fix Applied:
Verify that the Zabbix version is 5.4.9+ or 6.0.3+ and test that SAML authentication still works.
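A POSIX sh check that builds on the grep command above, added here as an example and not taken from the advisory or from Zabbix itself: it reads ZABBIX_VERSION from defines.inc.php and tests it against the affected ranges listed in this section. The file path is the one the grep uses; the function names are assumptions, and the sample file line in the comments is constructed.

```shell
#!/bin/sh
# Added example (not part of the original advisory): a POSIX sh check that
# reads ZABBIX_VERSION from defines.inc.php and decides whether it falls in the
# affected ranges for CVE-2022-23131 (5.4.0-5.4.8 and 6.0.0-6.0.2).
DEFINES_PATH="/usr/share/zabbix/include/defines.inc.php"

# Print the version string found in a defines.inc.php, from a line such as
#   define('ZABBIX_VERSION',    '5.4.8');     (constructed sample)
zabbix_version_from_file() {
    sed -n "s/.*ZABBIX_VERSION['\"][^'\"]*['\"]\([0-9.]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Exit status 0: version is in an affected range; 1: outside both ranges;
# 2: the version string could not be parsed (empty, or carries a suffix).
is_vulnerable_version() {
    ver="$1"
    case "$ver" in
        ""|*[!0-9.]*) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;
    esac
    patch=${patch:-0}
    # 5.4.0 through 5.4.8 are affected; 5.4.9 is the fixed release
    if [ "$major" -eq 5 ] && [ "$minor" -eq 4 ] && [ "$patch" -le 8 ]; then
        return 0
    fi
    # 6.0.0 through 6.0.2 are affected; 6.0.3 is the fixed release
    if [ "$major" -eq 6 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 2 ]; then
        return 0
    fi
    return 1
}

# Report on one frontend install. Version alone does not decide exposure:
# the advisory also requires SAML authentication to be enabled.
check_zabbix_frontend() {
    ver=$(zabbix_version_from_file "$1")
    rc=0
    is_vulnerable_version "$ver" || rc=$?
    case $rc in
        0) echo "Zabbix $ver: in an affected range for CVE-2022-23131; confirm whether SAML is enabled" ;;
        1) echo "Zabbix $ver: outside the affected version ranges" ;;
        *) echo "could not determine the Zabbix version from $1" ;;
    esac
}

if [ -f "$DEFINES_PATH" ]; then check_zabbix_frontend "$DEFINES_PATH"; fi
```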
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns: multiple failed login attempts followed by a successful admin login from the same IP
- SAML authentication errors followed by a privilege escalation
Network Indicators:
- Unusual HTTP POST requests to Zabbix frontend SAML endpoints
- Traffic from unexpected sources to Zabbix admin interfaces
SIEM Query:
source="zabbix" AND (event="authentication failure" OR event="privilege escalation")