CVE-2023-28799
📋 TL;DR
During login, Zscaler Client Connector did not sufficiently validate the domain in the web redirect URL. An attacker who gets a victim to start a login through a crafted URL can inject their own domain, so the post-authentication redirect carries the user's authorization token to the attacker's host. All Zscaler Client Connector platforms are affected on versions before the patched releases listed below.
💻 Affected Systems
- Zscaler Client Connector
📦 What is this software?
Zscaler Client Connector (formerly Zscaler App) is the endpoint agent that authenticates the user, usually through the organization's identity provider, and forwards device traffic to the Zscaler cloud services (Zscaler Internet Access and Zscaler Private Access). It runs on Windows, macOS, Linux, iOS, Android and Chrome OS.
⚠️ Risk & Real-World Impact
Worst Case
An attacker obtains a valid authorization token and uses it to access resources protected by Zscaler, potentially leading to account takeover, data exfiltration, or lateral movement within the network.
Likely Case
Targeted phishing: the user is sent a login link whose redirect parameter points at an attacker-controlled domain, the login itself succeeds normally, and the token is delivered to the attacker, enabling session hijacking.
If Mitigated
With the patched client, which validates the redirect domain against an allowlist, the injected domain is rejected and the token is only ever redirected to the intended domain.
🎯 Exploit Status
Exploitation requires user interaction: the victim must start a login through an attacker-crafted link or redirect URL parameter. Once the vulnerable parameter is known, injecting the attacker's domain is straightforward and no further privileges are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version:
- Windows: 3.7+ (2021-11-26)
- Linux: 1.4+ (2022-10-31)
- macOS: 3.9+ (2023-01-25)
- iOS: 1.9.3+ (2023-03-03)
- Android: 1.10.2+ (2023-03-09)
- Chrome OS: 1.10.1+ (2023-03-10)
Vendor Advisory: https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023
Restart Required: Yes
Instructions:
1. Identify your platform and current Zscaler Client Connector version.
2. Visit the Zscaler help portal release summary for your platform (see References).
3. Download and install the patched version listed in the release notes, or push it through your existing deployment tooling.
4. Restart the application or device as required.
🔧 Temporary Workarounds
Implement redirect URL validation at the proxy/WAF
Where the login flow passes through infrastructure you control (for example a reverse proxy or WAF in front of your identity provider), validate the redirect URL parameter in login requests and block requests whose redirect target is not an approved host. Match the parsed host exactly rather than by substring, since "trusted-domain.com.evil.example" contains the trusted string.
Restrict redirect domains
Where the application or identity provider supports it, configure post-login redirects to an explicit allowlist of hosts under the organization's control and reject everything else.
🧯 If You Can't Patch
- Implement network segmentation and least-privilege access policies to limit what a stolen token can reach
- Enable multi-factor authentication. Note that MFA protects the login, not a token that has already been issued, so also keep token lifetimes short and be ready to revoke sessions for affected users
🔍 How to Verify
Check if Vulnerable:
Compare your Zscaler Client Connector version against the patched version for your platform listed above. Any older version is vulnerable.
Check Version:
Platform dependent: open the Zscaler Client Connector app and read the version from its About or settings view, or use the enrolled-device inventory in the Zscaler Client Connector Portal to see the app version reported by each device fleet-wide.
Verify Fix Applied:
After updating, confirm the installed version matches or exceeds the patched version for your platform. Then test the login flow with a redirect parameter pointing at a domain you do not control and confirm the client refuses to redirect there.
📡 Detection & Monitoring
Log Indicators:
- Redirect targets in authentication logs that are outside the organization's approved hosts
- Login requests whose redirect URL parameter carries an absolute URL ("http://" or "https://") to an external domain, or a host that merely begins with a trusted name (e.g. trusted-domain.com.evil.example)
Network Indicators:
- HTTP 302 redirects to unexpected domains immediately after authentication
- Authorization tokens observed in requests to non-approved domains
SIEM Query (pseudo-syntax, adapt field names to your platform):
source="authentication_logs" AND (url_parameter CONTAINS "http://" OR url_parameter CONTAINS "https://") AND url_parameter NOT CONTAINS "trusted-domain.com"
This substring filter is a coarse first pass: an attacker host such as trusted-domain.com.evil.example or trusted-domain.com@evil.example would slip through it, so where your SIEM supports URL parsing, extract the redirect host and compare it exactly against the allowlist.
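The two points above, exact-host validation of a redirect target (the "Restrict redirect domains" workaround) and triage of authentication logs for redirects that fail it, can be shown in one piece of code. The following is an added example written for this page, not Zscaler code and not a description of how Client Connector implements its fix. The allowlist hosts, the log line format and the `redirect_url` parameter name are assumptions chosen for illustration; the log sample is constructed.

```python
"""Redirect-target validation and auth-log triage for open-redirect / token-leak bugs.

Added example for this page; not Zscaler code. The allowlist, the log format
and the ``redirect_url`` parameter name are assumptions made for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist: the only hosts a post-login redirect may target.
ALLOWED_HOSTS = frozenset({"login.example.com", "gateway.example.com"})


def weak_is_allowed(url: str) -> bool:
    """String-prefix check: the kind of validation this bug class defeats.

    It accepts ``https://login.example.com.evil.example/`` and
    ``https://login.example.com@evil.example/`` because both start with the
    trusted string.
    """
    return url.startswith("https://login.example.com") or url.startswith(
        "https://gateway.example.com"
    )


def is_allowed_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Parse the URL and compare its exact host against the allowlist.

    Rejects non-https schemes, userinfo ("user@host") tricks, backslashes,
    whitespace and control characters (browsers normalise these differently
    from URL parsers), and any host that is not an exact allowlist member, so
    ``login.example.com.evil.example`` fails.
    """
    if not url or any(ch in url for ch in "\\\t\r\n "):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme != "https":
        return False
    if "@" in parts.netloc or parts.hostname is None:
        return False
    return parts.hostname.lower() in allowed_hosts


# Constructed sample of an authentication log; the format is an assumption.
SAMPLE_AUTH_LOG = """\
2023-03-09T08:01:12Z user=alice event=login request=/auth/login?redirect_url=https%3A%2F%2Fgateway.example.com%2Fhome
2023-03-09T08:02:45Z user=bob event=login request=/auth/login?redirect_url=https%3A%2F%2Flogin.example.com.evil.example%2F
2023-03-09T08:03:10Z user=carol event=login request=/auth/login?redirect_url=https%3A%2F%2Flogin.example.com%40evil.example%2F
2023-03-09T08:04:02Z user=dave event=login request=/auth/login?redirect_url=http%3A%2F%2Flogin.example.com%2F
2023-03-09T08:05:30Z user=erin event=login request=/auth/login
"""

REQUEST_RE = re.compile(r"\brequest=(\S+)")
USER_RE = re.compile(r"\buser=(\S+)")
REDIRECT_PARAM = "redirect_url"  # assumed parameter name


def extract_redirect(line: str):
    """Return the percent-decoded redirect target from a log line, or None if absent."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    values = parse_qs(urlsplit(m.group(1)).query).get(REDIRECT_PARAM)
    return values[0] if values else None


def find_suspicious_redirects(log_text: str, allowed_hosts=ALLOWED_HOSTS):
    """Return (user, redirect_target) for every login whose redirect fails validation."""
    hits = []
    for line in log_text.splitlines():
        target = extract_redirect(line)
        if target is None or is_allowed_redirect(target, allowed_hosts):
            continue
        user = USER_RE.search(line)
        hits.append((user.group(1) if user else "?", target))
    return hits


if __name__ == "__main__":
    for user, target in find_suspicious_redirects(SAMPLE_AUTH_LOG):
        print(f"{user}: {target}  (prefix check would allow: {weak_is_allowed(target)})")
```

Run against the constructed log, the hardened check flags bob (suffix-appended host), carol (userinfo trick) and dave (plain http), while the prefix check would have let bob's and carol's targets through. In a real deployment, replace `SAMPLE_AUTH_LOG` with your exported authentication logs and `ALLOWED_HOSTS` with the hosts your login flow is actually permitted to redirect to.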
🔗 References
- https://help.zscaler.com/client-connector/client-connector-app-release-summary-2022?applicable_category=Linux&applicable_version=1.4&deployment_date=2022-10-31&id=1420246
- https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Android&applicable_version=1.10.2&deployment_date=2023-03-09&id=1447706
- https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Chrome%20OS&applicable_version=1.10.1&deployment_date=2023-03-10&id=1447771
- https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=iOS&applicable_version=1.9.3&deployment_date=2023-03-03&id=1447071
- https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=macOS&applicable_version=3.9&deployment_date=2023-01-25&id=1443546
- https://help.zscaler.com/zscaler-client-connector/client-connector-app-release-summary-2021?applicable_category=Windows&applicable_version=3.7&deployment_date=2021-11-26&id=1386541