CVE-2023-28801

9.6 CRITICAL

📋 TL;DR

CVE-2023-28801 is an improper cryptographic signature verification vulnerability in Zscaler's SAML authentication for the Admin UI. This allows attackers to bypass authentication and escalate privileges to administrative access. It affects Zscaler Admin UI versions from 6.2 before 6.2r.

💻 Affected Systems

Products:
  • Zscaler Admin UI
Versions: from 6.2 before 6.2r
Operating Systems: Not OS-specific
Default Config Vulnerable: ⚠️ Yes
Notes: Affects SAML authentication configuration in the Admin UI interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Zscaler administration, with the ability to modify security policies, access sensitive data, and potentially compromise the entire Zscaler infrastructure.

🟠 Likely Case

Unauthorized administrative access leading to policy manipulation, data exfiltration, and lateral movement within the Zscaler environment.

🟢 If Mitigated

Limited impact if proper network segmentation, monitoring, and multi-factor authentication are in place to detect and contain unauthorized access attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires understanding of SAML authentication and access to the Admin UI interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.2r or later

Vendor Advisory: https://help.zscaler.com/zia/release-upgrade-summary-2023

Restart Required: Yes

Instructions:

1. Log into the Zscaler Admin UI.
2. Navigate to Administration > Upgrade.
3. Upgrade to version 6.2r or later.
4. Restart the Admin UI service.

🔧 Temporary Workarounds

Disable SAML Authentication

all

Temporarily disable SAML authentication and use local authentication only.

Restrict Admin UI Access

all

Limit Admin UI access to specific IP addresses or internal networks only.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Admin UI from untrusted networks
  • Enable comprehensive logging and monitoring for all Admin UI authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check the Admin UI version under Administration > About. If the version is 6.2 or later but earlier than 6.2r, the system is vulnerable.

Check Version:

Not applicable - check via Admin UI interface

Verify Fix Applied:

Verify that the version shown under Administration > About is 6.2r or later, then test that SAML authentication still functions.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SAML authentication attempts
  • Multiple failed authentication attempts followed by successful login
  • Authentication from unexpected IP addresses

Network Indicators:

  • SAML authentication requests with malformed signatures
  • Unusual traffic patterns to Admin UI endpoints

SIEM Query:

source="zscaler-admin" AND event_type="authentication" AND result="success" AND source_ip NOT IN ["trusted_ips"]
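The two detection rules above (successful Admin UI authentication from a non-trusted source IP, and a run of failed attempts followed by a success for the same account) can be applied offline to exported logs. The following Python is an added example, not part of this advisory or of any Zscaler tooling; the key=value log layout, the field names, the trusted network range and the sample lines are all constructed for illustration and do not reflect Zscaler's real log format.

```python
"""Added example: apply the advisory's two log-indicator rules to constructed
Admin UI authentication log lines. Log format and field names are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines (assumed layout, not Zscaler's real format).
SAMPLE_LOGS = """\
2023-05-02T09:00:01Z source=zscaler-admin event_type=authentication method=saml user=alice result=success source_ip=10.0.0.12
2023-05-02T09:05:10Z source=zscaler-admin event_type=authentication method=saml user=bob result=failure source_ip=203.0.113.7
2023-05-02T09:05:15Z source=zscaler-admin event_type=authentication method=saml user=bob result=failure source_ip=203.0.113.7
2023-05-02T09:05:20Z source=zscaler-admin event_type=authentication method=saml user=bob result=failure source_ip=203.0.113.7
2023-05-02T09:05:30Z source=zscaler-admin event_type=authentication method=saml user=bob result=success source_ip=203.0.113.7
2023-05-02T09:10:00Z source=zscaler-admin event_type=authentication method=local user=carol result=success source_ip=10.0.1.5
"""

# Assumed trusted admin ranges; replace with your own "trusted_ips" list.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def untrusted_successes(events):
    """Rule 1 (the SIEM query above): successful admin auth from a non-trusted IP."""
    return [e for e in events
            if e.get("source") == "zscaler-admin"
            and e.get("event_type") == "authentication"
            and e.get("result") == "success"
            and not is_trusted(e["source_ip"])]


def failures_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Rule 2: at least min_failures failures for a user, then a success within window."""
    hits = []
    recent_failures = defaultdict(list)  # user -> timestamps of recent failures
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e.get("event_type") != "authentication":
            continue
        user = e["user"]
        if e["result"] == "failure":
            recent_failures[user].append(e["ts"])
        elif e["result"] == "success":
            in_window = [t for t in recent_failures[user] if e["ts"] - t <= window]
            if len(in_window) >= min_failures:
                hits.append((user, e["source_ip"], len(in_window)))
            recent_failures[user] = []  # reset after a successful login
    return hits


def analyze(log_text):
    """Run both rules over raw log text and return the findings per rule."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    return {
        "untrusted_success": [(e["user"], e["source_ip"]) for e in untrusted_successes(events)],
        "failures_then_success": failures_then_success(events),
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOGS).items():
        print(rule, hits)
```

Both rules fire on the constructed "bob" sequence (three failures then a success from an address outside the trusted range) and stay silent for the logins from inside 10.0.0.0/8. Tune `min_failures`, `window` and `TRUSTED_NETS` to your environment before relying on the output.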
