Zabbix servers under attack with recently disclosed vulnerability says CISA


By MYBRANDBOOK


Zabbix servers under attack with recently disclosed vulnerability says CISA

The US Cybersecurity Infrastructure and Security Agency( CISA) has expanded its Known Exploited Vulnerabilities Catalog with two critical flaws in the Zabbix enterprise monitoring solution has learned that threat actors have started using two vulnerabilities disclosed last week to take over unpatched systems.

 

It has tracked as CVE-2022-23131 and CVE-2022-23134, and both were disclosed last week in a write-up from security firm SonarSource and has gain administrator privileges, which could then allow an attacker to execute arbitrary commands.

 

The first is a bug in how Zabbix stores session data, allowing an attacker to bypass authentication procedures, while the second bug has its root in the incorrect handling of the Zabbix installer files that allows unauthenticated users (attackers) to access some of these resources and re-configure servers.

 

Zabbix is an open-source monitoring platform that organizations deploy within their networks to collect and centralize data such as CPU load and network traffic.

 

The web-based app that can be used to monitor and receive telemetry from a wide array of IT systems deployed inside large enterprise networks, supporting acquisition from workstations, servers, and cloud resources alike.

 

The Zabbix team released updates last week, but as has been the recent trend, threat actors were quick to move to weaponize the disclosed vulnerabilities in the hopes of gaining footholds inside large corporate networks, access they could use to escalate intrusions or sell to other criminal groups.

 

While CISA has not released details about the current exploitation attempts, proof-of-concept for at least one of the vulnerabilities has been available on GitHub for at least a few days. According to a Shodan Trends page, there are currently more than 3,800 Zabbix instances connected to the internet, which if left unpatched, are at serious risk of getting hacked.

 

CVE-2022-23131 exists because, although Zabbix has a mechanism of validating the user when accessing data stored client-side, that function is never called for the session entry (containing user attributes) created when SAML authentication is used.

 

A day after SonarSource published its Zabbix write-up, fellow security firm White Oak Security published a report detailing a hardcoded backdoor account in Extensis Portfolio, another IT monitoring and management tool. Exploitation of this vulnerability (CVE-2022-24255) has not been observed—yet—but it’s just as an attractive target as Zabbix systems and even easier to exploit.

 E-Magazine 
 VIDEOS  Placeholder image

Copyright www.mybrandbook.co.in @1999-2024 - All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of Kalinga Digital Media Pvt. Ltd. is prohibited.
Other Initiatives : www.varindia.com | www.spoindia.org