CVE-2022-23131
Published 2022-01-13
Priority P196 · critical · 9.8 CVSS 3.1
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-03-08
Exploited in the wild
EPSS: 95.68% (99.9th percentile)
In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the guest account, which is disabled by default).
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zabbix | — | — |
| zabbix | frontend | — | — |
| zabbix | zabbix | — | — |
| zabbix | zabbix | 5.4.0 – 5.4.8 | — |
Detection & IOCs (extracted from sources)
path: /zabbix/index_sso.php
cookie: zbx_session=eyJzYW1sX2RhdGEiOnsidXNlcm5hbWVfYXR0cmlidXRlIjoiQWRtaW4ifSwic2Vzc2lvbmlkIjoiIiwic2lnbiI6IiJ9
cookie: zbx_session=
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M1"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"InVzZXJuYW1lX2F0dHJpYnV0ZSI6"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035371; rev:2; metadata:attack_target Server, created_at 2022_03_02, cve CVE_2022_23131, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_03_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M2"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"J1c2VybmFtZV9hdHRyaWJ1dGUiO"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035372; rev:2; metadata:created_at 2022_03_02, cve CVE_2022_23131, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_02;)
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M3"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"idXNlcm5hbWVfYXR0cmlidXRlIj"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035373; rev:2; metadata:created_at 2022_03_02, cve CVE_2022_23131, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_02;)
bytes
InVzZXJuYW1lX2F0dHJpYnV0ZSI6 (base64 fragment in zbx_session cookie, M1)
bytes
J1c2VybmFtZV9hdHRyaWJ1dGUiO (base64 fragment in zbx_session cookie, M2)
bytes
idXNlcm5hbWVfYXR0cmlidXRlIj (base64 fragment in zbx_session cookie, M3)
bytes
PCRE: /(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/ (saml_data base64 variants in zbx_session cookie)
- Exploit targets GET requests to /index_sso.php (or /zabbix/index_sso.php) with a crafted zbx_session cookie containing a base64-encoded JSON payload with a saml_data.usernameAttribute field (e.g., 'Admin') and empty sessionid/sign fields, triggering a 302 redirect to zabbix.php?action=dashboard.view on success.
- Three Snort/ET rules (SIDs 2035371, 2035372, 2035373) cover three base64 byte-boundary variants of the username_attribute key in the zbx_session cookie. All three share the same URI (/index_sso.php) and PCRE for saml_data base64 variants. Deploy all three to ensure full coverage regardless of cookie padding alignment.
- Shodan fingerprinting can identify exposed Zabbix instances via favicon hash 892542951 or title 'zabbix-server'; FOFA queries combining app='ZABBIX-监控系统' with body='saml' can narrow to instances with SAML enabled.
- A successful bypass results in an HTTP 302 redirect to the Zabbix dashboard. Monitor web server logs for 302 responses on /index_sso.php requests that contain the zbx_session cookie but originate from unauthenticated sessions.
- This vulnerability only affects Zabbix instances where SAML SSO authentication has been explicitly enabled — it is NOT enabled by default. Instances using only native Zabbix authentication are not affected.
- The attacker must know a valid Zabbix username to forge the session. The guest account (which could be used without knowing a username) is disabled by default.
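As an added detection example (not code from the page's sources or from Zabbix), the Python below reproduces the two checks the notes above describe: it derives the three base64 alignment fragments that the ET rules key on (and the saml_data PCRE alternatives), decodes a zbx_session cookie and flags the shape called out in the IoC list (saml_data present, sessionid and sign empty), and scans access-log lines for index_sso.php requests carrying such a cookie. The cookie value is the one quoted above; the benign cookie, the log format and the client addresses are constructed for the example.

```python
import base64
import binascii
import json
import re

# Constructed sample values. FORGED_COOKIE is the value quoted in the IoC list
# above; BENIGN_COOKIE is a made-up, well-formed session without saml_data.
FORGED_COOKIE = ("eyJzYW1sX2RhdGEiOnsidXNlcm5hbWVfYXR0cmlidXRlIjoiQWRtaW4ifSwi"
                 "c2Vzc2lvbmlkIjoiIiwic2lnbiI6IiJ9")
BENIGN_COOKIE = base64.b64encode(json.dumps(
    {"sessionid": "0123456789abcdef0123456789abcdef", "sign": "bm90LWEtcmVhbC1zaWdu"}
).encode()).decode()


def b64_alignment_fragments(needle: bytes) -> list[str]:
    """Return the three base64 substrings a byte string produces depending on
    its offset modulo 3 inside the encoded blob. Characters whose six bits mix
    in neighbouring bytes are dropped, so each fragment is stable and can be
    matched literally (this is why the ET coverage needs three rules)."""
    frags = []
    for k in range(3):
        buf = b"\x00" * k + needle
        buf += b"\x00" * (-len(buf) % 3)
        enc = base64.b64encode(buf).decode()
        first = -(-8 * k // 6)                      # ceil(8k / 6)
        last = (8 * k + 8 * len(needle)) // 6       # floor of the needle's last full char
        frags.append(enc[first:last])
    return frags


USERNAME_ATTR_FRAGMENTS = b64_alignment_fragments(b'"username_attribute":')
SAML_DATA_RE = re.compile("|".join(map(re.escape, b64_alignment_fragments(b'"saml_data"'))))


def decode_zbx_session(value: str):
    """Decode a zbx_session cookie value (base64 JSON); None if it is not one."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        data = json.loads(raw)
    except (binascii.Error, ValueError):
        return None
    return data if isinstance(data, dict) else None


def is_forged_saml_session(value: str) -> bool:
    """Structural check from the IoC note: saml_data present while sessionid and sign are empty."""
    data = decode_zbx_session(value)
    if data is None or "saml_data" not in data:
        return False
    return not data.get("sessionid") and not data.get("sign")


def matches_et_fragments(value: str) -> bool:
    """Same logic as the three ET rules: any username_attribute alignment plus the saml_data PCRE."""
    return any(f in value for f in USERNAME_ATTR_FRAGMENTS) and SAML_DATA_RE.search(value) is not None


# Constructed access-log format: client, "METHOD path proto", status, Cookie header value.
LOG_RE = re.compile(r'^(\S+) "(\w+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')


def scan_access_log(lines):
    """Return (client, path, status) for requests to index_sso.php whose
    zbx_session cookie trips either check; a 302 marks a likely successful bypass."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status, cookies = m.groups()
        if not path.split("?", 1)[0].endswith("/index_sso.php"):
            continue
        c = re.search(r"(?:^|;\s*)zbx_session=([^;]*)", cookies)
        if not c:
            continue
        cookie = c.group(1)
        if is_forged_saml_session(cookie) or matches_et_fragments(cookie):
            hits.append((client, path, int(status)))
    return hits


SAMPLE_LOG = [  # constructed log lines
    f'203.0.113.7 "GET /zabbix/index_sso.php HTTP/1.1" 302 "zbx_session={FORGED_COOKIE}"',
    f'198.51.100.4 "GET /zabbix/index_sso.php HTTP/1.1" 200 "zbx_session={BENIGN_COOKIE}"',
    f'198.51.100.9 "GET /zabbix/zabbix.php?action=dashboard.view HTTP/1.1" 200 "zbx_session={FORGED_COOKIE}"',
]

if __name__ == "__main__":
    print("username_attribute alignments:", USERNAME_ATTR_FRAGMENTS)
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious SSO request:", hit)
```

The derived fragments equal the three content strings in SIDs 2035371 to 2035373 and the three PCRE alternatives, so the same function can be used to generate literal matches for any other key you want to watch in a base64-wrapped cookie. The structural check is the more robust of the two, since it does not depend on alignment or on key naming; the fragment check is what a signature engine without base64 decoding can do.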
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.1 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.1 | LOW | — |
GHSA
GHSA-4g73-3mxf-j47w · ghsa_unreviewed · 2022-01-14 · CRITICAL · CWE-290
In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the guest account, which is disabled by default).
VulnCheck
Zabbix Frontend Authentication Bypass Vulnerability · vulncheck · 2022 · CVSS 9.1 · CRITICAL · CWE-290
Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML.
Affected: Zabbix Frontend
Required Action: Apply updates per vendor instructions.
Exploitation References: https://cert.gov.ua/article/37287; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/87a03dbcb4d4; https://vulncheck.com/xdb/a91a49f498d6; https://vulncheck.com/xdb/6bf41d728409; https://vulncheck.com/xdb/0eca8abcd488; https://vulncheck.com/xdb/4bcdfe77a9b2
Remediation Due: 2022-03-08
CISA
Zabbix Frontend Authentication Bypass Vulnerability · cisa · 2022-02-22 · CVSS 9.8 · CRITICAL · CWE-290
Affected: Zabbix Frontend
Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-23131
Remediation Due Date: 2022-03-08
Debian
zabbix · vendor_debian · 2022 · CVSS 9.1 · CRITICAL
In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the guest account, which is disabled by default).
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
Suricata
ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M2 · suricata · 2022-03-02 · CVSS 9.1 · CRITICAL
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M2"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"J1c2VybmFtZV9hdHRyaWJ1dGUiO"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035372; rev:2; metadata:created_at 2022_03_02, cve CVE_2022_23131, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_02;)
Suricata
ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M1 · suricata · 2022-03-02 · CVSS 9.1 · CRITICAL
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M1"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"InVzZXJuYW1lX2F0dHJpYnV0ZSI6"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035371; rev:2; metadata:attack_target Server, created_at 2022_03_02, cve CVE_2022_23131, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated
Suricata
ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M3 · suricata · 2022-03-02 · CVSS 9.1 · CRITICAL
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M3"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"idXNlcm5hbWVfYXR0cmlidXRlIj"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035373; rev:2; metadata:created_at 2022_03_02, cve CVE_2022_23131, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_02;)
Nuclei
Zabbix - SAML SSO Authentication Bypass · nuclei · CVSS 9.8 · CRITICAL
When SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor because a user login stored in the session was not verified.
Template:

```yaml
id: CVE-2022-23131
info:
  name: Zabbix - SAML SSO Authentication Bypass
  author: For3stCo1d,spac3wh1te
  severity: critical
  description: When SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor because a user login stored in the session was not verified.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the Zabbix monitoring system.
  remediation: Upgrade to 5.4.9rc2, 6.0.0beta1, 6.0 (plan) or higher.
  reference:
    - https://support.zabbix.com/br
```
Timeline
2022-01-13: Published
2022-02-22: Added to CISA KEV
Exploited in the wild