CVE-2022-23134
Published 2022-01-13
Priority: P183 · medium · CVSS 3.1 base score 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (remediation due 2022-03-08)
Exploited in the wild
EPSS: 84.66% (99.7th percentile)
After the initial setup process, some steps of the setup.php file are reachable not only by super-administrators but also by unauthenticated users. A malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | zabbix | < zabbix 1:6.0.7+dfsg-2 (bookworm) | zabbix 1:6.0.7+dfsg-2 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| zabbix | frontend | — | — |
| zabbix | zabbix | — | — |
| zabbix | zabbix | >= 0 < 1:6.0.7+dfsg-2 | 1:6.0.7+dfsg-2 |
| zabbix | zabbix | >= 0 < 1:6.0.7+dfsg-2 | 1:6.0.7+dfsg-2 |
| zabbix | zabbix | >= 0 < 1:6.0.7+dfsg-2 | 1:6.0.7+dfsg-2 |
| zabbix | zabbix | 5.4.0 – 5.4.8 | — |
Detection & IOCs (extracted from sources)
- Send a GET request to /zabbix/setup.php or /setup.php with the crafted zbx_session cookie containing an INVALID sessionid but check_fields_result:true and step:6. A 200 response containing the words 'Database', 'host', 'port', and 'Zabbix' (all present) indicates a vulnerable instance.
- Shodan fingerprinting queries for exposed Zabbix instances: search for favicon hash 892542951 or title 'zabbix-server'.
- FOFA fingerprinting queries for exposed Zabbix instances: icon_hash=892542951, app="zabbix-监控系统" with SAML body, or title="zabbix-server".
- Google dork for exposed Zabbix server login pages: intitle:"zabbix-server".
- The vulnerability is in setup.php: after initial setup, unauthenticated users can reach later setup steps by manipulating the zbx_session cookie (setting check_fields_result to true and advancing the step value), bypassing authentication checks.
- The exploit only works if the Zabbix Frontend setup.php is accessible post-installation (i.e., the setup process has been completed but setup.php has not been removed or restricted). The vulnerability is exploitable only when the setup file remains reachable.
- The crafted zbx_session cookie uses an INVALID sessionid and sign, meaning the bypass relies on the server not validating these fields; this behavior may differ across Zabbix versions. Confirmed fixed in Debian packages at version 1:6.0.7+dfsg-2.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 5.3 | MEDIUM | — |
| vulncheck | — | 3.7 | LOW | — |
| cisa | — | 5.3 | MEDIUM | — |
| vendor_debian | — | 3.7 | LOW | — |
CISA
Zabbix Frontend Improper Access Control Vulnerability
Source: cisa · 2022-02-22 · CVSS 5.3 · MEDIUM · CWE-284
Vulnerability: Zabbix Frontend Improper Access Control Vulnerability
Affected: Zabbix Frontend
Malicious actors can pass step checks and potentially change the configuration of Zabbix Frontend.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-23134
Remediation Due Date: 2022-03-08
Debian
CVE-2022-23134: zabbix - After the initial setup process, some steps of setup.php file are reachable not ...
Source: vendor_debian · 2022 · CVSS 3.7 · LOW
After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
Scope: local
bookworm: resolved (fixed in 1:6.0.7+dfsg-2)
bullseye: resolved
forky: resolved (fixed in 1:6.0.7+dfsg-2)
sid: resolved (fixed in 1:6.0.7+dfsg-2)
trixie: resolved (fixed in 1:6.0.7+dfsg-2)
GHSA
GHSA-mv97-qj5h-25f3: After the initial setup process, some steps of setup
Source: ghsa_unreviewed · 2022-02-09 · MEDIUM · CWE-284
After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
OSV
CVE-2022-23134: After the initial setup process, some steps of setup
Source: osv · 2022-01-13 · CVSS 5.3 · MEDIUM
After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
VulnCheck
Zabbix Frontend Improper Access Control Vulnerability
Source: vulncheck · 2022 · CVSS 3.7 · LOW · CWE-284
Malicious actors can pass step checks and potentially change the configuration of Zabbix Frontend.
Affected: Zabbix Frontend
Required Action: Apply updates per vendor instructions.
Exploitation References: https://cert.gov.ua/article/37287; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/ed8b1935dc35
Remediation Due: 2022-03-08
No detection rules found.
Nuclei
Zabbix Setup Configuration Authentication Bypass
Source: nuclei · CVSS 5.3 · MEDIUM
After the initial setup process, some steps of setup.php file are reachable not only by super-administrators but also by unauthenticated users. A malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
Template:

```yaml
id: CVE-2022-23134
info:
  name: Zabbix Setup Configuration Authentication Bypass
  author: bananabr
  severity: medium
  description: After the initial setup process, some steps of setup.php file are reachable not only by super-administrators but also by unauthenticated users. A malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and poten
```
References
- https://lists.debian.org/debian-lts-announce/2022/02/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/
- https://support.zabbix.com/browse/ZBX-20384
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-23134

Timeline
- 2022-01-13: Published
- 2022-02-22: Added to CISA KEV
- Exploited in the wild