CVE-2022-23131 SAML SSO authentication can be modified by a malicious actor if a user login is not verified.

The user would not be notified when Zabbix starts to send data to the Back-End server, because the warning messages are not shown to the user. Step-by-step instructions for performing the attack are described in the following diagram:

Here is an example of the notification that is shown to the user when Zabbix starts to send data to the Back-End server:

After logging into the Front-End server via an external link, an actor can use the browser’s menu options to navigate to the Back-End server. After successful authentication, the actor can use the browser’s menu options to navigate to the Front-End server and log in as an admin user. After successfully authenticating, the actor can use the browser’s menu options to navigate to the Zabbix Back-End server and start to send data. After successful authentication, the actor can use the browser’s menu options to navigate to the Front-End server and start to receive data. After successful authentication, the actor can use the browser’s menu options to navigate to the Zabbix Back-End server and start to send data. After successful authentication, the actor can use the browser’s menu options to navigate to the Back-End server and start to receive data. After the actor successfully receives data from the Back-End server, the actor can use the browser’s menu options to navigate to the Zabbix Front-

Step 2: Obtain user credentials

This attack is generally performed by an actor who may have obtained a user’s credentials. The actor can also use the browser’s menu options to navigate to the Front-End server and log in as an admin user.

Summary

- An attacker can log into the Front-End server and use browser menu options to navigate to the Back-End server.
- The actor could authenticate to the Front-End server, then authenticate to the Zabbix Back-End server, then send data.
- After successful authentication, the actor could then use browser menu options to navigate to the Front-End server and start receiving data.

To mitigate this vulnerability, do not allow external access to Zabbix servers from the Front-End servers for any users except admin users.
