CVE-2022-23132 is a security vulnerability in the widely used Zabbix monitoring system. When Zabbix is installed from an RPM package, the SELinux policy shipped with it allows the Zabbix Server and Proxy process domain to use the DAC_OVERRIDE capability, which the daemons use to access their PID files in /var/run/zabbix. DAC_OVERRIDE is a Linux capability, not something SELinux invents: a process that holds CAP_DAC_OVERRIDE bypasses the filesystem's discretionary (owner, group and mode bit) read, write and execute permission checks, and SELinux normally confines daemons by refusing them that capability. With the rule in place, SELinux lets the Zabbix processes bypass those checks on the files they reach in /var/run/zabbix. This post discusses the technical details, the exploit scenario and mitigation steps for this vulnerability.

In an affected configuration the SELinux security context of the Zabbix PID files looks like this:

# ls -Z /var/run/zabbix/*.pid
-rw-r----- zabbix zabbix system_u:object_r:initrc_var_run_t:s0 zabbix_agentd.pid
-rw-r----- zabbix zabbix system_u:object_r:initrc_var_run_t:s0 zabbix_server.pid

The files in /var/run/zabbix are owned by the zabbix user and group with mode 0640, so under ordinary discretionary access control no other unprivileged user can read them. Their label, initrc_var_run_t, is the generic type for runtime files created by init scripts rather than a Zabbix-specific type, so type enforcement does not single them out either. The mode bits are exactly the check a process with DAC_OVERRIDE ignores, and the RPM policy permits the Zabbix domain to do so.

Original References

The vulnerability is documented in the following sources, which give the authoritative description of the issue and the background on the mechanisms involved:

1. CVE-2022-23132 - Official NVD Entry
2. Zabbix Official Documentation
3. SELinux Reference

Exploit Details

This vulnerability does not give an attacker a way into Zabbix; it weakens the confinement of an attacker who already executes code inside the Zabbix Server or Proxy process, for example through some other flaw. On an SELinux system the process domain is supposed to be limited to what its policy explicitly allows. Because the RPM configuration allows that domain the dac_override capability permission, the compromised process can, while it holds CAP_DAC_OVERRIDE, read, write or create files in /var/run/zabbix regardless of their owner, group and mode bits, which is precisely the check the 0640 permissions on the PID files rely on. Two caveats matter in practice. First, SELinux only decides whether to permit the bypass; the process must actually hold CAP_DAC_OVERRIDE (for example while it still runs as root before dropping privileges to the zabbix user), otherwise the kernel's ordinary capability check denies the bypass before the policy is consulted. Second, type enforcement still applies, so the bypass reaches only files whose labels the domain is allowed to access. The CVE itself describes no specific escalation chain; how far a bypass of mode bits can be taken depends on what else lives in the directory and on which privileged components later trust the PID files found there.

To mitigate the impact of CVE-2022-23132, follow the steps below:

1. Keep Zabbix up to date. The fix ships in the Zabbix packages, so apply the current release of the branch you run and follow the vendor's security announcements.
2. Remove the dac_override grant from the SELinux policy that the RPM installation supplies. Check first whether the loaded policy grants it, for example with sesearch -A -s zabbix_t -c capability -p dac_override from the setools-console package. An allow rule cannot be cancelled by loading an additional module, so the rule has to be taken out of the module that contains it, which is then rebuilt and reloaded with semodule. The SELinux documentation covers the module workflow.
3. Review ownership, mode and label of /var/run/zabbix. Only the zabbix user and group should need access, and the files should carry a Zabbix-specific runtime type rather than the generic initrc_var_run_t shown above; restorecon -Rv /var/run/zabbix applies whatever file-context rules the loaded policy defines for that path.
4. Monitor /var/run/zabbix for unexpected files and for permission or label changes, for example with an auditd watch (auditctl -w /var/run/zabbix -p wa) or a file-integrity tool.
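The checks behind steps 2 and 3, together with the context listing shown earlier, can be scripted. The following is an added example written for this post, not code from the Zabbix project. It decodes the capability mask of the running server or proxy from /proc, asks the loaded policy (via sesearch from setools-console) whether the process domain may use dac_override, and compares the PID-file labels with the reference-policy type zabbix_var_run_t, which is assumed here to be the expected label; adjust it if your policy names the type differently. The domain name is read from /proc rather than assumed. The live checks run only when the script is started with --live, so the helper functions can be exercised with constructed input on any host.

```shell
#!/bin/sh
# Audit helper for CVE-2022-23132 on an RPM-installed Zabbix host.
# It answers three questions: does the running Zabbix process hold
# CAP_DAC_OVERRIDE, does the loaded SELinux policy allow its domain to
# use dac_override, and do the PID files in /var/run/zabbix carry a
# Zabbix-specific label? The expected label zabbix_var_run_t is the
# reference-policy type (an assumption; check your local policy).
set -e

# CAP_DAC_OVERRIDE is capability number 1, i.e. bit 1 (value 2) of the
# CapEff mask printed in /proc/<pid>/status; only the lowest hex digit
# of the mask decides it.
cap_has_dac_override() {
    mask=$1
    [ -n "$mask" ] || return 1
    last=${mask#"${mask%?}"}          # POSIX idiom: last character of $mask
    [ $(( 0x$last & 2 )) -ne 0 ]
}

# The third colon-separated field of an SELinux context is the type.
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read sesearch(1) output from stdin; succeed if any allow rule grants the
# dac_override capability permission. Typical matching line:
#   allow zabbix_t zabbix_t:capability { dac_override setgid setuid };
sesearch_grants_dac_override() {
    grep -q '^allow .*:capability .*dac_override'
}

# Check one `ls -lZ` (or old-style `ls -Z`) line: pick the field that holds
# the security context and compare its type with the expected label.
pidfile_label_ok() {
    ctx=$(printf '%s\n' "$1" |
          awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) { print $i; exit } }')
    [ "$(selinux_type_of "$ctx")" = "zabbix_var_run_t" ]
}

# Live audit of a running daemon (default zabbix_server; pass zabbix_proxy
# to check the proxy). Needs /proc and, for the policy query, setools-console.
audit_live() {
    proc=${1:-zabbix_server}
    pid=$(pgrep -xo "$proc" || true)
    if [ -z "$pid" ]; then
        echo "$proc is not running"
        return 0
    fi
    mask=$(awk '/^CapEff:/ { print $2 }' "/proc/$pid/status")
    domain=$(tr -d '\0' < "/proc/$pid/attr/current" | cut -d: -f3)
    echo "$proc pid=$pid domain=$domain CapEff=$mask"
    if cap_has_dac_override "$mask"; then
        echo "  process holds CAP_DAC_OVERRIDE: a policy allow rule is live"
    else
        echo "  process lacks CAP_DAC_OVERRIDE: the kernel denies DAC bypass before SELinux is consulted"
    fi
    if command -v sesearch >/dev/null 2>&1; then
        if sesearch -A -s "$domain" -c capability -p dac_override | sesearch_grants_dac_override; then
            echo "  policy allows $domain dac_override (affected configuration)"
        else
            echo "  policy does not allow $domain dac_override"
        fi
    else
        echo "  sesearch not found; install setools-console to query the loaded policy"
    fi
    for f in /var/run/zabbix/*.pid; do
        [ -e "$f" ] || continue
        line=$(ls -lZ "$f")
        if pidfile_label_ok "$line"; then
            echo "  $f: label ok"
        else
            echo "  $f: unexpected label: $line"
        fi
    done
}

# Only run the live checks when asked, so the helpers above can be sourced
# and exercised with constructed input on a host without Zabbix or SELinux.
if [ "${1:-}" = "--live" ]; then
    audit_live "${2:-zabbix_server}"
fi
```

Run it as root with sh zabbix_dac_audit.sh --live, or --live zabbix_proxy on a proxy host. If it reports that the policy allows dac_override, loading another module will not undo that: remove the rule from the module that grants it and reload with semodule, then run restorecon -Rv /var/run/zabbix and re-run the audit to confirm both the allow rule and the generic label are gone.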

In conclusion, CVE-2022-23132 weakens the SELinux confinement of Zabbix installations performed from the RPM package. Understanding what the dac_override grant does, updating the packages, tightening the policy and correcting the labels and permissions of /var/run/zabbix lets administrators restore the defence in depth their monitoring infrastructure was meant to have.

Timeline

Published on: 01/13/2022 16:15:00 UTC
Last modified on: 02/10/2022 15:01:00 UTC