CISA: Zabbix servers under attack with recently disclosed vulnerability

The US Cybersecurity Infrastructure and Security Agency has asked federal agencies to patch any Zabbix servers they may be operating after it learned that threat actors have started using two vulnerabilities disclosed last week to take over unpatched systems.

The vulnerabilities references in the CISA alert are tracked as CVE-2022-23131 and CVE-2022-23134, and both were disclosed last week in a write-up from security firm SonarSource.

The first is a bug in how Zabbix stores session data, allowing an attacker to bypass authentication procedures, while the second bug has its root in the incorrect handling of the Zabbix installer files that allows unauthenticated users (attackers) to access some of these resources and re-configure servers.

They impact Zabbix, which is a very popular open-source web-based app that can be used to monitor and receive telemetry from a wide array of IT systems deployed inside large enterprise networks, supporting acquisition from workstations, servers, and cloud resources alike.

In its technical write-up last week, SonarSource described the exploitation of these two bugs as "straightforward," as attackers only had to access a Zabbix's setup.php file to take over a server.

The Zabbix team released updates last week, but as has been the recent trend, threat actors were quick to move to weaponize the disclosed vulnerabilities in the hopes of gaining footholds inside large corporate networks, access they could use to escalate intrusions or sell to other criminal groups.

While CISA has not released details about the current exploitation attempts, proof-of-concept for at least one of the vulnerabilities has been available on GitHub for at least a few days.

According to a Shodan Trends page, there are currently more than 3,800 Zabbix instances connected to the internet, which if left unpatched, are at serious risk of getting hacked.

A day after SonarSource published its Zabbix write-up, fellow security firm White Oak Security published a report detailing a hardcoded backdoor account in Extensis Portfolio, another IT monitoring and management tool. Exploitation of this vulnerability (CVE-2022-24255) has not been observed—yet—but it's just as an attractive target as Zabbix systems and even easier to exploit.