Zabbix Environment for CVE-2022-23131

In instances where SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because the user login stored in the session was not verified. A malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to the Zabbix Frontend. To perform the attack, SAML authentication must be enabled and the actor has to know the username of a Zabbix user (or use the guest account, which is disabled by default).

Affected Version

| CVE | Range |
| --- | --- |
| CVE-2022-23131 | [5.4.0, 5.4.8], 6.0.0alpha1 |

Usage

Run the following command to start up Zabbix:

```shell
docker-compose up
```

Configure SAML SSO for Zabbix

Remember, this step is a little tedious, and I have no way to auto-configure it right now.

In this case, we use Keycloak as the SSO server for Zabbix.

Step 1 Create the crt file from IDP metadata

Access http://localhost with your browser and log in to Keycloak with

```
username: admin
password: admin
```

We use the default realm (Master) here.

Now access http://localhost/realms/master/protocol/saml/descriptor. You can also reach this URL from the Keycloak console via

Main Page -> Realm Settings -> General -> Endpoints -> click `SAML 2.0 Identity Provider Metadata`

Create a file named idp.crt in ./zbx_env/usr/share/zabbix/conf/certs/ and copy the content you got from the descriptor above into it:

```
# idp.crt
-----BEGIN CERTIFICATE-----
<content of tag `ds:X509Certificate`>
-----END CERTIFICATE-----
```

and run

```shell
chmod 644 idp.crt
chmod +x idp.crt
```

Then create a private key sp.key and a self-signed certificate sp.crt for Zabbix in the same folder:

```shell
openssl req -x509 -sha256 -newkey rsa:2048 -keyout sp.key -out sp.crt -days 3650 -nodes -subj '/CN=my common name'
```
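Copying the base64 body out of the descriptor by hand is where this step usually goes wrong (stray whitespace, a truncated line, or a body that is not wrapped at 64 columns). The following script is an added example, not part of this repository: it pulls the `ds:X509Certificate` out of a SAML metadata document, checks that it decodes to something DER-shaped, and writes a properly wrapped idp.crt. The metadata embedded below is a constructed stand-in; in practice you would feed it the XML fetched from http://localhost/realms/master/protocol/saml/descriptor.

```python
"""Build idp.crt from the SAML descriptor that Keycloak serves."""
import base64
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for http://localhost/realms/master/protocol/saml/descriptor.
# The certificate body is a placeholder (base64 of 0x30 plus filler), NOT a real cert.
FAKE_CERT_B64 = base64.b64encode(b"\x30" + b"\x01" * 150).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="http://localhost/realms/master">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_signing_cert(metadata_xml: str) -> str:
    """Return the base64 body of the IdP signing certificate with whitespace removed."""
    root = ET.fromstring(metadata_xml)
    # Prefer the KeyDescriptor marked use="signing"; fall back to any X509Certificate.
    nodes = (root.findall('.//md:KeyDescriptor[@use="signing"]//ds:X509Certificate', NS)
             or root.findall(".//ds:X509Certificate", NS))
    if not nodes:
        raise ValueError("no ds:X509Certificate element in metadata")
    body = re.sub(r"\s+", "", nodes[0].text or "")
    der = base64.b64decode(body, validate=True)  # rejects a mangled copy-paste
    if not der or der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("decoded data does not look like a DER certificate")
    return body

def to_pem(cert_b64: str) -> str:
    """Wrap the body at 64 columns inside the PEM armour Zabbix expects in idp.crt."""
    lines = textwrap.wrap(cert_b64, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    pem = to_pem(extract_signing_cert(SAMPLE_METADATA))
    with open("idp.crt", "w") as fh:  # move this into ./zbx_env/usr/share/zabbix/conf/certs/
        fh.write(pem)
    print(pem)
```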

Step 2 Create A Client in Keycloak

Go back to the main page and click Clients in the left sidebar. Create a new client with

```
Client ID: zabbix
Client Protocol: saml
Master SAML Processing URL: http://localhost:8080/index_sso.php?acs
```

and save.

After that, configure the client with

```
IDP Initiated SSO URL Name: zabbix
```

Open Fine Grain SAML Endpoint Configuration and set

```
Logout Service Redirect Binding URL: http://localhost:8080/index_sso.php?sls
```

then click Save again.

Go to the Mappers tab of the client we just created and create a new mapper with

```
Name: zabbixuser
Mapper Type: User Attribute
User Attribute: zabbixuser
Friendly Name: zabbixuser
SAML Attribute Name: zabbixuser
```

and save it.

Back on the main page, go to

Main page -> Client Scopes -> role_list -> Mappers

Click role list, enable Single Role Attribute, and save.

Step 3 Association with The User Attribute

Go to

Main page -> Users -> View all users

Choose the user you want; in this case it is admin.

Click the Attributes tab and add a new one with

```
Key: zabbixuser
Value: <username of zabbix, you can use `Admin` here>
```

Step 4 Configure Zabbix with SAML SSO

Access http://localhost:8080 and log in with

```
Username: Admin
Password: zabbix
```

Click

Administration -> Authentication -> SAML settings

and configure with

```
IdP entity ID: http://localhost/realms/master
SSO service URL: http://localhost/realms/master/protocol/saml/clients/zabbix
Username attribute: zabbixuser
SP entity ID: zabbix
```

then click Update.

After these steps, the configuration of Zabbix with SAML SSO is finished, and you can choose Sign in with Single Sign-On (SAML) when you want to log in to Zabbix.

Reference

  1. https://support.zabbix.com/browse/ZBX-20350