Zabbix Environment for CVE-2022-23131

In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified.

Affected Version

CVE              Range
CVE-2022-23131   [5.4.0, 5.4.8], 6.0.0alpha1

Usage

Run the following command to start up the Zabbix environment:

docker-compose up

Configure SAML SSO for Zabbix

Remember, this step is a little bit tedious, and I have no way to auto-configure it right now.

In this case, we use Keycloak as the SSO server (identity provider) for Zabbix.

Step 1 Create the crt file from IdP metadata

Access http://localhost with your browser, and log in to Keycloak with

username: admin
password: admin

We use the default realm (Master) here.

Now, access http://localhost/realms/master/protocol/saml/descriptor, or reach the same URL by

Main Page -> Realm Settings -> General -> Endpoints -> click `SAML 2.0 Identity Provider Metadata`

Create a file named idp.crt in ./zbx_env/usr/share/zabbix/conf/certs/

Copy the certificate content from the metadata above into this file:

# idp.crt
-----BEGIN CERTIFICATE-----
<content of tag `ds:X509Certificate`>
-----END CERTIFICATE-----

and run

chmod 644 idp.crt
chmod +x idp.crt

Then we create a private key (sp.key) and certificate (sp.crt) for Zabbix in the same folder:

openssl req -x509 -sha256 -newkey rsa:2048 -keyout sp.key -out sp.crt -days 3650 -nodes -subj '/CN=my common name'

Step 2 Create a Client in Keycloak

Go back to the main page and click Clients in the left sidebar. Create a new client with

Client ID: zabbix
Client Protocol: saml
Master SAML Processing URL: http://localhost:8080/index_sso.php?acs

and save.

After that, configure the client with

IDP Initiated SSO URL Name: zabbix

Open Fine Grain SAML Endpoint Configuration

Logout Service Redirect Binding URL: http://localhost:8080/index_sso.php?sls

click save again.

Go to the Mappers tab of the client we just created and create a new mapper with

Name: zabbixuser
Mapper Type: User Attribute
User Attribute: zabbixuser
Friendly Name: zabbixuser
SAML Attribute Name: zabbixuser

and save it.

Go back to the main page:

Main page -> Client Scopes -> role_list -> Mappers

Click the role list mapper, turn on Single Role Attribute, and save it.

Step 3 Association with the User Attribute

Go to

Main page -> Users -> View all users

Choose the user you want; in this case, it is admin.

Click the Attributes tab and add a new one with

Key: zabbixuser
Value: <username of zabbix, you can use `Admin` here>

Step 4 Configure Zabbix with SAML SSO

Access http://localhost:8080 and log in with

Username: Admin
Password: zabbix

Click

Administration -> Authentication -> SAML settings

and configure with

IdP entity ID: http://localhost/realms/master
SSO service URL: http://localhost/realms/master/protocol/saml/clients/zabbix
Username attribute: zabbixuser
SP entity ID: zabbix

click Update.

After these steps, the configuration of Zabbix with SAML SSO is complete, and you can choose Sign in with Single Sign-On (SAML) when you want to log in to Zabbix.
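The file-handling part of Step 1 can be scripted. The shell script below is an added example and is not part of this repository: it assumes the Keycloak SAML descriptor has been saved to a local file (for instance with curl from http://localhost/realms/master/protocol/saml/descriptor), extracts the body of the ds:X509Certificate element, writes it as a PEM idp.crt with the 64-character line wrapping PEM uses, generates sp.key and sp.crt with the same openssl command as Step 1, and then runs openssl x509 over both certificates so a mis-pasted or already expired IdP certificate is caught before the first SAML login attempt. The function names (make_idp_crt, make_sp_cert, check_cert), the script name saml_certs.sh and the descriptor.xml file name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of this repository: prepare the idp.crt, sp.key and
# sp.crt files that Zabbix's SAML configuration expects in conf/certs/.
# Assumptions: the Keycloak descriptor was saved locally beforehand, and
# openssl is on PATH.

# Extract the first ds:X509Certificate body from a SAML metadata file and
# write it as a PEM certificate with 64-character lines to the output path.
# Prints the output path on success; returns 1 if no certificate was found.
make_idp_crt() {
    metadata="$1"
    out="$2"
    # Collapse all whitespace so the element and its base64 body sit on one
    # line regardless of how the IdP pretty-printed the XML, then take only
    # the first ds:X509Certificate element.
    body=$(tr -d '\n\r\t ' < "$metadata" \
        | grep -o '<ds:X509Certificate>[^<]*</ds:X509Certificate>' \
        | head -n 1 \
        | sed 's/<[^>]*>//g')
    if [ -z "$body" ]; then
        echo "no ds:X509Certificate element found in $metadata" >&2
        return 1
    fi
    {
        echo '-----BEGIN CERTIFICATE-----'
        printf '%s\n' "$body" | fold -w 64
        echo '-----END CERTIFICATE-----'
    } > "$out"
    chmod 644 "$out"
    echo "$out"
}

# Generate the SP key pair Zabbix signs its SAML requests with (the same
# openssl command as Step 1), unless the files are already there.
make_sp_cert() {
    dir="$1"
    if [ -f "$dir/sp.key" ] && [ -f "$dir/sp.crt" ]; then
        echo "sp.key/sp.crt already present in $dir, leaving them alone" >&2
        return 0
    fi
    openssl req -x509 -sha256 -newkey rsa:2048 -keyout "$dir/sp.key" \
        -out "$dir/sp.crt" -days 3650 -nodes -subj '/CN=my common name' 2>/dev/null
}

# Sanity-check a PEM certificate: openssl must be able to parse it, and the
# subject and expiry are printed so a stale IdP certificate is noticed now
# rather than as an opaque signature-validation failure at login time.
check_cert() {
    openssl x509 -in "$1" -noout -subject -enddate
}

# Usage: sh saml_certs.sh descriptor.xml ./zbx_env/usr/share/zabbix/conf/certs
if [ "$#" -eq 2 ]; then
    certs_dir="$2"
    mkdir -p "$certs_dir"
    make_idp_crt "$1" "$certs_dir/idp.crt"
    make_sp_cert "$certs_dir"
    check_cert "$certs_dir/idp.crt"
    check_cert "$certs_dir/sp.crt"
fi
```

Run it as `sh saml_certs.sh descriptor.xml ./zbx_env/usr/share/zabbix/conf/certs` and then continue with Step 2. The extraction deliberately takes only the first ds:X509Certificate element; if a descriptor ever lists several KeyDescriptor entries, check that the one you copy is the entry with use="signing", since that is the key Zabbix uses to validate the signatures on the IdP's SAML responses.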

Reference

  1. https://support.zabbix.com/browse/ZBX-20350