ID: ZBV-2022-10-1

CVE: CVE-2022-43515

Synopsis: X-Forwarded-For header is active by default causes access to Zabbix sites in maintenance mode

Description: Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be prevented from being disclosed.

An attacker can bypass this protection and access the instance using IP address not listed in the defined range.

CVSS score: 5.3

Zabbix Severity: Medium

Known Attack Vectors: An attacker can fabricate X-Forwarded-For header and thereby gain access to Zabbix Frontend in maintenance mode.

Resolution: To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products or use the workaround

Additional information:

Any user with or without an account in the app can access the Zabbix app while in maintenance mode. Zabbix admins active maintenance mode the site in when of when performing sensitive actions, and this bypass can result in many data disclosures.
 
 
The vulnerability is caused by a misconfiguration at line 243 (getIp function) of the /zabbix/include/classes/user/CWebUser.php file.

public static function getIp(): string {
return (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER) && $_SERVER['HTTP_X_FORWARDED_FOR'] !== '')
? $_SERVER['HTTP_X_FORWARDED_FOR']
: $_SERVER['REMOTE_ADDR'];
  }
}