The online learning and course management platform Moodle has released important updates that close a security hole which allows remote code execution (RCE), but only when the Shibboleth plug-in is activated. According to the discoverers of the vulnerability, who contacted heise Security via email, no user interaction is required for the RCE.
A current Moodle security announcement lists Moodle versions 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier, no longer supported versions as vulnerable. Versions 3.11.1, 3.10.5 and 3.9.8 are protected against attacks. The discoverers intend to publish technical details on their blog soon.
Shibboleth not active by default
In the default setting, the plug-in for authentication with Shibboleth is not activated, according to the announcement; however, the functionality is used by many universities and institutions. The discoverers of the CVE-2021-36394 vulnerability, Robin Peraglie and Johannes Moritz, advise applying the patches immediately or, if this is not possible, at least deactivating the Shibboleth plug-in wherever it was manually activated. Further information on authentication via Shibboleth can be found in the Moodle documentation.
Since the code of the open source Moodle is publicly available on GitHub, including the vulnerability and the patch code that was added almost three weeks ago, potential attackers could very easily get an idea of CVE-2021-36394 there and develop an exploit, warn Moritz and Peraglie. In their email they also pointed out that it took Moodle almost five months to develop the patch after the vulnerability was reported.