CVE-2021-43136
Published 2021-11-10
CVE-2021-43136: An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain valid access to the platform.
Priority: P276 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 15.72% (96.5th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| formalms | formalms | <= 2.4.4 | — |
Detection & IOCs (extracted from sources)
YARA rule: https://gist.github.com/hacktivesec/d2160025d24c5689d1bc60173914e004#file-formalms-authbypass-yaml
- Monitor HTTP requests to /index.php containing all three query parameters login_user, time, and token simultaneously; this pattern is specific to the SSO token-based authentication bypass attack flow.
- The exploit generates an MD5 token (uppercased) from 'username,timestamp,secret'. Detect requests where the token parameter is a 32-character uppercase hex string paired with login_user and time parameters.
- Alert on SSO login attempts using the known hardcoded default secret value '8ca0f69afeacc7022d1e589221072d6bcf87e39c'; tokens computed with this secret will match a predictable pattern.
- Also detect exploitation attempts using an empty secret value (token computed from 'username,timestamp,'). These requests are distinguishable because the token will differ from one computed with any non-empty secret.
- The time parameter in exploit requests is set to the current Unix time + 5000 seconds (a future timestamp). Requests with a time value significantly ahead of the server clock alongside login_user and token parameters should be flagged.
- Exploitation requires the 'Enable SSO with a third party software through a token' setting to be enabled in FormaLMS. Instances with SSO disabled are not vulnerable to this specific bypass.
- The hardcoded default secret '8ca0f69afeacc7022d1e589221072d6bcf87e39c' is the known weak default; installations that have changed this secret to a strong, unique value reduce (but may not eliminate) risk unless the empty-secret variant is also patched.
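The detection points above can be combined into a single log check. The following is an added example written for this page; it is not code from the page's sources or from FormaLMS. It assumes Apache-style combined access logs, a constructed set of sample log lines, a clock-skew tolerance of 300 seconds (an assumed threshold; the reported exploit uses +5000 s), and that the SSO token is formed exactly as described above: uppercase MD5 of 'username,timestamp,secret'.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Known weak default secret quoted on this page.
DEFAULT_SECRET = "8ca0f69afeacc7022d1e589221072d6bcf87e39c"
# The page describes the token as a 32-character uppercase hex MD5.
TOKEN_RE = re.compile(r"^[0-9A-F]{32}$")
# Assumed tolerance for the 'time' parameter vs. the server clock (seconds).
MAX_CLOCK_SKEW = 300
# Extracts the request target from an Apache combined log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def sso_token(user: str, ts: str, secret: str) -> str:
    """Uppercase MD5 of 'user,timestamp,secret', as the page describes the SSO token."""
    return hashlib.md5(f"{user},{ts},{secret}".encode()).hexdigest().upper()


def analyze_request(url: str, now: int) -> list[str]:
    """Return a list of finding tags for one request target; empty means nothing notable."""
    parts = urlsplit(url)
    if not parts.path.endswith("/index.php"):
        return []
    q = parse_qs(parts.query)
    if not {"login_user", "time", "token"}.issubset(q):
        return []
    user, ts, token = q["login_user"][0], q["time"][0], q["token"][0]
    findings = ["sso-token-login"]          # all three parameters present together
    if TOKEN_RE.match(token):
        findings.append("token-format-md5-upper")
        if token == sso_token(user, ts, DEFAULT_SECRET):
            findings.append("default-secret")   # token computed with the known default
        elif token == sso_token(user, ts, ""):
            findings.append("empty-secret")     # token computed with an empty secret
    try:
        skew = int(ts) - now
    except ValueError:
        findings.append("time-not-integer")
    else:
        if skew > MAX_CLOCK_SKEW:
            findings.append("time-in-future")   # 'time' far ahead of the server clock
    return findings


def scan_log(lines: list[str], now: int) -> dict[int, list[str]]:
    """Map line index -> findings for every log line that triggers at least one finding."""
    results = {}
    for i, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = analyze_request(m.group(1), now)
        if findings:
            results[i] = findings
    return results


# Constructed sample data: a fixed "now" and four synthetic log lines.
NOW = 1_700_000_000
_TOK_DEFAULT = sso_token("admin", str(NOW + 5000), DEFAULT_SECRET)
_TOK_EMPTY = sso_token("admin", str(NOW), "")
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Nov/2023:22:13:20 +0000] "GET /index.php?modname=login HTTP/1.1" 200 512',
    f'203.0.113.5 - - [14/Nov/2023:22:13:21 +0000] "GET /index.php?login_user=admin&time={NOW + 5000}&token={_TOK_DEFAULT} HTTP/1.1" 302 0',
    f'203.0.113.5 - - [14/Nov/2023:22:13:22 +0000] "GET /index.php?login_user=admin&time={NOW}&token={_TOK_EMPTY} HTTP/1.1" 302 0',
    f'203.0.113.5 - - [14/Nov/2023:22:13:23 +0000] "GET /index.php?login_user=bob&time={NOW}&token=abcdef HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for idx, tags in scan_log(SAMPLE_LOG, NOW).items():
        print(idx, tags)
```

Lines that carry only the "sso-token-login" tag are legitimate SSO logins on instances where that feature is enabled; the "default-secret", "empty-secret" and "time-in-future" tags are the ones worth alerting on. The threshold and log format are the parts to adapt to a real deployment.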
CVSS provenance
NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/164930/FormaLMS-2.4.4-Authentication-Bypass.html
- https://blog.hacktivesecurity.com
- https://blog.hacktivesecurity.com/index.php/2021/10/05/cve-2021-43136-formalms-the-evil-default-value-that-leads-to-authentication-bypass/
- https://formalms.org