CVE-2021-20187
📋 TL;DR
This vulnerability allows Moodle site administrators to execute arbitrary PHP code via a PHP include during Shibboleth authentication. It affects Moodle installations with Shibboleth authentication enabled where administrators have access to configuration files. The risk is limited to authenticated administrators but could lead to full system compromise.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
An attacker with administrator access could execute arbitrary PHP code, leading to complete system takeover, data theft, or deployment of persistent backdoors.
Likely Case
Malicious or compromised administrator could execute arbitrary code within the Moodle context, potentially accessing sensitive user data or modifying system behavior.
If Mitigated
With proper access controls and monitoring, impact is limited to administrators who already have high privileges within the system.
🎯 Exploit Status
Exploitation requires administrator-level access to Moodle. The vulnerability is in the Shibboleth authentication component's PHP include functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.10.1, 3.9.4, 3.8.7, or 3.5.16
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=417171
Restart Required: No
Instructions:
1. Backup your Moodle installation and database.
2. Download the patched version from moodle.org.
3. Replace affected files with patched versions.
4. Clear Moodle caches.
5. Verify functionality.
🔧 Temporary Workarounds
Disable Shibboleth Authentication
Temporarily disable Shibboleth authentication if not required
Edit config.php and set $CFG->auth = 'manual' or another authentication method
Restrict Administrator Access
Limit administrator accounts to trusted personnel only
Review and reduce administrator privileges in Moodle user management
🧯 If You Can't Patch
- Implement strict access controls for administrator accounts
- Monitor administrator activities and file modifications in Shibboleth configuration directories
🔍 How to Verify
Check if Vulnerable:
Check Moodle version in Site Administration > Notifications or via CLI: php admin/cli/version.php
Check Version:
php admin/cli/version.php | grep 'Release'
Verify Fix Applied:
Verify that the installed version is at least 3.10.1, 3.9.4, 3.8.7, or 3.5.16 on the corresponding release branch. Test Shibboleth authentication functionality.
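As an added example (not part of this advisory or of Moodle itself), the following Python check reads the `$release` line from Moodle's root `version.php` and compares it against the fixed releases listed above; the `version.php` fragments are constructed samples and the helper names are my own.

```python
import re

# Minimum fixed release per branch, as listed in the advisory above.
FIXED_RELEASES = {
    (3, 10): (3, 10, 1),
    (3, 9): (3, 9, 4),
    (3, 8): (3, 8, 7),
    (3, 5): (3, 5, 16),
}

RELEASE_RE = re.compile(r"\$release\s*=\s*'([^']+)'")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(version_php: str):
    """Extract (major, minor, patch) from the $release line of Moodle's version.php.

    A '+' weekly build (e.g. '3.9.3+') is treated as its base release; confirm
    such builds against the build date in the vendor advisory.
    """
    m = RELEASE_RE.search(version_php)
    if not m:
        raise ValueError("no $release line found")
    release = m.group(1).strip()           # e.g. "3.9.3+ (Build: 20201218)"
    v = VERSION_RE.match(release)
    if not v:
        raise ValueError(f"unrecognised release string: {release!r}")
    return int(v.group(1)), int(v.group(2)), int(v.group(3) or 0)


def assess(version_php: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for CVE-2021-20187."""
    major, minor, patch = parse_release(version_php)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "unknown"   # branch not covered by the advisory: review manually
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


# Constructed version.php fragments (hypothetical, not real installations).
SAMPLES = {
    "3.9.3+": "$version  = 2020061503.07;\n$release  = '3.9.3+ (Build: 20201218)';\n$branch   = '39';",
    "3.10.1": "$release  = '3.10.1 (Build: 20210118)';",
    "3.5.16": "$release  = '3.5.16 (Build: 20210118)';",
    "3.7.9": "$release  = '3.7.9 (Build: 20201109)';",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name}: {assess(src)}")
```

On a real server, pass the contents of `<moodle_root>/version.php` to `assess()` instead of the constructed samples.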
📡 Detection & Monitoring
Log Indicators:
- Unusual PHP file includes in Shibboleth authentication logs
- Administrator account modifications to authentication configuration files
Network Indicators:
- Unexpected outbound connections from Moodle server following administrator actions
SIEM Query:
source="moodle_logs" AND (event="config_modified" OR event="auth_shibboleth") AND user_role="admin"