CVE-2021-21399
📋 TL;DR
CVE-2021-21399 is an authentication bypass vulnerability in Ampache's Subsonic API that allows unauthenticated attackers to access the application using a non-existent username. This affects all Ampache installations with the Subsonic API enabled prior to version 4.4.1. Attackers can potentially access and manipulate audio/video content and file management functions without valid credentials.
💻 Affected Systems
- Ampache
📦 What is this software?
Ampache, a web-based audio/video streaming and media-management application, developed by the Ampache project.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Ampache instance allowing unauthorized access to all media files, potential data exfiltration, and unauthorized modifications to the media library.
Likely Case
Unauthorized access to media streaming and file management functions, potentially exposing sensitive media content to unauthenticated users.
If Mitigated
Limited impact if Subsonic API is disabled or proper network segmentation isolates the Ampache instance.
🎯 Exploit Status
Exploitation is straightforward - simply send requests to the Subsonic API endpoint with a non-existent username.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.1
Vendor Advisory: https://github.com/ampache/ampache/security/advisories/GHSA-p9pm-j95j-5mjf
Restart Required: Yes
Instructions:
1. Back up your Ampache configuration and database.
2. Download Ampache 4.4.1 or later from the official repository.
3. Replace the existing files with the patched version.
4. Run any database migrations if required.
5. Restart the web server service.
🔧 Temporary Workarounds
Disable Subsonic API
Temporarily disable the vulnerable Subsonic API endpoint until patching can be completed.
Edit config/ampache.cfg.php (INI-style settings) and set subsonic_backend = "false"
Network Access Control
Restrict access to Ampache's Subsonic API endpoint using firewall rules (the ACCEPT rule for the trusted network must precede the DROP rule).
iptables -A INPUT -p tcp --dport [AMPACHE_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [AMPACHE_PORT] -j DROP
🧯 If You Can't Patch
- Disable the Subsonic API completely in Ampache configuration
- Implement strict network segmentation and firewall rules to restrict access to Ampache instance
🔍 How to Verify
Check if Vulnerable:
Check if Ampache version is below 4.4.1 and Subsonic API is enabled in configuration.
Check Version:
Check the version.php file or Ampache web interface footer for version information.
Verify Fix Applied:
Attempt to access Subsonic API with non-existent username - should receive authentication error.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts with non-existent usernames via Subsonic API
- Successful Subsonic API requests without preceding successful authentication
Network Indicators:
- Unusual Subsonic API traffic patterns
- Requests to /rest/ endpoints without the expected authentication parameters (Subsonic clients pass credentials as request parameters: u plus either p or t and s)
SIEM Query:
source="ampache.log" AND ("subsonic" OR "/rest/") AND ("failed auth" OR "unauthorized")
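The log and network indicators above can be checked mechanically against web-server access logs. The following is an added example, not Ampache's code or tooling: it parses Combined Log Format lines (a constructed sample is embedded), keeps only requests under /rest/, and flags two conditions from the indicator list: requests that carry no Subsonic credentials (no u, and no p or t/s pair), and requests naming a username that does not exist locally. The set of valid usernames and the log lines are assumptions constructed for the example; in practice the user set would be exported from the Ampache database.

```python
"""Scan access-log lines for suspicious Ampache Subsonic API requests.

Added example, not part of Ampache. Assumptions: the web server or reverse
proxy in front of Ampache writes Combined Log Format; the Subsonic endpoint
is served under /rest/; KNOWN_USERS is a constructed stand-in for the real
list of Ampache accounts. Subsonic clients send credentials as query
parameters: u (user) plus either p (password) or t and s (token and salt).
"""
import re
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed: in a real deployment, export the usernames from Ampache's user table.
KNOWN_USERS = {"admin", "alice"}

# Constructed sample access-log lines (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2021:12:00:01 +0000] "GET /rest/ping.view?u=alice&t=deadbeef&s=c19b2d&v=1.16.0&c=sub HTTP/1.1" 200 120
203.0.113.7 - - [10/Apr/2021:12:00:02 +0000] "GET /rest/getMusicFolders.view?u=nosuchuser&p=x&v=1.16.0&c=sub HTTP/1.1" 200 512
198.51.100.9 - - [10/Apr/2021:12:00:03 +0000] "GET /rest/getPlaylists.view?v=1.16.0&c=sub HTTP/1.1" 200 800
203.0.113.5 - - [10/Apr/2021:12:00:04 +0000] "GET /rest/ping.view?u=alice&p=wrong&v=1.16.0&c=sub HTTP/1.1" 200 130
192.0.2.4 - - [10/Apr/2021:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 5000
"""


def parse_line(line):
    """Return the fields of one Combined Log Format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs returns lists; keep the first value of each parameter.
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def subsonic_indicators(rec, known_users):
    """Indicators for one parsed request; empty list when nothing is suspicious."""
    if not rec["path"].startswith("/rest/"):
        return []
    p = rec["params"]
    flags = []
    has_password = "p" in p
    has_token = "t" in p and "s" in p
    if "u" not in p or not (has_password or has_token):
        flags.append("missing-credentials")
    if "u" in p and p["u"] not in known_users:
        flags.append(f"unknown-user:{p['u']}")
    return flags


def scan(log_text, known_users):
    """Return (ip, path, indicators) for every Subsonic request that raised an indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flags = subsonic_indicators(rec, known_users)
        if flags:
            hits.append((rec["ip"], rec["path"], flags))
    return hits


def unknown_users_by_source(hits):
    """Count distinct non-existent usernames tried per source IP."""
    per_ip = {}
    for ip, _path, flags in hits:
        for f in flags:
            if f.startswith("unknown-user:"):
                per_ip.setdefault(ip, set()).add(f.split(":", 1)[1])
    return {ip: len(users) for ip, users in per_ip.items()}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG, KNOWN_USERS)
    for ip, path, flags in results:
        print(f"{ip} {path} {','.join(flags)}")
    print(unknown_users_by_source(results))
```

Note that the HTTP status column is deliberately not used: the Subsonic protocol reports authentication failures inside the response body while still returning HTTP 200, so an access log alone cannot separate successful from failed Subsonic logins. Pair this scan with Ampache's own log (the "failed auth" entries the SIEM query above looks for) to tell an unknown username that was rejected from one that was served content.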