CVE-2021-23921

9.1 CRITICAL

📋 TL;DR

This vulnerability in Devolutions Server allows attackers to bypass access controls on Password List entries, potentially exposing sensitive credentials. It affects all Devolutions Server installations before version 2020.3. Organizations using this privileged access management solution for credential storage are at risk.

💻 Affected Systems

Products:
  • Devolutions Server
Versions: All versions before 2020.3
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments regardless of configuration. Password Lists are a core feature of Devolutions Server.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of all stored credentials, leading to lateral movement across the entire network and potential data exfiltration.

🟠 Likely Case: Unauthorized access to some password entries, enabling attackers to compromise specific systems or accounts.

🟢 If Mitigated: Limited credential exposure if strong network segmentation and additional authentication layers are in place.

🌐 Internet-Facing: HIGH - If the Devolutions Server is exposed to the internet, attackers can directly exploit this vulnerability.
🏢 Internal Only: HIGH - Even internally, any compromised user account or insider threat could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires some level of access to the Devolutions Server interface, but the access control bypass itself is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2020.3 and later

Vendor Advisory: https://devolutions.net/security/advisories/devo-2021-0002

Restart Required: Yes

Instructions:

1. Back up your Devolutions Server configuration and database.
2. Download Devolutions Server 2020.3 or later from the official website.
3. Run the installer and follow the upgrade prompts.
4. Restart the Devolutions Server service.

🔧 Temporary Workarounds

Restrict Access to Devolutions Server (all)

Limit network access to only trusted IP addresses and require VPN for remote connections.

Implement Additional Authentication (all)

Require multi-factor authentication for all Devolutions Server users.

🧯 If You Can't Patch

  • Isolate the Devolutions Server on a separate network segment with strict firewall rules.
  • Implement comprehensive logging and monitoring for all access to Password List entries.

🔍 How to Verify

Check if Vulnerable:

Check the Devolutions Server version in the web interface under Administration > About, or examine the installation directory for version files.

Check Version:

On Windows: Check registry at HKEY_LOCAL_MACHINE\SOFTWARE\Devolutions\Server\Version. On Linux: Check /opt/devolutions/server/version.txt or similar.

Verify Fix Applied:

Confirm the version is 2020.3 or later, then test access controls by attempting to view Password List entries you shouldn't have permissions for.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to Password List entries
  • Failed access control checks in audit logs
  • Multiple credential access attempts from single user

Network Indicators:

  • Unexpected connections to systems using credentials from Devolutions Server
  • Traffic spikes to the Devolutions Server web interface

SIEM Query:

source="devolutions_server" AND (event_type="password_access" OR event_type="access_control_failure") | stats count by user, target_resource
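The same detection logic as the SIEM query, run offline over constructed audit records, as an added example that is not part of this page or of the vendor's tooling. It assumes a JSON-lines log whose field names match the query above (source, event_type, user, target_resource); the real Devolutions Server log schema is not documented here, and the distinct-list threshold is a tuning value chosen for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample audit log (JSON lines). Field names mirror the SIEM
# query above (source, event_type, user, target_resource); the real
# Devolutions Server log schema is an assumption, not taken from the vendor.
SAMPLE_EVENTS = """\
{"source":"devolutions_server","event_type":"password_access","user":"alice","target_resource":"PL/finance"}
{"source":"devolutions_server","event_type":"password_access","user":"alice","target_resource":"PL/finance"}
{"source":"devolutions_server","event_type":"access_control_failure","user":"bob","target_resource":"PL/domain-admins"}
{"source":"devolutions_server","event_type":"password_access","user":"bob","target_resource":"PL/domain-admins"}
{"source":"devolutions_server","event_type":"password_access","user":"bob","target_resource":"PL/backup"}
{"source":"devolutions_server","event_type":"password_access","user":"bob","target_resource":"PL/finance"}
{"source":"devolutions_server","event_type":"logon","user":"carol","target_resource":null}
{"source":"other_app","event_type":"password_access","user":"dave","target_resource":"PL/finance"}
"""

WATCHED = {"password_access", "access_control_failure"}
MAX_DISTINCT_LISTS = 2  # tuning threshold, chosen for this example


def analyse(log_text):
    """Return (counts, findings): counts mirrors `stats count by user,
    target_resource`; findings lists a Password List read that follows a
    failed access-control check on the same list, and users touching many lists."""
    counts = Counter()
    failed = defaultdict(set)    # user -> lists with an access_control_failure
    accessed = defaultdict(set)  # user -> distinct lists read
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("source") != "devolutions_server" or ev.get("event_type") not in WATCHED:
            continue
        user, res = ev["user"], ev["target_resource"]
        counts[(user, res)] += 1
        if ev["event_type"] == "access_control_failure":
            failed[user].add(res)
        else:
            accessed[user].add(res)
            if res in failed[user]:
                findings.append(f"{user}: read {res} after a failed access-control check")
    for user, lists in accessed.items():
        if len(lists) > MAX_DISTINCT_LISTS:
            findings.append(f"{user}: accessed {len(lists)} distinct Password Lists")
    return counts, findings


if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS)[1])
```

Events from other sources and non-credential event types are dropped before counting, so the counts match what the SIEM query would return for the same records.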
