CVE-2021-23923
📋 TL;DR
This vulnerability allows Windows domain users to bypass authentication in Devolutions Server, potentially gaining unauthorized access. It affects organizations using Devolutions Server with Windows domain authentication configured. The broken authentication mechanism could allow attackers to impersonate legitimate users.
💻 Affected Systems
- Devolutions Server
📦 What is this software?
Devolutions Server by Devolutions
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Devolutions Server instance, allowing attackers to access all stored credentials, sessions, and sensitive data managed by the platform.
Likely Case
Unauthorized access to privileged accounts and sensitive information stored in Devolutions Server, potentially leading to lateral movement within the network.
If Mitigated
Limited impact if strong network segmentation, monitoring, and additional authentication layers are in place to detect and prevent unauthorized access attempts.
🎯 Exploit Status
Exploitation requires access to the Windows domain authentication flow; the CWE-287 (Improper Authentication) classification suggests it is straightforward once that flow is reachable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2020.3 and later
Vendor Advisory: https://devolutions.net/security/advisories/devo-2021-0002
Restart Required: Yes
Instructions:
1. Back up your Devolutions Server configuration and data.
2. Download Devolutions Server 2020.3 or later from the official portal.
3. Run the installer to upgrade.
4. Restart the Devolutions Server service.
5. Verify that authentication is working correctly.
🔧 Temporary Workarounds
Disable Windows Domain Authentication
Temporarily disable Windows domain authentication and use alternative authentication methods until patched.
Navigate to Administration > Authentication > Windows Domain and disable it.
Network Segmentation
Restrict access to Devolutions Server to trusted networks only and implement firewall rules accordingly.
🧯 If You Can't Patch
- Implement multi-factor authentication for all accounts if supported
- Enable detailed authentication logging and monitor for suspicious login attempts
🔍 How to Verify
Check if Vulnerable:
Check Devolutions Server version in Administration > About. If version is below 2020.3 and Windows domain authentication is enabled, the system is vulnerable.
Check Version:
Check version in Devolutions Server web interface under Administration > About
Verify Fix Applied:
After upgrading to 2020.3 or later, test Windows domain authentication with test accounts to ensure proper authentication flow.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by a successful login from the same source
- Unusual authentication patterns for Windows domain accounts
- Logins from unexpected locations or times
Network Indicators:
- Authentication requests bypassing normal flow
- Unusual traffic patterns to authentication endpoints
SIEM Query (replace `threshold` with a value tuned to your environment):
source="devolutions-server" AND (event_type="authentication" AND result="success") | stats count by user, source_ip | where count > threshold
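As an added example (not from the advisory or from Devolutions), the two indicators above expressed as offline detection logic over sample log lines. The log format, field names and sample values are constructed for this example; Devolutions Server's real authentication log format is not described on this page.

```python
# Added example: detector for the log indicators listed above.
# Log format below is CONSTRUCTED; it is not Devolutions Server's real format.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2021-02-01T09:00:01 authentication user=alice result=failure source_ip=10.0.0.5
2021-02-01T09:00:03 authentication user=alice result=failure source_ip=10.0.0.5
2021-02-01T09:00:04 authentication user=bob result=success source_ip=10.0.0.5
2021-02-01T09:30:00 authentication user=carol result=success source_ip=10.0.0.9
2021-02-01T10:00:00 authentication user=carol result=success source_ip=10.0.0.9
2021-02-01T10:00:05 authentication user=carol result=success source_ip=10.0.0.9
"""

def parse(line):
    # "<timestamp> <event> key=value ..." -> dict with parsed timestamp
    ts, event, *kv = line.split()
    rec = dict(item.split("=", 1) for item in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["event"] = event
    return rec

def parse_log(text):
    return [parse(l) for l in text.splitlines() if l.strip()]

def failures_then_success(records, window=timedelta(minutes=5), min_failures=2):
    """Flag a success from a source_ip preceded by >= min_failures failures within window."""
    recent = defaultdict(list)  # source_ip -> timestamps of recent failures
    alerts = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] != "authentication":
            continue
        ip = r["source_ip"]
        recent[ip] = [t for t in recent[ip] if r["ts"] - t <= window]
        if r["result"] == "failure":
            recent[ip].append(r["ts"])
        elif r["result"] == "success" and len(recent[ip]) >= min_failures:
            alerts.append((ip, r["user"], len(recent[ip])))
            recent[ip].clear()
    return alerts

def successes_over_threshold(records, threshold=2):
    """Offline equivalent of the SIEM query: successes by (user, source_ip) above threshold."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] == "authentication" and r["result"] == "success":
            counts[(r["user"], r["source_ip"])] += 1
    return {k: v for k, v in counts.items() if v > threshold}
```

In the sample, `bob` succeeds from 10.0.0.5 right after two failures for `alice` from the same address, which is the pattern the first log indicator describes; the threshold check flags `carol` from 10.0.0.9.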