CVE-2021-27228

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass authentication in Shinobi video surveillance software by exploiting JavaScript prototype pollution. Attackers can use JavaScript method names like 'constructor' or 'hasOwnProperty' to trick the system into accepting invalid API keys, granting them full administrative access. All Shinobi installations through ocean version 1 are affected.
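The coding pattern that makes this bypass possible, shown beside two hardened forms, as an added example that is not Shinobi's lib/auth.js: a credential lookup on a plain JavaScript object resolves inherited Object.prototype members, so a truthy check on `store[presentedKey]` passes for names such as 'constructor'. The key store, the credential value and the function names below are constructed for illustration.

```javascript
// Added example, not Shinobi's code: the lookup pattern behind this class of
// bug, beside two hardened variants. Key store and names are constructed.
const apiKeys = {
  // constructed sample credential; a plain object inherits from Object.prototype
  "f3a9c1d2e8b7": { user: "alice", role: "admin" },
};

// Vulnerable form: a truthy lookup on a plain object. Inherited names such as
// "constructor", "hasOwnProperty" or "__proto__" resolve to Object.prototype
// members, so the check passes for a key that was never issued.
function authenticateVulnerable(presentedKey) {
  const record = apiKeys[presentedKey];
  return record ? { ok: true, user: record.user } : { ok: false };
}

// Hardened form 1: require a string and an own property of the key store.
function authenticateOwnProperty(presentedKey) {
  if (typeof presentedKey !== "string") return { ok: false };
  if (!Object.prototype.hasOwnProperty.call(apiKeys, presentedKey)) return { ok: false };
  return { ok: true, user: apiKeys[presentedKey].user };
}

// Hardened form 2: keep credentials in a Map, whose get() never consults a
// prototype chain. A store built with Object.create(null) behaves the same way.
const apiKeyMap = new Map(Object.entries(apiKeys));
function authenticateMap(presentedKey) {
  const record = apiKeyMap.get(presentedKey);
  return record ? { ok: true, user: record.user } : { ok: false };
}

// Run the three checks against the valid key, some inherited names and an
// unknown key, returning one row per probe.
function compare(keys = ["f3a9c1d2e8b7", "constructor", "hasOwnProperty", "__proto__", "nosuchkey"]) {
  return keys.map((k) => ({
    key: k,
    vulnerable: authenticateVulnerable(k).ok,
    ownProperty: authenticateOwnProperty(k).ok,
    map: authenticateMap(k).ok,
  }));
}

console.table(compare());
```

Only the first row (the issued key) is accepted by all three checks; the vulnerable form additionally accepts every inherited name, which is exactly the behaviour the fix removes. When reviewing a patch for this bug, look for the own-property test or the switch to a Map rather than for a denylist of method names, since the list of inherited properties differs across engines and versions.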

💻 Affected Systems

Products:
  • Shinobi Video Surveillance System
Versions: All versions through ocean version 1
Operating Systems: All platforms running Shinobi
Default Config Vulnerable: ⚠️ Yes
Notes: All Shinobi installations with the vulnerable lib/auth.js file are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to access all surveillance feeds, modify system configurations, create/delete user accounts, and potentially pivot to other systems on the network.

🟠 Likely Case

Unauthorized access to surveillance feeds and administrative functions, potentially exposing sensitive video footage and system data.

🟢 If Mitigated

No impact if patched or properly isolated from untrusted networks.

🌐 Internet-Facing: HIGH - Web-accessible Shinobi instances can be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit is demonstrated in the CVE description with a specific URI pattern (/super/constructor/accounts/list). Attackers can easily craft similar requests to bypass authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after ocean version 1

Vendor Advisory: https://gitlab.com/Shinobi-Systems/Shinobi/-/merge_requests/286

Restart Required: Yes

Instructions:

1. Update Shinobi to the latest version from the official GitLab repository.
2. Restart the Shinobi service.
3. Verify the fix by checking that the vulnerable authentication logic has been replaced.

🔧 Temporary Workarounds

Network Isolation

Linux (iptables): restrict access to the Shinobi web interface to trusted networks only. Replace the bracketed placeholders with the port Shinobi listens on and the trusted source range. Both rules are appended to the end of the INPUT chain, so an earlier rule that already accepts traffic to that port takes precedence over them.

  # allow the trusted network to reach the Shinobi port
  iptables -A INPUT -p tcp --dport [SHINOBI_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
  # drop everything else destined for that port
  iptables -A INPUT -p tcp --dport [SHINOBI_PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit Shinobi access to trusted IP addresses only
  • Deploy a web application firewall (WAF) with rules to block requests containing JavaScript prototype method names in API key parameters

🔍 How to Verify

Check if Vulnerable:

Check if your Shinobi version is ocean version 1 or earlier by examining the version in the web interface or checking package metadata.

Check Version:

Check Shinobi web interface dashboard or examine package.json in Shinobi installation directory

Verify Fix Applied:

After updating, test authentication with invalid API keys containing JavaScript method names like 'constructor' - these should be rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts with API keys containing 'constructor', 'hasOwnProperty', or other JavaScript method names
  • Access to administrative endpoints from unauthorized IP addresses

Network Indicators:

  • HTTP requests to Shinobi API endpoints with suspicious parameter values
  • Patterns of failed authentication followed by successful administrative access

SIEM Query:

source="shinobi" AND (uri="*constructor*" OR uri="*hasOwnProperty*" OR (status=200 AND uri="/super/*" AND NOT user=authorized_user))
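The same indicators applied offline to web-server access logs, as an added example that is neither Shinobi's code nor a vendor SIEM query: it parses combined-log-style lines, percent-decodes each path segment and query value, and reports any request carrying an Object.prototype member name together with its status code, so an accepted (200) request stands out from a rejected one. The log format, addresses and key value below are constructed for illustration, and the function names are this example's own.

```javascript
// Added example, not Shinobi's or a SIEM vendor's code: scan access logs for
// the request pattern described above. Log lines are constructed.
const PROTOTYPE_NAMES = new Set(
  Object.getOwnPropertyNames(Object.prototype).concat("__proto__")
);

// Constructed sample lines in a combined-log style; the addresses are from
// documentation ranges and the key in the second line is made up.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Mar/2021:12:00:01 +0000] "GET /super/constructor/accounts/list HTTP/1.1" 200 512',
  '198.51.100.4 - - [10/Mar/2021:12:00:05 +0000] "GET /super/8f2c1a9e0d/accounts/list HTTP/1.1" 200 512',
  '203.0.113.7 - - [10/Mar/2021:12:00:09 +0000] "GET /hasOwnProperty/monitor/list?limit=10 HTTP/1.1" 200 128',
  '198.51.100.4 - - [10/Mar/2021:12:00:12 +0000] "GET /dashboard HTTP/1.1" 200 2048',
  'not a log line',
];

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$/;

// Parse one line into its fields, or return null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], uri: m[4], status: Number(m[5]) };
}

// Percent-decode, keeping the raw text if the encoding is malformed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Return the path segments and query values of a URI that name an
// Object.prototype member; an empty array means nothing suspicious.
function prototypeNamesIn(uri) {
  const q = uri.indexOf("?");
  const path = q === -1 ? uri : uri.slice(0, q);
  const query = q === -1 ? "" : uri.slice(q + 1);
  const candidates = path.split("/").filter(Boolean).map(safeDecode);
  for (const kv of query.split("&").filter(Boolean)) {
    const eq = kv.indexOf("=");
    candidates.push(safeDecode(eq === -1 ? kv : kv.slice(eq + 1)));
  }
  return candidates.filter((c) => PROTOTYPE_NAMES.has(c));
}

// Walk the log and report every request that carries such a name, with the
// status code so an accepted request (200) stands out from a rejection.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const names = prototypeNamesIn(rec.uri);
    if (names.length > 0) hits.push({ ip: rec.ip, uri: rec.uri, status: rec.status, names });
  }
  return hits;
}

console.log(scanLog(SAMPLE_LOG));
```

Decoding before the comparison matters: a substring match on the raw URI, as in the query above, misses a percent-encoded segment such as `%63onstructor`, whereas the decoded segment compares equal to 'constructor'. The member list is taken from the running engine's Object.prototype rather than hard-coded, so it covers names the page does not list, such as 'toString' and 'valueOf'.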
