CVE-2021-29012

9.8 CRITICAL

📋 TL;DR

CVE-2021-29012 is a critical authentication bypass vulnerability in DMA Softlab Radius Manager 4.4.0 where the same static session cookie is assigned to all admin sessions, functioning like a permanent password. If stolen, attackers gain persistent administrative access without needing credentials. This affects all organizations using the vulnerable version of Radius Manager for network authentication management.

💻 Affected Systems

Products:
  • DMA Softlab Radius Manager
Versions: 4.4.0
Operating Systems: Any OS running Radius Manager
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 4.4.0 are vulnerable regardless of configuration. The vulnerability is in the session management logic itself.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Radius authentication system allowing attackers to create/manage user accounts, modify network policies, intercept authentication traffic, and potentially pivot to other network systems.

🟠

Likely Case

Unauthorized administrative access leading to privilege escalation, user account manipulation, and potential credential theft from the Radius authentication database.

🟢

If Mitigated

Limited impact with proper network segmentation, monitoring, and access controls preventing cookie theft and unauthorized access attempts.

🌐 Internet-Facing: HIGH - If the admin interface is exposed to the internet, attackers can easily steal the static cookie and gain persistent access.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still exploit this, but requires initial network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires first obtaining the static session cookie (for example via XSS, network sniffing, or another disclosure), but once it is obtained it provides permanent admin access, since the value never changes and logging out does not revoke it. Public exploit details are available in the referenced GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds and monitoring.

🔧 Temporary Workarounds

Network Segmentation and Access Control

Platform: Linux

Restrict access to the Radius Manager admin interface to only trusted IP addresses/networks using firewall rules.

iptables -A INPUT -p tcp --dport [admin_port] -s [trusted_ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [admin_port] -j DROP

Web Application Firewall (WAF) Rules

Platform: All

Implement WAF rules to detect and block requests using the static session cookie or unusual admin access patterns.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the Radius Manager from untrusted networks
  • Enable detailed logging and monitoring for all admin interface access and implement alerting for suspicious activities

🔍 How to Verify

Check if Vulnerable:

Check if you're running Radius Manager 4.4.0 by examining the application version in the admin interface or installation directory. Test by logging in as admin, copying the session cookie, logging out, then attempting to reuse the same cookie to access admin functions.

Check Version:

Check the application interface or consult installation documentation for version information. No standard command available.

Verify Fix Applied:

Verify that session cookies are now unique per session and expire properly after logout. Test that reused cookies no longer provide access.
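To make the "fix applied" check concrete, the following added example (not Radius Manager's code, and not the real cookie value) contrasts a model of the vulnerable behaviour described on this page, where every admin login receives the same fixed cookie, with a minimal session store that mints a fresh random token per login, revokes it on logout, and expires it after an idle timeout. The store, the constructed placeholder cookie and the `SESSION_TTL_SECONDS` value are assumptions for illustration:

```python
import secrets
import time
from typing import Optional

# Assumption: 15-minute idle timeout for illustration.
SESSION_TTL_SECONDS = 900


class SessionStore:
    """Hypothetical in-memory session store showing the properties a fixed
    version must have: unique token per login, revoked on logout, expiring."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised deterministically
        self._sessions: dict[str, dict] = {}

    def login(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, new for every login
        self._sessions[token] = {"user": username, "expires": self._now() + SESSION_TTL_SECONDS}
        return token

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)  # server-side revocation, not just a cleared browser cookie

    def user_for(self, token: str) -> Optional[str]:
        s = self._sessions.get(token)
        if s is None:
            return None
        if s["expires"] <= self._now():
            del self._sessions[token]  # lazily purge expired sessions
            return None
        return s["user"]


def static_cookie_demo() -> dict:
    """Model of the vulnerable behaviour: one constant cookie shared by all admin
    sessions, so logout never revokes it. The value is a constructed placeholder."""
    STATIC_COOKIE = "ADMIN-COOKIE-PLACEHOLDER"
    valid_cookies = {STATIC_COOKIE: "admin"}
    cookie_session_a = STATIC_COOKIE
    cookie_session_b = STATIC_COOKIE
    # "Logging out" session A changes nothing server-side; the cookie still works.
    return {
        "same_cookie": cookie_session_a == cookie_session_b,
        "valid_after_logout": STATIC_COOKIE in valid_cookies,
    }


def fixed_cookie_demo() -> dict:
    """Walk the verification steps from the page against the per-session store."""
    clock = [1000.0]
    store = SessionStore(now=lambda: clock[0])
    token_a = store.login("admin")
    token_b = store.login("admin")
    store.logout(token_a)
    b_before = store.user_for(token_b) is not None
    clock[0] += SESSION_TTL_SECONDS + 1  # advance past the idle timeout
    return {
        "same_cookie": token_a == token_b,
        "a_valid_after_logout": store.user_for(token_a) is not None,
        "b_valid_before_expiry": b_before,
        "b_valid_after_expiry": store.user_for(token_b) is not None,
    }


if __name__ == "__main__":
    print("vulnerable model:", static_cookie_demo())
    print("fixed model:", fixed_cookie_demo())
```

When you run the manual check from this section against a real deployment, the outcome you want matches `fixed_cookie_demo()`: two logins yield different cookie values, and a cookie copied before logout no longer reaches admin functions afterwards.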

📡 Detection & Monitoring

Log Indicators:

  • Multiple admin sessions from different IPs using the same session cookie
  • Admin access from unusual IP addresses or geolocations
  • Failed login attempts followed by successful access with cookie reuse

Network Indicators:

  • HTTP requests containing the static session cookie value in headers
  • Unusual admin interface traffic patterns

SIEM Query:

source="radius_manager.log" AND (cookie="[static_cookie_value]" OR (event="admin_login" AND src_ip NOT IN [allowed_ips]))
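The two log indicators above (one cookie seen from several source IPs, admin logins from outside the allowlist) and the SIEM query are easy to prototype offline. The following added script is not part of this page or of Radius Manager; it assumes a hypothetical key=value log format and a `10.0.0.0/8` admin allowlist, and runs over constructed sample lines. Note the caveat it illustrates: on an unpatched 4.4.0 host every admin session carries the same cookie, so "same cookie from multiple IPs" fires for ordinary use too; the actionable signal is that cookie appearing from an address outside the allowlist.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log in a hypothetical key=value format (assumption: not the
# product's real log layout). Cookie values and IPs are made up for the example.
SAMPLE_LOG = """\
ts=2021-03-01T10:00:01Z event=admin_login src_ip=10.0.0.5 user=admin cookie=sess_abc123
ts=2021-03-01T10:00:09Z event=admin_request src_ip=10.0.0.5 cookie=sess_abc123 path=/admin/users
ts=2021-03-01T10:05:44Z event=admin_request src_ip=203.0.113.7 cookie=sess_abc123 path=/admin/users
ts=2021-03-01T10:06:02Z event=admin_login src_ip=203.0.113.7 user=admin cookie=sess_abc123
ts=2021-03-01T10:07:00Z event=admin_login src_ip=10.0.0.9 user=admin cookie=sess_xyz789
this line is malformed and should be skipped
"""

# Assumption: the networks from which admin logins are expected.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Return a dict of key=value fields, or None when the line lacks the fields we need."""
    fields = dict(KV_RE.findall(line))
    if "event" not in fields or "src_ip" not in fields:
        return None
    return fields


def analyse(log_text: str, allowed_nets=ALLOWED_NETS) -> list:
    """Flag admin logins outside the allowlist and cookies reused across source IPs."""
    cookie_ips = defaultdict(set)
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            ip = ipaddress.ip_address(rec["src_ip"])
        except ValueError:
            continue  # unparseable address: skip rather than crash the detector
        if "cookie" in rec:
            cookie_ips[rec["cookie"]].add(str(ip))
        if rec["event"] == "admin_login" and not any(ip in net for net in allowed_nets):
            findings.append({
                "line": lineno,
                "type": "admin_login_outside_allowlist",
                "src_ip": str(ip),
                "cookie": rec.get("cookie"),
            })
    for cookie, ips in cookie_ips.items():
        if len(ips) > 1:
            findings.append({
                "line": None,
                "type": "cookie_shared_across_ips",
                "cookie": cookie,
                "src_ips": sorted(ips),
            })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the constructed input this reports the login from `203.0.113.7` (outside the allowlist) and the cookie `sess_abc123` seen from two different addresses, which together correspond to the scenario the SIEM query above is meant to catch.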

🔗 References
