CVE-2021-30147

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in DMA Softlab Radius Manager 4.4.0 allows attackers to trick authenticated administrators into performing unauthorized actions, such as creating new manager accounts. The attack requires the victim to be logged into the admin interface and visit a malicious page. This affects all deployments of Radius Manager 4.4.0 with the admin.php interface accessible.

💻 Affected Systems

Products:
  • DMA Softlab Radius Manager
Versions: 4.4.0
Operating Systems: Any OS running Radius Manager
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 4.4.0 are vulnerable. The admin.php endpoint must be accessible, which is typical for administration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through creation of attacker-controlled administrator accounts, leading to data theft, service disruption, or lateral movement within the network.

🟠 Likely Case: Unauthorized administrative account creation allowing attackers to gain persistent access to the Radius Manager system and potentially compromise network authentication services.

🟢 If Mitigated: Limited impact if proper CSRF protections, network segmentation, and access controls are implemented, though the vulnerability still exists.

🌐 Internet-Facing: HIGH - The admin.php interface is typically internet-accessible for remote administration, making exploitation trivial if administrators visit malicious sites.
🏢 Internal Only: MEDIUM - Even internally, administrators could be tricked via phishing or compromised internal sites, though attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim to be authenticated as an administrator. Public exploit code exists on Packet Storm Security and GitHub repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://dmasoftlab.com/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds. Check vendor website for updates.

🔧 Temporary Workarounds

Implement CSRF Tokens (applies to: all)

Add anti-CSRF tokens to all admin.php forms and validate them server-side. Manual code modification is required: add unique tokens to forms and validate them on submission.

SameSite Cookie Attribute (applies to: all)

Set SameSite=Strict or SameSite=Lax on session cookies, for example:

Set-Cookie: session=value; SameSite=Strict; Secure; HttpOnly
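As an added example (this is not DMA Softlab or Radius Manager code), the following PHP shows how the two workarounds above fit together in an admin.php-style handler: the session cookie is issued with SameSite=Strict, Secure and HttpOnly, a per-session anti-CSRF token is embedded in every state-changing form, and the token is checked with a constant-time comparison before the action runs. The function names, the hidden field name csrf_token, and the PHP 7.3+ array form of session_set_cookie_params are assumptions for illustration; the real admin.php form and account-creation code is not shown here.

```php
<?php
// Added example, not DMA Softlab code: a CSRF guard for an admin.php-style
// form handler plus hardened session-cookie attributes. All function names and
// the hidden field name "csrf_token" are assumptions for illustration.
declare(strict_types=1);

/** Set SameSite/Secure/HttpOnly on the session cookie, then start the session. */
function start_hardened_session(): void
{
    // Array form requires PHP 7.3+ (assumed); older releases need ini_set().
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // only sent over HTTPS
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Strict',  // never attached to cross-site requests
    ]);
    session_start();
}

/** Return the per-session token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random
    }
    return $_SESSION['csrf_token'];
}

/** Hidden input to place inside every form that changes state. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Compare the submitted token with the session copy. Takes the arrays as
 * parameters so the check can be unit-tested without a live session.
 */
function csrf_valid(array $post, array $session): bool
{
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    if (!is_string($expected) || !is_string($submitted) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

/** Gate every state-changing POST (e.g. manager creation) behind the check. */
function handle_admin_post(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return;
    }
    if (!csrf_valid($_POST, $_SESSION)) {
        http_response_code(403);
        error_log('CSRF token check failed from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        exit('Invalid or missing request token.');
    }
    // The existing account-creation logic would run only past this point.
}

start_hardened_session();
handle_admin_post();
?>
<!-- In each admin form template, emit the hidden token field: -->
<form method="post" action="admin.php">
  <?= csrf_field() ?>
  <!-- ...existing form fields... -->
</form>
```

SameSite=Strict alone already stops a browser from attaching the session cookie to a form posted from another origin, but the token check is kept as the primary control because older browsers ignore the attribute and Lax still permits some top-level navigations; the 403 path also writes a log line, which feeds the detection indicators listed later on this page.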

🧯 If You Can't Patch

  • Restrict access to admin.php interface using network ACLs or firewall rules to only trusted IP addresses
  • Implement web application firewall (WAF) rules to detect and block CSRF attempts

🔍 How to Verify

Check if Vulnerable:

Check if admin.php forms lack CSRF tokens by inspecting form HTML or using browser developer tools

Check Version:

Check version in web interface or configuration files. Default location may vary by installation.

Verify Fix Applied:

Verify that all admin.php forms include unique CSRF tokens that are validated server-side

📡 Detection & Monitoring

Log Indicators:

  • Multiple administrator account creations from same IP in short time
  • Admin account creation without corresponding admin login from same session

Network Indicators:

  • HTTP POST requests to admin.php with account creation parameters from unexpected referrers

SIEM Query:

source="radius_manager.log" AND (event="admin_account_create" AND NOT referer="*admin.php*")
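The three indicators above can be evaluated with a small script run over the application log. The following PHP is an added example and not a Radius Manager component: the "timestamp key=value" log format, the sample lines, the IP addresses, session ids, host name and the burst thresholds are all constructed for illustration and must be adapted to the real log layout; only the event name admin_account_create is taken from the SIEM query above.

```php
<?php
// Added example: evaluates the three indicators above over constructed log lines.
// The key=value log format, IPs, session ids and thresholds are assumptions;
// only the event name admin_account_create comes from the SIEM query on this page.
declare(strict_types=1);

// Constructed sample log: one legitimate creation, one creation referred from
// a foreign page, and a burst of three creations from a session never logged in.
const SAMPLE_LOG = <<<'LOG'
2021-04-01T10:00:01Z ip=203.0.113.5 sid=s1 event=admin_login user=admin
2021-04-01T10:02:10Z ip=203.0.113.5 sid=s1 event=admin_account_create referer=https://rm.example/admin.php new_user=ops2
2021-04-01T10:03:00Z ip=203.0.113.5 sid=s1 event=admin_account_create referer=https://other.example/page.html new_user=mgr9
2021-04-01T10:05:01Z ip=198.51.100.9 sid=s7 event=admin_account_create referer=https://other.example/page.html new_user=acct1
2021-04-01T10:05:02Z ip=198.51.100.9 sid=s7 event=admin_account_create referer=https://other.example/page.html new_user=acct2
2021-04-01T10:05:03Z ip=198.51.100.9 sid=s7 event=admin_account_create referer=https://other.example/page.html new_user=acct3
LOG;

/** Parse one "timestamp key=value ..." line into an associative array. */
function parse_line(string $line): ?array
{
    if (!preg_match('/^(\S+)\s+(.*)$/', trim($line), $m)) {
        return null;
    }
    $ts = strtotime($m[1]);
    if ($ts === false) {
        return null;
    }
    $fields = ['ts' => $ts];
    foreach (preg_split('/\s+/', $m[2]) as $kv) {
        [$k, $v] = array_pad(explode('=', $kv, 2), 2, '');
        $fields[$k] = $v;
    }
    return $fields;
}

/**
 * Return a list of alert strings. $adminHost is the host the legitimate
 * admin.php is served from; $window (seconds) and $threshold define a burst.
 */
function analyse(string $log, string $adminHost, int $window = 300, int $threshold = 3): array
{
    $alerts      = [];
    $loggedIn    = [];   // session id => true once an admin_login is seen
    $createsByIp = [];   // ip => list of creation timestamps

    foreach (explode("\n", $log) as $line) {
        $e = parse_line($line);
        if ($e === null || !isset($e['event'])) {
            continue;
        }
        if ($e['event'] === 'admin_login') {
            $loggedIn[$e['sid'] ?? ''] = true;
            continue;
        }
        if ($e['event'] !== 'admin_account_create') {
            continue;
        }
        $sid  = $e['sid'] ?? '';
        $ip   = $e['ip'] ?? '';
        $user = $e['new_user'] ?? '?';

        // Indicator 1: creation in a session with no preceding admin login.
        if (empty($loggedIn[$sid])) {
            $alerts[] = "no-login-in-session sid=$sid new_user=$user";
        }

        // Indicator 2: request not referred from our own admin.php. Browsers may
        // omit Referer entirely, so a missing value is flagged too; treat this as
        // a corroborating signal rather than proof on its own.
        $host = parse_url($e['referer'] ?? '', PHP_URL_HOST);
        if ($host !== $adminHost) {
            $alerts[] = "unexpected-referer ip=$ip referer=" . ($e['referer'] ?? '(none)') . " new_user=$user";
        }

        // Indicator 3: burst of creations from one IP inside the time window.
        $createsByIp[$ip][] = $e['ts'];
        $recent = array_filter($createsByIp[$ip], fn(int $t): bool => $t >= $e['ts'] - $window);
        if (count($recent) >= $threshold) {
            $alerts[] = "burst ip=$ip count=" . count($recent) . " window={$window}s";
        }
    }
    return $alerts;
}

foreach (analyse(SAMPLE_LOG, 'rm.example') as $alert) {
    echo $alert, PHP_EOL;
}
```

On the constructed sample the script reports one unexpected-referer alert for the s1 session, and for the s7 session three no-login-in-session alerts, three unexpected-referer alerts and a burst alert on the third creation. The referer check is the one most specific to CSRF, since a forged request originates from a page the administrator was lured to rather than from admin.php, but it should be correlated with the other two indicators because the header can be absent or stripped by privacy settings.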
