CVE-2021-32096

8.8 HIGH

📋 TL;DR

CVE-2021-32096 is a Cross-Site Request Forgery (CSRF) vulnerability in NSA Emissary's ConsoleAction component that allows attackers to inject arbitrary Ruby code via the CONSOLE_COMMAND_STRING parameter, leading to remote code execution. This affects Emissary 5.9.0 installations where the console component is accessible. Organizations using vulnerable Emissary deployments for workflow automation are at risk.

💻 Affected Systems

Products:
  • NSA Emissary
Versions: 5.9.0
Operating Systems: Any OS running Emissary
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with ConsoleAction component enabled and accessible.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control over the Emissary server, executing arbitrary commands, accessing sensitive data, and pivoting to other systems.

🟠

Likely Case

Remote code execution leading to data theft, system manipulation, and potential lateral movement within the network.

🟢

If Mitigated

Limited impact with proper CSRF protections, input validation, and network segmentation preventing exploitation.

🌐 Internet-Facing: HIGH - If Emissary console is exposed to the internet, attackers can exploit this without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to trick an authenticated user into visiting a malicious page, but no authentication is needed for the actual code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.10.0 or later

Vendor Advisory: https://github.com/NationalSecurityAgency/emissary/releases

Restart Required: Yes

Instructions:

1. Back up the current Emissary installation and data.
2. Download Emissary 5.10.0 or later from the official repository.
3. Stop the Emissary service.
4. Replace the installation with the patched version.
5. Restart the Emissary service.
6. Verify functionality.

🔧 Temporary Workarounds

Disable ConsoleAction Component

Remove or disable the vulnerable ConsoleAction component if not required.

# Edit Emissary configuration to disable ConsoleAction
# Remove or comment out ConsoleAction references in config files

Implement CSRF Protection

Add CSRF tokens to all forms and validate them server-side.

# Add CSRF protection middleware to Emissary configuration
# Implement anti-CSRF tokens in web interface
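As an added illustration of the server-side validation this workaround calls for (example code written for this page, not Emissary's own implementation), the following synchronizer-token check issues a per-session token, compares the submitted copy in constant time, and additionally requires an allow-listed Origin header before a state-changing console request is processed. The session dictionary, `ALLOWED_ORIGINS` value and `handle_console_post` handler are assumptions standing in for the real web layer.

```python
"""Synchronizer-token CSRF check for a state-changing handler (added example)."""
import hmac
import secrets
from typing import Dict, Optional

# Constructed value: the origin(s) from which the admin UI is legitimately served.
ALLOWED_ORIGINS = {"https://emissary.example.internal"}


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create an unguessable per-session token and keep the server-side copy."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_is_csrf_safe(session: Dict[str, str],
                         submitted_token: Optional[str],
                         origin: Optional[str]) -> bool:
    """True only if the form token matches the session copy and Origin is allow-listed."""
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False
    # Constant-time comparison so token bytes cannot be guessed via timing.
    if not hmac.compare_digest(expected, submitted_token):
        return False
    # Browsers send Origin on cross-site POSTs; a missing or foreign Origin is rejected.
    return origin in ALLOWED_ORIGINS


def handle_console_post(session: Dict[str, str],
                        form: Dict[str, str],
                        headers: Dict[str, str]) -> int:
    """Hypothetical stand-in for a console action; returns an HTTP status code."""
    if not request_is_csrf_safe(session, form.get("csrf_token"), headers.get("Origin")):
        return 403  # refuse before any command string is even looked at
    # The real state-changing work would run here, only after the check passes.
    return 200


if __name__ == "__main__":
    sess: Dict[str, str] = {}
    tok = issue_csrf_token(sess)
    print(handle_console_post(sess, {"csrf_token": tok},
                              {"Origin": "https://emissary.example.internal"}))
    print(handle_console_post(sess, {"csrf_token": tok},
                              {"Origin": "https://attacker.example"}))
```

The token lives only in the server-side session and the rendered form, so a page on another origin cannot read it; the Origin check is a second, independent layer that also rejects replays of a leaked token from elsewhere.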

🧯 If You Can't Patch

  • Network segmentation: Isolate Emissary servers from internet and restrict access to trusted IPs only.
  • Web Application Firewall: Deploy WAF with CSRF protection rules and input validation for Ruby code execution patterns.

🔍 How to Verify

Check if Vulnerable:

Check Emissary version: if running 5.9.0 and ConsoleAction is enabled, system is vulnerable.

Check Version:

Check Emissary configuration files or admin interface for version information, or run: `emissary --version` if available.

Verify Fix Applied:

Verify version is 5.10.0 or later and test that CONSOLE_COMMAND_STRING parameter no longer accepts arbitrary Ruby code.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Ruby code execution in logs
  • Multiple requests to ConsoleAction endpoint with CONSOLE_COMMAND_STRING parameter
  • CSRF token validation failures

Network Indicators:

  • POST requests to /console or ConsoleAction endpoints with Ruby code in parameters
  • Requests from unexpected sources to administrative interfaces

SIEM Query:

source="emissary.log" AND (CONSOLE_COMMAND_STRING OR eval OR "ruby code")
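To show how the log and network indicators above translate into detection logic, here is an added example (not part of the original advisory) that scans constructed access-log lines for POST requests to a console endpoint carrying the CONSOLE_COMMAND_STRING parameter, and raises alerts when such a request comes from outside a trusted range or when one source issues several in a row. The log layout (`timestamp source method path status`), the `/emissary/Console.action` path form, the trusted network and the burst threshold are all assumptions chosen for the demonstration.

```python
"""Flag console-command requests in constructed Emissary-style access logs (added example)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed log layout: "<ts> <src_ip> <method> <path-with-query> <status>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# Assumed path forms for the console endpoint (the advisory names /console and ConsoleAction).
CONSOLE_PATH = re.compile(r"/console(\.action)?\b|ConsoleAction", re.IGNORECASE)
TRUSTED_NETS = [ip_network("10.0.0.0/8")]  # constructed: where admin traffic is expected from
BURST_THRESHOLD = 2                           # constructed: hits per source that trigger an alert

# Constructed sample lines; the command values are deliberately harmless.
SAMPLE_LOG = """\
2021-05-03T10:00:01Z 10.0.1.15 GET /emissary/Navigate.action 200
2021-05-03T10:00:05Z 10.0.1.15 POST /emissary/Console.action?CONSOLE_COMMAND_STRING=puts+1 200
2021-05-03T10:00:06Z 203.0.113.7 POST /emissary/Console.action?CONSOLE_COMMAND_STRING=puts+Dir.pwd 200
2021-05-03T10:00:07Z 203.0.113.7 POST /emissary/Console.action?CONSOLE_COMMAND_STRING=puts+ENV.keys 200
2021-05-03T10:00:09Z 10.0.1.20 GET /emissary/Console.action 200
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields, or None if it does not fit the assumed layout."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def is_console_command(rec: Dict[str, str]) -> bool:
    """A POST to the console endpoint that carries the command parameter."""
    return (rec["method"] == "POST"
            and bool(CONSOLE_PATH.search(rec["path"]))
            and "CONSOLE_COMMAND_STRING" in rec["path"])


def analyse(log_text: str) -> List[Dict[str, object]]:
    """Return alerts for untrusted-source console commands and per-source bursts."""
    hits_by_src: Counter = Counter()
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_console_command(rec):
            continue
        hits_by_src[rec["src"]] += 1
        src = ip_address(rec["src"])
        if not any(src in net for net in TRUSTED_NETS):
            alerts.append({"type": "console_command_from_untrusted_source",
                           "src": rec["src"], "ts": rec["ts"]})
    for src_text, n in hits_by_src.items():
        if n >= BURST_THRESHOLD:
            alerts.append({"type": "console_command_burst", "src": src_text, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample above, the single command from 10.0.1.15 is inside the trusted range and below the burst threshold, so it is only counted; the two commands from 203.0.113.7 produce two untrusted-source alerts plus one burst alert. The plain GET to the console page without the parameter is ignored, which keeps routine navigation out of the alert stream.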
