CVE-2021-3325

9.8 CRITICAL

📋 TL;DR

CVE-2021-3325 is an authentication bypass vulnerability in Monitorix 3.13.0 that allows remote attackers to access the web interface without credentials. This affects default installations where the new hosts_deny access control feature wasn't configured after updating from earlier versions.

💻 Affected Systems

Products:
  • Monitorix
Versions: 3.13.0 only
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects installations that updated to 3.13.0 without configuring the new hosts_deny option; fresh installations with the default configuration are vulnerable as well.

📦 What is this software?

Monitorix is a lightweight, open-source system monitoring tool for Linux and Unix-like systems. It collects system and network metrics and presents them as graphs through a web interface, which in a default installation is served by Monitorix's own built-in HTTP server on port 8080.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the monitoring system, allowing attackers to view sensitive system metrics, potentially leading to further system reconnaissance and lateral movement.

🟠

Likely Case

Unauthorized access to system monitoring data, exposing internal network information and system performance metrics to attackers.

🟢

If Mitigated

No impact if proper access controls are configured or the system is patched.

🌐 Internet-Facing: HIGH - Default installations exposed to the internet are completely vulnerable to unauthenticated access.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require network access; risk depends on internal network segmentation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial - simply accessing the Monitorix web interface without authentication bypasses the basic auth protection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.13.1

Vendor Advisory: https://github.com/mikaku/Monitorix/issues/309

Restart Required: Yes

Instructions:

1. Update Monitorix to version 3.13.1 or later.
2. Restart the Monitorix service.
3. Verify the hosts_deny option is properly configured in /etc/monitorix/monitorix.conf.
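The check behind step 3 (is hosts_deny actually set?), as an added example that is not part of this advisory or of the Monitorix project: a small Python audit of the httpd_builtin section of monitorix.conf, run against a constructed weak configuration and its corrected form. hosts_deny and monitorix.conf come from the page; the other keys (enabled, port, hosts_allow, the auth sub-block and htpasswd) are Monitorix's built-in server settings as I know them, not from the page, and the sample address is made up.

```python
# Constructed sample of the <httpd_builtin> section of /etc/monitorix/monitorix.conf
# (not from the page). hosts_deny is left empty, as it is after an upgrade to 3.13.0.
WEAK_CONF = """\
<httpd_builtin>
    enabled = y
    port = 8080
    hosts_deny =
    <auth>
        enabled = y
        htpasswd = /var/lib/monitorix/htpasswd
    </auth>
</httpd_builtin>
"""
# Corrected form (constructed): hosts_deny = all on its own blocks every client,
# so pair it with hosts_allow listing the trusted address(es).
HARDENED_CONF = WEAK_CONF.replace("hosts_deny =", "hosts_deny = all\n    hosts_allow = 10.0.0.5")

F_NO_DENY = "hosts_deny not set: default 3.13.0 install bypasses Basic Auth (CVE-2021-3325)"
F_NO_AUTH = "auth.enabled is not y: the built-in server asks for no credentials at all"

def parse_blocks(text):
    """Minimal parser for Monitorix's Apache-style config: nested <block> dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):          # end of a <block>: pop back to its parent
            cur = stack.pop()
        elif line.startswith("<"):         # start of a <block>: descend into it
            stack.append(cur)
            cur = cur.setdefault(line.strip("<>"), {})
        elif "=" in line:                  # key = value (value may be empty)
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return root

def audit_httpd(conf_text):
    """Findings for the built-in HTTP server; an empty list means nothing to fix."""
    httpd = parse_blocks(conf_text).get("httpd_builtin", {})
    findings = []
    if httpd.get("enabled", "n").lower() != "y":
        return findings  # built-in server is off: this bypass is not reachable through it
    if not httpd.get("hosts_deny"):
        findings.append(F_NO_DENY)
    if httpd.get("auth", {}).get("enabled", "n").lower() != "y":
        findings.append(F_NO_AUTH)
    return findings
```

To audit a real host, pass the contents of its monitorix.conf to audit_httpd(); an empty result on a 3.13.0 system still means you should update to 3.13.1.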

🔧 Temporary Workarounds

Configure hosts_deny option

Platform: linux

Manually configure the hosts_deny option in monitorix.conf to restrict access

Edit /etc/monitorix/monitorix.conf and add: hosts_deny = all
Then restart: systemctl restart monitorix

Network access control

Platform: linux

Use firewall rules to restrict access to Monitorix web interface

iptables -A INPUT -p tcp --dport 8080 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

🧯 If You Can't Patch

  • Immediately configure the hosts_deny option in monitorix.conf to restrict access
  • Implement network-level access controls using firewall rules to limit Monitorix access to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Check if accessing http://[monitorix_host]:8080/monitorix without credentials shows the dashboard. If it does, the system is vulnerable.

Check Version:

monitorix -v or check /usr/share/monitorix/version

Verify Fix Applied:

After patching, attempt to access the Monitorix interface without credentials - you should be prompted for authentication or receive an access denied message.

📡 Detection & Monitoring

Log Indicators:

  • Requests to the Monitorix web interface that carry no credentials
  • Successful (HTTP 200) responses to such unauthenticated requests

Network Indicators:

  • HTTP requests to Monitorix port (default 8080) without authentication headers
  • Traffic from unexpected sources to Monitorix interface

SIEM Query:

source="monitorix" AND (event="access" OR event="auth") AND user="-" AND response="200"
