CVE-2021-34244

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in Ice Hrm 29.0.0.OS allows attackers to create new administrator accounts or change existing user passwords without authorization. It affects organizations using the vulnerable version of Ice Hrm, potentially leading to complete system compromise.

💻 Affected Systems

Products:
  • Ice Hrm
Versions: 29.0.0.OS
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Ice Hrm 29.0.0.OS version specifically; other versions may be unaffected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover, creation of new admin accounts, privilege escalation, and full system compromise leading to data theft or ransomware deployment.

🟠 Likely Case

Attackers create backdoor admin accounts or reset passwords to gain unauthorized access, potentially leading to data exfiltration or further internal attacks.

🟢 If Mitigated

Limited impact with proper CSRF protections, though some risk remains if other vulnerabilities exist.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim to be logged in as an admin or have sufficient privileges; public proof-of-concept demonstrates the attack.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 29.0.1.OS or later

Vendor Advisory: https://github.com/gamonoid/icehrm/releases

Restart Required: No

Instructions:

1. Backup your current installation.
2. Download the latest version from the official repository.
3. Replace the vulnerable files with patched ones.
4. Verify the update by checking the version.

🔧 Temporary Workarounds

Implement CSRF Tokens (applies to: all)

Add anti-CSRF tokens to all state-changing requests in the application.

Use SameSite Cookies (applies to: all)

Configure session cookies with the SameSite=Strict attribute to prevent CSRF attacks.

Set-Cookie: session=value; SameSite=Strict; Secure; HttpOnly
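As an added example (not Ice Hrm's own code), the two workarounds above combined in one minimal server-side check: a synchronizer token bound to the session, an Origin comparison, and the hardened Set-Cookie header. The in-memory session store, the function names and the origin https://hrm.example.test are constructed for the demo.

```python
import hmac
import secrets
from http import cookies

# Constructed in-memory session store for the demo: session_id -> session data.
SESSIONS = {}

def new_session(user):
    """Start a session and bind a fresh, unguessable anti-CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def session_cookie_header(sid):
    """Render the session cookie with the attributes from the workaround above:
    SameSite=Strict (browser omits it on cross-site requests), Secure, HttpOnly."""
    jar = cookies.SimpleCookie()
    jar["session"] = sid
    jar["session"]["samesite"] = "Strict"
    jar["session"]["secure"] = True
    jar["session"]["httponly"] = True
    return jar.output(header="").strip()

def check_state_change(headers, form, cookie_sid, site_origin):
    """Server-side gate for a state-changing request (e.g. add user, reset password).
    Returns (http_status, reason). Two independent checks:
      1. If the browser sent an Origin header, it must match our own origin.
      2. The form must carry the token bound to the session in the cookie
         (synchronizer token), compared in constant time."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 401, "no valid session"
    origin = headers.get("Origin")
    if origin is not None and origin != site_origin:
        return 403, "cross-origin request rejected"
    submitted = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(submitted, sess["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    return 200, "ok"

if __name__ == "__main__":
    site = "https://hrm.example.test"  # constructed origin, not a real deployment
    sid = new_session("admin")
    print(session_cookie_header(sid))
    token = SESSIONS[sid]["csrf"]
    # Legitimate same-origin form post carrying the bound token.
    print(check_state_change({"Origin": site}, {"csrf_token": token}, sid, site))
    # Forged cross-site post: the other site cannot read the session's token.
    print(check_state_change({"Origin": "https://attacker.example"}, {}, sid, site))
```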

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with CSRF protection rules.
  • Restrict access to the Ice Hrm application to trusted networks only.

🔍 How to Verify

Check if Vulnerable:

Check the Ice Hrm version in the admin panel or configuration files; if it's 29.0.0.OS, it is vulnerable.

Check Version:

Check the version in the admin dashboard or review the application's version file.

Verify Fix Applied:

After patching, verify the version is 29.0.1.OS or later and test CSRF protection by attempting to replicate the exploit.

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin account creation events
  • Multiple password reset requests from single IP
  • CSRF token validation failures

Network Indicators:

  • POST requests to user management endpoints without referrer headers
  • Suspicious cross-origin requests

SIEM Query:

source="icehrm_logs" AND (event="admin_created" OR event="password_reset") | stats count by src_ip
