Login Sign Up

CVE-2021-34433

7.5 HIGH
Authentication Bypass

📋 TL;DR

This vulnerability in Eclipse Californium allows attackers to bypass certificate verification during DTLS handshakes, enabling man-in-the-middle attacks. It affects clients using certificate-based authentication (x509 or RPK) with vulnerable versions, potentially compromising secure communications.

💻 Affected Systems

Products:
  • Eclipse Californium
Versions: 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects certificate-based (x509 or RPK) DTLS handshakes. PSK-based handshakes are not affected.

📦 What is this software?

Californium by Eclipse

View all CVEs affecting Californium →

Californium by Eclipse

View all CVEs affecting Californium →

Californium by Eclipse

View all CVEs affecting Californium →

Californium by Eclipse

View all CVEs affecting Californium →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers can intercept and manipulate encrypted DTLS communications, potentially stealing sensitive data or injecting malicious content into secure channels.

🟠

Likely Case

Man-in-the-middle attacks against DTLS-secured CoAP communications, allowing eavesdropping on IoT device communications.

🟢

If Mitigated

Limited impact if network segmentation prevents MITM positioning or if additional authentication layers are used.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network positioning for MITM attacks. No authentication needed to exploit the verification bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.5 and 3.0.0-M4

Vendor Advisory: https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281

Restart Required: Yes

Instructions:

1. Update Eclipse Californium to version 2.6.5 or 3.0.0-M4. 2. Restart affected services. 3. Verify certificate verification is now enforced.

🔧 Temporary Workarounds

Disable certificate-based DTLS

all

Switch to PSK-based DTLS handshakes which are not affected by this vulnerability

Configure CoAP/DTLS to use PSK instead of x509/RPK certificates

Network segmentation

all

Isolate vulnerable systems to prevent MITM positioning

Implement VLAN segmentation
Use firewall rules to restrict DTLS traffic

🧯 If You Can't Patch

  • Implement network monitoring for DTLS handshake anomalies
  • Use additional application-layer authentication mechanisms

🔍 How to Verify

Check if Vulnerable:

Check Californium version: if between 2.0.0-2.6.4 or 3.0.0-M1-3.0.0-M3 and using certificate-based DTLS, system is vulnerable.

Check Version:

Check build.gradle or pom.xml for Californium dependency version

Verify Fix Applied:

Verify version is 2.6.5+ or 3.0.0-M4+. Test DTLS handshake with invalid server certificate - should fail.

📡 Detection & Monitoring

Log Indicators:

  • DTLS handshake successes with invalid certificates
  • Certificate verification warnings/errors

Network Indicators:

  • Unusual DTLS handshake patterns
  • MITM detection alerts

SIEM Query:

Search for DTLS handshake events with certificate verification failures followed by successful connections

📊 Metadata

CVE ID: CVE-2021-34433
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-322
Published: August 20, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-34433, you might also want to check these:

CVE-2026-1709 9.4

Keylime versions 7.12.0 and later have a critical authentication bypass vulnerability where the regi...

Same vulnerability type (CWE-322)
CVE-2025-20163 8.7

This vulnerability allows unauthenticated remote attackers to impersonate Cisco NDFC-managed devices...

Same vulnerability type (CWE-322)
CVE-2024-47519 8.3

CVE-2024-47519 is a man-in-the-middle vulnerability in Arista's ETM backup upload functionality that...

Same vulnerability type (CWE-322)