CVE-2021-35943 – CVE-2021-35943 allows externally managed users ... (How to Fix)

Q: What is the severity of CVE-2021-35943?

CVE-2021-35943 has a CVSS score of 9.8 (CRITICAL). CVE-2021-35943 allows externally managed users in Couchbase Server to authenticate with empty passwords, violating RFC4513 authentication requirements. This affects Couchbase Server versions 6.5.x and 6.6.x through 6.6.2. Attackers can gain unauthorized access to database systems configured with external authentication.

📋 TL;DR

CVE-2021-35943 allows externally managed users in Couchbase Server to authenticate with empty passwords, violating RFC4513 authentication requirements. This affects Couchbase Server versions 6.5.x and 6.6.x through 6.6.2. Attackers can gain unauthorized access to database systems configured with external authentication.

💻 Affected Systems

Products:

Couchbase Server

Versions: 6.5.x and 6.6.x through 6.6.2

Operating Systems: All supported platforms

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems using external user authentication (LDAP/AD integration). Internal Couchbase users are not affected.

📦 What is this software?

Couchbase Server by Couchbase

View all CVEs affecting Couchbase Server →

Couchbase Server by Couchbase

View all CVEs affecting Couchbase Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Couchbase Server with administrative access, leading to data theft, data destruction, or ransomware deployment across the database cluster.

🟠

Likely Case

Unauthorized access to sensitive data stored in Couchbase databases, potentially leading to data exfiltration or privilege escalation within the system.

🟢

If Mitigated

Limited impact if proper network segmentation and authentication controls prevent external access, though internal threats remain possible.

🌐 Internet-Facing: HIGH - Internet-facing Couchbase instances are directly exploitable by attackers who can reach the authentication endpoint.

🏢 Internal Only: MEDIUM - Internal systems are still vulnerable to insider threats or attackers who have gained network access through other means.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires knowledge of externally managed usernames but no password. Attackers can attempt common usernames or enumerate users through other means.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.6.3 and later, 7.0.0 and later

Vendor Advisory: https://www.couchbase.com/alerts

Restart Required: Yes

Instructions:

1. Backup Couchbase Server configuration and data. 2. Download and install Couchbase Server 6.6.3 or later from official channels. 3. Follow Couchbase upgrade documentation for your deployment type. 4. Restart Couchbase services after installation.

🔧 Temporary Workarounds

Disable External Authentication

all

Temporarily switch to internal Couchbase user management until patching is possible

# Configure Couchbase to use internal authentication only
# Refer to Couchbase documentation for specific configuration steps

Network Access Controls

linux

Restrict access to Couchbase authentication endpoints using firewall rules

# Example: Restrict port 8091 (web console) and LDAP ports
iptables -A INPUT -p tcp --dport 8091 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 8091 -j DROP

🧯 If You Can't Patch

Implement strict network segmentation to isolate Couchbase servers from untrusted networks
Enable comprehensive logging and monitoring of authentication attempts to detect exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check Couchbase Server version and verify if external authentication is configured. Versions 6.5.x or 6.6.x through 6.6.2 with external auth are vulnerable.

Check Version:

couchbase-server --version  # or check web console at http://localhost:8091

Verify Fix Applied:

After patching, verify version is 6.6.3+ or 7.0.0+. Test authentication with empty passwords for externally managed users should be rejected.

📡 Detection & Monitoring

Log Indicators:

Failed authentication attempts with empty passwords
Successful logins from unexpected sources
Multiple authentication attempts for the same user

Network Indicators:

Unusual authentication traffic to Couchbase ports
Connection attempts from unexpected IP ranges

SIEM Query:

source="couchbase" AND (event_type="authentication" OR event_type="login") AND (password="" OR password_length=0)

📊 Metadata

CVE ID: CVE-2021-35943

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-287

Published: September 29, 2021

Last Updated: November 21, 2024

🔗 References

https://docs.couchbase.com/server/current/release-notes/relnotes.html Release Notes,Vendor Advisory
https://www.couchbase.com/alerts Vendor Advisory
https://docs.couchbase.com/server/current/release-notes/relnotes.html Release Notes,Vendor Advisory
https://www.couchbase.com/alerts Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-35943, you might also want to check these: