CVE-2021-36394
📋 TL;DR
CVE-2021-36394 is a critical remote code execution vulnerability in Moodle's Shibboleth authentication plugin. Attackers can execute arbitrary code on Moodle servers by exploiting session fixation issues in the authentication flow. All Moodle installations using the Shibboleth plugin are affected.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to execute arbitrary code, steal sensitive data, install malware, pivot to internal networks, and maintain persistent access.
Likely Case
Unauthenticated remote code execution leading to data theft, defacement, or installation of cryptocurrency miners on vulnerable Moodle servers.
If Mitigated
Limited impact with proper network segmentation, web application firewalls, and intrusion detection systems in place.
🎯 Exploit Status
Exploitation requires no authentication and has been publicly documented. The vulnerability is in the session handling mechanism of the Shibboleth plugin.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Moodle 3.9.8, 3.10.5, 3.11.2
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=424799
Restart Required: No
Instructions:
1. Back up your Moodle installation and database.
2. Upgrade to Moodle 3.9.8, 3.10.5, or 3.11.2.
3. Verify that the upgrade completed successfully.
4. Test Shibboleth authentication functionality.
🔧 Temporary Workarounds
Disable Shibboleth Authentication
Temporarily disable the Shibboleth authentication plugin until patching is possible.
Navigate to Site administration > Plugins > Authentication > Manage authentication. Set Shibboleth to 'Disabled'.
🧯 If You Can't Patch
- Implement strict network access controls to limit Moodle server exposure
- Deploy web application firewall with RCE protection rules
🔍 How to Verify
Check if Vulnerable:
Check the Moodle version in Site administration > Notifications. If the version is between 3.9 and 3.9.7, 3.10 and 3.10.4, or 3.11 and 3.11.1 and the Shibboleth plugin is enabled, the system is vulnerable.
Check Version:
Check Moodle's config.php or visit the Site administration > Notifications page.
Verify Fix Applied:
Verify that the Moodle version shown in Site administration > Notifications is 3.9.8, 3.10.5, or 3.11.2, or a later release.
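The version check described above, as an added Python example that is not part of this advisory: it applies the advisory's vulnerable and fixed version ranges per branch and reports whether a host still needs the patch. The `$release = '3.9.7+ (Build: ...)'` string format it parses from Moodle's version.php and the sample file contents are assumptions, and weekly "+" builds are conservatively treated as their base release.

```python
import re

# Fixed release per affected branch, taken from the advisory's "Official Fix" section.
# Any release on one of these branches below the fixed release is vulnerable.
FIXED_BY_BRANCH = {
    (3, 9): (3, 9, 8),
    (3, 10): (3, 10, 5),
    (3, 11): (3, 11, 2),
}

# Matches "3.9.7", "3.10", "3.10.4+" or "3.9.7+ (Build: 20210618)" (format assumed).
RELEASE_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release):
    """Turn a Moodle release string into a (major, minor, patch) tuple; "3.10" -> (3, 10, 0)."""
    m = RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised Moodle release string: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(release, shibboleth_enabled):
    """Classify a host: 'plugin-disabled', 'fixed', 'vulnerable' or 'unknown-branch'.

    'unknown-branch' means the release is outside the ranges the advisory lists,
    so this check cannot say anything about it.
    """
    if not shibboleth_enabled:
        return "plugin-disabled"  # the documented temporary workaround is in place
    version = parse_release(release)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    return "fixed" if version >= fixed else "vulnerable"


def read_release_from_version_php(text):
    """Pull the $release value out of the contents of a Moodle version.php file."""
    m = re.search(r"\$release\s*=\s*['\"]([^'\"]+)['\"]", text)
    return m.group(1) if m else None


# Constructed sample of a version.php for a host on 3.9.7 (format is an assumption).
SAMPLE_VERSION_PHP = """<?php
$version  = 2020061507.00;
$release  = '3.9.7+ (Build: 20210618)';
$branch   = '39';
"""

if __name__ == "__main__":
    release = read_release_from_version_php(SAMPLE_VERSION_PHP)
    print(release, "->", assess(release, shibboleth_enabled=True))  # vulnerable
```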
📡 Detection & Monitoring
Log Indicators:
- Unusual PHP execution patterns in web server logs
- Suspicious Shibboleth authentication attempts
- Unexpected process execution from web user context
Network Indicators:
- Unusual outbound connections from Moodle server
- HTTP requests with suspicious parameters to Shibboleth endpoints
SIEM Query:
source="moodle_logs" AND (event="shibboleth_auth" AND status="unusual") OR (process_execution FROM web_user)