CVE-2021-36396
📋 TL;DR
This vulnerability in Moodle allows attackers to bypass cURL security restrictions through insufficient redirect handling, enabling blind Server-Side Request Forgery (SSRF). Attackers can make Moodle send requests to internal systems that should be blocked. All Moodle installations with vulnerable versions are affected.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle
Moodle by Moodle
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, scan internal networks, interact with internal APIs, or exploit other vulnerabilities in internal systems through Moodle's server.
Likely Case
Information disclosure from internal services, port scanning of internal networks, or interaction with metadata services in cloud environments.
If Mitigated
Limited impact if proper network segmentation, firewall rules, and cURL restrictions are already in place to block internal access.
🎯 Exploit Status
Exploitation requires attacker to control a URL that Moodle will fetch, typically through features like URL resource, SCORM packages, or other URL-fetching functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.9, 3.10.6, 3.11.2
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=424802
Restart Required: No
Instructions:
1. Backup your Moodle installation and database. 2. Download the patched version from moodle.org. 3. Replace files with patched version. 4. Run the upgrade process through the web interface or CLI.
🔧 Temporary Workarounds
Restrict URL fetching features
allDisable or restrict features that allow URL fetching by untrusted users
Strengthen network controls
allImplement strict firewall rules to limit Moodle server's outbound connections
🧯 If You Can't Patch
- Implement strict network segmentation to limit Moodle server's access to internal systems
- Review and restrict user permissions for URL-fetching features in Moodle
🔍 How to Verify
Check if Vulnerable:
Check Moodle version in Site administration > Notifications page or via CLI: php admin/cli/check_database_schema.phpCheck Version:
grep \$release /path/to/moodle/version.php | head -1Verify Fix Applied:
Verify version is 3.9.9+, 3.10.6+, or 3.11.2+ and check that the security fix is listed in the release notes📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Moodle server
- Multiple failed connection attempts to internal IPs
Network Indicators:
- Moodle server making unexpected requests to internal services
- Traffic to blocked hosts or non-standard ports
SIEM Query:
source="moodle_logs" AND (event="url_fetch" OR event="curl_request") AND (dest_ip IN internal_subnets OR dest_port NOT IN allowed_ports)