CVE-2021-36711

9.8 CRITICAL

📋 TL;DR

CVE-2021-36711 is a critical remote code execution vulnerability in OctoBot's WebInterface that allows attackers to upload malicious Tentacles (plugins) and execute arbitrary code on the server. This affects all OctoBot instances with WebInterface enabled before version 0.4.4. Attackers can gain complete control of affected systems.

💻 Affected Systems

Products:
  • OctoBot
Versions: All versions before 0.4.4
Operating Systems: All platforms running OctoBot
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with WebInterface enabled. The vulnerability exists in the Tentacles upload functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive data, install persistent backdoors, pivot to other systems, and potentially use the system for cryptocurrency mining or botnet activities.

🟠 Likely Case

Remote code execution leading to cryptocurrency wallet theft, trading bot manipulation, system takeover for resource abuse, and potential lateral movement within the network.

🟢 If Mitigated

Limited impact if proper network segmentation, strict firewall rules, and authentication controls are implemented, though the vulnerability remains exploitable.

🌐 Internet-Facing: HIGH - A WebInterface exposed to the internet allows unauthenticated remote attackers to execute arbitrary code without user interaction.
🏢 Internal Only: HIGH - Even internally, any attacker with network access can exploit this vulnerability to gain complete control of the OctoBot instance.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit tools are available, including 'Sashimi - Evil OctoBot Tentacle', that automate exploitation. Exploitation requires no authentication and is trivial for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4.4 and later

Vendor Advisory: https://github.com/Drakkar-Software/OctoBot/blob/master/CHANGELOG.md

Restart Required: Yes

Instructions:

1. Stop the OctoBot service.
2. Update OctoBot to version 0.4.4 or later using pip: 'pip install --upgrade OctoBot'.
3. Restart the OctoBot service.
4. Verify the version is 0.4.4+.

🔧 Temporary Workarounds

Disable WebInterface

Applies to: all

Completely disable the vulnerable WebInterface component

Edit OctoBot config to set 'web_interface_enabled': false
Or run OctoBot with --no-web-interface flag

Network Access Control

Applies to: all

Restrict network access to the OctoBot WebInterface

Configure firewall to block external access to OctoBot port (default 5001)
Use VPN or IP whitelisting for required access

🧯 If You Can't Patch

  • Immediately disable WebInterface in configuration or via command line flag
  • Implement strict network segmentation and firewall rules to isolate OctoBot from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check the OctoBot version: if the version is < 0.4.4 AND the WebInterface is enabled, the system is vulnerable.

Check Version:

Run octobot --version, or check config.json for the version.

Verify Fix Applied:

Verify that the OctoBot version is 0.4.4 or higher and test that the Tentacles upload functionality validates file types properly.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Tentacles upload activity
  • Suspicious file uploads to /tentacles endpoint
  • Execution of unexpected system commands
  • Failed authentication attempts to WebInterface

Network Indicators:

  • POST requests to /tentacles upload endpoint with unusual file types
  • Outbound connections from OctoBot to unexpected destinations
  • Sudden increase in network traffic from OctoBot host

SIEM Query:

source="octobot.log" AND ("tentacles upload" OR "/tentacles" POST) | stats count by src_ip
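The network indicators above (POSTs to the /tentacles upload endpoint carrying unusual file types, counted per source IP) and the version check from the "How to Verify" section, as an added defensive example that is not OctoBot's own code. The access-log format, the field names and the assumption that legitimate Tentacle packages arrive as .zip archives are all constructed for this example.

```python
"""Added example (not OctoBot's own code): flag uploads to /tentacles with
unexpected file types in constructed access-log lines, count them per
source IP, and check whether a version is below the fixed 0.4.4.
Log format, field names and the expected extension are assumptions."""
import re
from collections import Counter

# Assumed access-log shape: "<src_ip> <METHOD> <path> <status> [filename=<name>]"
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: filename=(?P<name>\S+))?$"
)
UPLOAD_PATH = "/tentacles"      # upload endpoint named in the advisory
EXPECTED_EXT = {".zip"}         # assumption: legitimate packages are archives
FIXED_VERSION = (0, 4, 4)       # first fixed release per the advisory

# Constructed sample lines, not real traffic
SAMPLE_LOG = """\
10.0.0.5 GET /dashboard 200
10.0.0.5 POST /tentacles 200 filename=my_strategy.zip
198.51.100.7 POST /tentacles 200 filename=plugin.py
198.51.100.7 POST /tentacles 200 filename=run.sh
203.0.113.9 POST /tentacles 401 filename=x.zip
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious_upload(rec):
    """True for a POST to the upload endpoint whose file type is not expected."""
    if rec is None or rec["method"] != "POST" or rec["path"] != UPLOAD_PATH:
        return False
    name = rec["name"] or ""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return ext not in EXPECTED_EXT

def suspicious_uploads_by_ip(log_text):
    """Count suspicious upload attempts per src_ip (what the SIEM query reports)."""
    return Counter(
        rec["ip"] for rec in map(parse_line, log_text.splitlines())
        if is_suspicious_upload(rec)
    )

def is_vulnerable(version, web_interface_enabled):
    """Vulnerable when the version is below 0.4.4 and the WebInterface is enabled."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return web_interface_enabled and parts < FIXED_VERSION
```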
