CVE-2021-36794

9.8 CRITICAL

📋 TL;DR

In Siren Investigate before 11.1.4, enabling the cluster feature of the Siren Alert application disables TLS certificate verification globally for the whole Siren Investigate (and Siren Alert) process, not just for the cluster connection. Every outbound TLS connection the application makes then accepts any certificate, so an attacker on the network path can present their own certificate and intercept or modify the traffic in a man-in-the-middle attack. Only deployments with the cluster feature enabled are affected.

💻 Affected Systems

Products:
  • Siren Investigate
Versions: All versions before 11.1.4
Operating Systems: All supported platforms
Default Config Vulnerable: No
Notes: Only vulnerable when the cluster feature of the Siren Alert application is enabled. Default installations, which do not enable this feature, are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Siren Investigate communications, allowing attackers to intercept sensitive data, inject malicious commands, or redirect traffic to attacker-controlled systems.

🟠 Likely Case

Man-in-the-middle attacks leading to data interception, credential theft, and potential unauthorized access to the Siren platform.

🟢 If Mitigated

Limited impact if the cluster feature is disabled or the instance is segmented from untrusted networks and its outbound connections are monitored; the verification bypass itself remains until the patch is applied.

🌐 Internet-Facing: HIGH - Internet-facing instances are vulnerable to external attackers intercepting communications.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can exploit this to intercept sensitive internal communications.

🎯 Exploit Status

Public PoC: No
Weaponized: Unknown
Unauthenticated Exploit: Yes (no Siren credentials are needed; the attacker needs a network position from which to intercept traffic)
Complexity: LOW

Exploitation requires the cluster feature to be enabled and a network position from which the attacker can intercept the application's outbound TLS connections (for example a compromised host on the same segment, or control of DNS or routing). No Siren credentials are needed: because certificate verification is off, the attacker's own certificate is accepted for any destination.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.1.4

Vendor Advisory: https://docs.siren.io/siren-platform-user-guide/11.1/release-notes.html#_security_fixes_3

Restart Required: Yes

Instructions:

1. Upgrade Siren Investigate to version 11.1.4 or later.
2. Restart the Siren Investigate service.
3. Verify that TLS certificate verification is functioning properly (see How to Verify below).

🔧 Temporary Workarounds

Disable Cluster Feature

Platforms: all

Disable the Siren Alert cluster feature so that the code path which turns off TLS verification is never reached.

Consult the Siren Alert documentation for the cluster configuration setting, disable it, and restart Siren Investigate so the process starts with verification enabled.

Network Segmentation

Platforms: all

Isolate Siren Investigate instances from untrusted networks to reduce attack surface.

🧯 If You Can't Patch

  • Disable the Siren Alert cluster feature immediately and restart the service
  • Restrict which hosts can sit on the network path between Siren Investigate and its backend and cluster peers, and monitor Siren's outbound TLS connections for unexpected certificates

🔍 How to Verify

Check if Vulnerable:

Siren Investigate is vulnerable if its version is below 11.1.4 and the Siren Alert cluster feature is enabled in its configuration; both conditions must hold.

Check Version:

Check Siren Investigate web interface or configuration files for version information

Verify Fix Applied:

Confirm the version is 11.1.4 or later. Then, with the cluster feature enabled, point a test connection (for example a cluster peer endpoint) at a server presenting a self-signed or otherwise untrusted certificate and confirm that Siren rejects it with a certificate error rather than connecting.

📡 Detection & Monitoring

Log Indicators:

  • Absence of certificate errors when the application connects to a peer whose certificate it should not trust (the bypass suppresses them); after patching, such errors reappear and are expected
  • Any startup warning from the runtime that TLS certificate verification has been disabled

Network Indicators:

  • Outbound TLS connections from Siren Investigate hosts whose server certificate does not chain to the expected CA or does not match the destination hostname (visible in TLS inspection or in Zeek/Suricata certificate logs)
  • New or unexpected certificate issuers, or self-signed certificates, on Siren's connections to its backend and cluster peers

SIEM Query:

Search Siren Investigate process and application logs for messages indicating TLS verification was disabled, and correlate with network certificate logs for Siren hosts showing unexpected issuers or self-signed certificates on outbound connections.
