CVE-2021-37705

10.0 CRITICAL

📋 TL;DR

CVE-2021-37705 is an incomplete authorization check in OneFuzz, Microsoft's self-hosted fuzzing-as-a-service platform for Azure. When an instance is deployed with the non-default --multi_tenant_domain option, the service verifies that a bearer token is a valid Azure AD token for its app registration but does not verify which Azure AD tenant issued it, so an authenticated user from any Azure AD tenant (including one the attacker controls) can make authorized API calls against the instance. That grants read/write access to private data held by the deployment, such as crash and vulnerability information, security testing tools and proprietary code under test, and the ability to alter or execute code on the fuzzed targets. Only deployments running 2.12.0 through 2.30.x with --multi_tenant_domain are affected; the fix ships in 2.31.0.

💻 Affected Systems

Products:
  • OneFuzz
Versions: 2.12.0 to 2.30.x
Operating Systems: All platforms running OneFuzz
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when deployed with the non-default --multi_tenant_domain option

📦 What is this software?

OneFuzz is Microsoft's open-source, self-hosted fuzzing-as-a-service platform. A deployment creates a service API (an Azure Function app) plus Azure storage and compute in the operator's own subscription; fuzzing jobs run on that compute, and crash reports, coverage data and the inputs and binaries under test live in the deployment's storage. Users and CI pipelines drive it through the onefuzz CLI, which authenticates to the API with Azure AD bearer tokens.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the OneFuzz instance including unauthorized code execution on Azure compute resources, exfiltration of proprietary source code and vulnerability data, and tampering with security testing results.

🟠

Likely Case

Unauthorized access to sensitive fuzzing data, proprietary code, and vulnerability information from other organizations using the same OneFuzz deployment.

🟢

If Mitigated

No impact for deployments that were never given --multi_tenant_domain (the default single-tenant configuration only accepts tokens from the deploying tenant) or that run 2.31.0 or later, where the issuing tenant of every bearer token is checked against the allowed set.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid Azure AD bearer token for the OneFuzz app registration, but that token may come from any Azure AD tenant, including a free tenant the attacker created; no account in, or relationship with, the victim's tenant is needed, which is why the attack is low complexity despite being "authenticated".

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.31.0

Vendor Advisory: https://github.com/microsoft/onefuzz/security/advisories/GHSA-q5vh-6whw-x745

Restart Required: Yes

Instructions:

1. Upgrade to OneFuzz 2.31.0 or later. OneFuzz upgrades are performed by re-running the deployment from the new release against the existing resource group, which replaces the service API code.
2. Redeploying restarts the service API; no separate restart step is needed beyond letting the deployment finish.
3. Verify the fix: confirm the service reports 2.31.0 or later, then confirm that a bearer token issued by an Azure AD tenant outside your allowed set is rejected (HTTP 401/403) while a token from your own tenant still works.
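The check that step 3 is testing is the one this CVE is about: after a token's signature, expiry and audience have been verified, the service must also verify which tenant issued it. The following is an added example written for this page, not OneFuzz's own code, showing the flawed check beside the hardened one on constructed, unsigned test tokens. The audience string and tenant IDs are hypothetical, and signature verification (normally done against the Azure AD signing keys, e.g. with PyJWT) is assumed to have already happened before these functions run.

```python
import base64
import json
from typing import Any, Dict, Iterable, Optional

# Hypothetical values for this example (not from the advisory or the project).
APP_AUDIENCE = "api://onefuzz-example"
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
FOREIGN_TENANT = "22222222-2222-2222-2222-222222222222"

# Issuer URL prefixes Azure AD uses for v1 and v2 tokens; the tenant ID follows the prefix.
AAD_ISSUER_PREFIXES = ("https://sts.windows.net/", "https://login.microsoftonline.com/")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_test_jwt(claims: Dict[str, Any]) -> str:
    """Build a constructed, UNSIGNED token for the demo only. A real Azure AD token
    carries an RS256 signature that must be verified before any claim is trusted."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def claims_from_jwt(token: str) -> Dict[str, Any]:
    """Extract the payload claims. Signature and expiry checks are assumed to have
    run already; what follows is the authorization step that comes after them."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def tenant_from_claims(claims: Dict[str, Any]) -> Optional[str]:
    """Return the issuing tenant ID from `tid`, or fall back to parsing it out of `iss`."""
    tid = claims.get("tid")
    if tid:
        return str(tid).lower()
    iss = str(claims.get("iss", ""))
    for prefix in AAD_ISSUER_PREFIXES:
        if iss.startswith(prefix):
            return iss[len(prefix):].split("/")[0].lower()
    return None


def vulnerable_is_authorized(claims: Dict[str, Any]) -> bool:
    """The flaw class: audience is checked, issuing tenant is not. With a multi-tenant
    app registration, every Azure AD tenant can mint a token carrying this audience."""
    return claims.get("aud") == APP_AUDIENCE


def fixed_is_authorized(claims: Dict[str, Any], allowed_tenants: Iterable[str]) -> bool:
    """Hardened check: audience AND issuing tenant must match an explicit allowlist.
    A token with no recoverable tenant is rejected rather than waved through."""
    if claims.get("aud") != APP_AUDIENCE:
        return False
    tenant = tenant_from_claims(claims)
    return tenant is not None and tenant in {t.lower() for t in allowed_tenants}


def evaluate(token: str, allowed_tenants: Iterable[str]) -> Dict[str, bool]:
    """Run both checks on one token so the difference is visible side by side."""
    claims = claims_from_jwt(token)
    return {
        "vulnerable": vulnerable_is_authorized(claims),
        "fixed": fixed_is_authorized(claims, allowed_tenants),
    }


# Constructed tokens: a user in the home tenant, a user in a foreign tenant (v2 issuer,
# no `tid`, to exercise the issuer fallback), and a token minted for some other app.
HOME_TOKEN = make_unsigned_test_jwt(
    {"aud": APP_AUDIENCE, "tid": HOME_TENANT,
     "iss": f"https://sts.windows.net/{HOME_TENANT}/", "oid": "user-in-home-tenant"})
FOREIGN_TOKEN = make_unsigned_test_jwt(
    {"aud": APP_AUDIENCE,
     "iss": f"https://login.microsoftonline.com/{FOREIGN_TENANT}/v2.0", "oid": "attacker"})
WRONG_AUDIENCE_TOKEN = make_unsigned_test_jwt(
    {"aud": "api://some-other-app", "tid": HOME_TENANT,
     "iss": f"https://sts.windows.net/{HOME_TENANT}/"})

if __name__ == "__main__":
    for name, token in [("home", HOME_TOKEN), ("foreign", FOREIGN_TOKEN),
                        ("wrong-aud", WRONG_AUDIENCE_TOKEN)]:
        print(name, evaluate(token, [HOME_TENANT]))
```

The foreign-tenant token passes the vulnerable check and fails the fixed one; that pair of results is exactly what to look for when you test a patched instance with a token from a tenant you do not trust.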

🔧 Temporary Workarounds

Redeploy without multi-tenant domain

Remove the --multi_tenant_domain option and redeploy OneFuzz in the default single-tenant configuration, so the app registration only accepts sign-ins from the deploying tenant. Deployment is done with the deploy.py script shipped in the release archive; the positional arguments below are the documented ones, confirm them with `python deploy.py --help` for the release you are deploying. The point is simply that `--multi_tenant_domain` is absent:

python deploy.py <region> <resource_group> <name> <owner> <nsg_config>

🧯 If You Can't Patch

  • Restrict network access to the OneFuzz API (the Azure Function app) to trusted IP ranges or virtual networks, e.g. with App Service access restrictions or a private endpoint, so an attacker's own tenant token is useless without network reach
  • Front the API with an API gateway or WAF that validates the bearer token itself and rejects any token whose issuer (`iss`) or tenant (`tid`) claim is not one of your own tenants

🔍 How to Verify

Check if Vulnerable:

A deployment is vulnerable only if both conditions hold: the service version is in the 2.12.0 to 2.30.x range, and it was deployed with --multi_tenant_domain. Check the deployment command or pipeline that ran deploy.py for that option; in Azure AD, the OneFuzz app registration for such a deployment is configured to accept accounts from any organizational directory (multi-tenant) rather than the single deploying tenant.

Check Version:

onefuzz versions check
onefuzz info get

(`versions check` compares the CLI and service versions; `info get` returns the instance details, including the deployed component versions.)

Verify Fix Applied:

Confirm the service reports 2.31.0 or later, then test the behaviour rather than the version string: obtain an access token for the OneFuzz app registration from an Azure AD tenant that is not one of yours (a throwaway tenant is enough) and call an authenticated endpoint with it. A fixed instance returns 401/403; the same request with a token from your own tenant succeeds.

📡 Detection & Monitoring

Log Indicators:

  • Failed authorization attempts from unexpected Azure AD tenants
  • API calls with bearer tokens from unauthorized issuers

Network Indicators:

  • Unusual API access patterns from external Azure AD tenants
  • Increased data transfer from OneFuzz API endpoints

SIEM Query:

source="onefuzz" AND (event_type="auth_failure" OR event_type="unauthorized_access") AND tenant_id NOT IN [allowed_tenants]

This is an illustrative pseudo-query; the field names are placeholders and depend on your log source. OneFuzz sends its service telemetry to Application Insights, where the equivalent is a KQL query over the request and trace tables filtered on failed result codes and on a token tenant outside your allowed set.
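To make the log indicators above concrete, here is an added example (written for this page, not OneFuzz tooling) that runs the detection over constructed request-log lines. It assumes a JSON-per-line request log in which the token's issuer and tenant claims were recorded as `token_iss` and `token_tid`; those field names, the tenant IDs and the log lines themselves are hypothetical and constructed for the example, so map them to whatever your gateway or Application Insights export actually records. It separates three things a responder wants: every request carrying a foreign-tenant token, the subset the API actually answered successfully (a real bypass, not a blocked attempt), and a per-tenant status breakdown.

```python
import json
from collections import Counter
from typing import Any, Dict, Iterable, List, Optional

# Hypothetical tenant IDs for this example.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}

# Issuer URL prefixes Azure AD uses for v1 and v2 tokens; the tenant ID follows the prefix.
AAD_ISSUER_PREFIXES = ("https://sts.windows.net/", "https://login.microsoftonline.com/")

# Constructed request-log lines (one JSON object per line). NOT OneFuzz's own log
# schema: token_iss/token_tid stand in for whatever your log source records.
SAMPLE_LOG = """\
{"ts": "2021-08-10T12:00:01Z", "src_ip": "203.0.113.10", "method": "GET", "path": "/api/jobs", "status": 200, "token_tid": "11111111-1111-1111-1111-111111111111", "token_iss": "https://sts.windows.net/11111111-1111-1111-1111-111111111111/"}
{"ts": "2021-08-10T12:03:44Z", "src_ip": "198.51.100.7", "method": "GET", "path": "/api/jobs", "status": 200, "token_tid": "22222222-2222-2222-2222-222222222222", "token_iss": "https://sts.windows.net/22222222-2222-2222-2222-222222222222/"}
{"ts": "2021-08-10T12:04:10Z", "src_ip": "198.51.100.7", "method": "GET", "path": "/api/containers", "status": 200, "token_iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0"}
{"ts": "2021-08-10T12:05:02Z", "src_ip": "203.0.113.11", "method": "POST", "path": "/api/tasks", "status": 200, "token_tid": "11111111-1111-1111-1111-111111111111", "token_iss": "https://sts.windows.net/11111111-1111-1111-1111-111111111111/"}
{"ts": "2021-08-10T12:09:30Z", "src_ip": "198.51.100.9", "method": "GET", "path": "/api/info", "status": 401, "token_tid": "33333333-3333-3333-3333-333333333333", "token_iss": "https://sts.windows.net/33333333-3333-3333-3333-333333333333/"}
{"ts": "2021-08-10T12:10:00Z", "src_ip": "192.0.2.5", "method": "GET", "path": "/api/info", "status": 401}
"""


def parse_log(text: str) -> List[Dict[str, Any]]:
    """Parse JSON-lines log text, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def tenant_from_record(rec: Dict[str, Any]) -> Optional[str]:
    """Issuing tenant from the recorded `tid`, else parsed from the `iss` URL; None if no token."""
    tid = rec.get("token_tid")
    if tid:
        return str(tid).lower()
    iss = str(rec.get("token_iss", ""))
    for prefix in AAD_ISSUER_PREFIXES:
        if iss.startswith(prefix):
            return iss[len(prefix):].split("/")[0].lower()
    return None


def foreign_tenant_requests(records: Iterable[Dict[str, Any]],
                            allowed: Iterable[str] = ALLOWED_TENANTS) -> List[Dict[str, Any]]:
    """Requests that carried a token from a tenant outside the allowlist.
    Requests with no token at all are ordinary auth failures and are not included."""
    allowed_lower = {t.lower() for t in allowed}
    hits = []
    for rec in records:
        tenant = tenant_from_record(rec)
        if tenant is not None and tenant not in allowed_lower:
            hits.append({**rec, "tenant": tenant})
    return hits


def successful_bypasses(records: Iterable[Dict[str, Any]],
                        allowed: Iterable[str] = ALLOWED_TENANTS) -> List[Dict[str, Any]]:
    """Foreign-tenant requests the API answered with a non-error status: the bypass worked."""
    return [r for r in foreign_tenant_requests(records, allowed) if int(r["status"]) < 400]


def requests_per_tenant(records: Iterable[Dict[str, Any]]) -> Dict[str, Counter]:
    """Status-code counts per issuing tenant, useful for spotting a new tenant appearing."""
    per: Dict[str, Counter] = {}
    for rec in records:
        tenant = tenant_from_record(rec) or "<no token>"
        per.setdefault(tenant, Counter())[int(rec["status"])] += 1
    return per


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in foreign_tenant_requests(recs):
        print("foreign tenant:", hit["ts"], hit["tenant"], hit["method"], hit["path"], hit["status"])
    print("successful bypasses:", len(successful_bypasses(recs)))
    for tenant, counts in requests_per_tenant(recs).items():
        print(tenant, dict(counts))
```

On the constructed sample, the tenant 2222... lines are the ones that matter: two successful reads from a tenant you never allowed, which on a 2.12.0 to 2.30.x multi-tenant instance is the vulnerability being used rather than a failed probe. After upgrading, the same query should only ever show foreign tenants with 401/403 results.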
