CVE-2021-38121 – This vulnerability allows attackers to intercep... (How to Fix)

Q: What is the severity of CVE-2021-38121?

CVE-2021-38121 has a CVSS score of 8.3 (HIGH). This vulnerability allows attackers to intercept or manipulate communications between NetIQ Advanced Authentication clients and servers by exploiting weak TLS protocol versions. It affects organizations using NetIQ Advanced Authentication versions before 6.3.5.1 for multi-factor authentication.

📋 TL;DR

This vulnerability allows attackers to intercept or manipulate communications between NetIQ Advanced Authentication clients and servers by exploiting weak TLS protocol versions. It affects organizations using NetIQ Advanced Authentication versions before 6.3.5.1 for multi-factor authentication.

💻 Affected Systems

Products:

NetIQ Advanced Authentication

Versions: All versions before 6.3.5.1

Operating Systems: All supported platforms

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in the TLS implementation used for client-server communication when specific services are accessed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full authentication bypass, credential theft, and complete compromise of the authentication infrastructure leading to unauthorized access to protected systems.

🟠

Likely Case

Man-in-the-middle attacks allowing interception of authentication tokens and credentials, potentially enabling unauthorized access to applications using this authentication system.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, though communication confidentiality remains compromised.

🌐 Internet-Facing: HIGH - Internet-facing authentication endpoints are directly vulnerable to TLS downgrade attacks and interception.

🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still exploit weak TLS to intercept authentication traffic.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires network access to intercept TLS traffic but uses well-known TLS downgrade techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.3.5.1

Vendor Advisory: https://www.netiq.com/documentation/advanced-authentication-63/advanced-authentication-releasenotes-6351/data/advanced-authentication-releasenotes-6351.html

Restart Required: Yes

Instructions:

1. Download NetIQ Advanced Authentication 6.3.5.1 from official sources. 2. Backup current configuration and data. 3. Stop all Advanced Authentication services. 4. Install the update following vendor documentation. 5. Restart services and verify functionality.

🔧 Temporary Workarounds

TLS Protocol Restriction

all

Configure network devices or load balancers to only allow TLS 1.2 or higher for traffic to Advanced Authentication services.

Network Segmentation

all

Isolate Advanced Authentication servers in protected network segments with strict access controls.

🧯 If You Can't Patch

Implement network-level TLS inspection and blocking of weak protocol versions using firewalls or WAFs.
Monitor for unusual authentication patterns and TLS downgrade attempts in network traffic.

🔍 How to Verify

Check if Vulnerable:

Check the installed version of NetIQ Advanced Authentication and verify if it's below 6.3.5.1. Use TLS scanning tools to test if weak protocols are accepted.

Check Version:

Check the version in the Advanced Authentication administration console or review installation logs.

Verify Fix Applied:

Confirm version is 6.3.5.1 or higher and perform TLS handshake testing to verify only secure protocols are accepted.

📡 Detection & Monitoring

Log Indicators:

TLS protocol negotiation logs showing older protocol versions
Failed authentication attempts from unexpected locations

Network Indicators:

TLS handshakes using SSL 3.0, TLS 1.0, or TLS 1.1
Unusual traffic patterns to authentication endpoints

SIEM Query:

source="network_traffic" protocol="TLS" (version="SSLv3" OR version="TLSv1.0" OR version="TLSv1.1") dest_ip="[AUTH_SERVER_IP]"

📊 Metadata

CVE ID: CVE-2021-38121

CVSS v3 Score: 8.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

CWE: CWE-326

Published: August 28, 2024

Last Updated: September 13, 2024

🔗 References

https://www.netiq.com/documentation/advanced-authentication-63/advanced-authentication-releasenotes-6351/data/advanced-authentication-releasenotes-6351.html Release Notes,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-38121, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Netiq Advanced Authentication by Microfocus

Netiq Advanced Authentication by Microfocus

Netiq Advanced Authentication by Microfocus

Netiq Advanced Authentication by Microfocus

Netiq Advanced Authentication by Microfocus

Netiq Advanced Authentication by Microfocus

Netiq Advanced Authentication by Microfocus

Netiq Advanced Authentication by Microfocus

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

TLS Protocol Restriction

Network Segmentation

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities