CVE-2021-3825

9.6 CRITICAL

📋 TL;DR

CVE-2021-3825 is a critical configuration exposure vulnerability in LiderAhenk's Lider module that allows attackers to retrieve LDAP credentials via an unsecured API. This affects all LiderAhenk deployments running Lider module version 2.1.15 and below. Attackers can obtain valid LDAP credentials, potentially compromising the entire directory service infrastructure.

💻 Affected Systems

Products:
  • LiderAhenk Lider module
Versions: 2.1.15 and below
Operating Systems: Pardus Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default installations of LiderAhenk with Lider module. The vulnerable API endpoint is typically accessible to any network user who can reach the service.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full domain compromise via LDAP credential theft leading to lateral movement, privilege escalation, and complete system takeover across all managed Pardus clients.

🟠 Likely Case

LDAP credential exposure enabling unauthorized access to directory services, user account compromise, and potential data exfiltration.

🟢 If Mitigated

Limited impact if API access is restricted through network segmentation and proper authentication controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP access to the vulnerable API endpoint. No authentication or special privileges needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.16 or later

Vendor Advisory: https://www.usom.gov.tr/bildirim/tr-21-0795

Restart Required: Yes

Instructions:

1. Update LiderAhenk Lider module to version 2.1.16 or later.
2. Restart the Lider service.
3. Verify the API endpoint now requires proper authentication.

🔧 Temporary Workarounds

Network Access Restriction (platform: Linux)

Restrict network access to the Lider module API using firewall rules. Replace [LIDER_PORT] and [TRUSTED_NETWORK] with the service port and the management network. Note that -A appends to the end of the INPUT chain, so if an earlier rule already accepts traffic on that port these two rules are never reached; insert them ahead of any such rule.

iptables -A INPUT -p tcp --dport [LIDER_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [LIDER_PORT] -j DROP

Reverse Proxy Authentication (platform: all)

Place the Lider module behind a reverse proxy that enforces authentication before forwarding requests to the API.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Lider module from untrusted networks
  • Monitor API access logs for unauthorized configuration retrieval attempts

🔍 How to Verify

Check if Vulnerable:

Attempt to access the configuration API endpoint without authentication:

curl http://[LIDER_HOST]:[PORT]/api/configurations

Check Version:

dpkg -l | grep lider-module
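To turn the version check above into something that can be run across a fleet, the following added example (not part of the advisory or of the LiderAhenk project) parses `dpkg -l` output and reports any Lider package whose upstream version is below the fixed release 2.1.16. It assumes the package name contains "lider", as in the advisory's own grep, and handles Debian epochs and revisions so that a version such as "1:2.1.15-1pardus1" compares correctly. The sample output is constructed.

```python
import re

# Fixed version stated in the advisory; anything below it is affected.
FIXED_VERSION = (2, 1, 16)


def parse_version(debian_version: str) -> tuple:
    """Turn a Debian package version such as '1:2.1.15-1pardus1' into (2, 1, 15).

    The epoch ('1:') and the Debian revision ('-1pardus1') are stripped because
    the advisory's threshold is expressed as an upstream version only.
    """
    upstream = debian_version.split(":", 1)[-1]   # drop epoch if present
    upstream = upstream.split("-", 1)[0]          # drop Debian revision
    return tuple(int(p) for p in re.findall(r"\d+", upstream))


def vulnerable_lider_packages(dpkg_output: str) -> list:
    """Return (package, version) pairs from `dpkg -l` output that are installed
    ('ii' status) and below FIXED_VERSION. Assumption: the package name contains
    'lider', matching the advisory's `grep lider-module` check."""
    hits = []
    for line in dpkg_output.splitlines():
        fields = line.split()
        # dpkg -l rows: status, name, version, architecture, description...
        if len(fields) < 3 or not fields[0].startswith("ii"):
            continue
        name, version = fields[1], fields[2]
        if "lider" not in name:
            continue
        if parse_version(version) < FIXED_VERSION:
            hits.append((name, version))
    return hits


# Constructed sample output; not captured from a real host.
SAMPLE_DPKG = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name             Version        Architecture Description
+++-================-==============-============-=================================
ii  lider-module     2.1.15-1       all          LiderAhenk Lider module (constructed)
ii  lider-console    2.1.16-1       all          LiderAhenk console (constructed)
rc  lider-module-old 2.0.9-1        all          removed, config remains (constructed)
"""

if __name__ == "__main__":
    for name, version in vulnerable_lider_packages(SAMPLE_DPKG):
        print(f"VULNERABLE: {name} {version} (< 2.1.16)")
```

On a real host, feed it `subprocess.run(["dpkg", "-l"], capture_output=True, text=True).stdout` instead of the constructed string; the "rc" row shows why the status column is checked, since a removed package with leftover configuration is not a running vulnerable service.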

Verify Fix Applied:

Verify that the same API endpoint now returns an authentication error or requires valid credentials.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access to /api/configurations endpoint
  • LDAP credential retrieval patterns in application logs

Network Indicators:

  • HTTP GET requests to configuration API from unauthorized IPs
  • Unusual LDAP queries following configuration access

SIEM Query:

source="lider.log" AND (uri="/api/configurations" OR message="configuration access") AND NOT user="authenticated"
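The log and network indicators above can be checked offline against exported access logs. The following added example (not part of the advisory or of the LiderAhenk project) flags requests to /api/configurations that were unauthenticated or came from outside a trusted management network, and notes when such a request was actually served with a 2xx status, which is the strongest sign the exposure was live. The log line layout, the `auth=yes|no` field, the trusted network 10.10.0.0/16 and the sample lines are all constructed assumptions for the example; adapt the regex to the real Lider log format.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumption for this example: the management network allowed to reach the API.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]
SENSITIVE_PATH = "/api/configurations"

# Assumed log layout (constructed for this example, not Lider's actual format):
# <client_ip> [<timestamp>] "<method> <path> HTTP/1.1" <status> auth=<yes|no>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) auth=(?P<auth>yes|no)$'
)


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    reason: str


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def scan_access_log(lines) -> list:
    """Return a Finding for every request to the configuration endpoint that was
    unauthenticated or came from an untrusted source. A 2xx status on such a
    request is recorded as well, since it means the configuration was served."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the whole scan
        if not m["path"].startswith(SENSITIVE_PATH):
            continue
        reasons = []
        if m["auth"] == "no":
            reasons.append("unauthenticated")
        if not is_trusted(m["ip"]):
            reasons.append("untrusted source")
        if reasons and m["status"].startswith("2"):
            reasons.append(f"served HTTP {m['status']}")
        if reasons:
            findings.append(Finding(m["ts"], m["ip"], ", ".join(reasons)))
    return findings


# Constructed sample lines; not from a real deployment.
SAMPLE_LOG = [
    '10.10.4.7 [2021-09-29T10:00:01Z] "GET /api/configurations HTTP/1.1" 200 auth=yes',
    '203.0.113.45 [2021-09-29T10:00:09Z] "GET /api/configurations HTTP/1.1" 200 auth=no',
    '10.10.4.9 [2021-09-29T10:01:30Z] "GET /api/configurations HTTP/1.1" 200 auth=no',
    '10.10.4.7 [2021-09-29T10:02:00Z] "GET /api/status HTTP/1.1" 200 auth=no',
    '203.0.113.45 [2021-09-29T10:03:00Z] "GET /api/configurations HTTP/1.1" 401 auth=no',
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client_ip}: {f.reason}")
```

The third sample line is the case worth watching after patching: an unauthenticated request from inside the trusted network that was still served means the fix or the proxy rule is not yet in effect, whereas the 401 on the last line is what a patched endpoint should produce.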
