CVE-2021-38562

7.5 HIGH

📋 TL;DR

The RT versions listed below contain a timing side channel in the REST2 authentication middleware (lib/RT/REST2/Middleware/Auth.pm, per the CVE description). An unauthenticated attacker who can reach the REST2 API can compare response times across many requests and infer information the authentication check should not reveal, such as whether a submitted username exists. Any organization exposing a vulnerable RT instance, especially to the internet, is at risk.

💻 Affected Systems

Products:
  • Best Practical Request Tracker (RT)
Versions: RT 4.2 before 4.2.17, RT 4.4 before 4.4.5, RT 5.0 before 5.0.2
Operating Systems: All operating systems running RT
Default Config Vulnerable: ⚠️ Yes
Notes: REST2 is part of RT 5.0 core; on RT 4.2 and 4.4 it was provided by the RT::Extension::REST2 add-on. Treat any listed version where /REST/2.0/ answers requests as affected until upgraded to 4.2.17, 4.4.5 or 5.0.2.

📦 What is this software?

Request Tracker (RT) is Best Practical's open-source, Perl-based ticketing and issue-tracking system. It runs as a web application (installed under /opt/rt4 or /opt/rt5 by default) and exposes a JSON REST API, REST2, under the /REST/2.0/ path.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker enumerates valid accounts through timing analysis of REST2 authentication responses, then uses the list for credential stuffing, password spraying or targeted phishing against the identified users.

🟠 Likely Case

An attacker with network access to the RT instance confirms which usernames exist and goes on to compromise accounts with weak or reused passwords, or uses the names for social engineering.

🟢 If Mitigated

With the REST2 API restricted to trusted networks and strong credentials enforced, the remaining impact is possible username disclosure with no direct system compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ None known
Weaponized: No public reports
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation needs no credentials, only network reachability of the REST2 endpoint, but it requires many repeated requests and statistical comparison of response times. Network jitter raises the number of samples needed, and rate limiting raises it further.
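The class of defect involved, as an added illustration in Python (not RT's code; RT is written in Perl and the exact logic of its REST2 middleware is not reproduced here): an authentication check that returns early for unknown users, beside a variant that does the same work on every path and compares with hmac.compare_digest. The user store, the PBKDF2 parameters and the derivation counter are constructed for the demonstration; the counter stands in for the wall-clock difference an attacker would actually measure.

```python
"""Illustration of a user-existence timing leak in an authentication check.

Added example, not code from Request Tracker. The user store, hashing
parameters and counters are constructed for the demonstration.
"""
import hashlib
import hmac
import os

_ITERATIONS = 50_000
_DB = {}  # constructed store: username -> (salt, derived key)


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def register(username, password):
    salt = os.urandom(16)
    _DB[username] = (salt, _derive(password, salt))


# Counts expensive derivations so the leak is visible deterministically;
# on the wire the same difference shows up as response time.
DERIVATIONS = {"count": 0}


def _counted_derive(password, salt):
    DERIVATIONS["count"] += 1
    return _derive(password, salt)


def check_leaky(username, password):
    """Vulnerable pattern: unknown users return before the expensive hash.

    An unknown user is answered in microseconds, a known user only after
    the PBKDF2 cost. Sampling both tells them apart: a username oracle.
    """
    entry = _DB.get(username)
    if entry is None:
        return False  # fast path leaks that the user does not exist
    salt, expected = entry
    # '==' on bytes also stops at the first differing byte (non-constant-time).
    return _counted_derive(password, salt) == expected


# Hardened variant: identical work on every path, constant-time compare.
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = _derive("dummy-password-never-valid", _DUMMY_SALT)


def check_hardened(username, password):
    entry = _DB.get(username)
    if entry is None:
        salt, expected, known = _DUMMY_SALT, _DUMMY_KEY, False
    else:
        (salt, expected), known = entry, True
    derived = _counted_derive(password, salt)  # always paid, known or not
    # compare_digest runs in time independent of where the inputs differ.
    return known and hmac.compare_digest(derived, expected)


def derivations_for(check, username, password):
    """Return how many expensive derivations `check` performed for one call."""
    before = DERIVATIONS["count"]
    check(username, password)
    return DERIVATIONS["count"] - before


if __name__ == "__main__":
    register("alice", "correct horse")
    for check in (check_leaky, check_hardened):
        print(check.__name__, "known:", derivations_for(check, "alice", "x"),
              "unknown:", derivations_for(check, "bob", "x"))
```

The leaky variant performs zero derivations for an unknown user and one for a known user; the hardened variant performs one in both cases. Both a constant-cost path and a constant-time comparison are needed: fixing only the comparison leaves the early return, and vice versa.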

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RT 4.2.17, RT 4.4.5, RT 5.0.2 or later

Vendor Advisory: https://docs.bestpractical.com/release-notes/rt/index.html

Restart Required: Yes

Instructions:

1. Back up the RT installation and database.
2. Download the fixed release from Best Practical.
3. Follow the RT upgrade documentation for your branch, including any database upgrade steps it lists.
4. Restart the RT services (and the web or application server fronting RT) after the upgrade.

🔧 Temporary Workarounds

Disable REST2 API (platform: all)

Temporarily block the REST2 API if nothing depends on it.

Deny requests to the /REST/2.0/ path prefix at the web server or reverse proxy in front of RT (for example an Apache <Location> block or an nginx location block returning 403), then confirm with a request to /REST/2.0/ that the block is in effect.

Network Access Control (platform: all)

Restrict the RT REST API endpoints to trusted networks only.

Add firewall rules that limit access to the RT port (default 80/443) to authorized source addresses. If the web UI must stay reachable, apply the restriction to the /REST/2.0/ prefix in the web server or proxy instead.

🧯 If You Can't Patch

  • Rate-limit requests to /REST/2.0/ per source address. A timing attack depends on large numbers of samples, so throttling raises the attacker's cost directly; a WAF cannot see timing, but it can enforce the limit.
  • Enforce strong, unique passwords, and require MFA wherever the authentication layer in front of RT supports it; disclosed usernames matter most where passwords are weak. Note that REST2 accepts HTTP Basic and token authentication, which may not pass through the same MFA flow as the web UI.

🔍 How to Verify

Check if Vulnerable:

Read the version from lib/RT.pm (it carries the line our $VERSION = '...';) or from the footer of any RT web page, and compare it with the fixed releases for its branch.

Check Version:

grep -m1 'our \$VERSION' /path/to/rt/lib/RT.pm

(RT installs under /opt/rt5 or /opt/rt4 by default.)

Verify Fix Applied:

Confirm the version is 4.2.17+, 4.4.5+ or 5.0.2+ on its branch, then confirm the REST2 API still answers authenticated requests at /REST/2.0/ after the upgrade.
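The version comparison above, as an added Python helper (not a Best Practical tool): it reads the our $VERSION line from the text of lib/RT.pm and decides per branch whether the release predates the fix. The fixed versions are the ones listed in this advisory; the RT.pm snippet is constructed for the example, and a pre-release suffix such as rc1 on the fixed version is treated as still vulnerable because it predates that release.

```python
"""Check an RT version against the CVE-2021-38562 fixed releases.

Added example, not part of RT. FIXED comes from the advisory; the
RT.pm snippet is constructed to mirror the 'our $VERSION' line in lib/RT.pm.
"""
import re

# First fixed release on each affected branch.
FIXED = {(4, 2): (4, 2, 17), (4, 4): (4, 4, 5), (5, 0): (5, 0, 2)}

_VERSION_LINE = re.compile(r"^\s*our\s+\$VERSION\s*=\s*['\"]([^'\"]+)['\"]")
_VERSION_PARTS = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(\S*)")

# Constructed stand-in for the top of lib/RT.pm.
SAMPLE_RT_PM = """package RT;
use strict;
use warnings;

our $VERSION = '5.0.1';
"""


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for strings like '4.4.5rc1'."""
    m = _VERSION_PARTS.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RT version: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), bool(suffix)


def version_from_rt_pm(contents):
    """Extract the version string from the text of lib/RT.pm."""
    for line in contents.splitlines():
        m = _VERSION_LINE.match(line)
        if m:
            return m.group(1)
    raise ValueError("no 'our $VERSION' line found")


def is_vulnerable(version):
    """True if vulnerable, False if fixed, None if the branch is not listed.

    Branches the advisory does not name (for example 4.0) return None
    rather than a guess.
    """
    base, prerelease = parse_version(version)
    fixed = FIXED.get(base[:2])
    if fixed is None:
        return None
    if base < fixed:
        return True
    # A release candidate of the fixed version predates the fixed release.
    return base == fixed and prerelease


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_RT_PM
    v = version_from_rt_pm(text)
    print(v, {True: "VULNERABLE", False: "fixed", None: "branch not listed"}[is_vulnerable(v)])
```

Run it with the path to lib/RT.pm as the only argument; without an argument it evaluates the constructed snippet.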

📡 Detection & Monitoring

Log Indicators:

  • Bursts of failed authentication (HTTP 401) on /REST/2.0/ paths from a single source, with many distinct usernames if your logs capture the Basic-auth user
  • The same request repeated at an even cadence from one client (timing measurement needs many samples of an identical request)

Network Indicators:

  • High volume of requests carrying Authorization headers to /REST/2.0/ paths from one source; REST2 authenticates every request in middleware, so there is no separate login endpoint to watch
  • Identical requests repeated with only the username varying

SIEM Query (Splunk-style; field names and the threshold are assumptions, adapt to your schema):

index=rt sourcetype=access_combined uri_path="/REST/2.0/*" status=401 | stats count dc(user) AS users BY src_ip | where count > 100
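The same detection run offline over web-server access log lines, as an added Python example that is not part of RT or of any SIEM. The log lines are constructed in Apache combined format; the threshold and window are assumptions. Because RT performs the authentication itself, the %u field of the access log is usually "-", so the logic keys on source address, status and path rather than on username.

```python
"""Flag REST2 authentication probing in web-server access logs.

Added example, not part of RT. SAMPLE_LOG is constructed in Apache
'combined' format; threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: one address makes 120 failed REST2 requests inside a minute,
# a legitimate client makes a few calls (one failure), and an unrelated
# 401 on a non-REST2 path must be ignored.
_ATTACKER = ('203.0.113.7 - - [10/Aug/2021:14:00:{sec:02d} +0000] '
             '"GET /REST/2.0/rt HTTP/1.1" 401 52 "-" "python-requests/2.25"')
_OTHER = [
    '198.51.100.20 - - [10/Aug/2021:14:00:05 +0000] "GET /REST/2.0/tickets HTTP/1.1" 200 1834 "-" "curl/7.68.0"',
    '198.51.100.20 - - [10/Aug/2021:14:00:09 +0000] "GET /REST/2.0/ticket/42 HTTP/1.1" 401 52 "-" "curl/7.68.0"',
    '198.51.100.20 - - [10/Aug/2021:14:00:10 +0000] "GET /REST/2.0/ticket/42 HTTP/1.1" 200 912 "-" "curl/7.68.0"',
    '192.0.2.9 - - [10/Aug/2021:14:00:12 +0000] "GET /index.html HTTP/1.1" 401 221 "-" "Mozilla/5.0"',
]
SAMPLE_LOG = "\n".join([_ATTACKER.format(sec=i // 2) for i in range(120)] + _OTHER) + "\n"

_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line; None if it does not match."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_probers(log_text, threshold=50, window_seconds=60):
    """Return {ip: peak} for sources with >= threshold REST2 401s in any window.

    peak is the largest number of failed REST2 requests from that address
    inside any window_seconds-long span (sliding window over sorted times).
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 401 and rec["path"].startswith("/REST/2.0/"):
            failures[rec["ip"]].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, stamps in failures.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    for ip, peak in find_probers(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failed REST2 requests within one window")
```

Only the probing address is reported at the default threshold; the legitimate client's single failure and the 401 on /index.html are not. Feed real logs through stdin or a file in place of SAMPLE_LOG, and tune the threshold to your baseline of REST2 401s.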
