CVE-2021-40494

9.8 CRITICAL

📋 TL;DR

This vulnerability involves a hardcoded JWT secret key in AdaptiveScale LXDUI that allows attackers to forge authentication tokens and gain administrative access to the host system. Any system running vulnerable versions of LXDUI is affected, potentially giving attackers full control over the LXD container management platform.

💻 Affected Systems

Products:
  • AdaptiveScale LXDUI
Versions: through 2.1.3
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using the default configuration are vulnerable. The hardcoded secret is in metadata.py.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full administrative access to the host system, allowing them to create, modify, or delete containers, access host filesystems, and potentially pivot to other systems on the network.

🟠 Likely Case

Unauthorized users gain administrative privileges to the LXDUI interface, enabling container manipulation, privilege escalation, and potential lateral movement within the environment.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the LXDUI service itself, though container compromise remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires network access to LXDUI but no authentication. Attackers can forge JWT tokens using the hardcoded secret.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.4 and later

Vendor Advisory: https://github.com/AdaptiveScale/lxdui/pull/353

Restart Required: Yes

Instructions:

1. Update to LXDUI version 2.1.4 or later.
2. Restart the LXDUI service.
3. Regenerate all existing JWT tokens.

🔧 Temporary Workarounds

Manual Secret Replacement

Manually replace the hardcoded JWT secret with a strong, unique random value. The sed pattern below assumes the key is stored as a JSON-style "SECRET_KEY": "..." entry; confirm the exact form with grep and back up the file before running it:

sed -i "s/\"SECRET_KEY\": \"[^\"]*\"/\"SECRET_KEY\": \"$(openssl rand -hex 32)\"/" /path/to/lxdui/metadata.py
systemctl restart lxdui

🧯 If You Can't Patch

  • Isolate LXDUI behind strict network access controls and firewall rules
  • Implement additional authentication layers such as VPN or reverse proxy with authentication

🔍 How to Verify

Check if Vulnerable:

Check metadata.py for a hardcoded JWT secret:

grep -r 'SECRET_KEY' /path/to/lxdui/

Check Version:

lxdui --version or check package manager

Verify Fix Applied:

Confirm that SECRET_KEY in metadata.py has been changed from the hardcoded value to a unique random secret, and that the service has been restarted so the new value is in use.
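The workaround and the verification step above, as an added example that is not part of the advisory or of the LXDUI project: a small script that extracts SECRET_KEY from a metadata.py-style file, flags values that look hardcoded or weak, and rotates the key to a fresh random value. It assumes the same JSON-style "SECRET_KEY": "..." layout the sed command assumes; the placeholder list and the sample config are constructed.

```python
import re
import secrets
from pathlib import Path

# Matches the JSON-style entry the sed workaround targets (assumed layout).
SECRET_RE = re.compile(r'("SECRET_KEY"\s*:\s*")([^"]*)(")')

# Constructed heuristic: substrings typical of placeholder secrets.
WEAK_MARKERS = ("secret", "changeme", "default", "password", "lxdui")


def extract_secret(text: str):
    """Return the SECRET_KEY value found in the config text, or None."""
    match = SECRET_RE.search(text)
    return match.group(2) if match else None


def is_weak(secret: str) -> bool:
    """True if the value is short or looks like a hardcoded placeholder."""
    if len(secret) < 32:
        return True
    lowered = secret.lower()
    return any(marker in lowered for marker in WEAK_MARKERS)


def rotate_secret(text: str, new_secret: str = None):
    """Replace the single SECRET_KEY entry; returns (new_text, new_secret)."""
    new_secret = new_secret or secrets.token_hex(32)  # 256-bit random key
    new_text, count = SECRET_RE.subn(
        lambda m: m.group(1) + new_secret + m.group(3), text)
    if count != 1:
        raise ValueError(f"expected exactly one SECRET_KEY entry, found {count}")
    return new_text, new_secret


def check_and_rotate(path: str, write: bool = False) -> dict:
    """Audit a config file; optionally rewrite it with a fresh secret."""
    config = Path(path)
    text = config.read_text()
    current = extract_secret(text)
    report = {"path": path, "found": current is not None,
              "weak": bool(current) and is_weak(current), "rotated": False}
    if report["weak"] and write:
        new_text, _ = rotate_secret(text)
        config.write_text(new_text)
        report["rotated"] = True
    return report


# Constructed sample standing in for a vulnerable metadata.py.
SAMPLE = '{\n  "name": "lxdui",\n  "SECRET_KEY": "lxdui-secret",\n  "port": 15151\n}\n'
```

After rotating the key, restart the service so the new value is loaded; tokens signed under the old secret stop validating at that point.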

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Multiple failed login attempts followed by successful admin access
  • Unexpected container creation/modification

Network Indicators:

  • Unusual API calls to LXDUI endpoints
  • Traffic from unexpected sources to LXDUI port

SIEM Query:

source="lxdui" AND (event="admin_login" OR event="container_create") AND user="unknown"
