CVE-2021-41393

9.8 CRITICAL

📋 TL;DR

This vulnerability in Teleport allows attackers to forge SSH host certificates in certain configurations, potentially enabling unauthorized access to systems. It affects Teleport versions before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1.

💻 Affected Systems

Products:
  • Teleport
Versions: Versions before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1
Operating Systems: All platforms running Teleport
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Teleport deployments using SSH host certificates in the vulnerable versions.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of SSH infrastructure allowing attackers to impersonate any host, intercept traffic, and gain unauthorized access to all systems managed by Teleport.

🟠

Likely Case

Unauthorized access to specific systems through forged host certificates, potentially leading to data exfiltration or lateral movement.

🟢

If Mitigated

Limited impact with proper network segmentation and certificate validation controls in place.

🌐 Internet-Facing: HIGH - Teleport often serves as an access proxy to internal systems, making internet-facing instances prime targets.
🏢 Internal Only: HIGH - Even internal-only deployments are vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific conditions and knowledge of Teleport's certificate handling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.11, 5.2.4, 6.2.12, or 7.1.1 depending on your major version

Vendor Advisory: https://github.com/gravitational/teleport/releases

Restart Required: Yes

Instructions:

1. Identify your Teleport version.
2. Upgrade to the patched version for your major release.
3. Restart Teleport services.
4. Verify the upgrade was successful.

🔧 Temporary Workarounds

Restrict certificate authority access

Applies to: all

Limit access to Teleport's certificate authority to only trusted administrators

# Review and restrict CA access permissions in Teleport configuration

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Teleport infrastructure
  • Enhance monitoring for unusual certificate issuance or SSH connection patterns

🔍 How to Verify

Check if Vulnerable:

Check Teleport version using 'teleport version' command and compare against affected versions

Check Version:

teleport version

Verify Fix Applied:

Verify version is 4.4.11+, 5.2.4+, 6.2.12+, or 7.1.1+ depending on major version
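The version comparison above is easy to get wrong by hand (each major line has its own fix release, and "before 4.4.11" also covers older major lines). The following script is an added example, not part of this page or of the Teleport project: it parses the output of `teleport version` and reports whether the running build falls inside the affected ranges listed above. The output format it assumes (`Teleport vX.Y.Z git:... goN.NN`) is an assumption; the regex only needs a `vX.Y.Z` token somewhere in the line.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First patched release per major line, taken from the page. Anything below the
# listed release within that major line is affected.
PATCHED = {
    4: (4, 4, 11),
    5: (5, 2, 4),
    6: (6, 2, 12),
    7: (7, 1, 1),
}

# Matches the first "vX.Y.Z" (the leading "v" is optional) in the output.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(output: str) -> Optional[Version]:
    """Extract the semantic version from `teleport version` output.

    Assumed (not from the page) output shape: 'Teleport v6.2.11 git:... go1.16.7'.
    Returns None when no version token is present.
    """
    match = _VERSION_RE.search(output)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True when the version lies inside one of the page's affected ranges."""
    major = version[0]
    if major < 4:
        # "versions before 4.4.11" includes every older major line.
        return True
    fixed = PATCHED.get(major)
    if fixed is None:
        # 8.x and later are not listed as affected on this page.
        return False
    # Tuple comparison is lexicographic: (6, 2, 11) < (6, 2, 12).
    return version < fixed


def check_output(output: str) -> str:
    """Classify a `teleport version` output line as vulnerable / patched / unknown."""
    version = parse_version(output)
    if version is None:
        return "unknown: could not parse a version string"
    label = "vulnerable" if is_affected(version) else "patched"
    return f"{label}: Teleport {'.'.join(map(str, version))}"


if __name__ == "__main__":
    # Run the real binary when executed directly; falls back to a message if absent.
    try:
        result = subprocess.run(["teleport", "version"], capture_output=True, text=True)
        print(check_output(result.stdout))
    except FileNotFoundError:
        print("unknown: teleport binary not found on PATH")
```

Run it on the host where Teleport is installed; a `vulnerable:` result means the binary predates the fix for its major line and the upgrade steps above still apply.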

📡 Detection & Monitoring

Log Indicators:

  • Unusual certificate issuance patterns
  • SSH connections from unexpected hosts
  • Failed certificate validation attempts

Network Indicators:

  • SSH connections with unexpected host keys
  • Traffic to/from unauthorized systems

SIEM Query:

source="teleport" AND (event="certificate.issued" OR event="ssh.session.start") | stats count by host, user
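For teams without a SIEM in front of the Teleport audit log, the same aggregation can be run directly over exported log lines. The script below is an added example, not part of this page or of Teleport: it implements the `stats count by host, user` query above over constructed JSON sample lines and then applies the "SSH connections from unexpected hosts" indicator by comparing the hosts seen against an inventory. The field and event names (`source`, `event`, `host`, `user`, `certificate.issued`, `ssh.session.start`) are taken from the page's query and are assumed; they are not claimed to be Teleport's documented audit event codes.

```python
import json
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample log lines (not real Teleport output). One JSON object per line;
# the nginx line and the user.login line exist to show the filter dropping them.
SAMPLE_LOG = """
{"source":"teleport","event":"certificate.issued","host":"db-01","user":"alice"}
{"source":"teleport","event":"certificate.issued","host":"db-01","user":"alice"}
{"source":"teleport","event":"ssh.session.start","host":"db-01","user":"alice"}
{"source":"teleport","event":"certificate.issued","host":"unknown-9f","user":"svc-backup"}
{"source":"teleport","event":"ssh.session.start","host":"unknown-9f","user":"svc-backup"}
{"source":"nginx","event":"ssh.session.start","host":"web-01","user":"bob"}
{"source":"teleport","event":"user.login","host":"db-01","user":"bob"}
this line is not json and must be skipped
"""

# Event names from the page's SIEM query (assumed, see lead-in).
WATCHED_EVENTS = {"certificate.issued", "ssh.session.start"}

HostUser = Tuple[str, str]


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Parse one JSON object per line, skipping blank or malformed lines."""
    events: List[dict] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A malformed line should not abort a log sweep; skip it.
            continue
    return events


def count_by_host_user(events: Iterable[dict]) -> Dict[HostUser, int]:
    """Equivalent of: source="teleport" AND event IN (...) | stats count by host, user."""
    counts: Counter = Counter()
    for event in events:
        if event.get("source") != "teleport":
            continue
        if event.get("event") not in WATCHED_EVENTS:
            continue
        key = (str(event.get("host", "")), str(event.get("user", "")))
        counts[key] += 1
    return dict(counts)


def flag_unexpected_hosts(
    counts: Dict[HostUser, int], known_hosts: Set[str]
) -> List[Tuple[str, str, int]]:
    """Return (host, user, count) for hosts absent from the inventory, sorted."""
    return sorted(
        (host, user, n) for (host, user), n in counts.items() if host not in known_hosts
    )


if __name__ == "__main__":
    inventory = {"db-01", "web-01"}  # constructed inventory for the sample
    stats = count_by_host_user(parse_events(SAMPLE_LOG.splitlines()))
    for (host, user), n in sorted(stats.items()):
        print(f"{host:12} {user:12} {n}")
    for host, user, n in flag_unexpected_hosts(stats, inventory):
        print(f"UNEXPECTED HOST {host} ({user}, {n} events)")
```

Feed it `teleport` audit log lines in place of `SAMPLE_LOG` and the inventory from your host list; a host that issues certificates or starts sessions without appearing in the inventory is the condition this page's network indicators describe.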
