CVE-2021-42086

8.8 HIGH

📋 TL;DR

This vulnerability allows an authenticated Agent account in Zammad to escalate its privileges to Administrator level by modifying account data through crafted requests. It affects all Zammad installations running versions before 4.1.1 in which at least one Agent account exists.

💻 Affected Systems

Products:
  • Zammad
Versions: All versions before 4.1.1
Operating Systems: All platforms running Zammad
Default Config Vulnerable: ⚠️ Yes
Notes: Requires at least one Agent account to exist. Administrator accounts are not vulnerable to this specific escalation path.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with Agent credentials gains full administrative control over the Zammad instance, allowing them to access all tickets, modify system settings, create/delete users, and potentially compromise the underlying server.

🟠 Likely Case

Malicious or compromised Agent accounts escalate to Administrator privileges, enabling unauthorized access to sensitive customer data and system configuration.

🟢 If Mitigated

With proper access controls and monitoring, privilege escalation attempts are detected and blocked before successful exploitation.

🌐 Internet-Facing: HIGH if the Zammad instance is internet-accessible, since attackers can first obtain Agent access through credential attacks or compromised sessions.
🏢 Internal Only: MEDIUM, since Agent credentials are still required, but insider threats or compromised internal accounts could exploit it.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated Agent access. The flaw lies in the account modification logic, so once an attacker holds Agent credentials, exploitation is relatively straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.1

Vendor Advisory: https://zammad.com/en/advisories/zaa-2021-09

Restart Required: Yes

Instructions:

1. Back up your Zammad instance and database.
2. Update to Zammad 4.1.1 or later using your deployment method (package manager, Docker, manual).
3. Restart Zammad services.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Restrict Agent Account Permissions

Applies to: all

Temporarily reduce Agent account privileges to the minimum required functions while the upgrade is planned.

Enhanced Monitoring

Applies to: all

Implement strict monitoring of account modification activities and privilege changes.

🧯 If You Can't Patch

  • Implement strict access controls and monitoring for all Agent accounts
  • Consider temporarily disabling non-essential Agent accounts until patching is possible

🔍 How to Verify

Check if Vulnerable:

Check the Zammad version via the web interface (Admin > System > About), or run:

  grep 'VERSION' /path/to/zammad/config/initializers/version.rb

Check Version:

  grep 'VERSION' /path/to/zammad/config/initializers/version.rb 2>/dev/null || echo 'Check web interface Admin > System > About'

Verify Fix Applied:

Confirm that the version is 4.1.1 or later, then test that an Agent account can no longer modify its own or another account's privilege level.

📡 Detection & Monitoring

Log Indicators:

  • Unusual account modification requests from Agent accounts
  • Privilege escalation attempts in authentication logs
  • Multiple failed privilege modification attempts

Network Indicators:

  • HTTP POST requests to account modification endpoints from Agent accounts

SIEM Query:

source="zammad" AND (event_type="account_update" OR event_type="privilege_change") AND user_role="agent"

The field names above are illustrative; they depend on how Zammad logs are parsed and ingested, so adapt them to your SIEM's schema.
