CVE-2021-43145

8.1 HIGH

📋 TL;DR

Zammad 5.0.1 with certain LDAP configurations allows unauthorized access using existing user accounts. This authentication bypass vulnerability affects organizations using Zammad with LDAP integration, potentially exposing sensitive ticket data and user information.

💻 Affected Systems

Products:
  • Zammad
Versions: 5.0.1
Operating Systems: All platforms running Zammad
Default Config Vulnerable: ✅ No
Notes: Only affects systems with specific LDAP configurations. Standard authentication methods are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative access to the Zammad instance, allowing them to view all tickets, modify configurations, access sensitive customer data, and potentially pivot to other systems.

🟠

Likely Case

Unauthorized users access tickets and customer information they shouldn't have permission to view, leading to data breaches and privacy violations.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is limited to the Zammad instance itself with no lateral movement.

🌐 Internet-Facing: HIGH - If Zammad is exposed to the internet with vulnerable LDAP configuration, attackers can bypass authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could exploit this, but requires specific LDAP configuration.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires knowledge of existing user accounts and specific LDAP configuration details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.2 and later

Vendor Advisory: https://zammad.com/de/advisories/zaa-2021-20

Restart Required: Yes

Instructions:

1. Back up your Zammad instance and database.
2. Update to Zammad 5.0.2 or later using your package manager or deployment method.
3. Restart Zammad services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable LDAP Authentication

Applies to: all

Temporarily disable LDAP authentication until patching is complete.

1. Edit the Zammad configuration to remove or comment out the LDAP settings.
2. Restart Zammad services.

Network Segmentation

Applies to: all

Restrict access to the Zammad instance to trusted networks only.

1. Configure firewall rules to limit Zammad access.
2. Implement IP whitelisting for the Zammad web interface.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the Zammad instance
  • Enable detailed logging and monitoring for authentication attempts and unusual access patterns

🔍 How to Verify

Check if Vulnerable:

Check if running Zammad 5.0.1 with LDAP authentication enabled. Review configuration files for LDAP settings.

Check Version:

Run zammad version, or query the package manager (apt show zammad, yum info zammad, etc.).

Verify Fix Applied:

Verify Zammad version is 5.0.2 or later. Test LDAP authentication functionality works correctly.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by successful LDAP authentication
  • User logins from unusual IP addresses or locations
  • Access to tickets/resources beyond the user's normal permissions

Network Indicators:

  • Unusual authentication traffic patterns to LDAP servers
  • Multiple authentication requests in short timeframes

SIEM Query:

source="zammad.log" AND ("authentication" OR "login") AND ("success" OR "failed") | stats count by src_ip, user
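As an added example (not part of this advisory or of Zammad), the two log indicators above implemented in Python over constructed sample lines. The key=value log layout, the field names (auth, user, src_ip, method) and the per-user IP baseline are all assumptions for illustration, not Zammad's real log format.

```python
import re
from collections import defaultdict

# Constructed sample lines; the layout is an assumption, not Zammad's actual log format.
SAMPLE_LOG = """\
2021-11-10T09:00:01Z auth=failed user=alice src_ip=203.0.113.5 method=ldap
2021-11-10T09:00:03Z auth=failed user=alice src_ip=203.0.113.5 method=ldap
2021-11-10T09:00:05Z auth=failed user=alice src_ip=203.0.113.5 method=ldap
2021-11-10T09:00:07Z auth=success user=alice src_ip=203.0.113.5 method=ldap
2021-11-10T09:05:00Z auth=success user=bob src_ip=198.51.100.9 method=password
2021-11-10T09:06:00Z auth=failed user=carol src_ip=192.0.2.77 method=ldap
2021-11-10T09:06:02Z auth=success user=carol src_ip=192.0.2.77 method=ldap
"""

# Constructed baseline of IPs each user normally logs in from (hypothetical).
KNOWN_IPS = {"alice": {"203.0.113.5"}, "bob": {"198.51.100.9"}}

LINE_RE = re.compile(
    r"auth=(?P<result>\w+) user=(?P<user>\S+) src_ip=(?P<ip>\S+) method=(?P<method>\w+)"
)


def find_failed_then_success(log_text, threshold=2):
    """Indicator 1: an LDAP success preceded by >= threshold consecutive failures
    for the same (user, src_ip). Returns a list of (user, ip, failures_before)."""
    failed = defaultdict(int)  # (user, ip) -> consecutive failure count
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not authentication events
        key = (m["user"], m["ip"])
        if m["result"] == "failed":
            failed[key] += 1
        elif m["result"] == "success":
            if m["method"] == "ldap" and failed[key] >= threshold:
                hits.append((m["user"], m["ip"], failed[key]))
            failed[key] = 0  # a success ends the failure streak
    return hits


def logins_from_unknown_ip(log_text, known_ips):
    """Indicator 2: successful logins from an IP outside the user's baseline.
    Returns a list of (user, ip)."""
    unknown = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["result"] == "success" and m["ip"] not in known_ips.get(m["user"], set()):
            unknown.append((m["user"], m["ip"]))
    return unknown
```

Raising the threshold or widening the baseline tunes the noise; both functions return structured tuples so they can feed a SIEM alert rather than just print.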

🔗 References