CVE-2021-43799

8.6 HIGH

📋 TL;DR

Zulip Server installs RabbitMQ, whose Erlang runtime accepts connections on the Erlang distribution port (25672) authenticated only by the shared Erlang cookie. In Zulip Server before 4.9 that cookie had only about 20 bits of entropy, so a remote attacker who can reach port 25672 can brute-force it, join the node as an Erlang peer, execute arbitrary code as the rabbitmq user and read all message traffic passing through the queue. Only installations on which port 25672 is reachable by the attacker rather than firewalled are exposed.

💻 Affected Systems

Products:
  • Zulip Server
Versions: All versions prior to 4.9
Operating Systems: All platforms running Zulip Server
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires network access to port 25672. The 4.9 fix takes effect only after RabbitMQ is restarted or the server is rebooted.

📦 What is this software?

Zulip Server is the self-hosted, open-source backend of the Zulip team chat application. It uses RabbitMQ as its internal message queue (AMQP on port 5672); RabbitMQ runs on the Erlang VM, which additionally exposes the Erlang distribution protocol on port 25672, where the Erlang cookie is the only authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote attacker gains full control of RabbitMQ service, executes arbitrary code as rabbitmq user, reads all user message traffic, and potentially pivots to other systems.

🟠 Likely Case

Attacker reads all message traffic passing through RabbitMQ and gains control of the RabbitMQ service.

🟢 If Mitigated

If port 25672 is properly firewalled, the vulnerability cannot be exploited remotely.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack is a brute force of the ~20-bit Erlang cookie over port 25672: a search space of roughly a million values, small enough to exhaust in a single session. Public tooling such as erl-matter automates the search.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.9

Vendor Advisory: https://github.com/zulip/zulip/security/advisories/GHSA-p663-wxvv-2fjp

Restart Required: Yes

Instructions:

1. Upgrade Zulip Server to version 4.9 or later.
2. Restart the RabbitMQ service or reboot the server so the fix takes effect.

🔧 Temporary Workarounds

Firewall port 25672

Block external access to RabbitMQ's Erlang distribution port (25672) and, while you are at it, the AMQP port (5672). Loopback must stay open: Zulip itself talks to RabbitMQ on localhost:5672, and rabbitmqctl (used by Zulip's own scripts) reaches the node over the distribution port, so a blanket DROP on these ports breaks the server. The rules are inserted at the head of the chain so an earlier blanket ACCEPT cannot shadow them; they are not persistent across reboots (use iptables-persistent or your distribution's equivalent). Erlang's port mapper daemon (epmd, port 4369) advertises the distribution port and can be restricted the same way.

sudo iptables -I INPUT -i lo -p tcp -m multiport --dports 25672,5672 -j ACCEPT
sudo iptables -I INPUT ! -i lo -p tcp -m multiport --dports 25672,5672 -j DROP
sudo ip6tables -I INPUT -i lo -p tcp -m multiport --dports 25672,5672 -j ACCEPT
sudo ip6tables -I INPUT ! -i lo -p tcp -m multiport --dports 25672,5672 -j DROP

🧯 If You Can't Patch

  • Ensure firewalls block external access to ports 25672 and 5672 while leaving loopback open (see the workaround above)
  • Treat the firewall as a stopgap: the weak cookie stays in place until you upgrade to 4.9 and restart RabbitMQ or reboot

🔍 How to Verify

Check if Vulnerable:

Check if Zulip Server version is below 4.9 AND port 25672 is accessible without firewall protection.

Check Version:

grep ZULIP_VERSION /home/zulip/deployments/current/version.py

Verify Fix Applied:

Verify Zulip Server version is 4.9+ AND port 25672 is not accessible from external networks.
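The two conditions above as shell functions, added here as an example (not part of the original page or of the Zulip project). Each function takes its input as text so it can be exercised offline against the constructed samples at the bottom; check_host() wires them to the real version.py and to `ss -ltn` on a Zulip host. The ss column layout and the `ZULIP_VERSION = "…"` line format are the real ones; the sample contents are constructed.

```shell
#!/bin/sh
# Added example, not Zulip project code: version < 4.9 AND port 25672 listening
# beyond localhost. Inputs are passed as text so the checks run without a Zulip host.

# Print the version string from the contents of Zulip's version.py, which holds
# a line of the form  ZULIP_VERSION = "4.8"
zulip_version_from_file() {
    printf '%s\n' "$1" | sed -n 's/^ZULIP_VERSION *= *"\([^"]*\)".*/\1/p'
}

# True (exit 0) when major.minor is below 4.9. Compared numerically, so 4.10 is
# newer than 4.9; a suffix such as "+git" on the minor part is ignored.
# An empty or unparseable version is treated as vulnerable (conservative).
version_below_4_9() {
    major=$(printf '%s' "${1%%.*}" | tr -dc '0-9')
    rest=${1#*.}
    minor=$(printf '%s' "${rest%%.*}" | tr -dc '0-9')
    [ "${major:-0}" -lt 4 ] || { [ "${major:-0}" -eq 4 ] && [ "${minor:-0}" -lt 9 ]; }
}

# Given the output of `ss -ltn`, print every listening socket on port 25672 whose
# local address is not loopback; exit 0 if at least one exists.
distribution_port_exposed() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == "25672" && addr != "127.0.0.1" && addr != "[::1]") { print $4; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Live check; run as root on the Zulip host. Exit 1 when both conditions hold.
check_host() {
    v=$(zulip_version_from_file "$(cat /home/zulip/deployments/current/version.py)")
    if version_below_4_9 "$v" && distribution_port_exposed "$(ss -ltn)" >/dev/null; then
        echo "VULNERABLE: Zulip $v and port 25672 listens on a non-loopback address"
        return 1
    fi
    echo "not exposed (Zulip $v)"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION_PY='ZULIP_VERSION = "4.8"
LATEST_RELEASE_VERSION = "4.8"'
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:25672     0.0.0.0:*
LISTEN 0      128    127.0.0.1:5672    0.0.0.0:*'
SAMPLE_SS_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:25672   0.0.0.0:*
LISTEN 0      128    127.0.0.1:5672    0.0.0.0:*'

# Demonstration against the samples; on a real host call check_host instead.
v=$(zulip_version_from_file "$SAMPLE_VERSION_PY")
if version_below_4_9 "$v" && distribution_port_exposed "$SAMPLE_SS_EXPOSED" >/dev/null; then
    echo "sample host would be flagged: Zulip $v with 25672 exposed"
fi
```

A listener bound to 0.0.0.0 or [::] is only exposed if no firewall sits in front of it, so a host that this script flags should still be checked from an external vantage point (for example `nc -vz host 25672` from another network) before being declared vulnerable, and a host it clears may still be reachable over a non-loopback address that the firewall rules above do not cover.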

📡 Detection & Monitoring

Log Indicators:

  • Rejected Erlang distribution connection attempts in the RabbitMQ node's log: port 25672 carries the Erlang distribution protocol, not AMQP, so a cookie brute force appears as a burst of failed distribution handshakes rather than as AMQP login failures
  • Unexpected child processes or shell activity under the rabbitmq user, which normally runs nothing beyond the Erlang VM and epmd

Network Indicators:

  • External connections to port 25672
  • Brute-force patterns against port 25672

SIEM Query:

destination_port=25672 AND (authentication_failure OR connection_attempts > threshold)
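The SIEM query above expressed as an awk filter over per-connection records, added here as an example (not part of the original page). The record layout is constructed for this example (timestamp, source IP, destination IP, destination port, one line per TCP connection attempt) and stands in for whatever your firewall or flow export produces; adjust the field numbers to match. Both detections ignore loopback sources, since rabbitmqctl legitimately connects to 25672 from localhost.

```shell
#!/bin/sh
# Added example, not from the original page: two detections over constructed
# connection records (fields: time src dst dport). Real exports differ in layout.
SAMPLE_CONNECTIONS='2021-12-01T10:00:01Z 127.0.0.1 127.0.0.1 25672
2021-12-01T10:00:02Z 203.0.113.7 10.0.0.5 25672
2021-12-01T10:00:02Z 203.0.113.7 10.0.0.5 25672
2021-12-01T10:00:03Z 203.0.113.7 10.0.0.5 25672
2021-12-01T10:00:03Z 203.0.113.7 10.0.0.5 25672
2021-12-01T10:00:04Z 203.0.113.7 10.0.0.5 25672
2021-12-01T10:00:04Z 203.0.113.7 10.0.0.5 25672
2021-12-01T10:00:09Z 203.0.113.7 10.0.0.5 5672
2021-12-01T10:05:00Z 198.51.100.9 10.0.0.5 25672'

# Any non-loopback source reaching port 25672 is an indicator by itself, because
# the port should never be reachable from outside the host: print distinct sources.
external_sources_to_25672() {
    awk '$4 == "25672" && $2 !~ /^127\./ && $2 != "::1" { print $2 }' | sort -u
}

# Brute-force pattern: more than $1 connections to 25672 from one source within
# one minute (minute taken from the ISO timestamp). Prints "source minute count".
brute_force_sources() {
    awk -v t="$1" '
        $4 == "25672" && $2 !~ /^127\./ && $2 != "::1" { n[$2 " " substr($1, 1, 16)]++ }
        END { for (k in n) if (n[k] > t) print k, n[k] }' | sort
}

# Run both detections over the constructed sample.
echo "external sources touching 25672:"
printf '%s\n' "$SAMPLE_CONNECTIONS" | external_sources_to_25672
echo "sources exceeding 3 attempts per minute:"
printf '%s\n' "$SAMPLE_CONNECTIONS" | brute_force_sources 3
```

The threshold is deliberately low: exhausting a ~20-bit cookie space needs on the order of a million distribution handshakes, so a real brute force produces connection rates far above anything a legitimate peer would generate, and even one external connection to 25672 (the second sample source) deserves a ticket on its own.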
