CVE-2021-43834
📋 TL;DR
This vulnerability allows attackers to authenticate as existing users in eLabFTW instances configured with LDAP or SAML single sign-on authentication. It affects eLabFTW versions before 4.2.0 where LDAP/SAML authentication is enabled instead of the default local password mechanism. The vulnerability enables unauthorized access to user accounts and their associated lab notebook data.
💻 Affected Systems
- eLabFTW
📦 What is this software?
eLabFTW (vendor: eLabFTW), an open-source electronic lab notebook
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all user accounts using LDAP/SAML authentication, allowing attackers to access, modify, or delete sensitive research data, intellectual property, and lab records.
Likely Case
Unauthorized access to multiple user accounts, leading to data theft, data manipulation, or privilege escalation within the eLabFTW system.
If Mitigated
Limited impact with proper network segmentation, monitoring, and quick patch deployment preventing successful exploitation.
🎯 Exploit Status
The advisory suggests authentication bypass is possible, but specific exploit details are not publicly documented. Attackers would need to understand the LDAP/SAML implementation flaw.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.0
Vendor Advisory: https://github.com/elabftw/elabftw/security/advisories/GHSA-98rp-gx76-33ph
Restart Required: Yes
Instructions:
1. Back up your eLabFTW database and configuration.
2. Download eLabFTW version 4.2.0 or later from GitHub releases.
3. Replace the existing installation files with the new version.
4. Run database update scripts if required.
5. Restart web server services.
🔧 Temporary Workarounds
Disable LDAP/SAML Authentication
Temporarily disable LDAP and SAML authentication methods and revert to local password authentication only.
Edit eLabFTW configuration to set 'auth_type' to 'local' and disable LDAP/SAML settings
Network Access Restrictions
Restrict network access to eLabFTW instances to only trusted IP addresses or internal networks.
Configure firewall rules to limit access to eLabFTW web interface
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to eLabFTW instances
- Enable detailed authentication logging and monitor for suspicious login attempts
🔍 How to Verify
Check if Vulnerable:
Check eLabFTW version and authentication configuration. If version < 4.2.0 and LDAP/SAML authentication is enabled, the system is vulnerable.
Check Version:
Check eLabFTW web interface admin panel or examine version files in installation directory
Verify Fix Applied:
Verify eLabFTW version is 4.2.0 or higher and test LDAP/SAML authentication functionality.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful LDAP/SAML logins
- Unusual user login patterns or locations
- Authentication logs showing bypass patterns
Network Indicators:
- Unusual authentication traffic patterns to LDAP/SAML endpoints
- Authentication requests from unexpected sources
SIEM Query:
source="elabftw" AND (event_type="auth" OR event_type="login") AND result="success" AND (auth_method="ldap" OR auth_method="saml") | stats count by user, src_ip
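The first log indicator above (a burst of failed logins followed by a successful LDAP/SAML login for the same user) and the SIEM query's grouping of SSO successes by user and source address can both be checked offline against exported logs. The following is an added example written for this page, not code from the advisory or from the eLabFTW project; the log line format, field names and sample events are constructed for the example, so the regular expression will need adjusting to the real log format of a given deployment.

```python
"""Scan a constructed authentication log for the detection indicators listed above:
(1) >= N failed attempts for a user followed by a successful LDAP/SAML login within
a time window, and (2) a count of successful SSO logins by (user, src), mirroring
the SIEM query. The log format is an assumption for this example, not eLabFTW's own."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format; not real eLabFTW output)
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth user=alice method=ldap result=failure src=203.0.113.7
2024-03-01T09:00:04Z auth user=alice method=ldap result=failure src=203.0.113.7
2024-03-01T09:00:09Z auth user=alice method=ldap result=failure src=203.0.113.7
2024-03-01T09:00:15Z auth user=alice method=saml result=success src=203.0.113.7
2024-03-01T09:05:00Z auth user=bob method=local result=success src=10.0.0.5
2024-03-01T09:10:00Z auth user=carol method=saml result=success src=10.0.0.9
2024-03-01T10:30:00Z auth user=dave method=ldap result=failure src=198.51.100.2
2024-03-01T11:45:00Z auth user=dave method=ldap result=success src=10.0.0.3
"""

# Assumed line layout: "<ISO timestamp> auth user=<u> method=<m> result=<r> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) method=(?P<method>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)
SSO_METHODS = {"ldap", "saml"}


def parse_log(text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_failure_then_sso_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Return (user, src, n_failures) for every LDAP/SAML success that was preceded
    by at least `min_failures` failed attempts for the same user inside `window`."""
    recent_failures = defaultdict(list)  # user -> timestamps of recent failures
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        # Forget failures that fall outside the sliding window
        recent_failures[user] = [t for t in recent_failures[user] if ev["ts"] - t <= window]
        if ev["result"] == "failure":
            recent_failures[user].append(ev["ts"])
        elif ev["result"] == "success" and ev["method"] in SSO_METHODS:
            n = len(recent_failures[user])
            if n >= min_failures:
                hits.append((user, ev["src"], n))
            recent_failures[user].clear()
    return hits


def sso_success_counts(events):
    """Offline equivalent of the SIEM query: successful LDAP/SAML logins by (user, src)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["result"] == "success" and ev["method"] in SSO_METHODS:
            counts[(ev["user"], ev["src"])] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, src, n in find_failure_then_sso_success(evs):
        print(f"ALERT: {n} failures then SSO success for {user} from {src}")
    for (user, src), c in sorted(sso_success_counts(evs).items()):
        print(f"{user:8} {src:16} {c}")
```

On the sample data only `alice` trips the failure-then-success rule; `dave` has a single failure over an hour before his success, which the 10-minute window discards, and `bob` is excluded because his login used the local method. The thresholds are starting points to tune against a deployment's normal failure rate.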