CVE-2023-35133
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Moodle's cURL blocked hosts list logic. The flaw allows attackers to bypass IP address restrictions by using 0.0.0.0, potentially accessing internal network resources. It affects multiple Moodle versions including 4.2, 4.1-4.1.3, 4.0-4.0.8, 3.11-3.11.14, and 3.9-3.9.21.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle
Moodle by Moodle
Moodle by Moodle
Moodle by Moodle
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, sensitive data, or perform internal network reconnaissance by bypassing IP restrictions.
Likely Case
Unauthorized access to internal web services or APIs that should be blocked by Moodle's security controls.
If Mitigated
Limited impact if network segmentation and proper access controls are already in place for internal services.
🎯 Exploit Status
Exploitation requires ability to trigger Moodle's cURL functionality with controlled parameters
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Moodle 4.2.1, 4.1.4, 4.0.9, 3.11.15, 3.9.22
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=447831
Restart Required: No
Instructions:
1. Backup your Moodle installation and database. 2. Download the patched version from moodle.org. 3. Replace affected files with patched versions. 4. Clear Moodle caches. 5. Verify functionality.
🔧 Temporary Workarounds
Block 0.0.0.0 at network level
allConfigure network firewalls to block outbound connections to 0.0.0.0 from Moodle servers
Restrict Moodle server network access
allImplement strict outbound firewall rules limiting Moodle server connections to only necessary external services
🧯 If You Can't Patch
- Implement network segmentation to isolate Moodle servers from sensitive internal resources
- Deploy web application firewall (WAF) rules to detect and block SSRF attempts
🔍 How to Verify
Check if Vulnerable:
Check Moodle version via Administration > Site administration > Notifications page or by examining version.php fileCheck Version:
grep "\$release" /path/to/moodle/version.phpVerify Fix Applied:
Verify Moodle version is updated to patched versions: 4.2.1, 4.1.4, 4.0.9, 3.11.15, or 3.9.22📡 Detection & Monitoring
Log Indicators:
- Unusual outbound connections from Moodle server to internal IP ranges
- HTTP requests with 0.0.0.0 in URLs
Network Indicators:
- Outbound connections from Moodle server to unexpected internal services
- Traffic patterns suggesting SSRF attempts
SIEM Query:
source="moodle-logs" AND (url="*0.0.0.0*" OR dest_ip IN (private_ip_ranges))🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=2214373
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7A72KX4WU6GK2CX4TKYFGFASPKOEOJFC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5QAEAGJ44NVXLAJFJXKARKC45OGEDXT/
- https://moodle.org/mod/forum/discuss.php?d=447831
- https://bugzilla.redhat.com/show_bug.cgi?id=2214373
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7A72KX4WU6GK2CX4TKYFGFASPKOEOJFC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5QAEAGJ44NVXLAJFJXKARKC45OGEDXT/
- https://moodle.org/mod/forum/discuss.php?d=447831
