-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3150
                          Moodle security updates
                             21 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Publisher:         Moodle
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Unknown/Unspecified
                   Reduced Security         -- Unknown/Unspecified
                   Unauthorised Access      -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-40695 CVE-2021-40694 CVE-2021-40693
                   CVE-2021-40692 CVE-2021-40691 

Original Bulletin: 
   https://moodle.org/mod/forum/discuss.php?d=427103&parent=1719325
   https://moodle.org/mod/forum/discuss.php?d=427104&parent=1719326
   https://moodle.org/mod/forum/discuss.php?d=427105&parent=1719327
   https://moodle.org/mod/forum/discuss.php?d=427106&parent=1719328
   https://moodle.org/mod/forum/discuss.php?d=427107&parent=1719329

Comment: This bulletin contains five (5) Moodle security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

MSA-21-0032: Session Hijack risk when Shibboleth authentication is enabled

A session hijack risk was identified in the Shibboleth authentication plugin.
(Note: Shibboleth authentication is disabled by default in Moodle.)

Severity/Risk:     Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier
                  unsupported versions
Versions fixed:    3.11.3, 3.10.7 and 3.9.10
Reported by:       Robin Peraglie and Johannes Moritz
CVE identifier:    CVE-2021-40691
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71976
Tracker issue:     MDL-71976 Session Hijack risk when Shibboleth authentication
                  is enabled

- --------------------------------------------------------------------------------

MSA-21-0033: Course participants download did not restrict which users could be
exported

Insufficient capability checks made it possible for teachers to download users
outside of their courses.

Severity/Risk:     Minor
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier
                  unsupported versions
Versions fixed:    3.11.3, 3.10.7 and 3.9.10
Reported by:       Paul Holden
CVE identifier:    CVE-2021-40692
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71726
Tracker issue:     MDL-71726 Course participants download did not restrict which
                  users could be exported

- --------------------------------------------------------------------------------

MSA-21-0034: Authentication bypass risk when using external database
authentication

An authentication bypass risk was identified in the external database
authentication functionality, due to a type juggling vulnerability.

Severity/Risk:     Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier
                  unsupported versions
Versions fixed:    3.11.3, 3.10.7 and 3.9.10
Reported by:       adeadead
CVE identifier:    CVE-2021-40693
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71160
Tracker issue:     MDL-71160 Authentication bypass risk when using external
                  database authentication
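
The bulletin does not describe the exact flaw behind MDL-71160, so the
following is an added illustration of the defect class it names, written for
this bulletin and not taken from Moodle's auth_db plugin: a PHP loose
comparison (==) used as a credential check, beside the strict comparison that
closes it. The two sample passwords are constructed inputs chosen because both
of their MD5 digests have the form "0e" followed only by digits, which PHP
parses as numeric strings.

```php
<?php
declare(strict_types=1);

// Added illustration of a PHP type juggling authentication bypass. This is
// not Moodle's auth_db code and does not reproduce MDL-71160; it shows the
// general defect class the advisory names and the fix pattern for it.

/**
 * Vulnerable pattern: loose comparison (==) of two hash strings.
 * When both strings are numeric (for example "0e" followed only by digits,
 * which PHP reads as a float in scientific notation), == compares them as
 * numbers, so two different digests can compare equal.
 */
function verifyLoose(string $storedHash, string $suppliedHash): bool
{
    return $storedHash == $suppliedHash;
}

/**
 * Hardened pattern: hash_equals() performs a strict, length-aware,
 * constant-time byte comparison and never applies numeric coercion.
 */
function verifyStrict(string $storedHash, string $suppliedHash): bool
{
    return hash_equals($storedHash, $suppliedHash);
}

/**
 * Runs both checks on the same pair of hashes so the behaviours can be
 * compared side by side.
 */
function compareBoth(string $storedHash, string $suppliedHash): array
{
    return [
        'loose'  => verifyLoose($storedHash, $suppliedHash),
        'strict' => verifyStrict($storedHash, $suppliedHash),
    ];
}

// Constructed sample inputs (an assumption for this example): two different
// passwords whose MD5 digests are both of the form "0e<digits>".
$storedHash   = md5('240610708');
$suppliedHash = md5('QNKCDZO');

$result = compareBoth($storedHash, $suppliedHash);
printf("digests byte-identical: %s\n", var_export($storedHash === $suppliedHash, true));
printf("loose  (==):            %s\n", var_export($result['loose'], true));
printf("strict (hash_equals):   %s\n", var_export($result['strict'], true));
```

For these inputs the two digests are different strings, yet verifyLoose()
returns true while verifyStrict() returns false. Note that declare(strict_types)
does not change how == behaves, and the PHP 8 comparison changes affect
number-to-string comparisons, not comparisons between two numeric strings, so
the loose check is equally unsafe on PHP 7 and PHP 8. Any code path that
compares a password, hash or token coming from an external database should use
=== or hash_equals(), and should reject non-string values from the external
source before comparing.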

- --------------------------------------------------------------------------------

MSA-21-0035: Arbitrary file read by site administrators via LaTeX preamble

Insufficient escaping of the LaTeX preamble made it possible for site
administrators to read files available to the HTTP server system account.

Severity/Risk:     Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier
                  unsupported versions
Versions fixed:    3.11.3, 3.10.7 and 3.9.10
Reported by:       raisin_bugbounty
Workaround:        Hard-code the value of the LaTeX preamble into
                  $CFG->forced_plugin_settings['filter_tex']['latexpreamble']
                  within the site's config.php file.
CVE identifier:    CVE-2021-40694
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71240
Tracker issue:     MDL-71240 Arbitrary file read by site administrators via LaTeX
                  preamble
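
The workaround above, as an added example of how it would appear in a Moodle
site's config.php; this is not text from the advisory. Entries in
$CFG->forced_plugin_settings are locked in the admin UI, so once the preamble
is forced here a site administrator can no longer change it through the web.
The preamble content shown is an assumed value: use the preamble your site
already has.

```php
<?php
// Added example of the MSA-21-0035 workaround for a Moodle config.php.
// Not taken from the advisory or from Moodle's own config-dist.php.

unset($CFG);
global $CFG;
$CFG = new stdClass();

// The site's existing database, wwwroot and dataroot settings go here.

// Force the TeX filter preamble from config.php. Forced plugin settings are
// read-only in Administration > Plugins > Filters > TeX notation, so the
// value cannot be edited (or abused) from the admin UI. The preamble text is
// an assumed value for this example.
$CFG->forced_plugin_settings['filter_tex']['latexpreamble'] =
    "\\usepackage[latin1]{inputenc}\n" .
    "\\usepackage{amsmath}\n" .
    "\\usepackage{amsfonts}\n";

// Forced settings must be assigned before lib/setup.php is loaded.
require_once(__DIR__ . '/lib/setup.php');
```

After adding this, confirm the TeX notation filter settings page shows the
preamble as locked, and keep the entry in place until the site has been
upgraded to 3.11.3, 3.10.7 or 3.9.10.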

- --------------------------------------------------------------------------------

MSA-21-0036: Quiz unreleased grade disclosure via web service

It was possible for a student to view their quiz grade before it had been
released, using a quiz web service.

Severity/Risk:     Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier
                  unsupported versions
Versions fixed:    3.11.3, 3.10.7 and 3.9.10
Reported by:       Nadav Kavalerchik
CVE identifier:    CVE-2021-40695
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71797
Tracker issue:     MDL-71797 Quiz unreleased grade disclosure via web service

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----