Flaw Found in Moodle Online Learning Platform
Vulnerability in Authentication Module Patched
The bug hunting team at pentesting firm Haxolot.com uncovered a remote code execution vulnerability in Moodle, an open-source online learning platform used by universities worldwide. The flaw has since been patched.
The flaw is present in the logout feature in Moodle's authentication module Shibboleth, which helps universities using the platform to authenticate students' identities before they're allowed to attend external courses, Haxolot researchers say. The flaw causes the logout function to invalidate the session.
The flaw arises from a parsing issue in a serialized value when a user attempts to log in to the platform.
The vulnerability could enable attackers to perform PHP web injection and insert malicious code, the researchers say. "The unserializesession function [used to read every file and deserialize its contents] will detect the xxx| string as a new session key although it belongs to the serialized value of another session key," the report notes. "This prematurely cuts off the serialized value mid-parsing and results in a broken deserialization." This could allow an attacker to execute any code of their choice. Other RCE flaws, for example, have been exploited to deliver ransomware.
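The parsing confusion the report describes can be shown with a small model. This is an added example, not Moodle's code or the researchers' code. It assumes the session data uses PHP's `key|serialized-value` session encoding; the function names and the sample data are constructed for illustration.

```python
import re

# Constructed sample: two session keys in key|serialized-value form.
# The 12-byte string stored under "note" happens to contain the text "xxx|".
SAMPLE = b'note|s:12:"hello xxx|hi";role|s:7:"student";'

def naive_split(data):
    """Flawed model: every word followed by '|' is taken as a new session key."""
    marks = list(re.finditer(rb'(\w+)\|', data))
    out = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(data)
        out[m.group(1).decode()] = data[m.end():end]
    return out

def value_end(data, pos):
    """Return the offset just past the one serialized value starting at pos."""
    tag = data[pos:pos + 1]
    if tag == b'N':                               # N;
        return pos + 2
    if tag in (b'i', b'b', b'd'):                 # i:42;  b:1;  d:0.5;
        return data.index(b';', pos) + 1
    if tag == b's':                               # s:<len>:"<bytes>";
        colon = data.index(b':', pos + 2)
        end = colon + 2 + int(data[pos + 2:colon])  # skip :" then <len> bytes
        if data[end:end + 2] != b'";':
            raise ValueError('declared string length does not match data')
        return end + 2
    if tag == b'a':                               # a:<n>:{key value ...}
        colon = data.index(b':', pos + 2)
        pos = colon + 2                           # skip :{
        for _ in range(int(data[pos - len(data) and colon - 0:colon][0:0] or data[data.rindex(b':', 0, colon) + 1:colon]) * 2):
            pos = value_end(data, pos)
        if data[pos:pos + 1] != b'}':
            raise ValueError('array not closed')
        return pos + 1
    raise ValueError('unsupported type tag %r' % tag)

def length_aware_parse(data):
    """Hardened model: a key boundary only exists where a full value has ended."""
    out, pos = {}, 0
    while pos < len(data):
        bar = data.index(b'|', pos)
        end = value_end(data, bar + 1)
        out[data[pos:bar].decode()] = data[bar + 1:end]
        pos = end
    return out
```

On the sample, `naive_split` reports a phantom `xxx` key and leaves `note` holding a truncated string, while `length_aware_parse` honours the declared lengths and returns only `note` and `role`.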
The researchers, who reported the bug to Moodle in February, note the company released a patch July 7. They did not report any examples of the flaw being exploited in the wild.
Targeting Education Sector
In a June alert, the U.K.'s National Cyber Security Center warned that unpatched software and hardware devices are one of the most common vectors for threat actors to gain access to a victim's network (see: NCSC Warns of Surge in Ransomware Attacks Against Schools).
A recent report by security firm Emsisoft found that schools were the most targeted ransomware victims in 2020, with almost 1,700 hacks against colleges and universities (see: Fueled by Profits, Ransomware Persists in New Year).