CVE-2021-22117 Overview
RabbitMQ installers on Windows prior to version 3.8.16 do not harden plugin directory permissions, potentially allowing attackers with sufficient local filesystem permissions to add arbitrary plugins. The practical risk is local privilege escalation: RabbitMQ loads plugins as code inside the broker's Erlang VM, so a plugin archive written into that directory by a local account that already has write access there ends up running with the privileges of the RabbitMQ Windows service.
Critical Impact
A local user who can write to the plugin directory can plant a new plugin or replace an existing one. Once that plugin is loaded, the attacker's code runs in the context of the RabbitMQ service (LocalSystem unless the service was reconfigured) and has full control of the broker, including every message it handles.
Affected Products
- VMware (now Broadcom) RabbitMQ Server for Windows, versions prior to 3.8.16, when deployed with the affected Windows installer
- Windows hosts carrying such an installation; the operating system itself is not at fault, so the Windows version does not matter
Discovery Timeline
- 2021-05-18 - CVE CVE-2021-22117 published to NVD
- 2025-04-02 - Last updated in NVD database
Technical Details for CVE-2021-22117
Vulnerability Analysis
The vulnerability stems from the permissions left on the plugin directory by the Windows installer. Rather than applying a hardened ACL, the installer leaves the directory with whatever it inherited from its parent, so local users who should not have modification rights may be able to write there. That matters because RabbitMQ's plugin architecture loads plugins, shipped as .ez archives (packaged Erlang applications), straight into the broker's Erlang VM, where they execute with the same privileges as the RabbitMQ service itself. The plugin directory is therefore a security boundary: whoever can write to it decides what code the broker runs.
Only enabled plugins are loaded, so an attacker with write access to the directory has two routes. Replacing the archive of a plugin that is already enabled gets code execution at the next service restart; dropping a new archive gets it as soon as an administrator enables that plugin (for example with rabbitmq-plugins enable). Either way the attacker's code runs with RabbitMQ service privileges.
This vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource) and CWE-94 (Improper Control of Generation of Code), reflecting both the root cause (permission misconfiguration) and the potential impact (code injection).
Root Cause
The root cause of CVE-2021-22117 is that the Windows installer does not apply a restrictive Access Control List (ACL) to the RabbitMQ plugin directory during installation. It does not ensure that only administrators and the service account can write there, so any local account that the inherited ACL happens to allow can add, modify or replace plugin files. Note that the advisory speaks of attackers "with sufficient local filesystem permissions": how wide the exposure is on a given host depends on what the parent directory's ACL grants.
The issue is specific to the directory tree created by the Windows installer, whose installation routine had no permission hardening step.
Attack Vector
The attack vector is local: the attacker needs an authenticated session on the Windows host running RabbitMQ, with enough filesystem rights to write to the plugin directory. The flow is:
- Gain local access to a Windows system running a vulnerable RabbitMQ version
- Locate the RabbitMQ plugin directory and confirm it is writable (icacls or Get-Acl shows this)
- Craft or obtain a malicious plugin archive containing arbitrary Erlang code
- Write it into the plugin directory, either under a new name or over an already enabled plugin
- When the plugin is loaded (at the next service restart for a replaced plugin, or when an administrator enables a new one), the attacker's code runs with RabbitMQ service privileges
No victim interaction is needed if the attacker overwrites an enabled plugin and waits for a restart; a newly dropped plugin needs an administrator to enable it. Exploitation complexity is low once local write access is obtained.
Detection Methods for CVE-2021-22117
Indicators of Compromise
- Plugin archives (.ez files) in the RabbitMQ plugins directory that are not part of the distribution or of an approved third-party set
- Changed hashes or unexpected modification timestamps on plugin archives that ship with the release
- Plugins reported as enabled by rabbitmq-plugins list (or present in the enabled_plugins file) that nobody on the team enabled
- Unusual child processes or network connections originating from the Erlang VM process (erl.exe) that hosts the broker
Detection Strategies
- Monitor file system changes to the RabbitMQ plugin directory using endpoint detection tools
- Audit the ACL on the RabbitMQ installation directories and flag any principal other than Administrators, SYSTEM and the service account that holds write, delete or change-permission rights
- Implement file integrity monitoring (FIM) for the plugin directory and the enabled_plugins file
- Review Windows Security Event logs (event ID 4663, object access) for writes to the directory; this only works once object access auditing has been enabled on it
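The ACL audit from the strategy list above, and the root-cause discussion, in runnable form. This is an added example, not RabbitMQ's own tooling or part of the advisory; the installation path is an assumption (RABBITMQ_PLUGINS_DIR is honoured if the installation overrides it), and the expected-principal list assumes the service still runs as LocalSystem. It reports every allow ACE on the plugin directory that grants a create, delete or re-permission right to anyone outside that list, including inherit-only entries that would apply to the plugin files themselves:

```powershell
# Added example (not RabbitMQ's own tooling): report principals that can write to the
# RabbitMQ plugin directory. Install path is an assumption; RABBITMQ_PLUGINS_DIR wins if set.
$pluginPath = [Environment]::GetEnvironmentVariable('RABBITMQ_PLUGINS_DIR', 'Machine')
if (-not $pluginPath) {
    $pluginPath = 'C:\Program Files\RabbitMQ Server\rabbitmq_server-3.8.x\plugins'
}

# Principals expected to hold write rights. Add the service account here if the RabbitMQ
# service was reconfigured to run as something other than LocalSystem.
# CREATOR OWNER is inherit-only and resolves to whoever created a file, which they could
# only do with CreateFiles on the directory, so it does not widen access by itself.
$expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
              'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

# Specific rights that let a user add, replace, delete or re-permission plugin archives
$writeRights = 'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask   = [System.Security.AccessControl.FileSystemRights]$writeRights
# Inherit-only ACEs may still carry unresolved generic rights; GENERIC_ALL (0x10000000)
# and GENERIC_WRITE (0x40000000) both imply write access
$genericWrite = 0x10000000 -bor 0x40000000

function Test-PluginDirAcl {
    param([string]$Path, [string[]]$ExpectedPrincipals)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ExpectedPrincipals -contains $ace.IdentityReference.Value) { continue }
        $rights   = [int]$ace.FileSystemRights
        $canWrite = (($rights -band [int]$writeMask) -ne 0) -or (($rights -band $genericWrite) -ne 0)
        if ($canWrite) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

$findings = @(Test-PluginDirAcl -Path $pluginPath -ExpectedPrincipals $expected)
if ($findings.Count -gt 0) {
    Write-Warning "$pluginPath is writable by principals outside the expected set:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "OK: only the expected principals can write to $pluginPath"
}
```

The Inherited column tells you whether a finding came from the parent directory's ACL (the situation this CVE describes) or from an explicit grant someone added later; the AppliesTo column distinguishes entries that apply to the directory itself from inherit-only ones that apply to the archives inside it.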
Monitoring Recommendations
- Enable SentinelOne's file integrity monitoring capabilities to detect unauthorized changes to the plugin directory
- Configure alerts for any new or modified .ez archive in the RabbitMQ plugin directory, and for changes to the enabled_plugins file
- Monitor RabbitMQ service for unexpected child processes or network connections
- Regularly audit local user permissions and access patterns on systems running RabbitMQ
How to Mitigate CVE-2021-22117
Immediate Actions Required
- Upgrade RabbitMQ to version 3.8.16 or later on all Windows installations, using the Windows installer so that its hardening step runs
- Audit and correct plugin directory permissions on existing installations, and check them again after the upgrade rather than assuming the installer fixed them
- Review all currently installed and enabled plugins for unauthorized or suspicious additions
- Limit which accounts can log on to broker hosts; the bug is reachable only by local users with write access to the directory
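A way to carry out the plugin review in the list above, and to detect the indicators of compromise listed under Detection Methods. This is an added example, not RabbitMQ's own tooling: the plugin path and the baseline file location are assumptions, and the cross-check against the broker's enabled plugins calls rabbitmq-plugins.bat, which queries the running node and is skipped if the script is not found. On first run against a trusted, patched install it records a SHA-256 baseline of every archive; on later runs it reports archives that are new, changed or missing, and marks any finding that the broker would actually load:

```powershell
# Added example (not RabbitMQ's own tooling): hash the plugin archives and compare them
# with a baseline taken from a trusted install. Both paths are assumptions.
$pluginPath   = 'C:\Program Files\RabbitMQ Server\rabbitmq_server-3.8.x\plugins'
$baselineFile = 'C:\ProgramData\RabbitMQ\plugins-baseline.json'

function Get-PluginInventory {
    param([string]$Path)
    # Plugins normally ship as .ez archives; an unpacked plugin directory is recorded
    # too, but only files get a hash
    foreach ($item in Get-ChildItem -Path $Path -Force) {
        [pscustomobject]@{
            Name     = $item.Name
            IsDir    = $item.PSIsContainer
            Sha256   = if ($item.PSIsContainer) { $null } else { (Get-FileHash -Path $item.FullName -Algorithm SHA256).Hash }
            Modified = $item.LastWriteTimeUtc.ToString('o')
        }
    }
}

function Compare-PluginInventory {
    param($Baseline, $Current)
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.Name] = $b }
    foreach ($c in $Current) {
        if (-not $known.ContainsKey($c.Name)) {
            "NEW      $($c.Name) (modified $($c.Modified))"
        } elseif (-not $c.IsDir -and $c.Sha256 -ne $known[$c.Name].Sha256) {
            "CHANGED  $($c.Name) (hash differs from baseline)"
        }
    }
    $names = @($Current | ForEach-Object Name)
    foreach ($name in $known.Keys) {
        if ($names -notcontains $name) { "MISSING  $name" }
    }
}

$current = @(Get-PluginInventory -Path $pluginPath)
if (-not (Test-Path $baselineFile)) {
    # First run on a freshly patched, trusted install: record the baseline and stop
    $current | ConvertTo-Json | Set-Content -Path $baselineFile
    Write-Host "Baseline of $($current.Count) entries written to $baselineFile"
} else {
    $baseline = @(Get-Content -Raw -Path $baselineFile | ConvertFrom-Json)
    $findings = @(Compare-PluginInventory -Baseline $baseline -Current $current)

    # A planted archive only runs once it is enabled or replaces an enabled plugin, so
    # ask the broker which plugins are enabled (-e enabled only, -m names only, -q quiet)
    $enabled    = @()
    $pluginsCmd = Join-Path (Split-Path -Parent $pluginPath) 'sbin\rabbitmq-plugins.bat'
    if (Test-Path $pluginsCmd) {
        $enabled = @(& $pluginsCmd list -e -m -q 2>$null | ForEach-Object { $_.Trim() })
    }

    foreach ($f in $findings) {
        # archive names look like rabbitmq_management-3.8.16.ez; strip the version suffix
        $archive = ($f -split '\s+')[1]
        $plugin  = $archive -replace '-[\d.]+\.ez$', ''
        if ($enabled -contains $plugin) { $f += '   ENABLED: the broker will load this' }
        $f
    }
    if ($findings.Count -eq 0) { Write-Host "OK: $pluginPath matches the baseline" }
}
```

Take the baseline immediately after installing 3.8.16 or later and hardening the directory, and store it somewhere the service account cannot write; a baseline kept next to the plugins would be as exposed as the plugins themselves.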
Patch Information
Broadcom (formerly VMware) addressed this vulnerability in RabbitMQ Server version 3.8.16 and later: the Windows installer now applies restrictive permissions to the plugin directory during installation, so unauthorized users can no longer add or modify plugins. Organizations should upgrade to the latest stable version of RabbitMQ to receive this fix along with other security improvements.
For detailed information, refer to the VMware CVE-2021-22117 Advisory.
Workarounds
- Manually restrict plugin directory permissions using Windows ACLs so that only Administrators, SYSTEM and the RabbitMQ service account can write there (the service account needs only read and execute)
- Do not rely on application control (AppLocker, WDAC) to stop a planted plugin: the plugin is Erlang bytecode loaded by the already trusted erl.exe, not a separate executable; application control still limits what a malicious plugin can spawn
- Use file system auditing to log and alert on any changes to the plugin directory
- Consider running RabbitMQ in a containerized environment where filesystem access is more strictly controlled
```powershell
# Manually harden RabbitMQ plugin directory permissions (run from an elevated prompt)
# Replace path with your actual RabbitMQ installation directory
$pluginPath = "C:\Program Files\RabbitMQ Server\rabbitmq_server-3.8.x\plugins"
# Grant explicit full control to Administrators and SYSTEM (the account the RabbitMQ
# Windows service runs as unless it was reconfigured) BEFORE removing inheritance,
# so the directory is never left with an empty DACL between the two steps
icacls $pluginPath /grant "BUILTIN\Administrators:(OI)(CI)F"
icacls $pluginPath /grant "NT AUTHORITY\SYSTEM:(OI)(CI)F"
# If the service runs under a dedicated account it needs read/execute only, e.g.
# icacls $pluginPath /grant "DOMAIN\rabbitmq-svc:(OI)(CI)RX"   (account name is an example)
# Now drop the entries inherited from the parent directory so only the explicit ones remain
icacls $pluginPath /inheritance:r
# Verify: only the principals granted above should be listed
icacls $pluginPath
```
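The file system auditing workaround, and the Security-log review suggested under Detection Strategies, need two things the text does not spell out: the "File System" audit subcategory must be on, and the directory needs a SACL entry, or no 4663 events are ever written. The following is an added example, not part of the advisory or of RabbitMQ; the plugin path is an assumption and the script must run elevated (Get-Acl -Audit needs SeSecurityPrivilege). It enables the audit policy, adds an audit rule for writes, deletions and permission changes by any principal, and then reads back the resulting events with the user and process that performed each write:

```powershell
# Added example (not RabbitMQ's own tooling): audit writes to the plugin directory and
# query the Security log for them. Path is an assumption; run from an elevated prompt.
$pluginPath = 'C:\Program Files\RabbitMQ Server\rabbitmq_server-3.8.x\plugins'

# 1. Object access auditing for files must be switched on, or the SACL is never consulted
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. SACL entry: audit any principal that creates, writes, deletes or re-permissions
#    anything under the directory (ContainerInherit/ObjectInherit covers the archives)
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')
$acl = Get-Acl -Path $pluginPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $pluginPath -AclObject $acl

# 3. Read back event 4663 ("An attempt was made to access an object") for that path.
#    Property indexes follow the 4663 event schema: 1 user, 2 domain, 6 object name,
#    8 access list, 11 process name.
function Get-PluginDirWriteEvents {
    param([string]$Path, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties.Count -ge 12 -and $_.Properties[6].Value -like "$Path*" } |
        ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($p[2].Value)\$($p[1].Value)"
                Object  = $p[6].Value
                Access  = ($p[8].Value -replace '\s+', ' ').Trim()
                Process = $p[11].Value
            }
        }
}

Get-PluginDirWriteEvents -Path $pluginPath | Format-Table -AutoSize
```

Expect the RabbitMQ service itself to show up here only during plugin enable/disable operations and upgrades; any other process or account writing to the directory, in particular a non-administrative user, is the signal this CVE is about. Forward the Security log to your SIEM so the events survive if the host is compromised.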
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


