Lernraum Berlin - Security Review
Recurity Labs conducted a white-box penetration test, with full source code and infrastructure access, of the Lernraum Berlin solution, a Moodle-based learning management system used by over 400 schools in the Berlin region of Germany to enable and support digital teaching. The solution supports not only the creation of learning materials, but also interactive tests and exercises, the assignment of homework together with collaborative tools for completing it, and a plethora of additional functions.
The assessment was initially requested by the Senate Department for Education, Youth and Family (SenBJF) and conducted in direct cooperation with infra.run, the developers and operators of the solution, who have been supporting the project with an approach that does not aim to maximise profit since the COVID-19 pandemic. Given that some of Recurity Labs’ consultants reside in and around Berlin, many with school-age children, supporting the project was of particular interest.
The Lernraum Berlin solution is operated and developed by infra.run in alignment with the requirements of the SenBJF. The majority of the components in use are free third-party services hosted by infra.run; where necessary, their functionality is extended through plug-in interfaces, and where that is not enough, through various tools developed by infra.run. The resulting environment can roughly be divided into the following components:
- The PHP-based Moodle Learning Management System.
- Keycloak as an identity provider (IdP) and access management solution developed in Java.
- A set of custom plugins that allow Moodle and Keycloak to work together.
- An event queue system for importing events into the Moodle database.
- A range of external services that teachers can make available to students through Moodle, such as Collabora, Etherpad and BigBlueButton.
The platform is based on a multi-layered concept of user roles, with separation at school, teacher and student level, enforced from the application level through to the infrastructure. The application processes personal data that is considered highly sensitive, and user accounts are managed outside the application using the Keycloak identity and access management system.
Assessment Results
Recurity Labs recorded a total of 17 vulnerabilities, ranging from security-relevant observations to potentially critical defects. Specifically, the tests identified the following twelve application and integration flaws and an additional five infrastructure-related issues:
Applications and Services
- Cross-Site Scripting (XSS) through Keycloak-based profile management
- Deletion of enrolment keys through unregistered users
- Desynchronisation of usernames between Keycloak and Moodle
- Instant messages with external content
- Missing password policy in the Keycloak master realm
- Moodle session cookie without the HTTPOnly flag
- Potential command injection vulnerability
- Shared service users with global administrator rights
- Unauthorized querying of names and profile pictures of all users of a Moodle instance
- Unauthorized querying of names of all users of a course via guest access
- Unauthorized querying of names of all users of a Moodle instance through error messages
- Upload of files with arbitrary content instead of profile pictures
Infrastructure
- Event rate limit not set
- Insufficient network policies
- Insufficient pod security policies
- Kubernetes auditing not activated
- Secrets in Kubernetes configmaps
The most significant vulnerability within the content developed by infra.run was a widespread Cross-Site Scripting (XSS) issue in Moodle, caused by the custom integration of Keycloak as an identity provider into the Moodle backend, which inadvertently bypassed the sanitisation Moodle applies to its user data.
Other vulnerabilities were identified in the upstream Moodle codebase, including user information leaks and unprotected access to sensitive information via the built-in dynamic table feature. These issues were disclosed to Moodle on behalf of the SenBJF. Notably, most of the Moodle-related issues were discovered and reported in parallel by Frédéric Massart, a long-time Moodle contributor. Recurity Labs considers this a fortuitous occurrence, as it is undoubtedly better for several parties to identify the same problem than for no one to do so.
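The following PHP snippet is an added illustration of the class of defect described above; it is not code from Lernraum Berlin, infra.run or Moodle. It assumes a hypothetical integration that copies a profile attribute from a Keycloak token into the Moodle user record and a page that later outputs that field. Values edited through Moodle's own profile forms are cleaned on the way in, whereas values written by an integration can skip that path, so the output layer must escape regardless of where the value came from. The `s()` helper exists in Moodle; the local definition here only approximates it so the script runs stand-alone, and the `strip_tags()` call stands in for Moodle's own parameter cleaning.

```php
<?php
declare(strict_types=1);

// Added illustration; not code from Lernraum Berlin, infra.run or Moodle.
// Assumed scenario: a custom IdP integration copies a display name from a
// Keycloak token into the Moodle user record, and a page outputs that field.

// Moodle ships an s() helper that HTML-escapes a string. It is defined here
// only so the script runs outside Moodle (an approximation of the real helper).
if (!function_exists('s')) {
    function s($value): string {
        return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

/** Constructed stand-in for claims read from a Keycloak ID token (not real data). */
function constructed_idp_claims(): array {
    return [
        'preferred_username' => 'student42',
        'name'               => 'Max <script>alert(1)</script> Mustermann',
        'email'              => 'student42@example.invalid',
    ];
}

/**
 * Vulnerable pattern: the integration stores the IdP claim verbatim and the
 * template interpolates it straight into HTML, so the browser runs the tag.
 */
function render_profile_unsafe(array $claims): string {
    $firstname = $claims['name'];              // stored exactly as received
    return "<h1>{$firstname}</h1>";            // no escaping at output
}

/**
 * Hardened pattern, two layers:
 *  1. clean the attribute at import time the way Moodle's own profile form
 *     would (strip_tags() stands in for Moodle's PARAM_TEXT cleaning);
 *  2. escape at output time regardless, because any other write path
 *     (a bulk import, a sync job) can bypass step 1.
 */
function render_profile_safe(array $claims): string {
    $firstname = trim(strip_tags($claims['name']));
    return '<h1>' . s($firstname) . '</h1>';
}

$claims = constructed_idp_claims();
echo "unsafe: ", render_profile_unsafe($claims), PHP_EOL;
echo "safe:   ", render_profile_safe($claims), PHP_EOL;
```

Running the script with `php` shows the unsafe rendering emitting the `<script>` element verbatim, while the hardened rendering outputs `<h1>Max alert(1) Mustermann</h1>`; even if the import-time cleaning were removed, the `s()` call would still neutralise the markup as `&lt;script&gt;`. The practical check for a reviewer is to trace every write path into the user table that does not go through Moodle's forms and confirm the consuming templates escape those fields.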
Despite the identified issues, the Lernraum solution appeared to have a high level of security overall and to be well positioned to protect against typical threats to web-based applications. In particular, the audited infrastructure configuration was largely consistent with security best practices.
As a concluding remark, Recurity Labs wishes to extend its gratitude to the devoted team at infra.run and to Jens Beckmann, project coordinator for the SenBJF, for their exemplary collaboration and seamless communication throughout the entire audit process, and for the opportunity to publish this article.