CVE-2020-35358 in DomainMOD

Summary

by MITRE • 03/15/2021

DomainMOD domainmod-v4.15.0 is affected by an insufficient session expiration vulnerability. On changing a password, both sessions using the changed password and old sessions in any other browser or device do not expire and remain active. Such flaws frequently give attackers unauthorized access to some system data or functionality.


Analysis

by VulDB Data Team • 04/01/2021

The vulnerability identified as CVE-2020-35358 affects DomainMOD version 4.15.0 and is a session management flaw in the application's authentication handling. When a user changes their password, the sessions that were established under the old password are not terminated: the session in which the change was made keeps its old identifier, and sessions open in other browsers or on other devices remain usable as well. Whoever holds one of those sessions, legitimately or not, therefore keeps access to the application after the credential change. The root cause is that the password-change routine does not invalidate existing sessions or re-issue the current one.

Technically the issue is classified as CWE-613 (Insufficient Session Expiration). Because the application does not revoke existing sessions when a password changes, an attacker who has already obtained a valid session identifier, for example through cookie theft or an unattended shared device, keeps access even after the legitimate user has rotated the credential. Changing the password is exactly the action a user takes to lock such an attacker out, so the defensive value of the change is lost. Terminating all other active sessions, and rotating the identifier of the session that performed the change, is a standard requirement in session-management guidance such as the OWASP Session Management Cheat Sheet and ASVS.

The operational impact is that an attacker who holds a hijacked session keeps it for as long as the session would otherwise have lived, regardless of the password change. What they can do with it is whatever the hijacked account is permitted to do, up to administrative control of the DomainMOD instance if the session belongs to an administrator, including reading and modifying the domain, registrar and credential records the application manages. The flaw matters because DomainMOD, like most web applications, authenticates requests by a session identifier carried in a cookie; once that identifier is in an attacker's hands, the password itself is no longer consulted on any request.

The fix belongs in the application: on a successful password change, invalidate every other session for the account and rotate the identifier of the current session, and apply the same treatment to password resets and administrative password changes. Operators who cannot patch can shorten absolute and idle session lifetimes and enable multi-factor authentication to reduce the value of a stolen session, but neither replaces invalidation. In ATT&CK terms the attacker behaviour that this flaw prolongs is T1550.004 (Use Alternate Authentication Material: Web Session Cookie), replaying a stolen cookie in place of credentials; T1539 (Steal Web Session Cookie) covers obtaining it in the first place. (The T1566 mapping sometimes attached to this issue is Phishing and does not describe session reuse.)
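The following is an added example, not DomainMOD code, that models the two behaviours discussed in the two paragraphs above with an in-memory session store: a store that leaves sessions alone on password change (the CWE-613 behaviour) beside one that revokes every session for the account and re-issues the caller's. The credential generation counter is the assumed mechanism; it lets a session be rejected even when the store cannot enumerate sessions by user, as with signed-cookie sessions. User names, passwords and the `demo()` scenario are constructed for illustration.

```python
"""Session invalidation on password change: vulnerable vs. hardened store.

Added example, not DomainMOD's code. Illustrates CWE-613 (Insufficient
Session Expiration) with an in-memory session store.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """PBKDF2-SHA256; the 16-byte salt is prepended to the derived key."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password: str, stored: bytes) -> bool:
    salt, dk = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], dk)


@dataclass
class User:
    name: str
    pw_hash: bytes
    # Assumed mechanism: bumped on every credential change; each session
    # remembers the generation it was issued under.
    credential_generation: int = 0


@dataclass
class Session:
    user: str
    generation: int
    created: float = field(default_factory=time.time)


class SessionStore:
    def __init__(self, invalidate_on_password_change: bool) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}
        self.invalidate_on_password_change = invalidate_on_password_change

    def register(self, name: str, password: str) -> None:
        self.users[name] = User(name, hash_password(password))

    def login(self, name: str, password: str) -> Optional[str]:
        user = self.users.get(name)
        if user is None or not verify_password(password, user.pw_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.credential_generation)
        return token

    def is_valid(self, token: Optional[str]) -> bool:
        s = self.sessions.get(token) if token else None
        if s is None:
            return False
        user = self.users[s.user]
        # The vulnerable store never compares generations, so any token that
        # survived the password change keeps working.
        if self.invalidate_on_password_change and s.generation != user.credential_generation:
            del self.sessions[token]  # lazy cleanup of a stale session
            return False
        return True

    def change_password(self, token: str, old_pw: str, new_pw: str) -> Optional[str]:
        """Returns the token the caller should continue with, or None on failure."""
        if not self.is_valid(token):
            return None
        user = self.users[self.sessions[token].user]
        if not verify_password(old_pw, user.pw_hash):
            return None  # require the current password before changing it
        user.pw_hash = hash_password(new_pw)
        if not self.invalidate_on_password_change:
            return token  # CWE-613: every existing session, on every device, stays live
        user.credential_generation += 1
        # Revoke every session for this account, then issue a fresh one to the caller.
        for t in [t for t, s in self.sessions.items() if s.user == user.name]:
            del self.sessions[t]
        new_token = secrets.token_urlsafe(32)
        self.sessions[new_token] = Session(user.name, user.credential_generation)
        return new_token


def demo(hardened: bool) -> Dict[str, bool]:
    """Constructed scenario: two devices log in, device A changes the password."""
    store = SessionStore(invalidate_on_password_change=hardened)
    store.register("alice", "correct horse")
    device_a = store.login("alice", "correct horse")
    device_b = store.login("alice", "correct horse")  # e.g. a session an attacker stole
    after = store.change_password(device_a, "correct horse", "battery staple")
    return {
        "old_device_a_token_valid": store.is_valid(device_a),
        "device_b_token_valid": store.is_valid(device_b),
        "new_token_valid": store.is_valid(after),
        "old_password_logs_in": store.login("alice", "correct horse") is not None,
    }


if __name__ == "__main__":
    print("vulnerable:", demo(hardened=False))
    print("hardened:  ", demo(hardened=True))
```

In the vulnerable configuration `demo(False)` reports both pre-change tokens still valid, which is the advisory's finding; in `demo(True)` only the freshly issued token works. The old password stops working in both cases, which is why the flaw is easy to miss in testing: the credential change looks effective until someone checks a second browser.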

Reservation

12/14/2020

Disclosure

03/15/2021

Moderation

accepted

CPE

ready

EPSS

0.02432

KEV

no

Activities

very low

Sources
