CVE-2021-3311 in October
Summary
by MITRE • 02/05/2021
An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid after a logout) once a new login occurs. NOTE: this violates the intended Auth/Manager.php authentication behavior but, admittedly, is only relevant if an old session ID is known to an attacker.
Analysis
by VulDB Data Team • 02/24/2021
This vulnerability is a session management flaw in October CMS through build 471. After a user logs out, the session identifier is correctly marked invalid, but once a new login occurs the old identifier is reactivated and accepted again. Session lifecycle management therefore fails at exactly the point where an invalidated token should stay invalid for good.
The flaw lies in the authentication manager, Auth/Manager.php. On logout the manager should invalidate the current session ID so that every later use of that identifier fails authentication. Instead, a subsequent login reactivates session identifiers that were previously marked invalid, which bypasses the logout mechanism and restores access to protected resources. This violates the expected security model, in which session termination is absolute and irreversible.
Operationally, the risk materialises when an attacker holds a session ID from an earlier session of the victim. Once a new login reactivates it, the attacker can replay that ID and keep accessing resources even though the legitimate user has logged out, with no further authentication attempt needed. Whether the flaw is relevant depends entirely on obtaining such an ID, which is plausible in environments where session IDs are exposed through network monitoring, browser caching, or other information disclosure vulnerabilities.
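The following is an added illustration of the lifecycle described above, written for this page and not taken from October CMS or its Auth/Manager.php: a tiny in-memory session store with a vulnerable `login` that re-binds whatever session ID the client presents (reviving an ID revoked by logout) beside a hardened `login` that always issues a fresh ID. The class and function names are hypothetical.

```python
"""Model of the session-reactivation flaw: logout revokes an ID, but a later
login revives it. Hypothetical illustration, not October CMS code."""
import secrets


class SessionStore:
    def __init__(self):
        self.active = {}      # session_id -> user
        self.revoked = set()  # IDs invalidated by logout

    def logout(self, sid):
        self.active.pop(sid, None)
        self.revoked.add(sid)

    def is_valid(self, sid):
        return sid in self.active


class VulnerableAuth(SessionStore):
    def login(self, user, presented_sid=None):
        # Bug: an ID the client presents is trusted and re-bound to the user,
        # even if an earlier logout had revoked it.
        sid = presented_sid or secrets.token_hex(16)
        self.revoked.discard(sid)
        self.active[sid] = user
        return sid


class HardenedAuth(SessionStore):
    def login(self, user, presented_sid=None):
        # Fix: the presented ID is never reused. A new login always gets a
        # freshly generated ID, and a revoked ID stays revoked.
        if presented_sid in self.active:
            self.logout(presented_sid)   # rotate any still-live session
        sid = secrets.token_hex(16)
        self.active[sid] = user
        return sid


def replay_after_logout(auth_cls):
    """True if an old session ID works again after logout and re-login."""
    auth = auth_cls()
    old = auth.login("alice")
    auth.logout(old)
    assert not auth.is_valid(old)         # logout itself works in both models
    auth.login("alice", presented_sid=old)  # second login, stale cookie sent
    return auth.is_valid(old)


if __name__ == "__main__":
    print("vulnerable revives old ID:", replay_after_logout(VulnerableAuth))
    print("hardened revives old ID: ", replay_after_logout(HardenedAuth))
```

The check a practitioner wants is the one `replay_after_logout` performs: log in, log out, log in again, then present the first ID. Any session layer in which that ID is accepted again has the same class of flaw, whichever framework it runs on.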
The security implications align with CWE-613 (Insufficient Session Expiration), which covers improper handling of session identifiers. This vulnerability also maps to ATT&CK technique T1563.002, which covers credentials from password reuse, as attackers can leverage previously valid session tokens to maintain access. In effect the flaw opens a path to unauthorized access through the legitimate session management code itself, which is particularly dangerous in multi-user environments where session tokens may be intercepted or harvested. Organizations should treat it as part of their broader session management posture and monitor for session IDs being used after logout.
Mitigation should make session invalidation permanent: every session identifier is terminated on logout, a new login issues a fresh identifier rather than reviving an old one, and a known identifier stays unusable even when it is in the hands of an unauthorized party. Operators should additionally enforce session timeouts, strict session management policies, and multi-factor authentication to limit the damage of a compromised token. Security audits of authentication systems should verify the session lifecycle end to end, and developers should ensure that all session identifiers are tracked and invalidated according to established best practice.
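As an added example of the monitoring recommended above (not part of the VulDB analysis and not an October CMS feature), the sketch below scans an authentication event log and reports any request or login that presents a session ID after a logout for that same ID. The log format, field names and the sample lines are constructed for this illustration; a real deployment would adapt `LOG_RE` to its own audit log.

```python
"""Detect session IDs that are used again after they were logged out.
Constructed log format and sample data; hypothetical helper names."""
import re
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<event>login|logout|request) sid=(?P<sid>[0-9a-f]+)'
    r'(?: user=(?P<user>\S+))?(?: path=(?P<path>\S+))?$'
)

# Constructed sample: sid a1b2 is logged out at 10:00:05, a new login gets
# c3d4, and then a1b2 is presented again on a request (the reactivation case).
SAMPLE_LOG = """\
2021-02-24T10:00:00Z login sid=a1b2 user=alice
2021-02-24T10:00:01Z request sid=a1b2 path=/backend
2021-02-24T10:00:05Z logout sid=a1b2
2021-02-24T10:00:09Z login sid=c3d4 user=alice
2021-02-24T10:00:12Z request sid=a1b2 path=/backend/users
2021-02-24T10:00:13Z request sid=c3d4 path=/backend
"""


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_revived_sessions(log_text):
    """Return one finding per event that reuses a logged-out session ID:
    (sid, event, event_ts, logout_ts, path). A login that presents a
    logged-out ID is reported too, because a correct login always issues a
    fresh ID and never re-binds an old one."""
    logged_out = {}   # sid -> timestamp of its last logout
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev["event"] == "logout":
            logged_out[ev["sid"]] = ev["ts"]
        elif ev["sid"] in logged_out:
            findings.append(
                (ev["sid"], ev["event"], ev["ts"], logged_out[ev["sid"]], ev["path"])
            )
    return findings


if __name__ == "__main__":
    for sid, event, ts, out_ts, path in find_revived_sessions(SAMPLE_LOG):
        print(f"{sid}: {event} at {ts:%H:%M:%S} after logout at {out_ts:%H:%M:%S} path={path}")
```

Note that the detector deliberately does not clear a session ID from `logged_out` when a later login appears with that ID: under a correct implementation that event cannot happen, so it is itself evidence of the reactivation behaviour rather than a reason to trust the ID again.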