
CVE-2021-41268 : Security Advisory and Response

Learn about CVE-2021-41268, a vulnerability in Symfony SecurityBundle that allows an attacker to retain access to an account after its password has been changed. Find mitigation steps and upgrade to version 5.3.12.

Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. This vulnerability allows attackers to maintain access to an account even after the password is changed, due to a flaw in the handling of Remember me cookies.

Understanding CVE-2021-41268

What is CVE-2021-41268?

Symfony 5.3.0 to 5.3.11 has a security issue where the Remember me cookie is not invalidated upon a password change, enabling attackers to retain access to an account.

The Impact of CVE-2021-41268

This vulnerability poses a medium severity risk with high confidentiality impact. An attacker who already holds a valid Remember me cookie for the account needs only low privileges and no user interaction to keep using it after the password is changed.

Technical Details of CVE-2021-41268

Vulnerability Description

From Symfony 5.3.0 until the fix in 5.3.12, changing a password does not invalidate the Remember me cookie, so an attacker holding such a cookie keeps access after the password change.

Affected Systems and Versions

        Product: Symfony
        Vendor: Symfony
        Versions Affected: >= 5.3.0, < 5.3.12

Exploitation Mechanism

        Attack Vector: Network
        Privileges Required: Low
        User Interaction: None

Mitigation and Prevention

Immediate Steps to Take

        Upgrade Symfony to version 5.3.12 or later.
        Regenerate Remember me cookies for all users after a password change.
        Monitor account activities for any signs of unauthorized access.

Long-Term Security Practices

        Regularly review and update security configurations.
        Educate users about strong password practices and the importance of timely updates.
        Implement multi-factor authentication where possible.

Patching and Updates

        Symfony released version 5.3.12, which makes the password part of the Remember me cookie signature by default, mitigating this vulnerability.
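As an added illustration (not Symfony's own code), the following Python model shows why binding the Remember me signature to the stored password hash, as 5.3.12 does by default, invalidates the cookie when the password changes: `bind_password=False` mirrors the 5.3.0 to 5.3.11 behaviour and `bind_password=True` the fix. The secret, user, hashes and clock are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample secret; Symfony would use its APP_SECRET.
APP_SECRET = b"constructed-sample-secret"


def fake_password_hash(password: str) -> str:
    """Stand-in for the stored password hash (bcrypt/argon2 in a real app)."""
    return hashlib.sha256(password.encode()).hexdigest()


def signature(identifier: str, expires: int, password_hash: str, bind_password: bool) -> str:
    """HMAC over the cookie fields. bind_password=False models 5.3.0-5.3.11, where
    the password is not signed; bind_password=True models the 5.3.12 default."""
    fields = [identifier, str(expires)]
    if bind_password:
        fields.append(password_hash)
    return hmac.new(APP_SECRET, ":".join(fields).encode(), hashlib.sha256).hexdigest()


def create_cookie(identifier: str, expires: int, password_hash: str, bind_password: bool) -> str:
    sig = signature(identifier, expires, password_hash, bind_password)
    return base64.urlsafe_b64encode(f"{identifier}:{expires}:{sig}".encode()).decode()


def cookie_is_valid(cookie: str, current_password_hash: str, bind_password: bool, now: int) -> bool:
    """Verify a cookie against the user's *current* stored hash (looked up by
    identifier in a real app). Malformed input is rejected rather than raising."""
    try:
        identifier, expires, sig = base64.urlsafe_b64decode(cookie).decode().split(":", 2)
        expires = int(expires)
    except ValueError:  # bad base64, bad UTF-8 or missing fields
        return False
    if expires < now:
        return False
    expected = signature(identifier, expires, current_password_hash, bind_password)
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def survives_password_change(bind_password: bool) -> bool:
    """True if a cookie issued before a password change is still accepted afterwards."""
    now = 1_700_000_000  # constructed fixed clock so the result is reproducible
    cookie = create_cookie("alice", now + 30 * 86400, fake_password_hash("old-pw"), bind_password)
    # The user changes their password: the stored hash is replaced.
    return cookie_is_valid(cookie, fake_password_hash("new-pw"), bind_password, now)
```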
