CVE-2021-3844: Rapid7 InsightVM has insufficient session expiration when administrators edit user security settings, allowing compromised accounts to remain active after credential changes.


Description Preview

Rapid7 InsightVM contains a session management vulnerability (CWE-613) where the application fails to properly invalidate existing sessions after security-relevant changes are made to user accounts. When an administrator changes a user's password or other security-relevant settings in response to a potential compromise, the system does not terminate existing sessions for that user. This means that if an attacker has already gained access to a user's account, they can continue to use the compromised session even after the administrator has changed the password. This vulnerability undermines the effectiveness of administrator interventions during security incidents and could allow attackers to maintain unauthorized access to the system despite remediation attempts.

Overview

This vulnerability (CVE-2021-3844) in Rapid7 InsightVM allows existing user sessions to remain active even after security-critical changes are made to the user account by an administrator. In a typical scenario, if a credential leak is discovered and an administrator changes a user's password as a security measure, any active sessions associated with that compromised account will not be terminated. This means that an attacker who has already logged in using the leaked credentials can continue to operate within the system despite the password change, potentially causing further damage or maintaining unauthorized access. This issue is related to a previous vulnerability (CVE-2019-5638) and represents a significant session management flaw that could undermine security incident response efforts.
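The scenario above reduces to one missing step in the server's session store: nothing ties an existing session to the credentials it was issued under. The following is an added illustration, not Rapid7 or InsightVM code, and the class names, the in-memory store and the credential-generation counter are all assumptions made for the example. `VulnerableSessions` behaves as the advisory describes; `HardenedSessions` stamps each session with the user's credential generation, rejects sessions issued under an older generation, and purges the user's sessions eagerly when an administrator resets the password.

```python
"""Session invalidation on credential change (CWE-613), in miniature.

Added illustration, not Rapid7 or InsightVM code. VulnerableSessions leaves
existing sessions usable after an administrator resets a user's password (the
behaviour CVE-2021-3844 describes); HardenedSessions ties every session to the
user's credential generation and revokes old sessions on reset.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

def _hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the demonstration runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    cred_generation: int = 0  # bumped on every security-relevant change

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, self.salt), self.pw_hash)

def make_user(name: str, password: str) -> User:
    salt = os.urandom(16)
    return User(name, salt, _hash_password(password, salt))

class VulnerableSessions:
    """Records the generation at login but never checks it; a reset touches no session."""

    def __init__(self):
        self.users = {}     # username -> User
        self.sessions = {}  # token -> (username, generation at issue)

    def add_user(self, user: User) -> None:
        self.users[user.name] = user

    def login(self, name: str, password: str):
        user = self.users.get(name)
        if user is None or not user.check_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (name, user.cred_generation)
        return token

    def admin_set_password(self, name: str, new_password: str) -> None:
        user = self.users[name]
        user.salt = os.urandom(16)
        user.pw_hash = _hash_password(new_password, user.salt)
        # Flaw: self.sessions is untouched, so a token obtained with the leaked
        # password keeps working after the reset.

    def current_user(self, token: str):
        entry = self.sessions.get(token)
        return entry[0] if entry else None

class HardenedSessions(VulnerableSessions):
    """A reset orphans every old session and revokes it immediately."""

    def admin_set_password(self, name: str, new_password: str) -> None:
        super().admin_set_password(name, new_password)
        self.users[name].cred_generation += 1  # sessions stamped with older values die
        self.revoke_all(name)                  # and server-side state is purged too

    def revoke_all(self, name: str) -> int:
        stale = [t for t, (n, _) in self.sessions.items() if n == name]
        for t in stale:
            del self.sessions[t]
        return len(stale)

    def current_user(self, token: str):
        entry = self.sessions.get(token)
        if entry is None:
            return None
        name, issued_gen = entry
        if issued_gen != self.users[name].cred_generation:
            self.sessions.pop(token, None)  # catches sessions a replicated store missed
            return None
        return name

def incident_scenario(store_cls):
    """Attacker logs in with leaked creds, admin resets password, attacker retries.

    Returns (attacker_session_still_valid, old_password_rejected, new_login_works).
    """
    store = store_cls()
    store.add_user(make_user("alice", "leaked-pw"))
    attacker_token = store.login("alice", "leaked-pw")
    store.admin_set_password("alice", "fresh-strong-pw")
    still_valid = store.current_user(attacker_token) == "alice"
    old_rejected = store.login("alice", "leaked-pw") is None
    new_token = store.login("alice", "fresh-strong-pw")
    return still_valid, old_rejected, store.current_user(new_token) == "alice"
```

Running `incident_scenario(VulnerableSessions)` returns `(True, True, True)`: the password reset works, yet the attacker's session is still valid. `incident_scenario(HardenedSessions)` returns `(False, True, True)`. The generation check in `current_user` is kept alongside the eager `revoke_all` on purpose: in a deployment where sessions live in a replicated cache or a signed cookie, the purge can lag or miss, and comparing the stamped generation against the user's current one closes that gap.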

Remediation

To mitigate this vulnerability, Rapid7 recommends enabling the Platform Login feature for InsightVM, which provides the session management needed to address the insufficient session expiration issue. Organizations using InsightVM should:

  1. Enable the Platform Login feature following the instructions in Rapid7's documentation.
  2. Update all InsightVM instances to a release that addresses this vulnerability.
  3. Apply compensating controls where possible: IP restrictions on the console, multi-factor authentication, and short session timeouts. An idle timeout only bounds how long a hijacked session survives; it does not replace invalidation on credential change.
  4. Monitor user session activity, especially in the period immediately after a password reset or other security-relevant account change. A session that was established before the reset and is still issuing requests after it is the signature of this flaw.
  5. During an incident, terminate all active sessions for affected users in addition to changing their credentials, then confirm that the old session token is rejected before treating the account as contained.
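Step 4 can be automated against an audit trail. The script below is an added example, not Rapid7 code, and the single-line event format it parses (`LOGIN`, `PASSWORD_CHANGED`, `REQUEST` events with `key=value` fields) is constructed for the example; map those three event types onto whatever your console or SIEM actually records before using it. It correlates each request with the login that created its session and the user's most recent password change, and flags any session that predates the change but is still in use after it.

```python
"""Flag sessions that keep issuing requests after a password reset.

Added example, not Rapid7 code. The audit-log format is constructed for the
example (one time-sorted event per line); adapt parse_line() to your own
console or SIEM export.
"""
import re
from datetime import datetime, timezone

# Constructed sample: alice's pre-reset session s1 is still used after her
# password is changed at 10:05; s2 is a fresh post-reset login; bob is noise.
SAMPLE_LOG = """\
2021-11-01T10:00:00Z LOGIN user=alice session=s1 src=203.0.113.7
2021-11-01T10:02:00Z LOGIN user=bob session=s3 src=10.0.0.9
2021-11-01T10:05:00Z PASSWORD_CHANGED user=alice actor=admin
2021-11-01T10:07:00Z REQUEST user=alice session=s1 src=203.0.113.7 path=/sites
2021-11-01T10:09:00Z LOGIN user=alice session=s2 src=10.0.0.12
2021-11-01T10:10:00Z REQUEST user=alice session=s2 src=10.0.0.12 path=/sites
2021-11-01T10:11:00Z REQUEST user=bob session=s3 src=10.0.0.9 path=/scans
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<event>[A-Z_]+)(?P<kv>(?: \w+=\S+)*)$"
)

def parse_line(line: str):
    """Return a dict of fields for one event line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["event"] = m["event"]
    return fields

def find_stale_session_use(lines):
    """Single pass over time-ordered events.

    A finding is a REQUEST on a session established before the user's most
    recent PASSWORD_CHANGED event and used after it: exactly the window an
    attacker holding a pre-reset session exploits.
    """
    session_start = {}  # session id -> login time
    last_reset = {}     # user -> time of most recent credential change
    findings = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["event"] == "LOGIN":
            session_start[ev["session"]] = ev["ts"]
        elif ev["event"] == "PASSWORD_CHANGED":
            last_reset[ev["user"]] = ev["ts"]
        elif ev["event"] == "REQUEST":
            started = session_start.get(ev["session"])
            reset = last_reset.get(ev["user"])
            if started is not None and reset is not None and started < reset < ev["ts"]:
                findings.append({
                    "user": ev["user"],
                    "session": ev["session"],
                    "src": ev.get("src"),
                    "reset_at": reset,
                    "used_at": ev["ts"],
                    "seconds_after_reset": int((ev["ts"] - reset).total_seconds()),
                })
    return findings

if __name__ == "__main__":
    for f in find_stale_session_use(SAMPLE_LOG.splitlines()):
        print(f"{f['user']}: session {f['session']} from {f['src']} still active "
              f"{f['seconds_after_reset']}s after password reset")
```

On the sample data this reports one finding, session `s1` used 120 seconds after the reset, and stays silent on `s2` and on bob. Two caveats for real use: the correlation needs the original `LOGIN` event, so a session that began before the start of the log window is invisible to this pass and should be treated as suspect on its own, and the input must be time-sorted, otherwise a late-arriving login line would hide a finding.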

References

  1. Rapid7 InsightVM Platform Login Documentation: https://docs.rapid7.com/insightvm/enable-insightvm-platform-login
  2. Related Vulnerability CVE-2019-5638: https://www.cve.org/cverecord?id=CVE-2019-5638
  3. CWE-613: Insufficient Session Expiration: https://cwe.mitre.org/data/definitions/613.html

Industry Exposure (most to least)

This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Accommodation & Food Services
  2. Administrative, Support, Waste Management & Remediation Services
  3. Agriculture, Forestry, Fishing & Hunting
  4. Arts, Entertainment & Recreation
  5. Construction
  6. Educational Services
  7. Finance and Insurance
  8. Health Care & Social Assistance
  9. Information
  10. Management of Companies & Enterprises
  11. Manufacturing
  12. Mining
  13. Other Services (except Public Administration)
  14. Professional, Scientific, & Technical Services
  15. Public Administration
  16. Real Estate Rental & Leasing
  17. Retail Trade
  18. Transportation & Warehousing
  19. Utilities
  20. Wholesale Trade
