CVE-2021-35342

7.5 HIGH

📋 TL;DR

This vulnerability in the useradm service of Mender Enterprise allows users to keep using their JWT tokens after logging out when the JWT verification cache is enabled, because a cached verification result is not invalidated on logout. It affects Mender Enterprise 2.6.x before 2.6.1 and 2.7.x before 2.7.1, potentially allowing unauthorized access to IoT device management systems.

💻 Affected Systems

Products:
  • Northern.tech Mender Enterprise
Versions: 2.6.x before 2.6.1, 2.7.x before 2.7.1
Operating Systems: Linux
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when JWT verification cache is enabled (not default). The useradm service versions 1.13.0 and 1.14.0 are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Former employees or compromised accounts maintain persistent access to IoT device management infrastructure, enabling device manipulation, data exfiltration, or deployment of malicious firmware.

🟠 Likely Case

Users who should have been logged out retain access to the management interface, potentially accessing sensitive device information or making unauthorized configuration changes.

🟢 If Mitigated

With proper session management and monitoring, impact is limited to temporary unauthorized access until token expiration.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid JWT token from a previously authenticated user and JWT verification cache enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Mender Enterprise 2.6.1, 2.7.1

Vendor Advisory: https://mender.io/blog/cve-2021-35342-useradm-logout-vulnerabililty

Restart Required: Yes

Instructions:

1. Upgrade to Mender Enterprise 2.6.1 or 2.7.1.
2. Restart the useradm service.
3. Verify that the JWT verification cache is properly invalidating tokens on logout.

🔧 Temporary Workarounds

Disable JWT verification cache (Linux)

Disable the JWT verification cache feature to prevent token persistence after logout: edit the useradm configuration to set the JWT verification cache to false.

🧯 If You Can't Patch

  • Implement strict session timeout policies and force periodic re-authentication
  • Monitor for unusual access patterns from previously logged-out users

🔍 How to Verify

Check if Vulnerable:

Check Mender Enterprise version and verify if JWT verification cache is enabled in useradm configuration

Check Version:

mender version | grep -i enterprise

Verify Fix Applied:

After patching, test logout functionality and verify tokens become invalid immediately
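The failure mode this advisory describes, as an added example that is not Mender's code: a hypothetical useradm-like service (AuthService, issue_token and token_survives_logout are constructed names, and the signing key is a constructed sample) whose verification cache answers before the revocation store is consulted, so a logged-out token keeps working unless the cache entry is evicted on logout (the fix) or the cache is disabled (the workaround above).

```python
import base64, hashlib, hmac, json, time
SECRET = b"constructed-demo-signing-key"  # constructed sample key, not a real secret

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(signing_input: str) -> str:
    return _b64url(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_token(user: str, jti: str, ttl: int = 3600) -> str:
    """HS256 JWT carrying a unique id (jti) so logout can revoke it."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": user, "jti": jti, "exp": int(time.time()) + ttl}).encode())
    return f"{header}.{claims}.{_sign(header + '.' + claims)}"

class AuthService:
    """Hypothetical useradm-like service (not Mender's code): a revocation store
    behind an optional cache of verification verdicts."""
    def __init__(self, cache_enabled: bool, invalidate_on_logout: bool):
        self.cache_enabled, self.invalidate_on_logout = cache_enabled, invalidate_on_logout
        self.revoked = set()   # jti values of logged-out tokens
        self.cache = {}        # token -> cached verification verdict
    def _claims(self, token: str):
        header, claims, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(header + "." + claims)):
            return None
        return json.loads(base64.urlsafe_b64decode(claims + "=" * (-len(claims) % 4)))
    def verify(self, token: str) -> bool:
        if self.cache_enabled and token in self.cache:
            return self.cache[token]   # cache hit: the revocation store is never consulted
        c = self._claims(token)
        ok = c is not None and c["exp"] > time.time() and c["jti"] not in self.revoked
        if self.cache_enabled:
            self.cache[token] = ok
        return ok
    def logout(self, token: str) -> None:
        c = self._claims(token)
        if c is not None:
            self.revoked.add(c["jti"])
            if self.invalidate_on_logout:   # the fix: evict the cached verdict too
                self.cache.pop(token, None)

def token_survives_logout(cache_enabled: bool, invalidate_on_logout: bool) -> bool:
    """True if a token is still accepted after logout, i.e. the vulnerable outcome."""
    svc = AuthService(cache_enabled, invalidate_on_logout)
    tok = issue_token("alice", "jti-0001")
    svc.verify(tok)   # an ordinary request populates the verification cache
    svc.logout(tok)
    return svc.verify(tok)
```

The same three-step check (authenticate, log out, replay the token) is what to run against a real deployment after patching: a replayed token must be rejected.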

📡 Detection & Monitoring

Log Indicators:

  • Multiple successful authentications with the same user token after a logout event
  • Access attempts with expired or revoked tokens

Network Indicators:

  • API calls with tokens that should be invalidated
  • Unusual access patterns from previously logged-out sessions

SIEM Query:

source="mender" AND (event="logout" OR event="token_invalidation") | stats count by user, token_id
