CVE-2023-28316

9.8 CRITICAL

📋 TL;DR

A session fixation vulnerability in Rocket.Chat's 2FA implementation allows attackers to maintain access to compromised accounts even after 2FA is enabled. It affects every Rocket.Chat user who enables 2FA on an instance that does not invalidate existing sessions at that moment. An attacker who already holds stolen credentials keeps a working session and so sidesteps the newly enabled second factor.

💻 Affected Systems

Products:
  • Rocket.Chat
Versions: prior to 6.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Rocket.Chat deployments with 2FA enabled are affected unless patched.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers maintain persistent access to compromised accounts, bypassing 2FA entirely, leading to data theft, privilege escalation, and complete account takeover.

🟠 Likely Case

Attackers with previously stolen credentials continue accessing accounts after victims enable 2FA, potentially accessing sensitive communications and data.

🟢 If Mitigated

With proper session management, attackers lose access immediately when 2FA is enabled, limiting the attack window to the period before 2FA activation.

🌐 Internet-Facing: HIGH - Rocket.Chat instances exposed to the internet are directly vulnerable to credential theft attacks.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable if attackers gain credentials through phishing or other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires stolen credentials before 2FA activation. The vulnerability is simple to exploit once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.0 and later

Vendor Advisory: https://github.com/RocketChat/Rocket.Chat/releases/tag/6.0.0

Restart Required: Yes

Instructions:

1. Backup your Rocket.Chat instance.
2. Update to Rocket.Chat 6.0.0 or later.
3. Restart the Rocket.Chat service.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Force logout all sessions (applies to: all)

Manually invalidate all active sessions when enabling 2FA:

Admin panel → Users → Select user → Logout from all devices

Disable 2FA temporarily (applies to: all)

Disable 2FA, force logout all sessions, then re-enable 2FA.

🧯 If You Can't Patch

  • Force logout all user sessions immediately after enabling 2FA for any user
  • Implement additional authentication monitoring and alert on suspicious session activity

🔍 How to Verify

Check if Vulnerable:

Check whether the Rocket.Chat version is below 6.0.0 and whether 2FA is enabled in settings.

Check Version:

Admin panel → Info → Version or check package manager

Verify Fix Applied:

Verify that the version is 6.0.0 or later, then test that enabling 2FA for a user invalidates all of that user's other sessions.

📡 Detection & Monitoring

Log Indicators:

  • Multiple active sessions for same user after 2FA enablement
  • Sessions persisting beyond 2FA activation time

Network Indicators:

  • Unusual authentication patterns
  • Session tokens used from multiple IPs after 2FA enablement

SIEM Query:

source="rocketchat" event="2fa_enabled" | stats count by user | where count>1

This query flags users with more than one 2FA-enablement event, which is only a coarse proxy: it does not by itself show that a pre-2FA session survived. To confirm the log indicators above, correlate each session's creation and activity timestamps against the user's 2FA enablement time.
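The two log indicators above (sessions created before 2FA enablement and still active afterwards) can be checked directly by correlating events. The following is an added example, not part of the advisory or of Rocket.Chat; the event names (login, 2fa_enabled, request), the field names and the log lines are all constructed for the illustration.

```javascript
// Added detection example: correlate constructed JSON log lines to find
// sessions issued before a user's 2FA enablement that are still used after it.
// Event and field names are assumptions, not Rocket.Chat's real log schema.
const LOG_LINES = [
  '{"ts":"2023-03-01T10:00:00Z","event":"login","user":"alice","session":"s1","ip":"203.0.113.5"}',
  '{"ts":"2023-03-01T10:05:00Z","event":"login","user":"alice","session":"s2","ip":"198.51.100.7"}',
  '{"ts":"2023-03-01T10:10:00Z","event":"2fa_enabled","user":"alice","session":"s2"}',
  '{"ts":"2023-03-01T10:15:00Z","event":"request","user":"alice","session":"s1","ip":"203.0.113.5"}',
  '{"ts":"2023-03-01T10:16:00Z","event":"request","user":"alice","session":"s2","ip":"198.51.100.7"}',
  '{"ts":"2023-03-01T11:00:00Z","event":"login","user":"bob","session":"s3","ip":"192.0.2.9"}',
  '{"ts":"2023-03-01T11:05:00Z","event":"2fa_enabled","user":"bob","session":"s3"}',
  '{"ts":"2023-03-01T11:10:00Z","event":"request","user":"bob","session":"s3","ip":"192.0.2.9"}',
];

// Parse one JSON line per event and order by timestamp so correlation is
// independent of the order lines arrived in the SIEM.
function parseLogs(lines) {
  return lines
    .map((line) => { const e = JSON.parse(line); e.t = Date.parse(e.ts); return e; })
    .sort((a, b) => a.t - b.t);
}

// Returns one finding per session (other than the session that enabled 2FA)
// that was issued before the user's 2fa_enabled event and shows activity after it.
function findSurvivingSessions(lines) {
  const events = parseLogs(lines);
  const enabledAt = new Map(); // user -> { t, session }
  const issuedAt = new Map();  // session -> { user, t, ip }
  const findings = [];
  for (const e of events) {
    if (e.event === 'login') {
      issuedAt.set(e.session, { user: e.user, t: e.t, ip: e.ip });
    } else if (e.event === '2fa_enabled') {
      enabledAt.set(e.user, { t: e.t, session: e.session });
    } else if (e.event === 'request') {
      const enabled = enabledAt.get(e.user);
      const issued = issuedAt.get(e.session);
      const alreadyReported = findings.some((f) => f.session === e.session);
      if (enabled && issued && issued.t < enabled.t && e.t > enabled.t
          && e.session !== enabled.session && !alreadyReported) {
        findings.push({ user: e.user, session: e.session, ip: e.ip, lastSeen: e.ts });
      }
    }
  }
  return findings;
}

console.log(findSurvivingSessions(LOG_LINES)); // alice's session s1 is flagged
```

In the constructed data, alice's session s1 predates her 2FA enablement and is still active afterwards, so it is reported; s2 is the session that enabled 2FA and bob's only session was opened before enablement but is the enabling session itself, so neither is flagged. On a patched instance (6.0.0 or later) this correlation should return nothing after enablement.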
