CVE-2023-37504

7.1 HIGH

📋 TL;DR

HCL Compass fails to properly invalidate user sessions upon logout, allowing session hijacking. Attackers who obtain valid session identifiers can reuse them to impersonate authenticated users. This affects all HCL Compass deployments using vulnerable versions.

💻 Affected Systems

Products:
  • HCL Compass
Versions: All versions prior to 23.1.2
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with default session management settings are vulnerable. Custom configurations may also be affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain unauthorized access to sensitive data, perform privileged actions, or compromise entire systems by reusing stolen session tokens of administrators or high-privilege users.

🟠 Likely Case

Attackers with network access or insider knowledge steal session cookies/tokens and gain unauthorized access to user accounts, potentially accessing confidential information or performing unauthorized actions.

🟢 If Mitigated

With proper network segmentation, session monitoring, and short session timeouts, impact is limited to potential unauthorized access within the application's scope.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires obtaining valid session identifiers through network sniffing, XSS, or other means, then replaying them. No authentication bypass needed once session ID is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 23.1.2 and later

Vendor Advisory: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107511

Restart Required: Yes

Instructions:

1. Download HCL Compass version 23.1.2 or later from the HCL support portal.
2. Back up the current installation and data.
3. Run the installer with administrative privileges.
4. Restart all Compass services.
5. Verify that the upgrade succeeded.

🔧 Temporary Workarounds

Implement Session Timeout

all

Configure short session timeout values to limit the window for session replay attacks.

Modify the session timeout in the Compass configuration files (typically web.xml or the server configuration).

Network Segmentation

all

Restrict access to the Compass application to trusted networks only.

Configure firewall rules to limit access to the Compass ports (typically 8080 and 8443).

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the Compass application
  • Deploy web application firewall with session fixation protection rules
  • Monitor for unusual session activity and implement alerting
  • Educate users to clear browser sessions and use private browsing when accessing sensitive applications

🔍 How to Verify

Check if Vulnerable:

Check HCL Compass version via administration console or by examining installed version in program files. Versions below 23.1.2 are vulnerable.

Check Version:

Check the Compass version via the administration interface, or examine version.txt in the installation directory.

Verify Fix Applied:

After patching, verify version is 23.1.2 or later. Test logout functionality to confirm sessions are properly invalidated.

📡 Detection & Monitoring

Log Indicators:

  • Multiple successful logins from same session ID after logout events
  • Session IDs being used from unexpected IP addresses or geolocations
  • Unusual session duration exceeding configured timeout

Network Indicators:

  • HTTP requests with same session cookie from multiple IP addresses
  • Session tokens transmitted over unencrypted connections

SIEM Query:

source="compass_logs" AND (event="logout" OR event="session_invalidate") | stats count by session_id | where count > 1
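As an added example (not code from this page or from HCL), a small Python checker that applies the first log indicator (activity on a session ID after its logout event) and the first network indicator (one session cookie seen from several source addresses) to constructed sample log lines. The line layout, field names and values are assumptions for illustration, not HCL Compass's actual log format.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real HCL Compass output; the field layout is an assumption).
# Fields: <ISO-8601 timestamp> event=<login|request|logout> session_id=<id> src_ip=<ip> user=<name>
SAMPLE_LOGS = """\
2023-08-01T09:00:00Z event=login session_id=A1 src_ip=10.0.0.5 user=alice
2023-08-01T09:05:10Z event=request session_id=A1 src_ip=10.0.0.5 user=alice
2023-08-01T09:10:00Z event=logout session_id=A1 src_ip=10.0.0.5 user=alice
2023-08-01T09:12:30Z event=request session_id=A1 src_ip=198.51.100.7 user=alice
2023-08-01T09:00:00Z event=login session_id=B2 src_ip=10.0.0.9 user=bob
2023-08-01T09:20:00Z event=logout session_id=B2 src_ip=10.0.0.9 user=bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) session_id=(?P<sid>\S+) src_ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)

def parse_logs(text):
    """Parse log lines into dicts; lines that do not match the assumed layout are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]

def find_reuse_after_logout(events):
    """Map session_id -> events seen after that session's logout (ISO timestamps sort as strings)."""
    by_sid = defaultdict(list)
    for ev in events:
        by_sid[ev["sid"]].append(ev)
    findings = {}
    for sid, evs in by_sid.items():
        logged_out = False
        for ev in sorted(evs, key=lambda e: e["ts"]):
            if ev["event"] == "logout":
                logged_out = True  # any later activity on this id means the session was not invalidated
            elif logged_out:
                findings.setdefault(sid, []).append(ev)
    return findings

def find_multi_ip_sessions(events):
    """Map session_id -> sorted source IPs, for sessions seen from more than one address."""
    ips = defaultdict(set)
    for ev in events:
        ips[ev["sid"]].add(ev["ip"])
    return {sid: sorted(s) for sid, s in ips.items() if len(s) > 1}

if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("reuse after logout:", find_reuse_after_logout(evs))
    print("multi-IP sessions:", find_multi_ip_sessions(evs))
```

On the sample input, session A1 is flagged by both checks (a request 2.5 minutes after its logout, from a second address) while B2 is clean; the same logic can run over an exported Compass log once the regex is adapted to the real field layout.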
