[Freedombox-discuss] Security issue: session hijack during first wizard

Sunil Mohan Adapa sunil at medhas.org
Thu Apr 1 01:58:15 BST 2021


A security issue has been reported and fixed in freedombox[1][2] by
Kirill Schmidt mentored by Dominik George.

Impacted users: Users performing initial setup of FreedomBox on
untrusted networks

Description: After entering the first run wizard secret, other
web-sessions can continue the first run wizard without being asked for
the first run wizard secret.

Mitigation Advice: Perform initial FreedomBox setup only on trusted
networks unless using a version with a fix (see below).

Explanation: The first run wizard in FreedomBox is available during the
initial setup of FreedomBox; its primary function is to allow the user
to create an administrator account. We have introduced the feature of
asking for a passphrase for this wizard so that administrators can run
it safely. A secret available only to an administrator of the system
(in /var/lib/plinth/firstboot-wizard-secret) needs to be entered during
the first step of the first run wizard. On the next step, an
administrator account is created by the wizard. The second step is meant
to be protected by the secret requested during the first step. The
wizard is no longer available after it is finished. After the
administrator account is created, the wizard requires a valid login, so
the remaining (trivial) steps are protected.

The feature of providing the first run wizard secret is only available
and relevant to users who install FreedomBox via apt. This feature is
not available/relevant to users who use FreedomBox images for various
hardware[3], including users of FreedomBox Pioneer Edition hardware[4].
We believe this category of users is the majority.
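To make the "other web-sessions can continue" problem concrete, here is an added illustration (not FreedomBox's own code): the step-2 gate modelled two ways, once with the secret check recorded in process-wide state, so any session passes after the first one proves the secret, and once with the check bound to the session that proved it. The secret path is the one named above; the handler names, the Session stand-in and the sample secret are assumptions constructed for the example.

```python
# Added illustration (not FreedomBox's own code). The file path is the one
# named in the advisory; handler names and the Session type are assumptions.
import hmac

SECRET_PATH = "/var/lib/plinth/firstboot-wizard-secret"  # from the advisory
# Constructed sample secret so the example runs offline instead of reading the file.
_WIZARD_SECRET = "constructed-sample-secret"


def load_secret() -> str:
    """Stand-in for reading SECRET_PATH; returns the constructed value here."""
    return _WIZARD_SECRET


class Session(dict):
    """Stand-in for a per-browser server-side session (e.g. Django's)."""


# --- Vulnerable shape: verification recorded in process-wide state -------
_process_state = {"secret_verified": False}

def vuln_welcome(session: Session, submitted: str) -> bool:
    if hmac.compare_digest(submitted, load_secret()):
        _process_state["secret_verified"] = True  # shared by every session
        return True
    return False

def vuln_create_admin_allowed(session: Session) -> bool:
    return _process_state["secret_verified"]      # any session passes now


# --- Hardened shape: verification bound to the session that proved it ----
def safe_welcome(session: Session, submitted: str) -> bool:
    if hmac.compare_digest(submitted, load_secret()):
        session["firstboot_secret_verified"] = True  # this session only
        return True
    return False

def safe_create_admin_allowed(session: Session) -> bool:
    return session.get("firstboot_secret_verified", False)


def demo() -> dict:
    """Admin session proves the secret; an unrelated session then tries step 2."""
    admin, other = Session(), Session()
    results = {}
    vuln_welcome(admin, load_secret())
    results["vulnerable_other_session_passes"] = vuln_create_admin_allowed(other)
    safe_welcome(admin, load_secret())
    results["hardened_other_session_passes"] = safe_create_admin_allowed(other)
    results["hardened_admin_session_passes"] = safe_create_admin_allowed(admin)
    return results
```

The hardened form also uses a constant-time comparison for the secret; the session-bound flag is what closes the hole described in this advisory.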

Exploit: The vulnerability can be exploited by an adversary without any
tool or code. In a typical home server setup, an adversary in the home
network, during the initial setup of FreedomBox (at the right time), can
create an administrator account for themselves and gain full access. In
the case of FreedomBox cloud instances (unusual), an adversary can
remotely exploit the vulnerability from the public internet.

Affected/Fixed versions:
- All versions >= 0.22.0.
- unstable (21.4.1). Fixed in 21.4.2.
- bullseye/testing (21.4). The fixed version 21.4.2 will flow in from unstable soon[5].
- buster-backports (21.4~bpo10+1). The fix will flow in soon after bullseye.
- buster (19.1+deb10u1). The fix will be available soon.
- stretch (0.13.1+ds-1) is not affected.

CVE ID: Requested, not allotted yet.


1) https://salsa.debian.org/freedombox-team/freedombox/-/issues/2074
3) https://freedombox.org/download/
5) https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986177

Thank you,

