This is a critical security release to address a bug in the Socket.io implementation of the daemon. You should update immediately.
Due to an oversight in how the websockets were configured in the daemon, the last person to load the console socket would apply their permissions to everyone who had the console loaded. As a result, anyone who should not have had permission to send commands to the console suddenly did.
The root cause of this exploit was setting the authentication token on line 34 of socket.js, which applied it globally to the socket rather than locally to the connected client. This issue has been rectified: the token passed on each call to the socket is now read, and the global token assignment, which should not have existed, has been removed.
This exploit required a valid user authentication token to be provided in order to even authenticate with the websocket, so any non-subusers would not have been able to access data from or send data to the websocket. However, due to the structure of the code, a user could spam the websocket connection and cause all other authenticated users to be de-authenticated with the spammed invalid token. This method would still have required a user to know a server's UUID, which is generally not public information unless the user already had some type of access to that server. Users who had both a valid server UUID and an authentication token would have been able to bypass their own lower permissions if a user with higher permissions loaded the websocket in their browser.
This was an unusual edge case, but it is nonetheless something that should not have been introduced. Moving forward we will be sure to include this type of dual-user load testing on the application and daemon to ensure that permissions are not overwritten when a new user loads the page.
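To make the defect and the fix concrete, here is an added example that is not the daemon's code: a minimal in-memory stand-in for the console socket, with the vulnerable shape (one token stored on the shared socket) next to the hardened shape (token kept per connection and re-checked on every call), plus the kind of dual-user regression check described above. The class names, token values and permission names are assumptions for illustration; no real Socket.io server is involved.

```javascript
// Added example, not the daemon's code. Models the advisory's bug class with
// plain objects so it runs offline; names below are illustrative assumptions.

// Constructed token table: a token maps to the permissions it grants.
const TOKENS = {
  'tok-owner': new Set(['console:view', 'console:send']),
  'tok-viewer': new Set(['console:view']),
};

// Returns the permission set for a token, or null if the token is unknown.
function permissionsFor(token) {
  return Object.prototype.hasOwnProperty.call(TOKENS, token) ? TOKENS[token] : null;
}

// Vulnerable shape: a single token held on the socket, shared by every client.
class SharedTokenConsole {
  constructor() {
    this.activeToken = null;   // shared across ALL clients: this is the defect
    this.clients = new Set();  // connected client ids
  }
  connect(id, token) {
    if (!permissionsFor(token)) return false;
    this.activeToken = token;  // last connector's token now applies to everyone
    this.clients.add(id);
    return true;
  }
  // Permission check uses the shared token, not the caller's own.
  sendCommand(id) {
    if (!this.clients.has(id)) return false;
    const perms = permissionsFor(this.activeToken);
    return Boolean(perms && perms.has('console:send'));
  }
}

// Hardened shape: the token is bound to the connection and checked on each call.
class PerClientConsole {
  constructor() {
    this.clients = new Map();  // client id -> { token }
  }
  connect(id, token) {
    if (!permissionsFor(token)) return false;
    this.clients.set(id, { token });
    return true;
  }
  // The token passed with the call must match the one bound at connect time.
  sendCommand(id, token) {
    const client = this.clients.get(id);
    if (!client || client.token !== token) return false;
    const perms = permissionsFor(token);
    return Boolean(perms && perms.has('console:send'));
  }
}

// Dual-user regression check: a viewer connects, then an owner connects;
// the viewer must still be unable to send commands afterwards.
function dualUserCheck(Impl) {
  const sock = new Impl();
  sock.connect('viewer', 'tok-viewer');
  sock.connect('owner', 'tok-owner');
  return {
    viewerCanSend: sock.sendCommand('viewer', 'tok-viewer'),
    ownerCanSend: sock.sendCommand('owner', 'tok-owner'),
  };
}
```

Running `dualUserCheck(SharedTokenConsole)` reports the viewer as able to send once the owner has connected, which is exactly the permission overwrite described above; `dualUserCheck(PerClientConsole)` keeps the viewer restricted. A check of this form, run with two differently privileged users connected at once, is the test that would have caught the regression.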
Thank you to Mohron#9350, who discovered this issue and reported it to us on Discord. This vulnerability was disclosed on June 14, 2017 at 20:44 U.S. Central Time, and a fix was pushed to GitHub at 21:34.
This bug was introduced in c73056ff; this exploit is present in all versions of the Daemon from 0.4.1 and is patched in
- Fixes security hole which set the active socket permissions to the last user to request the socket, potentially allowing users without permissions to access different console options.