@cel-desktop %KjTMSIYdBHj0pqmNaaXICgxp3iTAUfATJnOPtfR39gA=.sha256

Security Notice: secret-stack RPC permission bypass

In March 2019, I found a security vulnerability in the ssb-server stack. I referred the bug to Dominic, who found the cause in the secret-stack package and fixed it. I notified maintainers of Patchwork, Manyverse, and other SSB apps, who updated their applications to use the patched secret-stack.

The vulnerability is with authenticating outgoing connections. Normally, when two different ssb-server instances connect to each other, they use remote procedure calls (RPC) to conduct SSB replication, using a set of allowed RPC methods. ssb-server has additional privileged RPC methods that are only supposed to be used by the user or their applications locally. In the case of this vulnerability, when ssb-server initiated a connection to a peer, that peer was allowed to call the privileged RPC methods on the local ssb-server, rather than only being able to call the intended set of public methods. The implications for an attacker are:

  • Affected instances could have their private messages read, and messages published by them without the user's consent.
  • Manyverse instances could have their private key exfiltrated via a blobs method.
  • Pubs or ssb-server CLI instances could be made to execute arbitrary code via the plugins.install method.

An ssb-server instance that only received incoming connections and made no outgoing connections would be unaffected.

The issue is fixed in secret-stack v6.0.2 and later, as well as (backported) v5.1.1, v4.2.5, v3.3.3, and v2.5.3.

The following applications were updated to include the fix for this issue:

  • Patchbay
  • Patchwork
  • Manyverse
  • ssb-server
  • scuttlebot
  • ssb-pub

The following applications have not been updated (Electron builds or Docker images contain affected versions of secret-stack):

  • TickTack
  • Infinite Game
  • Tale:net
  • Gester
  • lite-ssb-pub
  • easy-ssb-pub

To see if your ssb-server instance is currently affected by this vulnerability, here is a program to use: ssb-permission-check. It is a shell script using a version of sbotc released today.
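The permission bug described in the notice, modelled as an added example (not secret-stack's or ssb-server's own code): a gate that scopes a peer's RPC permissions by connection direction beside one that scopes them only by who the remote authenticated as. The method names, the `conn` shape and the sample keys are assumptions for illustration.

```javascript
// Constructed method sets (illustrative, not the real ssb-server manifest).
const PUBLIC_METHODS = new Set(['createHistoryStream', 'blobs.get', 'blobs.has']);
const PRIVATE_METHODS = new Set(['publish', 'private.unbox', 'plugins.install', 'blobs.add']);

// conn: { direction: 'incoming' | 'outgoing', localKey, remoteKey }
// localKey/remoteKey are the identities established by the handshake.

// Vulnerable pattern: a connection the local server dialled is handed the
// privileged set, so the dialled peer inherits the local user's rights.
function isAllowedVulnerable(conn, method) {
  const privileged = conn.direction === 'outgoing' || conn.remoteKey === conn.localKey;
  if (privileged) return PUBLIC_METHODS.has(method) || PRIVATE_METHODS.has(method);
  return PUBLIC_METHODS.has(method);
}

// Fixed pattern: direction is irrelevant; only a peer that authenticated as
// the local identity (i.e. a local app) gets the privileged set.
function isAllowedFixed(conn, method) {
  const privileged = conn.remoteKey === conn.localKey;
  if (privileged) return PUBLIC_METHODS.has(method) || PRIVATE_METHODS.has(method);
  return PUBLIC_METHODS.has(method);
}

// Defender's check: which privileged methods could this peer reach under a gate?
function exposedPrivileged(isAllowed, conn) {
  return [...PRIVATE_METHODS].filter((m) => isAllowed(conn, m));
}

// Constructed sample keys (not real SSB identities).
const LOCAL = '@local-example-key.ed25519';
const REMOTE = '@remote-pub-example-key.ed25519';

// A pub the local server dialled out to, and a local client app.
const dialledPeer = { direction: 'outgoing', localKey: LOCAL, remoteKey: REMOTE };
const localApp = { direction: 'incoming', localKey: LOCAL, remoteKey: LOCAL };

console.log('vulnerable gate exposes:', exposedPrivileged(isAllowedVulnerable, dialledPeer));
console.log('fixed gate exposes:', exposedPrivileged(isAllowedFixed, dialledPeer));
```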

@cel-desktop %B1cuRQbnNRa7x9kWot6IpGnHBEXLWDtehzahrCdpRbw=.sha256

@Freifunk Muenchen (Test)

What are the last vulnerable version numbers?

Patchwork: 3.11.4

Patchbay: 7.16.1

Manyverse: 0.1902.27-beta (I am not sure about 0.1903.13-beta and 0.1903.19-beta)

Ticktack: Ticktack-0.4.1

Infinite Game: 1.0.1

Tale:net: 0.9.0-beta1.1

Gester: 1.1.1 (assumed)
