Security issue: session hijack during first wizard

A security issue has been reported and fixed in FreedomBox by Kirill Schmidt mentored by Dominik George.

Impacted users: Users performing initial setup of FreedomBox on untrusted networks

Description: Once the first run wizard secret has been entered in one web session, other web sessions can continue the first run wizard without being asked for the secret.

Mitigation Advice: Perform initial FreedomBox setup only on trusted networks unless using a version with a fix (see below).

Explanation: The first run wizard in FreedomBox is available during the initial setup of FreedomBox; its primary function is to allow the user to create an administrator account. We introduced the feature of asking for a passphrase for this wizard so that administrators can run it safely. A secret available only to an administrator of the system (in /var/lib/plinth/firstboot-wizard-secret) needs to be entered during the first step of the wizard. In the next step, the wizard creates an administrator account. The second step is meant to be protected by the secret requested in the first step. The wizard is no longer available after it has been finished. After the administrator account is created, the wizard requires a valid login, so the remaining (trivial) steps are protected.
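The root cause described above, reduced to a toy model (added illustration, not FreedomBox's own code): recording "secret verified" in process-wide state lets every session pass step 2, whereas recording it in the verifying session's own store does not. The secret value and the `Session` class are constructed for the example.

```python
import hmac

# Constructed stand-in for the content of /var/lib/plinth/firstboot-wizard-secret.
WIZARD_SECRET = "example-firstboot-secret"


class Session:
    """Minimal stand-in for one browser's server-side session store."""

    def __init__(self):
        self.data = {}


class VulnerableWizard:
    """Step-1 success is kept in state shared by all sessions (the reported bug)."""

    def __init__(self):
        self.secret_verified = False  # one flag for the whole process

    def step1(self, session, secret):
        if hmac.compare_digest(secret, WIZARD_SECRET):
            self.secret_verified = True
        return self.secret_verified

    def step2_allowed(self, session):
        # Any session, not just the one that supplied the secret, gets through.
        return self.secret_verified


class FixedWizard:
    """Step-1 success is bound to the session that actually supplied the secret."""

    def step1(self, session, secret):
        ok = hmac.compare_digest(secret, WIZARD_SECRET)
        if ok:
            session.data["firstboot_secret_verified"] = True
        return ok

    def step2_allowed(self, session):
        return session.data.get("firstboot_secret_verified", False)


def demo(wizard_cls):
    """Admin enters the secret in their session; an unrelated session then requests step 2.

    Returns (admin_allowed, other_session_allowed).
    """
    wizard = wizard_cls()
    admin, other = Session(), Session()
    wizard.step1(admin, WIZARD_SECRET)
    return wizard.step2_allowed(admin), wizard.step2_allowed(other)
```

`demo(VulnerableWizard)` yields `(True, True)`, reproducing the issue; `demo(FixedWizard)` yields `(True, False)`.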

The feature of providing the first wizard secret is only available and relevant to users who install FreedomBox via apt. It is not available or relevant to users who use FreedomBox images for various hardware, including users of FreedomBox Pioneer Edition hardware. We believe this category of users is the majority.

Exploit: The vulnerability can be exploited by an adversary without any tool or code. In a typical home server setup, an adversary in the home network, during the initial setup of FreedomBox (at the right time), can create an administrator account for themselves and gain full access. In the case of FreedomBox cloud instances (unusual), an adversary can remotely exploit the vulnerability from the public internet.

Affected/Fixed versions:

  • All versions >= 0.22.0.
  • unstable (21.4.1). Fixed in 21.4.2.
  • bullseye/testing (21.4). The fixed 21.4.2 will flow from unstable soon.
  • buster-backports (21.4~bpo10+1). Fix will flow soon after bullseye.
  • buster (19.1+deb10u1). Fix will be available soon.
  • stretch (0.13.1+ds-1) is not affected.

CVE ID: Requested, not allotted yet.