Today during an onging internal security audit being conducted by Radically Open Security it was discovered that authentication is not being properly applied to the
settings route / endpoint. The flaw has been fixed and now released.
The impact is that data from the settings page could be accessed without authentication, allowing attackers access to the sensitive information stored via that page. A mitigating factor is that the attacker must have access to the network upon which Control Center is running, and know the address of a running instance.
All versions of Control Center between 1.1.0 and before 1.5.1 are affected by this flaw.
If an upgrade to Control Center 1.5.1 is not possible, a mitigation strategy is to restrict access to the web interface to safe clients, for example by using an allow-list of IP addresses. Access logs of the web server should be checked for evidence of attacks exploiting this flaw. Any token or password which may have been accessible via the Settings page should be cycled.
Missing your favourite packaging system? Request it in the comments.
This project has received funding from the European Union’s Horizon 2020 research and innovation programme within the framework of the NGI-ZERO Project.