Security

The following list of major security enhancements have been implemented within the 2.4 release:

Issue

Description

Resolution

Password reset and email verification procedures can be exploited by an adversary that acquired a user ID

Hardened action link generation with UUIDs

Cloud services do not log sensitive events occurred during runtime

Implemented security logs to collect evidence that can help with incident investigation

Weak password hash computation is vulnerable to rainbow table attacks

Hardened password hash computation with salting

Hardcoded default password is vulnerable to password guessing attacks

Implemented password change procedure on first login and replaced hardcoded password with a hash

Some API responses leak user secrets by revealing password hashes

Removed password hashes from API responses

Some API responses reveal server version which can be leveraged by an adversary to compromise it using exploits

Removed server version from API responses

API ‘system’ command leak internal file tree by revealing absolute paths of certificate files

Replaced absolute paths of certificates with file names

Cloud services are vulnerable to black box exploitation attempts, brute forcing, credential stuffing and DDoS

Implemented IP-based rate limit for API endpoints

Weak UUID generation with reduced entropy

Hardened UUID by increasing entropy

RTTY-enabled APs can be overtaken by an adversary accessing RTTYS dedicated management interface using default hardcoded credentials

Hardened RTTYS access by randomizing default credentials at deployment

Known security issues

  • WIFI-5770 - RTTYS version used has security flaws which are to be resolved in next releases

Last updated

TIP OpenWiFi