Lightmeter 1.5.1: Important security fixes

Sam Tuke, Apr 1 2021

Lightmeter Control Center settings authentication flaw

Today, during an ongoing internal security audit being conducted by Radically Open Security, it was discovered that authentication was not being properly applied to the settings route / endpoint. The flaw has been fixed and the fix is now released.

The impact is that data from the settings page could be accessed without authentication, allowing attackers access to the sensitive information stored via that page. A mitigating factor is that the attacker must have access to the network upon which Control Center is running, and know the address of a running instance.

Affected Versions

All versions of Control Center from 1.1.0 up to, but not including, 1.5.1 are affected by this flaw.

Solutions and Mitigations

If an upgrade to Control Center 1.5.1 is not possible, a mitigation strategy is to restrict access to the web interface to safe clients, for example by using an allow-list of IP addresses. Access logs of the web server should be checked for evidence of attacks exploiting this flaw. Any token or password which may have been accessible via the Settings page should be cycled.
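One way to carry out the access-log check described above, as an added example that is not part of the advisory or the Lightmeter code: it reads reverse-proxy access logs in the common "combined" format and flags requests to the settings endpoint from clients outside an IP allow-list that the server answered successfully. The settings route, the allow-listed networks and the sample log lines are assumptions constructed for the example, not values from the advisory.

```python
"""Added example (not Lightmeter's code): flag access-log requests to the
Control Center settings endpoint from clients outside an allow-list.
Assumes nginx/Apache "combined" log format; SETTINGS_PREFIX is a
placeholder, as the advisory does not name the exact route."""
import ipaddress
import re

SETTINGS_PREFIX = "/settings"  # placeholder: set to the real settings route
# Networks allowed to reach the web interface (the advisory's IP allow-list).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]

# Fields of the "combined" log format we need: client IP, time, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample lines: two allow-listed clients, one outside client
# that fetched the settings page and got a 200 (the flaw), then a 401.
SAMPLE_LOG = """\
192.168.1.20 - - [01/Apr/2021:10:00:01 +0000] "GET /settings HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.3.4.5 - - [01/Apr/2021:10:00:09 +0000] "GET / HTTP/1.1" 200 840 "-" "Mozilla/5.0"
203.0.113.77 - - [01/Apr/2021:10:01:15 +0000] "GET /settings HTTP/1.1" 200 1532 "-" "curl/7.68.0"
203.0.113.77 - - [01/Apr/2021:10:01:16 +0000] "POST /settings HTTP/1.1" 401 0 "-" "curl/7.68.0"
"""

def is_allowed(ip: str) -> bool:
    """True if the client address is inside an allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)

def suspicious_settings_requests(log_text: str) -> list[dict]:
    """Settings-endpoint requests from non-allow-listed clients that were
    answered 2xx, i.e. the server actually served the page."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip
        rec = m.groupdict()
        if (rec["path"].startswith(SETTINGS_PREFIX)
                and not is_allowed(rec["ip"])
                and rec["status"].startswith("2")):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in suspicious_settings_requests(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
```

Any hit is a settings-page fetch that the allow-list would have blocked and that should be treated as a possible disclosure of the tokens and passwords stored there.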

CVEs

Timeline

Download

Missing your favourite packaging system? Request it in the comments.

Supported by

This project has received funding from the European Union’s Horizon 2020 research and innovation programme within the framework of the NGI-ZERO Project.
