As a result, if a hacker had access to a cookie or variable stored in the Octopus Server application, the hacker would also have access to the data stored in that variable. To protect against this issue, an additional encryption step was added to the process that encrypts session cookies.

It was determined that the encryption process was vulnerable to a downgrade attack. For a more detailed explanation of the vulnerability and how it was fixed, see the Octopus Server Vulnerability Fixes blog post. End users upgrading to Octopus Server 14.0.2 or later should upgrade to the latest version to avoid this issue. In a nutshell, the upgrade process changed the encryption key used to protect session cookies.

When a new upgrade of Octopus Server is installed, the upgrade process generates a new encryption key. If an end user or administrator upgrades their Octopus Server installation and the new installation uses a different encryption key than the old installation, then the data in session cookies that were saved to the old installation will be decrypted when the session is next accessed.

What’s an encryption key?

An encryption key is a random value that keeps your data safe. The less predictable the key, the harder it is for hackers to break into an encrypted file. With encryption keys, you can use a password to protect your data and keep your files private and secure.

What to do if you are running an older version of Octopus Server

If you are running a version of Octopus Server that is older than 14.0.2, upgrade your installation to the latest version using the instructions in this blog post.

If you had previously upgraded to a newer version of Octopus Server and are now running an older version, the upgrade process will generate new encryption keys for the session cookies that were saved on the old installation before installing. This will allow data stored in those session cookies to be decrypted when next accessed.

How to verify your installation is secure

1) If you are using Octopus Server 14.0.2 or later, verify that the upgrade process generated a new encryption key to protect session cookies by doing the following:

a) Access your Octopus Server installation and go to the General settings tab on the left side of the screen. In general settings, verify that the Encryption key (session cookies) is set to "generated during upgrade."
b) Restart Octopus Server and check that the same setting is observed in general settings.

How does this vulnerability occur?

This vulnerability occurs when an end user or administrator upgrades their Octopus Server installation and the new installation uses a different encryption key than the old installation. When this occurs, data in session cookies that were saved to the old installation will be decrypted when the session is next accessed.
As a result, if a hacker had access to a cookie or variable stored in the Octopus Server application, the hacker would also have access to the data stored in that variable.

How to detect if you are susceptible to the downgrade attack

The most reliable way to detect whether you are susceptible to the downgrade attack is to check the "Protocol Version" and "Encryption Key Version" fields in the /octopus/app_server/conf/config.ini file. If these values don't match, you may be susceptible.
To fix this issue, follow the instructions from the blog post mentioned above to change the values of those settings in your /octopus/app_server/conf/config.ini file, or upgrade your Octopus Server installation to version 14.0.2 or later.
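The check above compares a configured key version against what the server expects. The following is an added example, not Octopus Server's own code: it shows a toy session-cookie format that binds an "Encryption Key Version" label into the authenticated ciphertext and refuses any cookie whose version does not match the server's current key, so a cookie minted under an older key cannot be replayed after rotation. The cookie layout, the demo keys and the HMAC-SHA256 counter keystream (standing in for a real AEAD) are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo keys indexed by key version; a real server would load its
# current key from configuration rather than keep every version in memory.
KEYS = {1: b"old-installation-key-00000000000", 2: b"new-installation-key-00000000000"}

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, used only to keep this demo stdlib-only.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal_cookie(session: dict, key_version: int) -> str:
    """Encrypt-then-MAC the session; the key version label is covered by the MAC."""
    key = KEYS[key_version]
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(session).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    header = f"v{key_version}".encode()
    tag = hmac.new(key, header + nonce + ct, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (header, nonce, ct, tag))

def open_cookie(cookie: str, current_version: int):
    """Return the session dict, or None if the cookie must be rejected."""
    try:
        header, nonce, ct, tag = (base64.urlsafe_b64decode(p) for p in cookie.split("."))
        version = int(header[1:].decode())
    except (ValueError, TypeError):
        return None
    # Downgrade check: a cookie minted under any other key version is refused,
    # even if that older key is still available and could verify the tag.
    if version != current_version:
        return None
    key = KEYS[current_version]
    expected = hmac.new(key, header + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)
```

Relabelling an old cookie as the new version does not help an attacker either, because the label is part of the MAC input and the tag no longer verifies under the current key.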

The section titled "Mitigation" states that when an end user upgrades their Octopus Server installation and the new installation uses a different encryption key than the old installation, session cookies saved during that upgrade will be decrypted when accessed again.

Timeline

Published on: 10/06/2022 18:15:00 UTC
Last modified on: 11/10/2022 04:09:00 UTC