CVE-2022-2888 If an attacker steals a victim's OctoPrint session cookie, they can use it to login to the account.

For example, an attacker might be able to replay a victim’s HTTPS OctoPrint session cookie if they have access to the OctoPrint server.

An attacker might also be able to use other information in the session to authenticate as the victim, such as the contents of the victim’s search query or channel. An attacker might also be able to replay other information that is unique to a victim, such as a hash of their SSH key.

OctoPrint does not protect session information with a cookie, so it is not difficult for an attacker to replay a victim’s session.

There are two ways to protect OctoPrint session information:

Use TLS encryption to protect the session data

OctoPrint uses TLS encryption to protect all user sessions. All this means is that when a user initiates a session, the TLS encryption will encrypt the data being sent to and from the client and server. This means that even if an attacker has access to a victim’s machine, they cannot read or alter any of their OctoPrint data.

The only downside of using TLS encryption is that it requires a certain amount of overhead in terms of CPU usage and power consumption.

Enable HTTPS

, and don't use session cookies
One way to protect your OctoPrint session is to enable HTTPS. Because HTTP is not secure, attackers are unable to replay a victim's session cookie.

Use 2-Factor Authentication

OctoPrint does not protect session information with a cookie, so it is not difficult for an attacker to replay a victim’s session.

Disable HTTPS Session Synchronisation

OctoPrint does not offer a way to disable HTTPS session synchronisation, so OctoPrint users should be cautious about sharing their passwords with other people.

OctoPrint HTTPS

Cookie Protection
OctoPrint does not protect session information with a cookie.
The reasons for this are because OctoPrint does not need to protect sensitive data such as passwords, but it is necessary to prevent an attacker from replaying a victim’s session.
There are two ways to protect the OctoPrint session cookies:
1) Set the path in which they are stored by using OctoPrint's HTTP authentication settings. This prevents those cookies from being accessible by anyone else on the server.
2) Use HTTPS and add a specific HTTP header that contains the user ID of the logged-in user. This will prevent an attacker from replaying any HTTP request made by that user, even if they have access to their server or have captured their unencrypted traffic on the network (for example, if someone has hacked into their system).

Timeline

Published on: 09/21/2022 12:15:00 UTC
Last modified on: 09/22/2022 15:40:00 UTC

References

• https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4
• https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2888