Bitaxe ESP-Miner Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in Bitaxe ESP-Miner versions prior to 2.5.0, in the AxeOS web interface. The miner's API requires no authentication and applies no CSRF protection, so any web page can make a visitor's browser send requests to it. When a user on the same local network as the miner visits a malicious website, that site's script sends requests to the miner's API that silently change critical settings, such as the payout address for Bitcoin mining, without the user's knowledge.
Impact
Exploitation allows unauthorized changes to the Bitaxe miner's configuration, including the Stratum user, which determines where mined Bitcoin rewards are sent. An attacker can also disrupt the miner's operation by altering its power and frequency settings, potentially damaging the hardware. Uploading malicious firmware through the same interface is a further risk, although this has not been tested.
Reproduction
To reproduce this vulnerability, connect a Bitaxe miner running an ESP-Miner version prior to 2.5.0 (AxeOS) to a local network. From a browser on that same network, visit a website hosting the CSRF exploit, which sends PATCH requests to the miner's API with attacker-chosen settings. The exploit can be automated to sweep the local network and update the settings of every reachable miner to values controlled by the attacker.
Remediation
Users are advised to update to Bitaxe ESP-Miner version 2.5.0 or later, which patches this CSRF vulnerability. After updating, access the AxeOS interface by the miner's IP address rather than by hostname.
