Raspberry Pi Imager Public-Key Authentication Vulnerability Reintroducing Deleted SSH Keys

Vulnerability

A vulnerability exists in Raspberry Pi Imager version 1.9.6 for Windows, specifically within the OS customization feature. The issue arises when the 'public-key authentication' option is enabled. Although the interface lets users delete the automatically added id_rsa.pub key, the imager reverts this change and restores that key to the authorized_keys file on the Raspberry Pi. This flaw could allow unauthorized access if an attacker obtains the corresponding Windows private key and uses it to log into the device.

Impact

This vulnerability creates an unintended security risk by allowing an additional, unrecognized method of access to the Raspberry Pi. Users may believe their device is secured with only their custom key, while in reality, a second key from their Windows machine is also authorized. If an attacker gains access to the private key stored on the Windows system, they could use it to log into the Raspberry Pi, bypassing the user's intended security measures.

Reproduction

To reproduce this vulnerability, first ensure that an id_rsa.pub key is present in the .ssh directory on a Windows machine. Open the Raspberry Pi Imager and navigate to the OS customization section. Enable SSH and select the option for public-key authentication. Add a custom public key, then use the 'DELETE KEY' button to remove the default Windows key. After confirming that no keys are left (be aware of a potential UI glitch that might hide some keys), click 'Save' and write the image to an SD card. Once the Raspberry Pi has booted, SSH into the device and inspect the authorized_keys file: the default Windows key will have been re-added alongside any custom keys.
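The final check in that procedure (inspecting authorized_keys for a key the user never meant to install) can be automated. The following is an added example, not code from the Raspberry Pi Imager project: it parses an authorized_keys file, computes each entry's SHA256 fingerprint in the form ssh-keygen -lf prints, and reports every entry whose fingerprint is not on an allow-list of keys the user intended. The key material, the comments and the fake_blob helper are constructed for the example.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
             "sk-ecdsa-sha2-nistp256@openssh.com")

def fake_blob(key_type: str, material: bytes) -> str:
    """Constructed stand-in for a key blob; real SSH blobs also start with the type string."""
    t = key_type.encode()
    return base64.b64encode(struct.pack(">I", len(t)) + t + material).decode()

# Constructed sample modelled on the page's scenario: the custom key the user added,
# plus the Windows id_rsa.pub that Imager 1.9.6 restores after 'DELETE KEY'.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys written by OS customisation",
    "ssh-ed25519 " + fake_blob("ssh-ed25519", b"custom-key-material") + " pi-custom",
    'no-pty,command="uptime" ssh-rsa ' + fake_blob("ssh-rsa", b"windows-default")
    + " user@WINDOWS-PC",
])

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint, unpadded base64, as ssh-keygen -lf prints it."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list:
    """One dict per key line; blank lines and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Options such as no-pty or command="..." may precede the key type; skip to it.
        idx = next((i for i, tok in enumerate(tokens) if tok in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"type": None, "fp": None, "comment": raw, "malformed": True})
            continue
        key_type, blob = tokens[idx], tokens[idx + 1]
        decoded = base64.b64decode(blob)
        # The blob embeds its own type string; a mismatch means a corrupted or spoofed line.
        embedded = decoded[4:4 + struct.unpack(">I", decoded[:4])[0]].decode(errors="replace")
        entries.append({"type": key_type, "fp": fingerprint(blob),
                        "comment": " ".join(tokens[idx + 2:]), "malformed": embedded != key_type})
    return entries

def find_unexpected(text: str, allowed_fps: set) -> list:
    """Entries that are malformed or whose fingerprint is not on the allow-list."""
    return [e for e in parse_authorized_keys(text) if e["malformed"] or e["fp"] not in allowed_fps]
```

Feed it the real file (for example the output of `cat ~/.ssh/authorized_keys` on the Pi) and the fingerprints of the keys you added; any entry it reports is one the imager installed without your intent.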

Remediation

Users can update to Raspberry Pi Imager version 2.0.0-rc3, where this vulnerability has been fixed.

Added: Nov 3, 2025, 3:18 PM
Updated: Nov 3, 2025, 9:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.