NervesHub Brute-Force Vulnerability in User API Token Management Allowing Unauthorized Access

Vulnerability

A vulnerability in NervesHub's API token management was identified that allows brute-force attacks on user API tokens. It affects NervesHub versions 1.0.0 through 2.2.9. The tokens had a predictable format that included user-identifiable components, so they could be guessed or enumerated rather than having to be recovered from a large random space. As a result, an attacker could gain unauthorized access to user accounts or to API actions protected by these tokens.

Impact

Exploitation of this vulnerability could lead to unauthorized access to user accounts or API actions, allowing attackers to perform actions on behalf of the user or access sensitive information.

Remediation

Users can upgrade to NervesHub version 2.3.0, which addresses this vulnerability by introducing strong, cryptographically secure tokens, hashing tokens before database storage, and context-aware token management. For those unable to upgrade immediately, temporarily firewalling access to the NervesHub server can help limit exposure.

Added: Jan 22, 2026, 3:29 PM
Updated: Jan 22, 2026, 3:29 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 6.6
remediation: 0.0
relevance: 2.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.