OwnTone Server Race Condition Denial-of-Service Vulnerability via DAAP Login
Vulnerability
A race condition has been identified in OwnTone Server versions 28.4 up to, but not including, 29.1. The flaw is in the DAAP login handler, where unsynchronized access to the global DAAP session list lets an unauthenticated attacker crash the server. Flooding the DAAP /login endpoint with concurrent requests triggers the race and results in a remote denial of service.
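The bug class described above, shown as a generic added sketch of its hardened form. This is not OwnTone's code or its actual fix: every name here (`session_add`, `session_remove`, `sessions_lck`, the 8-worker workload) is hypothetical. A global session list is shared by concurrent request threads, and both the login and logout paths take one mutex around every list access.

```c
/* Added illustration with hypothetical names; not OwnTone source code. */
#include <pthread.h>
#include <stdlib.h>
struct session { int id; struct session *next; };
static struct session *sessions;  /* global list shared by all request threads */
static int next_id = 1;
static pthread_mutex_t sessions_lck = PTHREAD_MUTEX_INITIALIZER;

/* Login path. Unlocked, two threads could read the same head and next_id. */
int session_add(void) {
    struct session *s = malloc(sizeof(*s));
    if (!s) return -1;
    pthread_mutex_lock(&sessions_lck);
    int id = s->id = next_id++;
    s->next = sessions; sessions = s;  /* push at list head */
    pthread_mutex_unlock(&sessions_lck);
    return id;  /* local copy: s may already be freed by another thread */
}

/* Logout/expiry path: unlink under the lock, free only after unlinking. */
int session_remove(int id) {
    struct session *dead = NULL;
    pthread_mutex_lock(&sessions_lck);
    for (struct session **pp = &sessions; *pp; pp = &(*pp)->next)
        if ((*pp)->id == id) { dead = *pp; *pp = dead->next; break; }
    pthread_mutex_unlock(&sessions_lck);
    if (!dead) return -1;
    free(dead);
    return 0;
}

static void *worker(void *arg) {  /* 1000 logins, every second one logs out */
    for (int i = 0; i < 1000; i++) {
        int id = session_add();
        if (i % 2) session_remove(id);
    }
    return arg;
}

/* Constructed workload: 8 concurrent workers; returns sessions left alive. */
int run_workers(void) {
    pthread_t t[8];
    int started = 0, live = 0;
    while (started < 8 && pthread_create(&t[started], NULL, worker, NULL) == 0) started++;
    for (int i = 0; i < started; i++) pthread_join(t[i], NULL);
    for (struct session *s = sessions; s; s = s->next) live++;  /* workers joined */
    return live;
}
int main(void) { return run_workers() == 4000 ? 0 : 1; }
```

Building the same sketch with `-fsanitize=thread` and the two lock calls removed makes the compiler's ThreadSanitizer report the unsynchronized list accesses, which is a practical way to find this class of defect in review.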
Impact
Exploitation of this vulnerability leads to a remote denial-of-service condition, causing the server to crash.
Reproduction
To reproduce this vulnerability, send a high volume of concurrent requests to the DAAP /login endpoint. This can be done using a tool that supports sending multiple simultaneous requests, such as a load testing tool or a custom script. The requests can be sent without authentication, exploiting the race condition in the login handler.
Remediation
Users can upgrade to OwnTone Server version 29.1 or later, where this vulnerability has been addressed.
