Weak Session Validation for Long-Lived Connections

TinyPilot Security Advisory #003

Published: March 24, 2022

Overview

Versions of TinyPilot Pro before 2.4.0 suffer a vulnerability that allows an unauthenticated user to retain limited access to TinyPilot after an administrator has enabled password authentication.

Severity

Medium

Impact

If an unauthenticated user visits the TinyPilot web dashboard before an administrator adds a password requirement, the unauthenticated user can continue to send keystrokes and mouse input to TinyPilot's target device and see its display output for as long as they keep their TinyPilot browser tab open.

The unauthenticated user's access is limited in that they cannot view or change any TinyPilot administrative settings after authentication is enabled.

The unauthenticated user permanently loses access to TinyPilot if they lose their connection to the web interface. Any of the following events would cause the unauthenticated user to lose access:

  • Closing the browser tab that displays the TinyPilot web interface
  • A restart of the TinyPilot device or web server
  • A temporary loss of network connectivity between the unauthenticated user and TinyPilot device
  • A refresh of the unauthenticated user's browser

Who does this vulnerability affect?

Two scenarios allow an attacker to exploit this vulnerability:

Scenario 1: Unauthorized user on TinyPilot's local network

If an unauthorized user on the same local network as TinyPilot accesses the web interface before TinyPilot's owner enables authentication, the unauthorized user retains limited access. The unauthorized user would lose access after any break in network connectivity, such as a TinyPilot device reboot.

Scenario 2: TinyPilot exposed to public Internet without authentication

If a TinyPilot device is exposed to the public Internet (e.g., through port forwarding at the router level) without authentication and a malicious user visits the web interface, they retain limited access after authentication is enabled. The attacker would lose access after any break in network connectivity, such as a TinyPilot device reboot.

What is the fix?

Permanent fix

Upgrade to TinyPilot Pro 2.4.0 or later to fix this issue.

Short-term workaround

If you can't upgrade to TinyPilot Pro 2.4.0 in the short term, restart your TinyPilot device after adding a password requirement.

Restarting the TinyPilot device breaks any ongoing network connections, forcing any connected users to reconnect. If a user does not have credentials to authenticate, they will lose access after the device restarts.

Detailed explanation

TinyPilot's web interface involves two long-lived connections between the web browser and the TinyPilot device: the video stream and the WebSockets connection.

TinyPilot's video stream displays the target computer's display output within the TinyPilot web interface. TinyPilot's WebSockets connection provides low-latency forwarding of keystrokes and mouse input between the user's browser and the target computer.

TinyPilot enforces authentication at the start of these connections, but versions of TinyPilot Pro prior to 2.4.0 failed to re-validate the connection when authentication settings changed.

To secure the video stream, TinyPilot Pro 2.4.0 and later restarts the video stream on any change to the device's authentication settings. Restarting the stream breaks any ongoing connections and forces clients to establish a new connection. Upon receiving a new connection to the video stream, TinyPilot verifies that the requesting user's session is valid and meets the server's security requirements.

To secure the WebSockets connection, TinyPilot Pro 2.4.0 adds a check every 10 seconds to verify that the associated user session is valid and meets the server's security requirements.
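The two fixes described above, modelled in Python as an added example (this is not TinyPilot's code); the session set, the connection registry and the `apply_fix` switch are constructed for illustration only, and `demo(apply_fix=False)` reproduces the pre-2.4.0 behaviour in which every connection stays open.

```python
# Added illustration, not TinyPilot's code: re-validating long-lived connections
# after authentication settings change. The sessions and connection registry
# below are constructed stand-ins for the server's real ones.
from dataclasses import dataclass


@dataclass
class Connection:
    kind: str          # "video" or "websocket"
    session_id: str    # browser session that opened the connection
    open: bool = True


def session_is_valid(require_password: bool, logged_in: set, session_id: str) -> bool:
    """Check applied when a connection opens; the fix applies it again later."""
    return not require_password or session_id in logged_in


def restart_video_streams(conns: list) -> int:
    """Video-stream fix: on any settings change, drop every open stream so the
    browser must reconnect and pass session_is_valid again. Returns the count."""
    stale = [c for c in conns if c.kind == "video" and c.open]
    for c in stale:
        c.open = False
    return len(stale)


def revalidate_websockets(conns: list, require_password: bool, logged_in: set) -> list:
    """WebSocket fix: the periodic re-check (every 10 s in TinyPilot Pro 2.4.0).
    Returns the session ids whose connections were closed."""
    closed = []
    for c in conns:
        if (c.kind == "websocket" and c.open
                and not session_is_valid(require_password, logged_in, c.session_id)):
            c.open = False
            closed.append(c.session_id)
    return closed


def demo(apply_fix: bool = True) -> dict:
    """Anonymous and admin browsers connect before a password is required, then
    the administrator enables one; returns which connections are still open."""
    logged_in = {"admin-session"}
    conns = [Connection("websocket", "anon-session"), Connection("video", "anon-session"),
             Connection("websocket", "admin-session")]
    require_password = True                   # administrator enables authentication
    if apply_fix:                             # without it, every connection stays open (the bug)
        restart_video_streams(conns)          # runs on the settings-change event
        revalidate_websockets(conns, require_password, logged_in)  # runs from the 10 s timer
    return {f"{c.kind}:{c.session_id}": c.open for c in conns}
```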

Questions

If you have any questions or concerns about this issue, please email me:

Written by Michael Lynch, Founder and Lead Developer of TinyPilot