Vulnerability disclosure: JupyterHub's proxied code-server sessions have no authentication and can be taken over #173

Closed
opened 2022-08-04 17:53:54 +00:00 by a · 0 comments
Owner

**This security vulnerability has been fixed. It is unknown if it was exploited in the past.**

In exohub, you can easily start a code-server session proxied by [jupyter-server-proxy](https://github.com/jupyterhub/jupyter-server-proxy), which starts code-server on a random port and redirects you to the proxied code-server session. Since [code-server has no GET authentication support](https://github.com/coder/code-server/pull/2428), we disabled authentication for code-server entirely when we set it up about 10 months ago (really bad idea, I know).

Attackers can scan our open ports and find the code-server's port and access the code-server without any authentication 😱.

I totally forgot about this bad decision for a few months, and then recently when I was investigating JupyterHub's security after #172, I rediscovered the bug and quickly fixed it by enabling authentication for code-server. Now when you try to access the code-server, code-server will generate a random password in `~/.config/code-server/config.yaml`, and it'll give you instructions to find the password in the file and type it in.

Since code-server was rarely used anyway, I think it's very unlikely that this vulnerability was exploited in the past. An attacker also would not be able to find or change the victim's password and gain further access to their account.
a added the
bug
security
labels 2022-08-04 17:53:54 +00:00
a added this to the (deleted) project 2022-08-04 17:53:54 +00:00
a closed this issue 2022-08-04 17:53:58 +00:00
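The misconfiguration above (code-server launched through jupyter-server-proxy with authentication switched off) and its fix (password auth, with the generated secret in `config.yaml`) can be expressed as a small audit script. The following is an added example written for this page, not code from exohub, jupyter-server-proxy or code-server. It assumes the proxied server was defined in `c.ServerProxy.servers` with the real code-server flags `--auth` and `--port` and the `{port}` placeholder that jupyter-server-proxy substitutes; the weak definition, the hardened one and the sample `config.yaml` text are constructed for the example, and binding code-server to `127.0.0.1` in the hardened entry is this example's own assumption (so that only the proxy can reach it), not something the issue states.

```python
"""Find a jupyter-server-proxy entry that runs code-server with --auth none,
build a hardened replacement, and verify a code-server config.yaml actually
enforces password auth.  Added example: not exohub's, jupyter-server-proxy's
or code-server's own code.  --auth, --port and --bind-addr are real
code-server options; "{port}" is jupyter-server-proxy's placeholder for the
random port it allocates; all sample data below is constructed."""
from typing import Any, Dict, List

# Constructed sample of the weak definition, i.e. what would have sat in
# c.ServerProxy.servers inside jupyter_server_config.py.
WEAK_SERVERS: Dict[str, Dict[str, Any]] = {
    "code-server": {
        "command": ["code-server", "--auth", "none", "--port", "{port}"],
        "launcher_entry": {"title": "VS Code"},
    },
    "tensorboard": {"command": ["tensorboard", "--port", "{port}"]},
}


def auth_mode(cmd: List[str]) -> str:
    """Value given to --auth ('--auth X' or '--auth=X'); code-server's
    default when the flag is absent is 'password'."""
    for i, arg in enumerate(cmd):
        if arg == "--auth" and i + 1 < len(cmd):
            return cmd[i + 1]
        if arg.startswith("--auth="):
            return arg.split("=", 1)[1]
    return "password"


def find_unauthenticated_code_server(servers: Dict[str, Dict[str, Any]]) -> List[str]:
    """Names of proxied servers that launch code-server with auth disabled."""
    bad: List[str] = []
    for name, spec in servers.items():
        cmd = spec.get("command") or []
        if cmd and cmd[0].endswith("code-server") and auth_mode(cmd) == "none":
            bad.append(name)
    return bad


def harden_code_server_entry(spec: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of an entry with password auth forced and code-server bound to
    loopback on the proxy-assigned port (loopback binding is this example's
    assumption).  Existing --auth/--port/--bind-addr/--host flags are dropped
    first so the hardened values cannot be overridden by an earlier flag."""
    cleaned: List[str] = []
    skip_value = False
    for arg in spec.get("command") or []:
        if skip_value:
            skip_value = False          # this is the value of a dropped flag
            continue
        if arg in ("--auth", "--port", "--bind-addr", "--host"):
            skip_value = True
            continue
        if arg.startswith(("--auth=", "--port=", "--bind-addr=", "--host=")):
            continue
        cleaned.append(arg)
    cleaned += ["--auth", "password", "--bind-addr", "127.0.0.1:{port}"]
    hardened = dict(spec)
    hardened["command"] = cleaned
    return hardened


def config_yaml_enforces_password(yaml_text: str) -> bool:
    """True if a code-server config.yaml sets auth: password with a non-empty
    password.  Minimal 'key: value' parsing so no PyYAML is needed."""
    keys: Dict[str, str] = {}
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            keys[key.strip()] = value.strip().strip("'\"")
    return keys.get("auth") == "password" and bool(keys.get("password"))


# Constructed stand-in for the file code-server writes on first start
# (~/.config/code-server/config.yaml); the password value is made up.
SAMPLE_CONFIG_YAML = """\
bind-addr: 127.0.0.1:8080
auth: password
password: 0123456789abcdef-constructed
cert: false
"""

if __name__ == "__main__":
    print("entries with auth disabled:", find_unauthenticated_code_server(WEAK_SERVERS))
    fixed = {name: (harden_code_server_entry(spec) if name == "code-server" else spec)
             for name, spec in WEAK_SERVERS.items()}
    print("after hardening:", find_unauthenticated_code_server(fixed))
    print("hardened command:", fixed["code-server"]["command"])
    print("config.yaml enforces password:", config_yaml_enforces_password(SAMPLE_CONFIG_YAML))
```

Running it on the constructed data reports the `code-server` entry as unauthenticated, shows that the hardened entry no longer trips the check, and confirms the sample `config.yaml` has `auth: password` with a password set. The `config_yaml_enforces_password` check is the one worth keeping around: it verifies on the user's side that the fix the issue describes is actually in effect for a given home directory.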
Reference: exozyme/exozyme#173