Security vulnerability: Update to 1.3.6 ASAP!


#1

If you still haven’t updated to OctoPrint 1.3.6, please update ASAP.

There is a security vulnerability present in OctoPrint version 1.3.0rc1 through 1.3.5 that puts your instance at risk if it is accessible directly via the internet or another untrusted network, e.g. through a port forward in your router.

OctoPrint version 1.3.6 fixes this vulnerability.

Who is affected by it?

If you have your OctoPrint 1.3.0rc1 through 1.3.5 directly accessible over the internet through a port forward or something similar (without additional protection through a reverse proxy and/or a VPN) then you are affected. Update to 1.3.6 as soon as possible.

Note that other ways of accessing OctoPrint remotely are not affected, e.g. PolarCloud, OctoPrint Anywhere, Telegram etc.

What are the details of this vulnerability? What is the attack vector?

I’m not going to go into details to protect vulnerable installations that even now still might be out there. What I will say is that the issue allows unprivileged admin access to your OctoPrint instance over the network, bypassing access control.

Who found this vulnerability? When was it found?

I discovered it myself during maintenance work towards 1.3.6. I didn’t disclose it until now to first allow as many people as possible to update to 1.3.6 in order to reduce the risk of active exploitation to an absolute minimum.

To my knowledge nobody else has discovered this vulnerability and I’m not aware of anyone exploiting it.

How can I update?

Use the built-in Software Update mechanism.

If that should not be available to you for some reason then you may follow these manual steps:

  • OctoPi: SSH into your Pi. Then run these commands:

    source ~/oprint/bin/activate
    cd ~/OctoPrint
    git pull
    pip install .
    sudo service octoprint restart

    Verify that it now says “OctoPrint 1.3.6” in the lower left corner of the web interface.

  • Manual install: Please substitute /path/to/OctoPrint with the path to your OctoPrint checkout. On a command line run these commands:

    cd /path/to/OctoPrint
    source venv/bin/activate
    git pull
    pip install .

    Then restart your server. Verify that it now says “OctoPrint 1.3.6” in the lower left corner of the web interface.


This is a companion discussion topic for the original entry at https://octoprint.org/blog/2018/03/15/security-issue-update-to-1.3.6/
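An added helper, not part of the blog post or of OctoPrint itself, that classifies a version string against the range the advisory names (1.3.0rc1 through 1.3.5 affected, 1.3.6 fixed), handling the "rcN" pre-release suffix so that 1.3.0rc1 sorts before 1.3.0. Treating 1.3.6 release candidates as still affected is my own conservative assumption; the advisory only names 1.3.6 final as fixed.

```shell
#!/bin/sh
# Added example (not from the OctoPrint project): check whether an
# OctoPrint version string falls in the advisory's affected range.

# Turn "MAJOR.MINOR.PATCH[rcN]" into a single comparable integer.
# Final releases get rc=999 so that "1.3.0rc1" < "1.3.0".
version_key() {
  v="$1"
  base="${v%%rc*}"          # version without any "rcN" suffix
  rc="${v#"$base"}"         # the stripped suffix, e.g. "rc1" or ""
  rc="${rc#rc}"             # just the number after "rc"
  [ -z "$rc" ] && rc=999
  oldifs="$IFS"; IFS=.
  set -- $base              # split MAJOR.MINOR.PATCH into $1 $2 $3
  IFS="$oldifs"
  echo $(( ${1:-0} * 1000000000 + ${2:-0} * 1000000 + ${3:-0} * 1000 + rc ))
}

# Returns 0 (true) when the version is in the affected range.
# Assumption: anything below 1.3.6 final, including 1.3.6 release
# candidates, is flagged; the advisory names only 1.3.6 as fixed.
octoprint_affected() {
  k="$(version_key "$1")"
  [ "$k" -ge "$(version_key 1.3.0rc1)" ] && [ "$k" -lt "$(version_key 1.3.6)" ]
}

# Usage: sh check_version.sh 1.3.5
# (the version string is the one shown in the lower left corner of the web UI)
if [ -n "$1" ]; then
  if octoprint_affected "$1"; then
    echo "$1: affected, update to 1.3.6"
  else
    echo "$1: not in the affected range"
  fi
fi
```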

#2

Just to be sure I'm understanding this correctly: The two code blocks in your post (OctoPi and Manual Install) are two alternate ways of updating, correct? You don't need to do both of them. (I understand that most people will not need to do either of them, since the built-in software update mechanism should take care of it.)


#3

Yep, correct. It's an "either ... or ...", not an "and".


#4

Oh, cool, posts on the website have the same comments as here, that's slick.

I've been at 1.3.6 for a while so I'm :+1:, but would it still be a vulnerability if the OctoPrint instance were behind a proxy, especially if the proxy were authenticated? Just idle curiosity on my part.


#5

If you have any form of additional password protection in front of things you should be fine.

Still, updating is always a good idea in general :wink:


#6

Definitely agreed on the updating!


#7

Hi Gina! Firstly, thanks for your awesome work. I'm new to 3D printing -- excellent and useful hobby.

So, this isn't related to the bloke on github with the purported 0day, right? It would be ironic (and unlikely) that it was related, but just curious.

Cheers!


#8

Not as far as I know. That bloke never provided any concrete vulnerability; it only ever boiled down to "there are OctoPrint instances discoverable on the internet via Shodan". Which isn't news: if you put something on the internet it will be found, hence my repeated advice to secure things further through traditional means.

As I said, this wasn't reported to me, I found it myself. If this had been reported to me I'd of course have mentioned the reporter and given proper credit.


#9

Yes. Exactly as I figured. He came across more as a posturer than a serious researcher. I was almost waiting for the ransom demand from him.

Thanks,
-Mike


#10

Hi,
Okay, update, BUT since December 2017 1.3.6 has had a problem with pip ... updates for plugins are not possible and nobody has an idea. That's a pity. :frowning:
https://groups.google.com/forum/#!topic/octoprint/GZYw0pCnM0I

Regards
Rabis


#11

I'm not aware of any general issues like what you describe there.

It sounds similar to this topic, however, which was also a manual install, so adding some more info about your setup to that might help narrow this down, especially the Linux distribution used and the exact installation steps.


#12

A post was merged into an existing topic: Pluggin Manager - PIP


#14

Is there a video of how to do this?


#15

This procedure does not work on OctoPi. After that, the startup script will not work anymore. The solution is in a post by Gina here: https://groups.google.com/d/msg/octoprint/zKydJ69vEgI/RDiLncDtAAAJ