KnC released a new firmware with all my points emailed to them taken into account.
THANK YOU KNC! However... the new firmware has a HUGE security flaw. BUT...
Since KnC does not even thank me for writing a detailed report, consuming several hours of my time, it's not worth it to me to write another one.
They DID implement every bugfix and security improvement I emailed them, and are now taking credit for it... Lame ass f*ckers!
If the script kiddies find out this new (ridiculous) bug in the miners, rest assured that many rigs will be taken over.
We have a new firmware for you today, version 0.99.2 firmware which can be downloaded from our firmware page here:
https://www.kncminer.com/pages/firmware The firmware contains the following changes.
New features:
- Initial splash screen on first use now asks the user to specify a new administrator user name and password and also to enter a list of trusted addresses allowed to manage the miner. (Please note that by entering trusted addresses incorrectly you could block your access to the miner. The only way to regain access would be to perform a hard reset by pressing the button on the front of the miner 5 times, waiting 5 seconds and pressing another 5 times, as described in the user manual)
There you go, just as I suggested it.
- Miner management can be configured to allow access for trusted addresses only. The trusted addresses should be specified by using space separated addresses from which the miner is allowed to be accessed via HTTP and SSH.
That's about time!!
- List of trusted management addresses can be changed on the "Network" page of the miner interface.
- On the "Mining" page there is now a setting which allows the user to specify which addresses can access the miner's API interface.
- Added support for BFGMiner, which is now selectable from the "Mining" page of the interface.
Thanks,
KnC team
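The trusted-address list described in the announcement is a space-separated allowlist, and the note about locking yourself out with a mistyped entry is the failure mode worth guarding against. The following is an added example (not KnC firmware code and not from any poster in this thread) showing how such a list can be parsed, validated and checked before it is saved; the addresses and the helper names are constructed for illustration.

```python
import ipaddress

# Constructed sample values (not from the thread or the firmware).
ADMIN_CURRENT_ADDR = "192.168.1.50"
TRUSTED_FIELD = "192.168.1.50 192.168.1.0/24 10.0.0.7"


def parse_trusted_addresses(field):
    """Parse a space-separated trusted management address list.

    Every token must be a valid IPv4/IPv6 host or CIDR network; any
    other token is rejected outright so a typo cannot silently turn
    into an empty or wrong rule. Single hosts become /32 (or /128).
    """
    networks = []
    for token in field.split():
        try:
            networks.append(ipaddress.ip_network(token, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid trusted address {token!r}") from exc
    if not networks:
        raise ValueError("trusted address list is empty")
    return networks


def is_trusted(client_addr, networks):
    """True if client_addr falls inside any of the trusted networks."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in net for net in networks)


def validate_before_saving(field, admin_addr):
    """Parse the list and refuse to save it if it would lock the admin out.

    Mirrors the announcement's warning: if the address you are currently
    administering from is not on the list, applying it cuts off HTTP/SSH
    management and only a hard reset restores access.
    """
    networks = parse_trusted_addresses(field)
    if not is_trusted(admin_addr, networks):
        raise ValueError(
            f"{admin_addr} is not in the trusted list; saving would lock you out"
        )
    return networks


if __name__ == "__main__":
    nets = validate_before_saving(TRUSTED_FIELD, ADMIN_CURRENT_ADDR)
    for client in ("192.168.1.200", "10.0.0.7", "10.0.0.8"):
        print(client, "allowed" if is_trusted(client, nets) else "denied")
```

Running the block shows the /24 entry admitting a host that is not listed individually, while a host outside every entry is denied; the lock-out check runs before the list is accepted rather than after.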
Steve,
Would this new bug you found be a problem for only public facing miners or all miners?
Just wondering if a miner on a private network with all the APIs turned off for cgminer would be vulnerable to such an attack.
Edit: Oh and I'm on .99.1-t.
Thanks.
KNC will never admit the security problem because that would legally make them potentially liable for losses suffered because of the breach. They could have at least sent ya a 1 BTC or something for your effort. Time is money and if they don't want to pay you anything it's not worth your time.
Well, without trying to reveal too much detail, the bugs in the newest firmware are major issues.
I found 3 critical exposures of user credentials in a very simple way.
1) This has something to do with a parameter that is not sanitized, making you read protected files (userfiles?)
2) Userfile is readable without logging in to the system webinterface
3) Cross Site Scripting "prompt" methods are able to be executed
To answer your question, your miner itself will be well shielded from outside access. However, the biggest problem once again comes down to the user.
You may protect your miner with all available options, but what about your other hardware that is connected to your internet?
Almost every available router has at least one working exploit available out there on the internet. Piece of cake to login/hack/crack your router, and your miner is accessible.
The most recent problems are however using smart devices on the same network. For example, a smart TV, a WiFi printer, a NAS server, ...
Same here, almost all these devices have one or more security flaws. These are also known to be "less" secured by the user itself.
Once again, just by accessing these devices, your miner can be at risk.
Now, don't be a fool thinking your miner IP is unknown to the internet either. Even from behind a router, your end IP address gets submitted with every share on the internet...
There are many many huge lists available on the net with miner IP addresses. And then it's just a matter of scanning this specific network range for weak devices.
A very good solution comes from SickPig:
Never ever expose your miner directly to the internet.
Do not assign a public IP to the miner network interface.
Even if you're using a private address for your miner, do not trust your router fw/firewall.
Router firmwares are updated once in a very long while; they reach support EOL quite rapidly. Taking this into account implies using your router port forwarding is moot.
Use a bridge system between your router and your miner(s). Be it a Linux hardened box or an OpenBSD one.
Set up a firewall on this machine that does both ingress/egress filtering. Set up a VPN service on this bridge box. Access the miner only through this VPN service.
If you do not have a static IP, spend a few bucks a month for a VPS with a static IP address and use n2n (a layer two p2p VPN) (http://www.ntop.org/products/n2n/) to mimic a more classic VPN set up.
Keep your eyes open, and change your passwords of ALL devices in your network every now and then.
Don't be scared to use long passwords, for example, you can SHA-512 hash your current password.
Your basic password known as for example
"password"
then becomes
"b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86"
way more secure against bruteforce/dictionary hacking methods.
If you are not allowed this many characters, take a simple MD5 encryption of your current password.
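The password-lengthening procedure in the post (SHA-512 hex digest when the field allows 128 characters, MD5 hex digest as the shorter fallback) can be carried out with Python's standard library. The block below is an added example written for this page, not code from the poster; the function name and the maximum-length parameter are assumptions introduced for illustration.

```python
import hashlib


def derive_long_password(base_password, max_len):
    """Apply the post's procedure to a short base password.

    Returns the 128-character SHA-512 hex digest when the target
    password field accepts at least 128 characters, otherwise the
    32-character MD5 hex digest, and raises ValueError when even the
    MD5 digest would not fit. The base password itself is never
    returned, so the derived string is what gets typed into the device.
    """
    data = base_password.encode("utf-8")
    sha512_hex = hashlib.sha512(data).hexdigest()
    if max_len >= len(sha512_hex):
        return sha512_hex
    md5_hex = hashlib.md5(data).hexdigest()
    if max_len >= len(md5_hex):
        return md5_hex
    raise ValueError(
        f"field limit {max_len} is shorter than both digests ({len(sha512_hex)} / {len(md5_hex)})"
    )


if __name__ == "__main__":
    # "password" is the constructed sample from the post; the field
    # limits are assumed values for a device with a long and a short field.
    for limit in (128, 64):
        derived = derive_long_password("password", limit)
        print(f"limit={limit:3d} -> {len(derived)} chars: {derived}")
```

With a 128-character limit the output is the same SHA-512 digest quoted in the post; with a 64-character limit the function drops to the 32-character MD5 digest, and any limit under 32 is rejected instead of silently truncating the string.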