netbird
Security Issue: Setup keys are stored unencrypted in database table "setup_keys"
Describe the problem
The setup keys are stored unencrypted in the database (at least for sqlite3) which is very bad. If the backend or storage (Cloud & Selfhosted) gets compromised, anyone can use the setup keys to provision new peers.
To Reproduce
- sudo sqlite3 /var/lib/docker/volumes/artifacts_netbird-mgmt/_data/store.db
  (Adjust the path to your docker volume)
- select * from setup_keys;
Expected behavior
Store the setup keys encrypted by using at least salted hashes (More info: https://www.vaadata.com/blog/how-to-securely-store-passwords-in-database/)
Are you using NetBird Cloud?
Selfhosted
NetBird version
0.30.2
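The salted-hash storage requested above, sketched as an added example; it is not NetBird's code and not part of the original report. The `id.secret` token layout, the `StoredKey` row and the function names are assumptions made for illustration, and a map stands in for the `setup_keys` table.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// StoredKey is the row persisted instead of the plaintext key (hypothetical schema).
type StoredKey struct {
	ID         string // public lookup id, safe to store and display
	Salt, Hash []byte // Hash = SHA-256(Salt || secret)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback without a CSPRNG
	}
	return b
}

// A fast hash is acceptable only because the secret is 256 random bits, not a password.
func hashSecret(salt []byte, secret string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), secret...))
	return sum[:]
}

// NewSetupKey returns the token shown once to the admin and the row to store.
func NewSetupKey() (string, StoredKey) {
	id, secret, salt := hex.EncodeToString(randomBytes(8)), hex.EncodeToString(randomBytes(32)), randomBytes(16)
	return id + "." + secret, StoredKey{ID: id, Salt: salt, Hash: hashSecret(salt, secret)}
}

// Verify looks the row up by public id and compares hashes in constant time.
func Verify(db map[string]StoredKey, token string) bool {
	id, secret, ok := strings.Cut(token, ".")
	row, found := db[id]
	return ok && found && subtle.ConstantTimeCompare(row.Hash, hashSecret(row.Salt, secret)) == 1
}

func main() {
	token, row := NewSetupKey()
	db := map[string]StoredKey{row.ID: row} // stands in for the setup_keys table
	fmt.Println("issued:", Verify(db, token), "tampered:", Verify(db, token+"0"))
}
```

With this layout a dump of the table yields only ids, salts and hashes, so a stolen row cannot be replayed as a setup key.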