anselal / antminer-monitor

Cryptocurrency ASIC mining hardware monitor using a simple web interface
GNU General Public License v3.0

Fixes EDB-50267 (security) #186

Closed Paradoxis closed 2 years ago

Paradoxis commented 2 years ago

An exploit guide on this particular piece of software was published on Exploit-DB (source: https://www.exploit-db.com/exploits/50267).

In the event an administrator forgets to set up the SECRET_KEY environment variable, the server can be bypassed by cracking the server's session cookie using Flask-Unsign. An attacker can then create a crafted Flask cookie which bypasses any authentication mechanism and logging.

This patch ensures a random value is chosen on boot if the secret is not set, and disables DEBUG by default as that also allows an attacker to obtain remote code execution if the pin is obtained somehow.
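As an added illustration of the two hardening points in this PR (not the project's own code), the following Flask-agnostic settings resolver falls back to a random per-boot SECRET_KEY when the environment variable is absent or blank, and treats DEBUG as off unless explicitly enabled; the function names `resolve_flask_settings` and `apply_to_flask_config` are assumptions, and the resolver operates on any dict-like config so it can be applied to `app.config` without importing Flask here.

```python
import logging
import secrets
from typing import Mapping, MutableMapping, Tuple

log = logging.getLogger(__name__)

# Values accepted as "enabled" for DEBUG; anything else (including unset) is off.
_TRUTHY = {"1", "true", "yes", "on"}


def resolve_flask_settings(env: Mapping[str, str]) -> Tuple[str, bool]:
    """Return (secret_key, debug) derived from an environment mapping.

    A missing or whitespace-only SECRET_KEY is replaced by 32 random bytes
    from the OS CSPRNG (hex-encoded). Sessions then reset on every restart,
    but a cookie signed under a guessable default key can no longer be
    forged by an attacker who knows that default.
    """
    secret = env.get("SECRET_KEY", "").strip()
    if not secret:
        secret = secrets.token_hex(32)  # 64 hex chars, fresh per process
        log.warning(
            "SECRET_KEY is not set; using a random per-boot key "
            "(sessions will not survive a restart)"
        )

    # DEBUG defaults to off: the Werkzeug debugger must never be reachable
    # in production, so only an explicit opt-in enables it.
    debug = env.get("DEBUG", "").strip().lower() in _TRUTHY
    return secret, debug


def apply_to_flask_config(config: MutableMapping[str, object],
                          env: Mapping[str, str]) -> MutableMapping[str, object]:
    """Write the resolved values into a Flask-style config mapping.

    In a real app this is called as apply_to_flask_config(app.config, os.environ).
    """
    secret, debug = resolve_flask_settings(env)
    config["SECRET_KEY"] = secret
    config["DEBUG"] = debug
    return config
```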