a4004
commented
5 months ago Hi @elated-emu
It seems that Umbrel's new update mechanism is at fault here. Since version 1.0 they have switched to Mender which is an image based update solution, and for some reason it seems the update includes the /etc/shadow file which effectively resets the password to the default one until the Umbrel daemon changes it back after the user logs in.
This should probably be a simple fix, ie just to omit the /etc/shadow file from the Mender update package. If that isn't possible, then maybe SSH should be disabled until the password is changed back after the update.
The vulnerability affects SSH and physical logins from any IP range including Docker, etc. I've provided more details in the Discord channel relating to this issue. <#1254380706105135175>
IF YOU UPDATED UMBREL TO 1.2.1 DOUBLE CHECK YOUR SSH PASSWORD
It seems like the default SSH password when OTA updating is being set to "umbrel", regardless of prior settings.
Any device on the network can get root access to your umbrel. If you port forward 22 (not recommended), any device with your public IP can get access to your internal network with your umbrel's insecure default username and password.
I haven't tested a docker container's ability to SSH into the host, but that might be possible as well. It wouldn't be hard for a malicious app to take advantage of this vulnerability, and it is a valid target for an attacker (since you would have crypto on your umbrel).