Bitaxe Firmware (ESP-Miner) v2.5.0: Critical Fix for CSRF Vulnerability

ESP-Miner is open source firmware designed to run on Bitaxe devices. v2.5.0 includes a patch for a Cross-Site Request Forgery (CSRF) vulnerability that allows a malicious website to replace a user's pool or wallet information. AxeOS users are urged to upgrade as soon as possible.

Source: trendkraft
  • This firmware update fixes a recently discovered Cross-Site Request Forgery (CSRF) vulnerability in AxeOS.
"This one is a very important update for all Bitaxe users as it contains a fix for a recently discovered CSRF vulnerability in AxeOS," said skot9000.

NOTE: You will no longer be able to access AxeOS by hostname; you must use the Bitaxe IP address (e.g. http://192.168.1.21).

  • According to the developer, the vulnerability allows a specially crafted malicious website to change the settings of a Bitaxe on the visitor's local network, including the stratum server and user credentials. The changes happen in the background, with no visible indication on the malicious website.
"Yeah, it's crazy. There is a "feature" of nearly all browsers that support javascript where an arbitrary website that you visit can make requests to other machines on your local network. It is up to those machines to make sure it's legit. This is called a Cross Site Request Forgery (CSRF)."
  • The Bitaxe firmware exposes an API (Application Programming Interface) that controls all Bitaxe settings; AxeOS and other tools use it to manage Bitaxe devices. It has been treated as safe because the user's local network is isolated from the public internet by the router's firewall. That boundary does not help against CSRF, however: the request is issued by the user's own browser, which is already inside the network, so the device sees it as just another local request.
  • ESP-Miner v2.5.0 now checks the request headers to determine whether a request originated from a machine on the local network and rejects requests that did not. A side effect of this check is that AxeOS must now be opened by IP address rather than hostname (see the note above).
"This might cause some problems for people with esoteric networking setups, but we have done a lot of testing so far. Please let me know if you experience any problems using AxeOS!" added skot9000.
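The following is an added example, written for this page and not code from ESP-Miner or its developer, showing the kind of header-based same-origin gate described above. It assumes the firmware compares the Host and Origin headers of a state-changing API request against the device's own IP address (the page says only that headers are checked; the exact headers and comparison are an assumption here). The sample requests at the bottom are constructed, not captured from a real Bitaxe.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Copy the host part of a Host or Origin header value into out, dropping
 * any scheme, port and path. "http://192.168.1.21:80/x" -> "192.168.1.21".
 * Returns false on an empty or malformed value. IPv6 literals such as
 * "[fe80::1]" are not handled by this toy parser. */
static bool header_host(const char *value, char *out, size_t out_len) {
    if (value == NULL || *value == '\0') return false;
    const char *p = strstr(value, "://");
    p = (p != NULL) ? p + 3 : value;      /* skip "http://" if present */
    size_t n = strcspn(p, ":/");          /* stop at the port or path */
    if (n == 0 || n >= out_len) return false;
    memcpy(out, p, n);
    out[n] = '\0';
    return true;
}

/* Same-origin gate for a request that changes settings (hypothetical
 * policy, not ESP-Miner's code).
 *   device_ip: the address the firmware currently has on the LAN
 *   host:      the Host header (always present in HTTP/1.1)
 *   origin:    the Origin header, or NULL if the client sent none
 * Rules: the Host must name the device IP, and if an Origin is present it
 * must name the device IP as well. A page on evil.example that makes the
 * browser POST to the Bitaxe always carries its own Origin, so it is
 * refused; a hostname such as bitaxe.local is refused too, because the
 * comparison is against the IP. Browsers send Origin on every cross-site
 * POST, so a missing Origin is treated as a non-browser client (curl). */
bool csrf_request_allowed(const char *device_ip, const char *host,
                          const char *origin) {
    char h[64], o[64];
    if (!header_host(host, h, sizeof h) || strcmp(h, device_ip) != 0)
        return false;
    if (origin != NULL && *origin != '\0') {
        /* "null" (sandboxed iframe, file://) also fails this comparison */
        if (!header_host(origin, o, sizeof o) || strcmp(o, device_ip) != 0)
            return false;
    }
    return true;
}

struct sample_req {
    const char *who;
    const char *host;
    const char *origin;
    bool expect_allowed;
};

/* Constructed sample requests against a device at 192.168.1.21. */
static const struct sample_req SAMPLES[] = {
    {"AxeOS opened by IP",        "192.168.1.21",    "http://192.168.1.21",    true},
    {"cross-site page (CSRF)",    "192.168.1.21",    "https://evil.example",   false},
    {"curl on the LAN, no Origin","192.168.1.21",    NULL,                     true},
    {"AxeOS opened by hostname",  "bitaxe.local",    "http://bitaxe.local",    false},
    {"explicit port in headers",  "192.168.1.21:80", "http://192.168.1.21:80", true},
    {"opaque origin",             "192.168.1.21",    "null",                   false},
};
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* Runs every sample through the gate; returns how many verdicts differ
 * from the expected one (0 means the policy behaves as described). */
int count_policy_mismatches(void) {
    int mismatches = 0;
    for (size_t i = 0; i < NSAMPLES; i++) {
        bool allowed = csrf_request_allowed("192.168.1.21", SAMPLES[i].host,
                                            SAMPLES[i].origin);
        if (allowed != SAMPLES[i].expect_allowed) mismatches++;
    }
    return mismatches;
}

int main(void) {
    for (size_t i = 0; i < NSAMPLES; i++) {
        bool allowed = csrf_request_allowed("192.168.1.21", SAMPLES[i].host,
                                            SAMPLES[i].origin);
        printf("%-28s Host=%-16s Origin=%-24s -> %s\n", SAMPLES[i].who,
               SAMPLES[i].host, SAMPLES[i].origin ? SAMPLES[i].origin : "(none)",
               allowed ? "allowed" : "rejected");
    }
    return count_policy_mismatches() == 0 ? 0 : 1;
}
```

The fourth sample is the behaviour behind the note about hostnames: a browser that loaded AxeOS from http://bitaxe.local sends that name in Host and Origin, so a check keyed on the IP address refuses it even though the request is legitimate. A gate like this also does nothing for a GET that changes state, which is why settings changes belong on POST/PATCH only.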
