SatNOGS Network Security Update

We recently discovered a security bug in SatNOGS Network source code. The bug allowed for unauthorized access to station API keys, specifically in the HTML source code of the user page (not visible in the UI though).

The issue is now fixed in our production instance. The SatNOGS Operations team has analyzed the incident, and no malicious action has been discovered with the exposed API keys.

All API keys have been regenerated to secure and protect the network. As a result, you must update your station(s) with the new API key issued for your account.

SatNOGS Raspberry Pi image users can perform the following steps:

  1. Find your new API key from https://network.satnogs.org (login and it should be accessible top-right).
  2. Login via SSH into your RPi
  3. Run "sudo apt-get update" to fetch a new list of latest distro packages
  4. Run "sudo apt-get -y upgrade" to upgrade the distro packages
  5. Run "sudo reboot"
  6. Login again via SSH into your RPi
  7. Run "sudo satnogs-setup"
  8. Select "Update" to update SatNOGS software
  9. Change your API key in "Basic Configuration" -> "SATNOGS_API_TOKEN"
  10. Select the "Apply" button to apply the changes
  11. Select "Back" to exit "satnogs-setup"
  12. Check back in SatNOGS Network that the status of your station is "Online" or "Testing"

In case you have any questions or require assistance, please contact us via email, IRC/Matrix channel or here.

We are sorry for any inconvenience!

The SatNOGS Team

11 Likes

Thanks for the update. I rebooted the RPI3 twice before I decided to look here.

When all else fails, 'read the instructions'

3 Likes

My 2 updated all ok :slight_smile:

3 Likes

I seem to be having some problems reconnecting to the network with my new API keys. First, the update process complains about not finding the "rng-tools" package, so I'm not sure if that failure is causing my other problems. In my logs, I see the following:

Sep 01 11:47:03 satcather-vhf satnogs-client[552]: 2018-09-01 11:47:03,844 - apscheduler.executors.default - ERROR - Job "get_jobs (trigger: interval[0:01:00], next run at: 2018-09-01 15:48:03 UTC)" raised an exception
Sep 01 11:47:03 satcather-vhf satnogs-client[552]: Traceback (most recent call last):
Sep 01 11:47:03 satcather-vhf satnogs-client[552]:   File "/var/lib/satnogs/local/lib/python2.7/site-packages/apscheduler/executors/base.py", line 125, in run_job
Sep 01 11:47:03 satcather-vhf satnogs-client[552]:     retval = job.func(*job.args, **job.kwargs)
Sep 01 11:47:03 satcather-vhf satnogs-client[552]:   File "/var/lib/satnogs/local/lib/python2.7/site-packages/satnogsclient/scheduler/tasks.py", line 169, in get_jobs
Sep 01 11:47:03 satcather-vhf satnogs-client[552]:     'Status code: {0} on request: {1}'.format(response.status_code, url))
Sep 01 11:47:03 satcather-vhf satnogs-client[552]: Exception: Status code: 401 on request: https://network.satnogs.org/api/jobs/

I've checked my API key in /etc/ansible/host_vars/localhost and it's been updated properly.

Any suggestions of what might be going on? Thanks!
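
Added example, not part of the original post and not SatNOGS project code: after a network-wide key rotation, a station operator can scan the client's journal for the "Status code: ... on request: ..." exception shown above and separate HTTP 401 responses (the server rejected the credentials it was sent) from other failures. The sample log is constructed from the line format quoted in the post, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the journal lines quoted in the post above.
SAMPLE_LOG = """\
Sep 01 11:46:03 satcather-vhf satnogs-client[552]: Exception: Status code: 401 on request: https://network.satnogs.org/api/jobs/
Sep 01 11:47:03 satcather-vhf satnogs-client[552]: Exception: Status code: 401 on request: https://network.satnogs.org/api/jobs/
Sep 01 11:48:03 satcather-vhf satnogs-client[552]: Exception: Status code: 502 on request: https://network.satnogs.org/api/jobs/
Sep 01 11:49:03 satcather-vhf sshd[901]: Accepted publickey for pi
"""

# syslog prefix (timestamp, host, unit), then the exception text from the client
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssatnogs-client\[\d+\]:\s"
    r".*Status code: (?P<code>\d{3}) on request: (?P<url>\S+)"
)


def summarize_api_failures(text):
    """Group failed API requests by (host, status code, url)."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other services, traceback frames, scheduler messages
        entry = summary[(m["host"], int(m["code"]), m["url"])]
        entry["count"] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(summary)


def hosts_with_rejected_token(text):
    """Hosts whose API requests were answered with HTTP 401."""
    failures = summarize_api_failures(text)
    return sorted({host for (host, code, _url) in failures if code == 401})


if __name__ == "__main__":
    for (host, code, url), e in summarize_api_failures(SAMPLE_LOG).items():
        hint = ("credentials rejected; re-check SATNOGS_API_TOKEN"
                if code == 401 else "not an authentication failure")
        print(f"{host} {code} {url} x{e['count']} "
              f"({e['first']} .. {e['last']}): {hint}")
```
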

Could you please run apt search rng-tools and share the result?

Sure, nothing is found:

pi@satcather-vhf:~ $ apt search rng-tools
Sorting... Done
Full Text Search... Done
pi@satcather-vhf:~ $

I'm on raspbian stretch.

Hmm. Interesting… cat /etc/apt/sources.list?

P.S. The packet is available in the Raspbian repo: http://raspbian.raspberrypi.org/raspbian/pool/main/r/rng-tools/

Huh, strange that my apt can't find it, given that I think my sources look fine:

pi@satcather-vhf:~ $ cat /etc/apt/sources.list
deb http://raspbian.raspberrypi.org/raspbian/ stretch main contrib non-free rpi
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
#deb-src http://raspbian.raspberrypi.org/raspbian/ stretch main contrib non-free rpi
pi@satcather-vhf:~ $

And this is what I get when I try and run sudo apt-get install rng-tools:

pi@satcather-vhf:~ $ sudo apt-get install rng-tools
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package rng-tools is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'rng-tools' has no installation candidate
pi@satcather-vhf:~ $

This happens for both of my installations.

I'm able to install the rng-tools package by hand without problems, so I'm not sure why apt isn't able to find it…

That's very strange indeed. I'm not sure what's going on… if you haven't tried them already:

  1. reboot rpi
  2. apt-get update
  3. apt-get install --fix-missing

1 Like

apt-get install --fix-missing, and then apt-get install rng-tools seemed to fix the problem. Not sure how things got so borked up, thanks for the help, apologies for the noise!

Glad to hear that the problem is fixed :smiley: