Commit graph

2 commits

Author: Kayos
SHA1: 9c4b0e26b9
Date: 2026-03-14 11:27:23 -07:00
Message:
docs: security hardening plan v1.0

Addresses all 4 open CVEs with specific implementations:
- CVE-2: Per-device WiFi password derived from serial/MAC + salt
- CVE-11: SSH key-only auth, ADACAM_PUBKEY injection at liberation
- CVE-14: adacam-api bearer token derived from device serial
- CVE-7/16: Kill usb-updater, no OTA for single-owner device

Also covers: firewall rules, tunnel security assessment,
data-at-rest recommendations, priority order for implementation.

Author: Kayos
SHA1: 8e2596d6cf
Date: 2026-03-14 10:00:56 -07:00
Message:
docs: deep audit report — CVE-6 through CVE-15

10 additional vulnerabilities from odc-api source + bee-plugins audit:
- CVE-6: Plugin secret exfil (API returns key + ciphertext together)
- CVE-7: Firmware install without signature verification (MD5 only)
- CVE-8: Unauthenticated plugin upload (attacker provides own hash)
- CVE-9: cronconfig mass RCE backdoor (CVSS 10.0 — ALL devices globally)
- CVE-10: Unauthenticated destructive endpoints (rm -rf, no auth)
- CVE-11: Root SSH no password confirmed in source
- CVE-12: Gateway proxy queue manipulation
- CVE-13: Auth cookie exposed in response body
- CVE-14: Unauthenticated config write incl. LTE APN credentials
- CVE-15: HERE search API token in public globalconfig