Security Update: P1IB – New firmware release (54aaa555 20240922)
Summary of vulnerabilities
The following security vulnerabilities were discovered in a previous version of P1IB's firmware:
Vulnerability 1: A flaw in the handling of authorization for the configuration restAPI endpoints could allow unauthorized access under certain conditions.
Vulnerability 2: Risk of cross-site request forgery (CSRF) in targeted attacks.
Vulnerability 3: The configuration API could expose user information.
Vulnerability 4: Flashing firmware other than the official P1IB firmware was possible.
New firmware features & fixes
Fix for vulnerability 1: The authorization bug is fixed and additional authorization checks are added to all critical restAPI endpoints.
Fix for vulnerability 2: A CSRF token is now required on all critical restAPI endpoints.
Fix for vulnerability 3: User information handling changed to “set and forget”.
Fix for vulnerability 4: The possibility to flash firmware other than official P1IB firmware is removed. This “flaw” came from old code that helped other developers push firmware to their devices more easily during development of forks of the P1IB repos (at one point in time, P1IB was going to be open source). This code is now removed.
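To illustrate the shape of fixes 1 and 2, here is an added example that is not P1IB's own code: a minimal request dispatcher in which every critical configuration endpoint requires both a valid session and a CSRF token bound to that session. The endpoint paths, session store, token format and the "before" variant (which models one plausible form of a per-endpoint authorization gap, not the actual P1IB defect) are all assumptions.

```python
import hmac
import secrets

# Constructed sample state: one logged-in session with its own CSRF token.
# In a real device this would live in the HTTP server's session store.
SESSIONS = {"sess-abc": {"user": "admin", "csrf": secrets.token_hex(16)}}

# Endpoints that change configuration and therefore need both checks.
# Paths are hypothetical, not P1IB's real API.
CRITICAL_ENDPOINTS = {"/api/config", "/api/firmware", "/api/user"}


def before_fix(path, cookies, form):
    """Vulnerable pattern (assumed, for illustration): the session check is
    applied to a single endpoint, so the other critical endpoints are open
    and nothing ties the request to the logged-in session (no CSRF check)."""
    if path == "/api/config" and cookies.get("session") not in SESSIONS:
        return 401
    return 200


def after_fix(path, cookies, form):
    """Hardened dispatcher: authorization and CSRF are enforced centrally
    for every critical endpoint rather than endpoint by endpoint."""
    if path not in CRITICAL_ENDPOINTS:
        return 200                       # read-only/public endpoint
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401                       # not authenticated
    supplied = form.get("csrf_token", "")
    # Constant-time comparison against the token issued to this session;
    # a cross-site form cannot read that token, so the request is refused.
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return 403
    return 200
```

The useful check for a reviewer is the negative cases: an unauthenticated call to a critical endpoint must fail even when it is not the one endpoint the old code happened to guard, and an authenticated call without the session's token must fail too.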
Call to action
For your security, we strongly recommend updating to the latest firmware (54aaa555 20240922 or later) as soon as possible.
The firmware can be updated by going to the “Firmware” menu on your P1IB device and selecting the download icon in the table of available firmware versions.