Skip to content

Latest commit

 

History

History
80 lines (61 loc) · 7.38 KB

mitigations.md

File metadata and controls

80 lines (61 loc) · 7.38 KB

Mitigation Strategies Analysis for dani-garcia/vaultwarden

Mitigation Strategy: Enforce Two-Factor Authentication (2FA) within Vaultwarden

  • Description:

    1. Access Admin Panel: Log in to the Vaultwarden admin panel (/admin).
    2. Enable 2FA: Navigate to the settings related to authentication or security. Enable the 2FA feature. Vaultwarden supports multiple 2FA methods:
      • TOTP (Time-Based One-Time Password): Compatible with apps like Google Authenticator, Authy, etc.
      • YubiKey: Supports hardware security keys from Yubico.
      • Duo Security: Integration with Duo's two-factor authentication service.
    3. Enforce 2FA: Crucially, change the setting to require 2FA for all users. This is typically a separate setting from simply enabling the feature. Look for options like "Enforce 2FA" or "Require 2FA for all users."
    4. User Setup: Users will then be prompted to set up 2FA the next time they log in. They will need to follow the instructions provided by Vaultwarden for their chosen 2FA method (scanning a QR code for TOTP, registering a YubiKey, etc.).
    5. Recovery Codes: Ensure users understand the importance of securely storing their 2FA recovery codes. These codes are essential if they lose access to their 2FA device.

  • Threats Mitigated:

    • Credential Stuffing Attacks (Severity: High): 2FA prevents access even with valid credentials.
    • Brute-Force Attacks (Severity: High): Makes brute-forcing passwords ineffective.
    • Phishing Attacks (Severity: High): Protects against attackers who have obtained credentials through phishing.
    • Compromised Passwords (Severity: High): Mitigates the impact of leaked or weak passwords.

  • Impact:

    • All Threats Listed Above: Dramatically reduces the risk of unauthorized access due to compromised credentials. This is a critical security control.

  • Currently Implemented (Hypothetical Example):

    • 2FA is enabled as an option in Vaultwarden's settings.

  • Missing Implementation (Hypothetical Example):

    • 2FA is not enforced for all users. This is the most significant missing piece. Users can choose not to use 2FA, leaving their accounts vulnerable.

Mitigation Strategy: Secure Vaultwarden Configuration Settings

  • Description:

    1. Access Configuration: Locate and access the Vaultwarden configuration. This is typically done through environment variables, but may also involve a configuration file depending on the deployment method.
    2. Review and Configure Key Settings:
      • SIGNUPS_ALLOWED: If you do not need open registration, set this to false. This prevents attackers from creating new accounts.
      • INVITATIONS_ALLOWED: Carefully control invitation settings. If you don't need invitations, set this to false. If you do use invitations, consider requiring admin approval (INVITATIONS_ADMIN_APPROVAL=true).
      • ADMIN_TOKEN: This is critical. Generate a strong, random token. Never commit this token to version control or expose it in logs. Store it securely as an environment variable.
      • DISABLE_ADMIN_TOKEN: If you are absolutely certain you will never need the admin panel, you can disable it entirely by setting this to true. This is the most secure option if the admin panel is not required, but it makes future configuration changes much more difficult.
      • WEBSOCKET_ENABLED: If you are not using features that require WebSockets (like live sync), set this to false to reduce the attack surface.
      • EMERGENCY_ACCESS_ALLOWED: Carefully consider whether to enable emergency access. If enabled, ensure users understand the security implications.
      • SHOW_PASSWORD_HINT: Set this to false to disable password hints.
    3. Environment Variable Security: Ensure that environment variables containing sensitive information (like ADMIN_TOKEN, DATABASE_URL) are set securely and are not exposed in logs or other accessible locations.

  • Threats Mitigated:

    • Data Exposure due to Misconfiguration (Severity: High): Prevents accidental exposure of sensitive data.
    • Unauthorized Access (Severity: High): Limits unauthorized actions by restricting features like signups and invitations.
    • Compromise of Admin Interface (Severity: Critical): Protects the ADMIN_TOKEN, which is the key to the admin panel.

  • Impact:

    • All Threats Listed Above: Reduces the risk of various attacks by hardening the Vaultwarden configuration.

  • Currently Implemented (Hypothetical Example):

    • SIGNUPS_ALLOWED is set to false.
    • ADMIN_TOKEN is stored in an environment variable.

  • Missing Implementation (Hypothetical Example):

    • INVITATIONS_ALLOWED is set to true without admin approval, allowing anyone with the invitation link to create an account.
    • WEBSOCKET_ENABLED is set to true even though WebSocket features are not being used.
    • SHOW_PASSWORD_HINT is set to true.

Mitigation Strategy: Disable User Enumeration (Indirectly via Vaultwarden's behavior)

  • Description:

    1. Understand the Default Behavior: By default, Vaultwarden (and the official Bitwarden server) may provide slightly different error messages for invalid usernames versus incorrect passwords during login attempts. This can allow an attacker to determine if a username exists.
    2. No Direct Vaultwarden Setting: Vaultwarden itself does not have a specific configuration option to directly disable user enumeration in the same way some other applications might. The mitigation relies on Vaultwarden's current behavior, which, while not perfectly preventing enumeration, makes it more difficult.
    3. Monitor for Changes: Because this relies on the current implementation, it's crucial to monitor future Vaultwarden releases. The developers might change the error handling, potentially making enumeration easier or providing a direct configuration option.
    4. (External Mitigation - For Context): The most robust way to prevent user enumeration is to use a reverse proxy (like Nginx) to modify the error responses to be completely generic, regardless of whether the username exists or the password is incorrect. This is not a Vaultwarden-specific setting, but it's the recommended approach. This mitigation strategy is omitted because it is not directly related to Vaultwarden.

  • Threats Mitigated:

    • User Enumeration (Severity: Low): Makes it more difficult for attackers to determine valid usernames, which can be used in targeted attacks.

  • Impact:

    • User Enumeration: Reduces the information leakage, but doesn't completely eliminate the possibility of enumeration.

  • Currently Implemented (Hypothetical Example):

    • Vaultwarden's default behavior is in place, which provides some resistance to user enumeration.

  • Missing Implementation (Hypothetical Example):

    • No specific actions have been taken beyond relying on the default behavior. There's no monitoring for changes in future Vaultwarden releases that might affect this.