CVE-2026-49973
Status: Deferred - Pending Action
Hermes WebUI Improper Access Control Vulnerability

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: VulnCheck

Description
Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable network can send a POST request to the settings endpoint during the first-run setup window to persist an arbitrary password hash, obtain a valid session cookie, and lock out the legitimate operator from their own instance.
Generated: 2026-06-12

EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: nesquena
Product: hermes_webui
Version / Range: all versions before 0.51.358 (0.51.358 excluded)
CWE
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Hermes WebUI to version 0.51.358 or later, where the issue has been fixed by restricting the first-run password setup to local or private network clients.

If upgrading is not immediately possible, restrict network access to the Hermes WebUI instance so that only trusted local or private network clients can reach the /api/settings endpoint during the first-run setup.

Avoid exposing the WebUI to untrusted networks during initial setup to prevent remote attackers from exploiting the vulnerability.

After upgrading, the first-run password bootstrap action is gated behind a locality check, and remote bootstrap requires explicit operator opt-in via the HERMES_WEBUI_ONBOARDING_OPEN=1 environment variable.

Verify that authentication is enabled as soon as possible after setup to prevent unauthorized access.

Executive Summary

Hermes WebUI versions before 0.51.358 have an improper access control vulnerability in the initial setup process. Specifically, unauthenticated remote attackers can hijack the first-run setup by sending a POST request with the _set_password parameter to the /api/settings endpoint without any network origin restrictions.

This allows attackers on any reachable network to set an arbitrary password hash, obtain a valid session cookie, and lock out the legitimate operator from accessing their own instance.

The vulnerability exists because the endpoint does not properly restrict access during the first-run password bootstrap when authentication is disabled.

Impact Analysis

This vulnerability can have severe impacts including unauthorized takeover of the Hermes WebUI instance during its initial setup.

An attacker can set a password of their choice remotely without authentication, gain a valid session cookie, and effectively lock out the legitimate operator from managing their own system.

This leads to loss of control over the WebUI, potential disruption of services, and unauthorized access to sensitive configurations.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the /api/settings endpoint that include the _set_password parameter during the first-run setup window of Hermes WebUI before version 0.51.358.

To detect potential exploitation attempts, you can look for network traffic or logs showing POST requests to /api/settings from non-local IP addresses when authentication is disabled.

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture POST requests to /api/settings.
  • Example tcpdump command to capture HTTP POST requests to /api/settings (substitute the port the WebUI actually listens on for 80; this only works for plaintext HTTP, not for a TLS-terminated instance): tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /api/settings'
  • Check Hermes WebUI server logs for POST requests containing the _set_password parameter from remote IP addresses during initial setup.

Since the vulnerability is exploitable only during the first-run setup window, while authentication is still disabled, verifying whether an instance is still in that state is as important as watching the traffic to it.
