Security Advisory: scsynth and supernova listen on all network interfaces by default


Hi all,

There’s a network security issue in scsynth and supernova in the form of an unsafe default configuration.

scsynth and supernova, by default, listen to OSC messages on all network interfaces. For most average users running laptops on WiFi with no special additional configuration, anyone on your local network can send OSC messages to your SC server. This is probably not what you want.

scsynth and supernova are NOT secure against untrusted OSC input. An attacker can easily overwrite files, and I think there are even remote code execution vulnerabilities in the buffer commands.

To my knowledge, the networking configuration of the servers has been wide open since the beginning of SC3.

I doubt that SuperCollider servers on a local network are much of a worthwhile avenue for hackers, but you all at least deserve information on how to protect yourselves from this just in case.

scsynth 3.8+

scsynth in 3.8 introduced the -B command-line option that allows picking a socket address. Setting it to 127.0.0.1 ensures that you only listen to traffic coming from the host, which fixes the issue. Unfortunately, when it was introduced, the default was still kept at 0.0.0.0. This was chosen for backward compatibility reasons, but the consequences of this default were not really considered.

So, if you boot scsynth from the command line, or run an alternate client of some sort, the fix is easy:

scsynth -B 127.0.0.1 ...

ServerOptions is the sclang front-end to the command-line options. Due to an oversight, ServerOptions doesn’t actually expose the -B option, nor does it provide generic functionality for arbitrary command-line options (argh!). I have found this terrible hack that you can add to your startup file that fixes this:

Server.program = Server.program + "-B 127.0.0.1";

So do that immediately if you are concerned about untrusted network traffic.

scsynth before 3.8, or supernova

Here are some things you can do to patch this hole:

  • If using supernova 3.8+, consider switching to scsynth. supernova does not support the -B option.
  • Configure your machine’s firewall to block outside traffic to port 57110, the default port that scsynth/supernova listen on.
  • As a last resort, disable networking whenever running the SuperCollider server.
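As an added check that is not part of the original post: a small shell script that reads `ss -lun` output (Linux) and reports whether anything on UDP port 57110 is bound to a wildcard or non-loopback address instead of 127.0.0.1. The sample socket listings are constructed, and the function name and output words are my own.

```shell
#!/bin/sh
# Added example (not from the original post or the SuperCollider project):
# audit whether the SuperCollider server's UDP port is reachable from the
# network or only from the host itself.

SC_PORT=57110   # default scsynth/supernova port, as stated in the advisory

# sc_bind_state <text in `ss -lun` format>
# Prints "exposed"  if any listener on $SC_PORT is bound to a wildcard or
#                   non-loopback address (e.g. 0.0.0.0, [::], 192.168.x.x),
#        "loopback" if every listener on $SC_PORT is on 127.0.0.1 or [::1],
#        "absent"   if nothing is listening on $SC_PORT.
sc_bind_state() {
    printf '%s\n' "$1" | awk -v port="$SC_PORT" '
        NR > 1 {
            # find the "Local Address:Port" field that ends in :$SC_PORT
            for (i = 1; i <= NF; i++) {
                if ($i ~ (":" port "$")) {
                    addr = substr($i, 1, length($i) - length(port) - 1)
                    found = 1
                    if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
                    next
                }
            }
        }
        END {
            if (!found) print "absent"
            else if (exposed) print "exposed"
            else print "loopback"
        }'
}

# Constructed sample listings (not captured from a real machine).
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:57110      0.0.0.0:*
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*'
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      127.0.0.1:57110    0.0.0.0:*'

# Check the running host when ss is available; otherwise show the sample.
if command -v ss >/dev/null 2>&1 && live=$(ss -lun 2>/dev/null); then
    echo "this host: $(sc_bind_state "$live")"
else
    echo "sample (0.0.0.0 bind): $(sc_bind_state "$SAMPLE_EXPOSED")"
    echo "sample (-B 127.0.0.1): $(sc_bind_state "$SAMPLE_LOOPBACK")"
fi
```

Run it after booting the server: "exposed" means the -B 127.0.0.1 fix (or the firewall rule) is not in effect.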

Thanks for reading. I’ve made this a priority to fix for 3.10.3, tracked by this issue: https://github.com/supercollider/supercollider/issues/4496

As a final note, I am in no way an expert in network security, so please don’t hesitate to correct me if I’ve gotten something wrong here.