this post was submitted on 12 Aug 2024

258 points (99.2% liked)

Selfhosted

39980 readers

430 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

[email protected]

258

"PSA: Update Vaultwarden as soon as possible" (lemmy.ca)

submitted 2 months ago* (last edited 2 months ago) by [email protected] to c/[email protected]

25 comments fedilink hide all child comments

See this post from another website for more context.

Important: Make a backup first, at least one user mentioned the update breaking their install

A new version (1.32.0) of Vaultwarden is out with security fixes:

This release has several CVE Reports fixed and we recommend everybody to update to the latest version as soon as possible.

CVE-2024-39924 Fixed via #4715

CVE-2024-39925 Fixed via #4837

CVE-2024-39926 Fixed via #4737

Release page

top 25 comments

sorted by: hot top controversial new old

[–] [email protected] 4 points 2 months ago* (last edited 2 months ago) (1 children)

this update broke my installation :(. I have not updated it in a while. Now I have to rollback until I fix this. Hope the backup will work. EDIT: It was the reverse proxy. Check the developer notes before updating.

[–] [email protected] 3 points 2 months ago

I'll include a note in the post about making a backup first, sorry about that!

[–] [email protected] 3 points 2 months ago

sudo systemctl restart vaultwarden.service

Done. :)

Thanks for the heads up.

[–] [email protected] 5 points 2 months ago

Thanks for the psa op

[–] [email protected] 12 points 2 months ago

Interesting the CVEs don't have information yet and didn't appear to affect bitwarden and it's containers. Haven't seen a security release from them since around March.

[–] [email protected] 8 points 2 months ago

Watchtower took care of that for me 👍

[–] [email protected] 7 points 2 months ago

updated a little while ago due to this post.. as the release number is not a .1, i wasn't expecting this addressing cves. thanks :)

[+] [email protected] -7 points 2 months ago (6 children)

Not to flame on anyone, and without reading the details on the specific CVE. But, to share as an advice: this reason is why I prefer keepass + syncthing for my needs. Security for a full blown web app is not trivial and has a bigger "attack surface" than a kdbx file moving p2p through my devices via syncthing.

[–] [email protected] 4 points 2 months ago

Good for you man, I mean it. I would also use Keepass, but I share a lot of logins with my wife, and some with my kids, so having a self-hosted app that can sync seamlessly without added friction, like Bitwarden, is the next best thing.

[–] [email protected] 1 points 2 months ago (1 children)

I might try vaultwarden myself, given that my life partner is always asking me for some platform password I already shared. Is possible to use just on LAN to sync and keep using the passwords from the android client while out of reach? I was just reading about 30-days sessions in the docs. Apparently, yes. That's huge (for me, I'd like not to expose anything, even with VPN)

[–] [email protected] 2 points 2 months ago

Yes, you could run it in LAN only. You could access it via VPN only.

Obviously this adds friction in addition to security, but if that's fine with you, you can.

[–] [email protected] 12 points 2 months ago

If that works for you, great. But a self-hosted service offers a lot of convenience for a relatively small amount of added risk. Some things I like about Bitwarden/Vaultwarden:

can share logins easily w/ my wife, while each having our own passwords
nice UX for my phone and desktop (prompts for most apps that require passwords)
web vault so I can access my logins if I don't have my phone with me (e.g. lost phone while traveling)

And since it's self-hosted, I'm far less likely to be targeted than the official Bitwarden instance since an attacker would need to know my domain, as well as being able to exploit the vulnerability through my multiple layers (requests go through HAProxy, my VPN, and Caddy before getting to Vaultwarden). I can make it even more secure by putting it inside my VPN (I have mine routed outside my VPN for the web vault access).

[–] [email protected] 15 points 2 months ago

Security for a full blown web app is not trivial and has a bigger “attack surface” than a kdbx file moving p2p through my devices via syncthing.

Absolutely.

My Vaultwarden instance is only accessible via LAN or VPN though, I don't think I'd want to expose it to the internet.

[–] [email protected] 8 points 2 months ago* (last edited 2 months ago) (1 children)

Explain how can you use KeePass+Syncthing with 10-50 people (possibly different groups for different passwords) having different sets of access level while maintaining sane ease of use?

The passwords are encrypted in the first place so the security for them is only on the client side.

[–] [email protected] 6 points 2 months ago (2 children)

I do not have to share passwords with 10-50 people and neither did the op imply this. I am having trouble figuring out the reasoning behind your message. Why would this be a normal use case?

[–] [email protected] 4 points 2 months ago* (last edited 2 months ago)

10-50 people normal use case?

For KeePass no, for VaultWarden yes.

Just got triggered for the comment above suggesting a solution that doesn't work for quite a lot of deployments/users, but yes, my comment was a little bit out of place as for single user deployments KeePass is probably way simpler/better.

[–] [email protected] 5 points 2 months ago (1 children)

I said my needs. I was just sharing. Hardly understanding your normal use case of 10-50 users on a same kdbx. The best you could do is having multiple kdbx, fro subgroups of users. Since not everyone should have the master password to all those kdbx... But I am sure that if those were my needs I'd jump to vaultwarden too. That's why I specifically added the disclaimer sentences on my post. I didn't mean to rob vaultwarden of its value. Just pointed out the tradeoff. Your comments adds on to those tradeoffs, they're just different solutions with different pros and cons. The user who mentioned using vaultwarden behind a VPN gave great input, I wasn't considering that. Anyway, have a nice day.

[–] [email protected] 3 points 2 months ago

Totally agreed, but there are pros and cons.

File - harder to steal but once stolen hacker can bruteforce it as much as it wants. Web service - with proper rate limits (and additional IP whitelist so you can only sync on VPN/local network) - its harder to bruteforce. (But yes, you (sometimes) have also full copy locally in the local client, but ...)

If it was only for me I probably would also go with KeePass as you will not update the same db at the same time, but with with multiple users it's getting unmanageable.

I just got triggered as those CVEs are not that bad due to the nature that the app encrypts stuff on the client side so web server is more like shared file storage, while your answer suggested to switch to a solution that doesn't work for a lot of people (as we already tried that).

[–] [email protected] 6 points 2 months ago (2 children)

syncthing also relies on a web server for device discovery, it's just that you're probably using someone else's server instead of hosting your own.

Correct me if I'm wrong, but I also think that Vaultwarden itself doesn't have access to the unencrypted password database. In that sense it's E2EE similar to KeePass, the only difference being that KeePass is a desktop app and Vaultwarden a web app.

[–] [email protected] 2 points 2 months ago

The syncthing server only gives metadata (no files, only IPs) between the devices, so they can connect to each other. And it's self-hostable.

[–] [email protected] 3 points 2 months ago

You can use Syncthing without relays or discovery servers.

[–] [email protected] 4 points 2 months ago

Thanks for the head's up!

[–] [email protected] 4 points 2 months ago

Thanks

[–] [email protected] 9 points 2 months ago

Thanks for the post OP, updating my VaultWarden docker instance ASAP.

[–] [email protected] 35 points 2 months ago

Docker image is already updated.