Error sending command: deviceInfo TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809
Closed this issue · 11 comments
Describe The Bug
Unable to control my Tapo P100.
Hardware version: 1.0.0
Firmware version: 1.3.0 Build 20210310 Rel. 63416
Expected behavior
Plug should turn off and on.
Logs
[18/02/2024, 8:04:11 pm] [TPLink Tapo Platform] Error sending command: deviceInfo TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809
    at Object.privateDecrypt (node:internal/crypto/cipher:79:12)
    at LegacyAPI.decodeHandshakeKey (/var/lib/homebridge/node_modules/homebridge-tp-link-tapo/src/api/LegacyAPI.ts:183:30)
    at LegacyAPI.handshake (/var/lib/homebridge/node_modules/homebridge-tp-link-tapo/src/api/LegacyAPI.ts:173:30)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at LegacyAPI.sendSecureRequest (/var/lib/homebridge/node_modules/homebridge-tp-link-tapo/src/api/LegacyAPI.ts:83:7)
    at LegacyAPI.login (/var/lib/homebridge/node_modules/homebridge-tp-link-tapo/src/api/LegacyAPI.ts:20:22)
    at TPLink.sendCommandWithNoLock (/var/lib/homebridge/node_modules/homebridge-tp-link-tapo/src/api/TPLink.ts:208:9) {
  code: 'ERR_INVALID_ARG_VALUE'
[18/02/2024, 8:04:11 pm] [TPLink Tapo Platform] Failed to get info about: 192.168.0.104
[18/02/2024, 8:04:11 pm] [TPLink Tapo Platform] Retry to connect in 10s: 192.168.0.104
Plugin Config
{
  "name": "TPLink Tapo Platform",
  "email": "",
  "password": "",
  "addresses": [
    "192.168.0.103",
    "192.168.0.104",
    "192.168.0.107",
    "192.168.0.111",
    "192.168.0.108",
    "192.168.0.110",
    "192.168.0.105",
    "192.168.0.106"
  ],
  "_bridge": {
    "username": "0E:17:51:23:24:47",
    "port": 54338
  },
  "platform": "HomebridgeTPLinkTapo"
}
Plugin Version
4.1.0
Homebridge Version
1.7.0
Node.js Version
20.11.1
NPM Version
9.2.0
Operating System
Debian 12, Kernel 6.1.0-18-amd64
Same issue. I don't know what's going on and can fix it...
Hello, I had this problem when uploading a version of a web application that uses Docker, it seems that on 02/14/2024 a fix was released on the node that does not allow RSA encryption with pkcs1 padding to be used, the simplest way to solve it is to run in the terminal a node --security-revert=CVE-2023-46809 that will remove this security rule...
Remembering that this is an ideal palliative solution and no longer use RSA encryption with pkcs1 padding
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases
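An added example, not part of the thread or of the plugin's code: a Node.js check that reports whether the running runtime still performs RSA private decryption with PKCS#1 v1.5 padding, whether it was started with the revert flag quoted above, and that OAEP decryption is unaffected. The key pair and plaintext are constructed, and the function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Constructed throwaway key pair and plaintext; no device or plugin code involved.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
});
const SAMPLE = Buffer.from('constructed-handshake-key');

// Does this runtime still accept PKCS#1 v1.5 padding for private decryption?
function probePkcs1Decrypt() {
  const padding = crypto.constants.RSA_PKCS1_PADDING;
  // The change only affects privateDecrypt, so encrypt outside the try block.
  const ct = crypto.publicEncrypt({ key: publicKey, padding }, SAMPLE);
  try {
    const pt = crypto.privateDecrypt({ key: privateKey, padding }, ct);
    return { allowed: true, matches: pt.equals(SAMPLE) };
  } catch (err) {
    // On a runtime that refuses, this is the error shown in the issue's log.
    return { allowed: false, code: err.code, message: err.message };
  }
}

// True when node was started with the revert flag quoted in the thread.
function revertFlagActive(execArgv = process.execArgv) {
  return execArgv.includes('--security-revert=CVE-2023-46809');
}

// OAEP round trip: encrypt and decrypt with the same padding.
function oaepStillWorks() {
  const padding = crypto.constants.RSA_PKCS1_OAEP_PADDING;
  const ct = crypto.publicEncrypt({ key: publicKey, padding }, SAMPLE);
  return crypto.privateDecrypt({ key: privateKey, padding }, ct).equals(SAMPLE);
}

// One object suitable for logging at service start-up or in a health check.
function report() {
  return {
    node: process.version,
    revertFlag: revertFlagActive(),
    pkcs1: probePkcs1Decrypt(),
    oaep: oaepStillWorks(),
  };
}

console.log(report());
```

A result of `revertFlag: true` marks a process that is running with the protection switched off and should be tracked until the device firmware or the plugin no longer needs it.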
@giovanijfc
Hello, could you please tell me in detail how to solve it? I cloned someone else's backend code, using nestjs, and then deployed it to my server. Such a problem also occurred. I first built an image of the backend service, and then used docker-compose to start this image together with images such as mysql.
Likewise, I am not a coder by any means and accidentally broke my pi's SD card, resulting in starting back up and now it's 5am and I'm running in circles through this. I've put in --security-revert=CVE-2023-46809 and yet, command not found. Please, may a god help me in simple terms.
Are you trying to run an app with npm run start and it fails with this error? It was my case, and I fixed it by going to package.json and in the start: node index.js script, I changed it to start: node --security-revert=CVE-2023-46809 index.js
Basically, to whatever thing you are trying to run with node, just add the flag before the file that you will run
Same here. I'm not a coder and tried to add the above-mentioned "security-revert=CVE-2023-46809" in the Raspberry terminal, but it shows "security-revert=CVE-2023-46809 bash: security-revert=CVE-2023-46809: command not found". Can somebody explain to me how to resolve this step by step in layman's language?
Hello, sorry for the delay in responding, github is not very good with notifications.
Image node without this rule: in your docker file change node:18-alpine to FROM node:18-alpine@sha256:aacbcec05180c1dd8c33dba8a9c42b75dbfdd659aa57617497f1ce2c5d83d889 AS base, which references the image before this security addition
If your image is not alpine or node 18 you only need to use an image released before 02/14/2024
Remove security rule from the environment: must run on the ending node security-revert=CVE-2023-46809
Just downgrade to latest node version that worked
sudo hb-service update-node 20.11.0
Thank you!
I've noticed that error is gone after updating the firmware of the device to 1.5.5 Build 20230927 Rel.40646
Release notes include:
- Updated security for local communications
I used the Tapo iOS app to upgrade the firmware