Source: security-advisories@github.com
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.
Unauthenticated attackers can exploit a critical vulnerability in Signal K Server versions prior to 2.19.0, allowing them to hijack the server's restore functionality. This leads to account takeover and remote code execution (RCE) by overwriting critical configuration files.
Step 1: Payload Delivery: The attacker crafts a malicious HTTP request to the /skServer/validateBackup endpoint. This request includes a crafted restoreFilePath parameter.
Step 2: File Path Manipulation: The attacker sets the restoreFilePath to point to a critical server configuration file, such as security.json or package.json.
Step 3: Malicious Content Injection: The attacker prepares malicious content to overwrite the targeted configuration file. For security.json, this might include a new administrator account. For package.json, this might include a malicious script to be executed.
Step 4: Administrator Trigger: The attacker waits for an administrator to initiate a backup restore operation.
Step 5: File Overwrite: The server, using the attacker-controlled restoreFilePath, overwrites the targeted configuration file with the attacker's malicious content.
Step 6: Account Takeover/RCE: Depending on the targeted file and injected content, the attacker gains administrator access or achieves remote code execution.
The vulnerability stems from insufficient input validation on the /skServer/validateBackup endpoint: the server does not sanitize the restoreFilePath parameter, which dictates where the server will restore configuration files from during a backup restore. An attacker can send a crafted request to this endpoint that sets restoreFilePath to point at critical server configuration files (e.g., security.json, package.json). When the administrator later initiates a restore, the server blindly uses the attacker-controlled restoreFilePath and overwrites these files with attacker-controlled content. This leads to account takeover (by modifying security.json to include a backdoor administrator account) and RCE (by injecting malicious code into package.json and triggering its execution). The root cause is the missing validation of restoreFilePath, combined with a restore design that permits arbitrary file overwrites.
No specific APT groups are known to be actively exploiting this vulnerability at this time. However, due to the ease of exploitation and high impact, it is likely to be targeted by various threat actors. CISA KEV status: Not Listed.
Monitor HTTP traffic for suspicious requests to the /skServer/validateBackup endpoint with unusual restoreFilePath values.
Analyze server logs for file modification events, particularly those affecting critical configuration files like security.json and package.json.
Implement file integrity monitoring to detect unauthorized changes to critical configuration files.
Monitor network traffic for unusual outbound connections from the server after a restore operation, which could indicate RCE.
Upgrade Signal K Server to version 2.19.0 or later.
Implement robust input validation and sanitization for the restoreFilePath parameter in the /skServer/validateBackup endpoint.
Restrict access to the /skServer/validateBackup endpoint to only authenticated users.
Implement a secure backup and restore process that verifies the integrity of backup files before restoring.
Regularly audit server configuration files for any unauthorized modifications.
Implement a Web Application Firewall (WAF) to filter malicious requests.