Source: security-advisories@github.com
Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (`/signalk/v1/access/requests`). This causes a "JavaScript heap out of memory" error due to unbounded in-memory storage of request objects. Version 2.19.0 fixes the issue.
Signal K Server versions prior to 2.19.0 are vulnerable to a Denial of Service (DoS) attack. An unauthenticated attacker can crash the server by flooding the /signalk/v1/access/requests endpoint, leading to a JavaScript heap out of memory error and service unavailability. This vulnerability poses a significant risk to boat owners relying on Signal K for critical navigation and monitoring functions.
Step 1: Target Identification: The attacker identifies a Signal K Server instance running a vulnerable version (prior to 2.19.0). This can be achieved through port scanning or other reconnaissance techniques.
Step 2: Request Generation: The attacker crafts a large number of HTTP requests targeting the /signalk/v1/access/requests endpoint. These requests can be simple, valid HTTP requests, as the vulnerability does not require any specific content.
Step 3: Request Flooding: The attacker sends the crafted requests to the target server at a high rate, overwhelming the server's capacity to process them.
Step 4: Memory Exhaustion: The server, lacking rate limiting or memory management, attempts to store each request object in memory, leading to a rapid increase in memory consumption.
Step 5: Heap Overflow and Crash: The server's memory allocation eventually exceeds the available JavaScript heap space, triggering a 'JavaScript heap out of memory' error. This error causes the Signal K Server process to crash, resulting in a Denial of Service.
The vulnerability stems from a lack of rate limiting and unbounded storage of access request objects within the Signal K Server. Specifically, the server fails to implement any mechanism to limit the number of requests processed or the memory allocated to store them. When an attacker floods the /signalk/v1/access/requests endpoint with a large number of requests, the server attempts to store each request object in memory. This leads to an exponential growth in memory consumption, eventually exhausting the available JavaScript heap space. The 'JavaScript heap out of memory' error is a direct consequence of this unbounded memory allocation, causing the server to crash and become unresponsive. The root cause is a missing input validation and resource management within the access request handling logic.
While no specific APTs are directly linked to this vulnerability at this time, the ease of exploitation and potential impact (disruption of maritime navigation and monitoring) make it attractive to various threat actors. This could be used by nation-state actors, cybercriminals seeking to disrupt operations, or even disgruntled individuals. CISA KEV status: Not Applicable (as of the provided date).
Network traffic analysis: Monitor for a high volume of HTTP requests to the /signalk/v1/access/requests endpoint from a single source IP address or a small number of source IPs.
Server-side logging: Examine Signal K Server logs for a high frequency of access request entries, especially those preceding a crash or service outage.
System monitoring: Monitor server resource utilization (CPU, memory) for unusual spikes, particularly memory consumption, which may indicate a DoS attack.
Alerting: Configure alerts to trigger on 'JavaScript heap out of memory' errors in server logs.
Intrusion Detection Systems (IDS): Implement IDS rules to detect anomalous traffic patterns targeting the vulnerable endpoint.
Upgrade to Signal K Server version 2.19.0 or later, which includes a fix for the vulnerability.
Implement rate limiting on the /signalk/v1/access/requests endpoint to restrict the number of requests from a single source within a given time period.
Implement input validation to sanitize and validate request data, preventing malformed or excessive requests.
Monitor server resource utilization and set up alerts to detect and respond to unusual spikes in memory consumption.
Consider deploying a Web Application Firewall (WAF) in front of the Signal K Server to filter malicious traffic.
Regularly review and update security configurations and software to address known vulnerabilities.