Source: security-advisories@github.com
Signal K Server is a server application that runs on a central hub in a boat. In versions prior to 2.19.0, the appstore interface allows administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers, including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any `postinstall` script defined in `package.json`, enabling arbitrary code execution. The vulnerability exists because npm's version specifier syntax is extremely flexible and the Signal K code passes the version parameter directly to npm without sanitization. An attacker with admin access can therefore install a package from an attacker-controlled source containing a malicious `postinstall` script. Version 2.19.0 contains a patch for the issue.
Signal K Server versions prior to 2.19.0 are vulnerable to remote code execution (RCE). An attacker with administrative privileges can exploit a flaw in the appstore interface to install malicious npm packages, leading to complete system compromise. This vulnerability allows for arbitrary code execution on the boat's central hub, potentially impacting navigation, communication, and other critical functions.
Step 1: Admin Access Required: The attacker must have administrative access to the Signal K Server's appstore interface.
Step 2: Crafting the Malicious Package: The attacker creates a malicious npm package. This package is hosted on a Git repository, GitHub, or a web server and includes a `package.json` file with a `postinstall` script containing the attacker's payload (e.g., reverse shell, data exfiltration, etc.).
Step 3: Exploiting the REST API: The attacker uses the Signal K Server's REST API endpoint for installing npm packages. They provide the legitimate package name and a crafted version parameter pointing to their malicious package source (e.g., a Git repository URL).
Step 4: Package Installation: The Signal K Server, due to the vulnerability, downloads and installs the attacker's malicious package using `npm install`.
Step 5: Post-Installation Code Execution: Upon installation, npm executes the `postinstall` script defined in the attacker's `package.json` file, triggering the attacker's payload and granting them control over the server.
The vulnerability stems from insufficient input validation in the Signal K Server's appstore interface when handling the version parameter during npm package installation. The code passes the user-supplied version specifier directly to the `npm install` command without sanitization, so an attacker can point it at a malicious package source such as a Git repository, GitHub shorthand, or a URL to a tarball whose `package.json` declares a `postinstall` script. npm executes that script automatically after the package is installed, and it can contain arbitrary commands, giving the attacker code execution on the server. The root cause is therefore the missing validation of the version parameter, combined with the flexibility of npm's version specifier syntax and npm's automatic execution of `postinstall` scripts.
While no specific APTs are known to be actively exploiting this vulnerability, the nature of the target (boat's central hub) suggests potential interest from threat actors targeting maritime infrastructure. The vulnerability could be leveraged for espionage, sabotage, or financial gain. CISA KEV status: Not Listed.
Monitor Signal K Server logs for suspicious activity related to npm package installations, especially those originating from unexpected sources or with unusual version specifiers.
Analyze network traffic for connections to external repositories or servers during package installation attempts.
Implement file integrity monitoring to detect changes to critical system files or the addition of new files in the Signal K Server's installation directory.
Review the `package.json` files of installed plugins for suspicious `postinstall` scripts.
Upgrade to Signal K Server version 2.19.0 or later, which contains a patch for this vulnerability.
Implement strict input validation and sanitization of the version parameter in the appstore interface to prevent the use of arbitrary version specifiers.
Review and audit all installed npm packages for malicious code or vulnerabilities.
Restrict administrative access to the Signal K Server's appstore interface to only trusted users.
Implement a web application firewall (WAF) to filter malicious requests to the REST API endpoint.
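As an added example that is not Signal K Server's own code, the following JavaScript shows how the strict validation of the version parameter recommended above could be implemented: an allowlist that accepts only semver versions, simple semver ranges and the `latest` dist-tag, and rejects every specifier form npm would resolve to a git repository, GitHub shorthand, tarball URL or local path. The package names, function names and sample inputs are assumptions constructed for illustration.

```javascript
// Added example (not Signal K Server's own code): allowlist the "version"
// parameter of an install request so that only plain semver versions, simple
// semver ranges and the "latest" dist-tag reach npm. Git URLs, GitHub
// shorthand, tarball URLs and file paths are refused before npm is invoked.

const SEMVER = String.raw`\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?`;
const EXACT = new RegExp(`^${SEMVER}$`);                            // 2.19.0, 1.2.3-beta.1
const COMPARATOR = new RegExp(`^(?:\\^|~|>=|<=|>|<|=)?${SEMVER}$`); // ^1.4.0, >=1.0.0
const ALLOWED_TAGS = new Set(['latest']);                           // dist-tags we permit

// True only when npm cannot read `spec` as a remote or local source.
// Deliberately stricter than npm itself: "1.2", "*", "1.x" and "||"
// ranges are refused too, which is acceptable for an install form.
function isSafeVersionSpec(spec) {
  if (typeof spec !== 'string' || spec.length === 0 || spec.length > 64) return false;
  if (ALLOWED_TAGS.has(spec) || EXACT.test(spec)) return true;
  // A range is comparators separated by single spaces, e.g. ">=1.0.0 <2.0.0".
  return spec.split(' ').every((token) => COMPARATOR.test(token));
}

// Gate for the install endpoint: proceed to npm only when `ok` is true.
// The package name is assumed to be checked against the registry
// separately, as the advisory says the endpoint already does.
function checkInstallRequest(name, version) {
  if (typeof name !== 'string' || !/^(@[a-z0-9-]+\/)?[a-z0-9][a-z0-9._-]*$/.test(name)) {
    return { ok: false, reason: 'invalid package name' };
  }
  if (!isSafeVersionSpec(version)) {
    return { ok: false, reason: `version specifier not allowed: ${version}` };
  }
  return { ok: true, spec: `${name}@${version}` };
}

// Constructed sample inputs with placeholder names; the last four are the
// specifier forms the advisory describes and must all be rejected.
const SAMPLES = [
  ['example-plugin', '2.19.0'],
  ['@example/webapp', '^1.4.0'],
  ['example-plugin', '>=1.0.0 <2.0.0'],
  ['example-plugin', 'github:example/example-plugin'],
  ['example-plugin', 'example/example-plugin'],
  ['example-plugin', 'https://example.invalid/example-plugin.tgz'],
  ['example-plugin', 'git+https://example.invalid/example-plugin.git'],
];

for (const [name, version] of SAMPLES) {
  const r = checkInstallRequest(name, version);
  console.log(`${version.padEnd(46)} ${r.ok ? 'allow' : 'reject'}`);
}
```

Validating the specifier does not cover a malicious package published to the registry under a known name, so the existing name check and the review of installed plugins' `package.json` files remain necessary.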