{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/signalk-server--2.24.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["signalk-server (\u003c= 2.24.0)"],"_cs_severities":["high"],"_cs_tags":["credential-access","brute-force","websocket"],"_cs_type":"advisory","_cs_vendors":["Signal K"],"content_html":"\u003cp\u003eSignal K server versions 2.24.0 and earlier are vulnerable to credential brute-forcing over the WebSocket protocol. The HTTP login endpoints are rate-limited to 100 attempts per 10 minutes, but login messages sent over the WebSocket stream endpoint (\u003ccode\u003e/signalk/v1/stream\u003c/code\u003e) are not subject to that limit. An attacker who establishes a single WebSocket connection can therefore submit an unbounded number of login attempts, which makes dictionary attacks against server accounts practical and can lead to unauthorized access to Signal K servers. 
Signal K servers are commonly deployed on boat networks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Signal K server running version 2.24.0 or earlier.\u003c/li\u003e\n\u003cli\u003eAttacker establishes a WebSocket connection to \u003ccode\u003ews://server:3000/signalk/v1/stream?subscribe=none\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server sends a hello message, confirming the connection.\u003c/li\u003e\n\u003cli\u003eAttacker sends login attempts as WebSocket messages in the following JSON format: \u003ccode\u003e{\u0026quot;requestId\u0026quot;: \u0026quot;1\u0026quot;, \u0026quot;login\u0026quot;: {\u0026quot;username\u0026quot;: \u0026quot;admin\u0026quot;, \u0026quot;password\u0026quot;: \u0026quot;guess1\u0026quot;}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server verifies each login attempt without consulting any rate limit: the attempts are WebSocket messages rather than requests to the HTTP login endpoints, so the HTTP limiter never sees them.\u003c/li\u003e\n\u003cli\u003eAttacker keeps sending login attempts with different password guesses over the same connection.\u003c/li\u003e\n\u003cli\u003eIf a guess is correct, the attacker is authenticated and gains unauthorized access to the Signal K server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to bypass the HTTP rate limit entirely and brute-force credentials to gain unauthorized access to Signal K servers. Over a single connection the attacker reaches roughly 20 attempts per second; the limiting factor is the server's bcrypt password verification, not any defensive control. At that rate a 10,000-word dictionary is exhausted in about 500 seconds, roughly 8 minutes. 
Since Signal K servers are commonly deployed on boat networks, successful exploitation can lead to unauthorized access to sensitive maritime data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor connections to Signal K servers for unusually high rates of WebSocket login attempts. Create a detection rule that triggers when a single IP address sends more than 5 login attempts per second via the WebSocket protocol. Attempts inside one WebSocket connection do not appear as separate requests in HTTP access logs, so the rule needs a source that sees the individual login messages, such as the server's own logs or a WebSocket-aware proxy in front of it.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect High Volume SignalK WebSocket Login Attempts\u003c/code\u003e to identify potential brute-force attacks against Signal K servers.\u003c/li\u003e\n\u003cli\u003eUpgrade Signal K servers to a patched version that includes rate limiting on the WebSocket login endpoint. Until that is done, limit network exposure of the server's listening port (port 3000 in the attack chain above) to trusted hosts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-signalk-brute-force/","summary":"The Signal K server's WebSocket login endpoint lacks rate limiting, allowing attackers to bypass HTTP rate limiting by opening a WebSocket connection and attempting unlimited password guesses.","title":"Signal K Server WebSocket Login Brute-Force Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-signalk-brute-force/"}],"language":"en","title":"CraftedSignal Threat Feed — Signalk-Server (\u003c= 2.24.0)","version":"https://jsonfeed.org/version/1.1"}
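The following is an added example and not code from the Signal K project or from the advisory above. It replays the attack chain and the recommendation in plain Node.js without a real WebSocket: a stream message handler with no rate limit (the behaviour the advisory describes), the same handler charging login messages against the 100-per-10-minute budget the advisory cites for the HTTP endpoints, and the recommended detection rule (more than 5 WebSocket login attempts per second from one IP) run over the attempt log the simulation produces. The response shape `{requestId, state, statusCode}`, the toy user store, the `ws-login` event format and the addresses are assumptions made for the example.

```javascript
// Added example, not code from the Signal K project or from this advisory.
// Plain Node.js, no `ws` dependency: the WebSocket transport is replaced by
// direct calls to a message handler, which is enough to show the bug.
// Assumptions (not stated in the advisory): the response shape
// {requestId, state, statusCode}, the toy user store, and the event log format
// consumed by the detector are all illustrative.

// Budget the advisory cites for the HTTP login endpoints.
const HTTP_LOGIN_LIMIT = { max: 100, windowMs: 10 * 60 * 1000 };

// Sliding-window attempt counter keyed by client IP. One instance is meant to be
// shared by the HTTP login routes and the stream handler, so that opening a
// WebSocket does not buy the client a fresh budget.
class LoginRateLimiter {
  constructor({ max, windowMs }) {
    this.max = max;
    this.windowMs = windowMs;
    this.attempts = new Map(); // ip -> timestamps (ms) of attempts in the window
  }

  allow(ip, now) {
    const recent = (this.attempts.get(ip) || []).filter((t) => now - t < this.windowMs);
    const permitted = recent.length < this.max;
    if (permitted) recent.push(now);
    this.attempts.set(ip, recent);
    return permitted;
  }
}

// Constructed credential store; a plain comparison stands in for bcrypt here.
const USERS = { admin: 'not-in-any-wordlist' };
const credentialsValid = ({ username, password }) => USERS[username] === password;
const reply = (requestId, statusCode) => ({ requestId, state: 'COMPLETED', statusCode });

// Vulnerable dispatch: a login message received on the stream is verified right
// away, so the per-IP budget enforced on the HTTP routes is never consulted.
function handleStreamMessageVulnerable(ip, raw) {
  const msg = JSON.parse(raw);
  if (!msg.login) return null; // subscription messages are out of scope here
  return reply(msg.requestId, credentialsValid(msg.login) ? 200 : 401);
}

// Hardened dispatch: the login message is charged against the shared budget and
// refused with 429 once the budget is spent.
function handleStreamMessageHardened(limiter, ip, raw, now) {
  const msg = JSON.parse(raw);
  if (!msg.login) return null;
  if (!limiter.allow(ip, now)) return reply(msg.requestId, 429);
  return reply(msg.requestId, credentialsValid(msg.login) ? 200 : 401);
}

// Replays a dictionary attack of `attempts` guesses at `ratePerSec` over one
// simulated connection. Returns a tally of status codes and the attempt log a
// detector would see (constructed here; a real deployment would log this itself).
function simulateBruteForce(handler, { ip, attempts, ratePerSec }) {
  const counts = { 200: 0, 401: 0, 429: 0 };
  const log = [];
  for (let i = 0; i < attempts; i++) {
    const ts = Math.floor((i * 1000) / ratePerSec); // ms since the attack began
    const raw = JSON.stringify({
      requestId: String(i + 1),
      login: { username: 'admin', password: `guess${i}` },
    });
    const res = handler(ip, raw, ts);
    counts[res.statusCode] += 1;
    log.push({ ts, ip, kind: 'ws-login' });
  }
  return { counts, log };
}

// Detection rule from the recommendation: any IP with more than `threshold`
// WebSocket login attempts inside one second is flagged.
function detectWsLoginBursts(log, threshold = 5) {
  const perIpSecond = new Map(); // "ip|second" -> attempt count
  for (const e of log) {
    if (e.kind !== 'ws-login') continue;
    const key = `${e.ip}|${Math.floor(e.ts / 1000)}`;
    perIpSecond.set(key, (perIpSecond.get(key) || 0) + 1);
  }
  const flagged = new Set();
  for (const [key, n] of perIpSecond) {
    if (n > threshold) flagged.add(key.split('|')[0]);
  }
  return [...flagged];
}

// Replay the advisory's numbers: 10,000 guesses at 20/s from one address.
const attacker = { ip: '192.0.2.10', attempts: 10000, ratePerSec: 20 };
const vulnerable = simulateBruteForce(handleStreamMessageVulnerable, attacker);
const limiter = new LoginRateLimiter(HTTP_LOGIN_LIMIT);
const hardened = simulateBruteForce(
  (ip, raw, now) => handleStreamMessageHardened(limiter, ip, raw, now),
  attacker,
);
console.log('vulnerable handler:', vulnerable.counts); // 10,000 guesses verified, 0 refused
console.log('hardened handler:  ', hardened.counts);   // 100 verified, 9,900 refused
console.log('flagged by detector:', detectWsLoginBursts(vulnerable.log)); // ['192.0.2.10']
```

The point of the shared `LoginRateLimiter` is that the budget is keyed by client address, not by transport: whatever the HTTP login routes charge, the stream handler must charge too, otherwise a WebSocket upgrade is a free second door. The detector is deliberately coarse (fixed one-second buckets) so it can be expressed as a simple count-per-key rule in a SIEM; it will only work if the individual login messages are logged, which is the caveat given in the recommendation.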