<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Websocket — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/websocket/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 03 May 2026 17:16:13 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/websocket/feed.xml" rel="self" type="application/rss+xml"/><item><title>AV Stumpfl Pixera Two Media Server Code Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-pixera-code-injection/</link><pubDate>Sun, 03 May 2026 17:16:13 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-pixera-code-injection/</guid><description>A remote code injection vulnerability exists in AV Stumpfl Pixera Two Media Server versions up to 25.2 R2 due to improper handling within the Websocket API, potentially allowing unauthenticated attackers to execute arbitrary code.</description><content:encoded><![CDATA[<p>A code injection vulnerability, tracked as CVE-2026-7703, has been identified in AV Stumpfl Pixera Two Media Server impacting versions up to 25.2 R2. The vulnerability resides within an unspecified function of the Websocket API component. Successful exploitation allows a remote attacker to inject and execute arbitrary code on the affected system. Given that an exploit has been published, the risk of exploitation is elevated. Organizations using the Pixera Two Media Server should upgrade to version 25.2 R3 or later to mitigate the risk. 
This vulnerability poses a significant threat to media production environments relying on the affected software.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable AV Stumpfl Pixera Two Media Server instance running a version prior to 25.2 R3.</li>
<li>The attacker crafts a malicious payload designed to exploit the code injection vulnerability within the Websocket API.</li>
<li>The attacker sends the malicious payload to the Pixera Two Media Server instance via a Websocket connection.</li>
<li>The vulnerable function within the Websocket API fails to properly sanitize or validate the input.</li>
<li>The malicious payload is processed, resulting in the injection of attacker-controlled code into the server&rsquo;s process.</li>
<li>The injected code executes with the privileges of the Pixera Two Media Server process.</li>
<li>The attacker gains arbitrary code execution on the server, potentially leading to complete system compromise.</li>
<li>The attacker can then install malware, exfiltrate sensitive data, or disrupt media server operations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-7703 can result in arbitrary code execution on the AV Stumpfl Pixera Two Media Server. This could allow an attacker to gain complete control over the server, potentially disrupting media presentations, stealing sensitive data, or using the compromised server as a launchpad for further attacks within the network. The impact is significant due to the critical role media servers play in various entertainment and presentation environments.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade AV Stumpfl Pixera Two Media Server to version 25.2 R3 or later to patch CVE-2026-7703 (reference: AV Stumpfl advisory).</li>
<li>Monitor network traffic for suspicious Websocket connections originating from or targeting AV Stumpfl Pixera Two Media Servers using the &ldquo;Detect Suspicious Pixera Websocket Activity&rdquo; Sigma rule.</li>
<li>Implement network segmentation to limit the blast radius of a potential compromise of the Pixera Two Media Server.</li>
<li>Review and harden the configuration of the Pixera Two Media Server to minimize the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>code-injection</category><category>websocket</category><category>cve-2026-7703</category></item><item><title>OpenClaw Unauthenticated WebSocket Denial-of-Service Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-openclaw-dos/</link><pubDate>Tue, 28 Apr 2026 19:37:43 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-openclaw-dos/</guid><description>OpenClaw before 2026.3.28 is vulnerable to a denial-of-service attack by accepting unbounded concurrent unauthenticated WebSocket upgrades, allowing attackers to exhaust server resources.</description><content:encoded><![CDATA[<p>OpenClaw, in versions prior to 2026.3.28, suffers from a denial-of-service vulnerability due to a lack of pre-authentication budget allocation for WebSocket upgrades. This flaw allows unauthenticated network attackers to initiate a large number of concurrent WebSocket upgrade requests without any resource constraints. By exploiting this, an attacker can exhaust the server&rsquo;s socket and worker capacity, effectively preventing legitimate clients from establishing WebSocket connections and disrupting normal service operation. This vulnerability poses a risk to any OpenClaw deployment accessible over a network, as it can be exploited without requiring any prior authentication or privileged access.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies an OpenClaw server accessible over the network.</li>
<li>The attacker sends a large number of WebSocket upgrade requests to the server. These requests are crafted to initiate the WebSocket handshake process.</li>
<li>The OpenClaw server accepts these requests without pre-authentication checks or resource limits.</li>
<li>Each incoming WebSocket upgrade request consumes server resources, including sockets and worker threads.</li>
<li>The attacker continues to flood the server with upgrade requests, rapidly exhausting available resources.</li>
<li>As resources become scarce, the server&rsquo;s ability to handle legitimate client requests degrades.</li>
<li>Eventually, the server&rsquo;s socket and worker capacity is fully exhausted, leading to a denial-of-service condition.</li>
<li>Legitimate clients are unable to establish WebSocket connections, disrupting application functionality.</li>
</ol>
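<p>The mitigation the chain above implies is a budget for handshakes that have not yet authenticated. The following is an added example, not OpenClaw code: it caps pending unauthenticated upgrades globally and per source address, and reclaims slots that never authenticate within a timeout, so an attacker who opens sockets and walks away cannot hold the server's capacity. The limits, the timeout and the addresses in the simulation are assumptions chosen for the demonstration.</p>

```python
"""Pre-authentication budget for WebSocket upgrades (added example, not
OpenClaw code). Limits and addresses below are assumptions."""
import time


class PreAuthUpgradeBudget:
    def __init__(self, global_max=256, per_source_max=8, auth_timeout=10.0,
                 clock=time.monotonic):
        self.global_max = global_max
        self.per_source_max = per_source_max
        self.auth_timeout = auth_timeout
        self.clock = clock
        self._pending = {}      # conn_id -> (source, admitted_at)
        self._per_source = {}   # source -> number of pending handshakes

    def _reap(self):
        """Drop handshakes that stayed unauthenticated past the timeout."""
        now = self.clock()
        for conn_id, (_, t0) in list(self._pending.items()):
            if now - t0 > self.auth_timeout:
                self.release(conn_id)

    def try_admit(self, conn_id, source):
        """True if the upgrade may proceed; False means refuse it (HTTP 429/503)
        before any WebSocket state is allocated."""
        self._reap()
        if len(self._pending) >= self.global_max:
            return False
        if self._per_source.get(source, 0) >= self.per_source_max:
            return False
        self._pending[conn_id] = (source, self.clock())
        self._per_source[source] = self._per_source.get(source, 0) + 1
        return True

    def release(self, conn_id):
        """Leave the pre-auth budget: on successful authentication (the
        connection then counts against authenticated limits) or on close."""
        entry = self._pending.pop(conn_id, None)
        if entry is None:
            return
        source, _ = entry
        remaining = self._per_source[source] - 1
        if remaining:
            self._per_source[source] = remaining
        else:
            del self._per_source[source]

    def pending(self):
        return len(self._pending)


def simulate_flood(attacker_attempts=1000):
    """Constructed scenario: one source opens many upgrades and never
    authenticates; a legitimate client from another address follows."""
    now = [0.0]
    budget = PreAuthUpgradeBudget(global_max=256, per_source_max=8,
                                  auth_timeout=10.0, clock=lambda: now[0])
    attacker_admitted = sum(
        1 for i in range(attacker_attempts)
        if budget.try_admit(f"atk-{i}", "203.0.113.7"))
    legit_admitted = budget.try_admit("legit-1", "198.51.100.5")
    budget.release("legit-1")          # legitimate client authenticates promptly
    pending_during_flood = budget.pending()
    now[0] += 11.0                     # attacker's half-open handshakes time out
    attacker_retry = budget.try_admit("atk-retry", "203.0.113.7")
    return {
        "attacker_admitted": attacker_admitted,        # 8
        "legit_admitted": legit_admitted,              # True
        "pending_during_flood": pending_during_flood,  # 8
        "attacker_retry_admitted": attacker_retry,     # True, slots expired
        "pending_after_reap": budget.pending(),        # 1
    }


if __name__ == "__main__":
    print(simulate_flood())
```

<p>The per-source cap is what keeps one attacker from consuming the global budget; the timeout is what keeps the budget from leaking when clients never finish the handshake. Behind a reverse proxy, derive the source from the proxy's forwarded address, not the socket peer, or every client collapses into one bucket.</p>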
<h2 id="impact">Impact</h2>
<p>Successful exploitation results in a denial-of-service condition that keeps legitimate users from reaching OpenClaw services for as long as the attacker sustains the flood. How many users are affected depends on the scale of the deployment and the number of concurrent clients it normally serves; organizations relying on OpenClaw for critical functions can expect significant disruption while the service is unavailable. A single unauthenticated attacker can cause the outage, with no credentials or prior access required.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenClaw to version 2026.3.28 or later to remediate the vulnerability (CVE-2026-41399).</li>
<li>Implement rate limiting on WebSocket upgrade requests to mitigate the impact of malicious requests. Deploy the Sigma rule <code>Detect Excessive WebSocket Upgrade Requests</code> to identify suspicious activity.</li>
<li>Monitor network traffic for a high volume of WebSocket upgrade requests originating from a single source IP address. Use the Sigma rule <code>Detect High Volume of WebSocket Upgrade Requests from Single IP</code> to detect this pattern.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>websocket</category><category>cve</category></item><item><title>PraisonAI Unauthenticated Remote Session Hijacking Vulnerability (CVE-2026-40289)</title><link>https://feed.craftedsignal.io/briefs/2026-04-praisonai-rce/</link><pubDate>Tue, 14 Apr 2026 04:18:47 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-praisonai-rce/</guid><description>PraisonAI versions before 4.5.139 and praisonaiagents versions before 1.5.140 are vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on the /ws WebSocket endpoint, enabling unauthorized remote control and data leakage.</description><content:encoded><![CDATA[<p>PraisonAI, a multi-agent team system, is affected by a critical vulnerability (CVE-2026-40289) in versions prior to 4.5.139 and praisonaiagents versions prior to 1.5.140. The vulnerability lies in the browser bridge component (&ldquo;praisonai browser start&rdquo;), which lacks proper authentication and has a bypassable origin check on its /ws WebSocket endpoint. The server, binding to 0.0.0.0 by default, inadequately validates the Origin header, permitting connections from non-browser clients omitting this header. This flaw allows an unauthenticated attacker to remotely hijack sessions and broadcast automation actions and outputs. This can lead to unauthorized remote control of connected browser automation sessions, leakage of sensitive page context and automation results, and misuse of model-backed browser actions. Defenders must prioritize patching affected systems to mitigate this severe risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable PraisonAI instance with network access to the browser bridge component.</li>
<li>Attacker establishes a direct WebSocket connection to the /ws endpoint of the browser bridge, omitting the Origin header to bypass the weak origin check.</li>
<li>Attacker sends a &ldquo;start_session&rdquo; message to the WebSocket endpoint.</li>
<li>The server routes the attacker&rsquo;s &ldquo;start_session&rdquo; request to the first idle browser-extension WebSocket, effectively hijacking that session.</li>
<li>The hijacked browser session begins executing commands dictated by the attacker.</li>
<li>All automation actions and outputs resulting from the hijacked session are broadcast back to the attacker via the WebSocket connection.</li>
<li>Attacker gains unauthorized remote control of the connected browser automation session.</li>
<li>Attacker exfiltrates sensitive data and/or misuses model-backed browser actions.</li>
</ol>
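<p>Step 2 of the chain works because the origin check only runs when an Origin header is present. The following is an added example, not PraisonAI code: <code>origin_allowed_weak</code> reproduces that failure mode, <code>origin_allowed_strict</code> fails closed on absent, malformed, <code>null</code> or unlisted origins, and <code>accept_upgrade</code> additionally demands a shared bearer token, because an Origin check is a same-site signal and not authentication. The allowlist, the token value, the port and the sample handshakes are constructed for the example.</p>

```python
"""Origin and bearer-token checks on a WebSocket upgrade (added example, not
PraisonAI code). Allowlist, token and handshake headers are constructed."""
import hmac
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"http://localhost:8765", "http://127.0.0.1:8765"}
BRIDGE_TOKEN = "example-shared-secret"          # assumption: provisioned out of band


def _headers(h):
    """Case-insensitive view of the handshake headers."""
    return {k.lower(): v for k, v in h.items()}


def _normalize_origin(origin):
    """scheme://host:port with the default port made explicit, or None if the
    value is not a well-formed http(s) origin (covers 'null' and garbage)."""
    try:
        parts = urlsplit(origin)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return f"{parts.scheme}://{parts.hostname}:{port}"


def origin_allowed_weak(headers, allowed=ALLOWED_ORIGINS):
    """Checks Origin only when present. Browsers always send it on a WebSocket
    handshake, but a script or CLI client can simply omit it."""
    origin = _headers(headers).get("origin")
    if origin is None:
        return True
    return origin in allowed


def origin_allowed_strict(headers, allowed=ALLOWED_ORIGINS):
    """Fail closed: absent, malformed, 'null' or unlisted origins are refused."""
    origin = _normalize_origin(_headers(headers).get("origin") or "")
    if origin is None:
        return False
    return origin in {_normalize_origin(a) for a in allowed}


def accept_upgrade(headers, token=BRIDGE_TOKEN, allowed=ALLOWED_ORIGINS):
    """Origin gate plus a bearer token compared in constant time."""
    if not origin_allowed_strict(headers, allowed):
        return False
    scheme, _, presented = _headers(headers).get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), token.encode())


# Constructed handshakes: the local UI, a cross-site page, a script that omits
# Origin, a script that spoofs it, and a sandboxed frame sending 'null'.
HANDSHAKES = {
    "local_browser": {"Origin": "http://localhost:8765",
                      "Authorization": f"Bearer {BRIDGE_TOKEN}"},
    "cross_site_page": {"Origin": "http://evil.example"},
    "script_no_origin": {"User-Agent": "python-websockets/12.0"},
    "script_spoofed_origin": {"Origin": "http://localhost:8765"},
    "sandboxed_null_origin": {"Origin": "null"},
}


def evaluate():
    """(weak, strict, accept_upgrade) verdict per constructed handshake."""
    return {name: (origin_allowed_weak(h), origin_allowed_strict(h), accept_upgrade(h))
            for name, h in HANDSHAKES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:24s} weak={verdict[0]!s:5s} strict={verdict[1]!s:5s} accept={verdict[2]}")
```

<p>Note the spoofed-origin row: a non-browser client can send any Origin it likes, so even the strict check passes it, and only the token check refuses it. Binding the listener to <code>127.0.0.1</code> instead of <code>0.0.0.0</code> is the remaining layer, and the cheapest one.</p>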
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40289 can lead to complete compromise of PraisonAI browser automation sessions. The attacker gains unauthorized remote control of the hijacked session, receives the sensitive page context and automation results that are broadcast back over the WebSocket, and can misuse model-backed browser actions. Every environment where the bridge is network-reachable is affected, and because the bridge binds to 0.0.0.0 by default that means every interface of the host unless a firewall intervenes. The severity is rated critical: no credentials are needed, and the only guard, the Origin check, is bypassed by simply not sending the header.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade PraisonAI to version 4.5.139 or later, and praisonaiagents to version 1.5.140 or later to patch CVE-2026-40289.</li>
<li>Monitor network connections to the /ws endpoint on PraisonAI servers (logsource category: network_connection, product: windows/linux).</li>
<li>Deploy a Sigma rule that flags WebSocket handshakes to the /ws endpoint that carry no Origin header; legitimate browser clients always send one.</li>
<li>Implement network segmentation to limit network access to the PraisonAI browser bridge component.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-40289</category><category>websocket</category><category>remote-code-execution</category><category>praisonai</category></item><item><title>PraisonAI Unauthenticated WebSocket Allows Resource Exhaustion</title><link>https://feed.craftedsignal.io/briefs/2026-04-praisonai-websocket-vuln/</link><pubDate>Thu, 09 Apr 2026 22:16:35 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-praisonai-websocket-vuln/</guid><description>PraisonAI before version 4.5.128 is vulnerable to resource exhaustion and API credit draining due to the `/media-stream` WebSocket endpoint accepting unauthenticated connections, allowing attackers to exhaust server resources and drain OpenAI API credits.</description><content:encoded><![CDATA[<p>PraisonAI, a multi-agent teams system, contains a vulnerability in versions prior to 4.5.128 that exposes the <code>/media-stream</code> WebSocket endpoint in its call module. This endpoint lacks authentication or Twilio signature validation, allowing any client to establish a connection. Each successful connection initiates an authenticated session to OpenAI&rsquo;s Realtime API, utilizing the server&rsquo;s API key. Due to the absence of rate limits, connection limits, or message size restrictions, a malicious actor can exploit this vulnerability by creating numerous concurrent connections. This can lead to the exhaustion of server resources and a significant drain on the victim&rsquo;s OpenAI API credits. This vulnerability is addressed and patched in version 4.5.128.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a PraisonAI instance running a vulnerable version (prior to 4.5.128).</li>
<li>Attacker establishes a WebSocket connection to the <code>/media-stream</code> endpoint of the PraisonAI instance without providing any authentication credentials.</li>
<li>The PraisonAI server, upon receiving the unauthenticated WebSocket connection, creates an authenticated session with the OpenAI Realtime API using its own API key.</li>
<li>Attacker sends a large volume of messages through the WebSocket connection, exploiting the lack of message rate limits.</li>
<li>Attacker initiates multiple concurrent WebSocket connections to the <code>/media-stream</code> endpoint.</li>
<li>The PraisonAI server becomes overloaded due to the excessive number of connections and message processing demands.</li>
<li>The victim&rsquo;s OpenAI API credits are rapidly depleted as the PraisonAI server processes requests from the attacker&rsquo;s connections.</li>
<li>The PraisonAI server experiences degraded performance or becomes completely unresponsive, impacting legitimate users.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability results in resource exhaustion on the PraisonAI server, potentially causing denial of service for legitimate users. Furthermore, it leads to the unauthorized consumption of the victim&rsquo;s OpenAI API credits, resulting in unexpected charges and potential disruption of services reliant on the OpenAI API. The number of affected organizations depends on the prevalence of vulnerable PraisonAI instances deployed.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade PraisonAI installations to version 4.5.128 or later to patch CVE-2026-40116.</li>
<li>Implement rate limiting on WebSocket connections to the <code>/media-stream</code> endpoint to mitigate resource exhaustion.</li>
<li>Monitor OpenAI API usage for unexpected spikes in activity that may indicate exploitation of this vulnerability.</li>
<li>Deploy the Sigma rule <code>DetectSuspiciousPraisonAIWebSocketConnections</code> to identify potential exploitation attempts by detecting a high number of connections to the <code>/media-stream</code> endpoint.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-40116</category><category>resource-exhaustion</category><category>websocket</category><category>api-abuse</category><category>cloud</category></item><item><title>Mesop Framework WebSocket Denial-of-Service Vulnerability (CVE-2026-34824)</title><link>https://feed.craftedsignal.io/briefs/2026-04-mesop-dos/</link><pubDate>Sat, 04 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-mesop-dos/</guid><description>An unauthenticated attacker can exploit an uncontrolled resource consumption vulnerability in Mesop versions 1.2.3 to 1.2.4 by sending a rapid succession of WebSocket messages, leading to thread exhaustion and a denial-of-service condition.</description><content:encoded><![CDATA[<p>Mesop, a Python-based UI framework, is vulnerable to a denial-of-service (DoS) attack due to uncontrolled resource consumption in its WebSocket implementation. Specifically, versions 1.2.3 and 1.2.4 are affected. An unauthenticated attacker can exploit this vulnerability (CVE-2026-34824) by sending a rapid succession of WebSocket messages. The server, in turn, spawns an unbounded number of operating system threads to handle these messages. This leads to thread exhaustion and Out of Memory (OOM) errors, effectively crashing the Mesop application and causing a complete DoS. The vulnerability was patched in version 1.2.5, so upgrading is the primary mitigation. This DoS can impact any application built on the vulnerable versions of the framework.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Mesop application running a vulnerable version (1.2.3 or 1.2.4).</li>
<li>The attacker establishes a WebSocket connection to the Mesop application server.</li>
<li>The attacker crafts and sends a high volume of WebSocket messages to the server.</li>
<li>The server attempts to process each message by spawning a new OS thread.</li>
<li>The rapid influx of messages causes the server to spawn threads at an unsustainable rate.</li>
<li>The process approaches the operating system&rsquo;s thread and memory limits, and legitimate requests can no longer be scheduled.</li>
<li>The server&rsquo;s memory usage increases dramatically as it attempts to manage the excessive threads.</li>
<li>The server runs out of memory (OOM) and crashes, resulting in a denial-of-service.</li>
</ol>
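<p>The chain above comes down to one design choice: a thread per message with no bound. The following is an added example, not Mesop code. <code>dispatch_unbounded</code> is that pattern; <code>BoundedDispatcher</code> fixes the worker count, caps the backlog of queued work, and rate-limits each connection with a token bucket, so a flood is shed with a refusal instead of consuming threads until the process runs out of memory. The simulation drives both with a constructed burst from one connection; pool sizes, rates and the handler&rsquo;s 0.1 s of simulated work are assumptions.</p>

```python
"""Bounded message dispatch for a WebSocket server (added example, not Mesop
code). Pool sizes, rates and the simulated handler cost are assumptions."""
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def dispatch_unbounded(handler, msg):
    """One OS thread per message, no limit: the vulnerable pattern."""
    t = threading.Thread(target=handler, args=(msg,))
    t.start()
    return t


class TokenBucket:
    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens, self.last = float(burst), clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class BoundedDispatcher:
    def __init__(self, workers=4, max_backlog=16, rate=20.0, burst=20,
                 clock=time.monotonic):
        self.pool = ThreadPoolExecutor(max_workers=workers)
        self.slots = threading.BoundedSemaphore(max_backlog)  # queued + running
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}

    def submit(self, conn_id, handler, msg):
        """'accepted', 'rate_limited' (this connection is too chatty) or
        'overloaded' (server-wide backlog full; close or answer 503)."""
        bucket = self.buckets.setdefault(
            conn_id, TokenBucket(self.rate, self.burst, self.clock))
        if not bucket.allow():
            return "rate_limited"
        if not self.slots.acquire(blocking=False):
            return "overloaded"

        def run():
            try:
                handler(msg)
            finally:
                self.slots.release()

        self.pool.submit(run)
        return "accepted"

    def close(self, conn_id):
        self.buckets.pop(conn_id, None)

    def shutdown(self):
        self.pool.shutdown(wait=True)


def simulate(messages=50):
    """Constructed flood of `messages` frames from one connection. The bounded
    dispatcher's clock is frozen, so no tokens refill during the burst."""
    def handler(_msg):
        time.sleep(0.1)            # stands in for the per-message work

    baseline = threading.active_count()
    threads = [dispatch_unbounded(handler, i) for i in range(messages)]
    unbounded_peak = threading.active_count() - baseline
    for t in threads:
        t.join()

    baseline = threading.active_count()
    frozen = 0.0
    d = BoundedDispatcher(workers=4, max_backlog=16, rate=20.0, burst=20,
                          clock=lambda: frozen)
    outcomes = {"accepted": 0, "rate_limited": 0, "overloaded": 0}
    for i in range(messages):
        outcomes[d.submit("conn-1", handler, i)] += 1
    bounded_peak = threading.active_count() - baseline
    d.shutdown()
    return {"unbounded_peak_threads": unbounded_peak,
            "bounded_peak_threads": bounded_peak, **outcomes}


if __name__ == "__main__":
    print(simulate())
```

<p>The order of the two checks matters: the per-connection bucket runs first, so one noisy client is told to slow down before it can touch the shared backlog, and the backlog semaphore is what protects the process when many clients are noisy at once. Surface both refusals as metrics; a sudden rise in <code>rate_limited</code> from one source is the detection signal the recommendations below ask for.</p>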
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-34824 results in a complete denial-of-service for applications built on the Mesop framework. This can lead to downtime, loss of productivity, and potential reputational damage. The impact is particularly severe for critical applications that rely on the Mesop framework for availability. While specific victim numbers are unavailable, any organization using Mesop versions 1.2.3 or 1.2.4 is potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Mesop to version 1.2.5 or later to patch CVE-2026-34824.</li>
<li>Implement rate limiting on WebSocket connections to mitigate rapid message flooding.</li>
<li>Deploy the Sigma rule <code>Detect Mesop Excessive WebSocket Connections</code> to identify potential exploitation attempts based on network connection patterns.</li>
<li>Monitor server resource utilization (CPU, memory, threads) for Mesop applications and alert on unusual spikes to proactively identify potential DoS conditions.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>denial-of-service</category><category>websocket</category><category>cve-2026-34824</category></item><item><title>PraisonAI Gateway Unauthenticated Access Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-praisonai-auth-bypass/</link><pubDate>Fri, 03 Apr 2026 23:17:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-praisonai-auth-bypass/</guid><description>PraisonAI Gateway server versions prior to 4.5.97 allow unauthenticated access to WebSocket connections and agent topology, enabling unauthorized message sending and agent enumeration.</description><content:encoded><![CDATA[<p>CVE-2026-34952 exposes a critical vulnerability in PraisonAI, a multi-agent teams system. Specifically, versions of the PraisonAI Gateway server prior to 4.5.97 lack authentication for WebSocket connections at the <code>/ws</code> endpoint and for serving agent topology information at the <code>/info</code> endpoint. This absence of authentication means that any client on the network can connect to these endpoints. Attackers could exploit this vulnerability to enumerate registered agents, send arbitrary messages to agents and their associated tool sets, and potentially gain unauthorized control over the PraisonAI system. The vulnerability was reported on April 3, 2026, and is addressed in version 4.5.97 of PraisonAI.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a vulnerable PraisonAI Gateway server running a version prior to 4.5.97.</li>
<li>The attacker establishes a WebSocket connection to the <code>/ws</code> endpoint of the server without providing any credentials.</li>
<li>The server, lacking authentication, accepts the connection.</li>
<li>The attacker sends a request to the <code>/info</code> endpoint to enumerate registered agents and their topology.</li>
<li>The server responds with the agent topology data.</li>
<li>The attacker crafts arbitrary messages and sends them to specific agents through the established WebSocket connection.</li>
<li>The targeted agent receives the message and executes the corresponding actions, potentially including tool usage or data modification.</li>
<li>The attacker achieves unauthorized control over the PraisonAI system by manipulating agents and their tool sets.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability could lead to complete compromise of the PraisonAI system. Attackers can enumerate and control agents, manipulate data, and potentially use the agents&rsquo; tool sets for malicious purposes, such as data theft or system disruption. This could impact organizations relying on PraisonAI for critical functions, leading to financial losses, reputational damage, and operational downtime. The severity is rated critical because exploitation needs nothing more than network reach to the gateway and the potential for damage is broad.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade all PraisonAI Gateway servers to version 4.5.97 or later to patch CVE-2026-34952.</li>
<li>Deploy the Sigma rules provided to detect unauthorized connections to the <code>/ws</code> and <code>/info</code> endpoints.</li>
<li>Monitor network traffic for suspicious WebSocket connections to the PraisonAI Gateway server to detect potential exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>vulnerability</category><category>authentication bypass</category><category>websocket</category></item><item><title>NATS Server WebSocket Frame Length Overflow Denial of Service</title><link>https://feed.craftedsignal.io/briefs/2026-03-nats-websocket-dos/</link><pubDate>Thu, 26 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-nats-websocket-dos/</guid><description>A vulnerability in NATS server allows a remote, unauthenticated attacker to cause a denial of service by sending a crafted WebSocket frame, leading to a server crash due to missing validation on WebSocket frame length.</description><content:encoded><![CDATA[<p>A critical vulnerability exists in NATS server versions 2.2.0 through 2.11.13 and 2.12.0 through 2.12.4, enabling unauthenticated remote attackers to trigger a denial-of-service (DoS) condition. The vulnerability stems from a missing sanity check on WebSocket frame lengths, allowing malicious clients to send crafted frames that cause a server panic and crash. This issue impacts deployments that utilize WebSockets and expose the network port to untrusted endpoints. The attack requires no authentication or credentials and can be executed with a single TCP connection sending a malicious WebSocket frame. This vulnerability was reported by GitHub users Mistz1 and jiayuqi7813.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker establishes a TCP connection to the NATS server&rsquo;s WebSocket port.</li>
<li>The attacker sends a WebSocket upgrade request to initiate the WebSocket handshake.</li>
<li>The NATS server completes the WebSocket handshake, establishing a WebSocket connection.</li>
<li>The attacker sends a crafted WebSocket frame with a 64-bit extended payload length field where the most significant bit (MSB) is set (e.g., <code>0x8000000000000001</code>).</li>
<li>The server reads the 8-byte payload length but never checks that the most significant bit is zero, as RFC 6455 requires; interpreted as a signed 64-bit integer, the value is negative.</li>
<li>The negative value bypasses the bounds clamp in the <code>wsRead</code> function.</li>
<li>A slice operation with the negative length triggers a runtime panic due to out-of-bounds access.</li>
<li>The unrecovered panic propagates to the Go runtime, causing the entire NATS server process to terminate, disconnecting all clients.</li>
</ol>
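<p>Steps 4 to 7 describe a bug class rather than anything specific to one code base: a 64-bit length field read into a signed integer and clamped only from above. The following is an added example, not NATS server code. <code>vulnerable_length_check</code> mirrors that pattern so the negative value can be seen to pass the clamp; <code>parse_frame_header</code> is the strict parser, which rejects a set MSB, non-minimal length encodings, oversized control frames and anything over a server-side cap. The 1 MiB cap and the two sample frames are constructed for the example; in Python a negative length would not crash a slice the way it panics in Go, which is why the vulnerable function stops at the check itself.</p>

```python
"""WebSocket frame-length validation, RFC 6455 section 5.2 (added example,
not NATS server code). The cap and the sample frames are constructed."""
import struct

MAX_FRAME_PAYLOAD = 1 << 20      # assumption: 1 MiB server-side cap


class FrameError(ValueError):
    pass


def vulnerable_length_check(buf, max_len=MAX_FRAME_PAYLOAD):
    """Reads the 64-bit length as signed (the int64 conversion) and only
    clamps the upper side. Returns ('accepted'|'rejected', length)."""
    if len(buf) < 10 or (buf[1] & 0x7F) != 127:
        raise FrameError("example expects a 64-bit extended length")
    n = struct.unpack(">q", buf[2:10])[0]
    if n > max_len:
        return "rejected", n
    return "accepted", n          # a negative n is next used as a slice length


def parse_frame_header(buf, max_len=MAX_FRAME_PAYLOAD):
    """Strict header parse: (fin, opcode, masked, payload_len, header_len)."""
    if len(buf) < 2:
        raise FrameError("truncated header")
    b0, b1 = buf[0], buf[1]
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    if b0 & 0x70:
        raise FrameError("RSV bits set without a negotiated extension")
    masked, n = bool(b1 & 0x80), b1 & 0x7F
    pos = 2
    if n == 126:
        if len(buf) < 4:
            raise FrameError("truncated 16-bit length")
        n = struct.unpack(">H", buf[2:4])[0]
        pos = 4
        if n < 126:
            raise FrameError("non-minimal length encoding")
    elif n == 127:
        if len(buf) < 10:
            raise FrameError("truncated 64-bit length")
        if buf[2] & 0x80:
            raise FrameError("MSB of 64-bit payload length must be zero")
        n = struct.unpack(">Q", buf[2:10])[0]    # unsigned on purpose
        pos = 10
        if n < 0x10000:
            raise FrameError("non-minimal length encoding")
    if opcode >= 0x8 and (n > 125 or not fin):
        raise FrameError("control frames must be <= 125 bytes and unfragmented")
    if n > max_len:
        raise FrameError(f"payload length {n} exceeds cap {max_len}")
    if masked:
        pos += 4                  # 32-bit masking key follows the length
    return fin, opcode, masked, n, pos


def strict_accepts(buf):
    """True if the strict parser accepts the header, False if it raises."""
    try:
        parse_frame_header(buf)
        return True
    except FrameError:
        return False


def crafted_frame():
    """Constructed: masked text frame claiming length 0x8000000000000001."""
    return bytes([0x81, 0xFF]) + (0x8000000000000001).to_bytes(8, "big") + b"\x00" * 4


def benign_frame():
    """Constructed: masked text frame with a 70,000-byte payload, which
    legitimately needs the 64-bit length form."""
    return bytes([0x81, 0xFF]) + (70000).to_bytes(8, "big") + b"\x12\x34\x56\x78"


def huge_frame():
    """Constructed: MSB clear but far over the cap; both checks must refuse it."""
    return bytes([0x81, 0xFF]) + (1 << 40).to_bytes(8, "big") + b"\x00" * 4


if __name__ == "__main__":
    print("vulnerable:", vulnerable_length_check(crafted_frame()))
    print("strict accepts crafted:", strict_accepts(crafted_frame()))
    print("strict header:", parse_frame_header(benign_frame()))
```

<p>Two checks do the work: the unsigned read plus the explicit MSB test close the sign bug, and the cap closes the resource bug that a large but positive length would cause next. The detection side is simpler than the parse: a handshake followed by a first frame whose length byte is 127 and whose next byte has the high bit set is invalid under any circumstances and is worth an alert on its own.</p>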
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability results in a complete denial of service, crashing the entire NATS server process. All connected clients, including NATS, WebSocket, MQTT, cluster routes, gateways, and leaf nodes, are immediately disconnected. JetStream in-flight acknowledgments are lost, and Raft consensus is disrupted in clustered deployments. The attack is repeatable on every server restart, causing significant disruption to services relying on the NATS server. Any NATS server deployment with WebSocket listeners enabled is vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the NATS server to version 2.11.14, 2.12.5, or later to patch CVE-2026-27889.</li>
<li>If upgrading is not immediately feasible, restrict access to the WebSocket port to trusted endpoints as a defense-in-depth measure, as mentioned in the overview.</li>
<li>Deploy the Sigma rule that detects connections carrying a crafted WebSocket frame to your SIEM and tune it for your environment.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>nats</category><category>websocket</category><category>denial-of-service</category><category>CVE-2026-27889</category><category>server-crash</category></item><item><title>Multiple Vulnerabilities in SWITCH EV Charging Stations</title><link>https://feed.craftedsignal.io/briefs/2026-02-switch-ev-vulns/</link><pubDate>Fri, 27 Feb 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-switch-ev-vulns/</guid><description>Multiple vulnerabilities in SWITCH EV swtchenergy.com charging stations could allow attackers to impersonate stations, hijack sessions, cause denial of service, and manipulate backend data due to missing authentication, rate limiting issues, session expiration flaws, and exposed credentials.</description><content:encoded><![CDATA[<p>SWITCH EV&rsquo;s swtchenergy.com charging stations are affected by multiple vulnerabilities that could allow attackers to gain unauthorized access and disrupt services. These vulnerabilities include missing authentication mechanisms, lack of rate limiting on authentication requests, predictable session identifiers, and publicly accessible authentication identifiers. Successful exploitation could lead to station impersonation, session hijacking, denial-of-service attacks, and manipulation of backend data. The affected product is swtchenergy.com versions all/* . The vendor did not respond to CISA&rsquo;s request for coordination. The charging stations are deployed worldwide in the energy and transportation sectors.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a charging station ID via public mapping platforms (CVE-2026-27773).</li>
<li>Attacker connects to the OCPP WebSocket endpoint of the charging station using the discovered ID (CVE-2026-27767).</li>
<li>Because no authentication is required, the attacker impersonates the charging station.</li>
<li>Attacker sends malicious commands to the backend, potentially manipulating charging parameters or data (CVE-2026-27767).</li>
<li>Alternatively, the attacker floods the authentication endpoint with requests, causing a denial-of-service condition by overwhelming the backend (CVE-2026-25113).</li>
<li>Attacker hijacks a legitimate session by establishing a new connection using the same session identifier (CVE-2026-25778).</li>
<li>The legitimate charging station is disconnected, and the attacker receives backend commands intended for the legitimate station.</li>
<li>Attacker manipulates charging station behavior or data, causing disruption or financial loss.</li>
</ol>
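<p>The chain above hinges on two backend behaviours: accepting an OCPP WebSocket connection on the strength of a station ID alone, and letting a second connection with the same identifier displace the live one. The following is an added example, not SWITCH EV code: a backend-side admission registry that requires HTTP Basic credentials on the upgrade, bound to the charge point identity in the URL path in the style of the OCPP 1.6 security profiles (an assumption about the deployment, not a statement about this vendor), throttles repeated authentication failures per source, and refuses a second connection for an already-connected station while recording it as a hijack indicator instead of silently replacing the session. Station IDs, passwords, paths and addresses are constructed; a real deployment stores password hashes, not plaintext.</p>

```python
"""Admission control for OCPP-over-WebSocket connections (added example, not
SWITCH EV code). Station IDs, credentials and addresses are constructed."""
import base64
import hmac


class StationSessionRegistry:
    def __init__(self, credentials, max_auth_failures=5):
        self.credentials = credentials        # station_id -> password (hash in prod)
        self.max_auth_failures = max_auth_failures
        self.active = {}                      # station_id -> (conn_id, source)
        self.failures = {}                    # source -> failed attempts
        self.events = []                      # (kind, station_id, details)

    @staticmethod
    def _parse_basic(authorization):
        scheme, _, blob = (authorization or "").partition(" ")
        if scheme.lower() != "basic" or not blob:
            return None
        try:
            user, sep, password = base64.b64decode(blob, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        return (user, password) if sep else None

    def _fail(self, source, kind, station_id):
        self.failures[source] = self.failures.get(source, 0) + 1
        self.events.append((kind, station_id, source))
        return kind

    def connect(self, conn_id, source, path, authorization=None):
        """Decide on an upgrade request such as GET /ocpp/1.6/<stationId>."""
        station_id = path.rstrip("/").rsplit("/", 1)[-1]
        if self.failures.get(source, 0) >= self.max_auth_failures:
            return "rate_limited"
        creds = self._parse_basic(authorization)
        if creds is None:
            return self._fail(source, "unauthenticated", station_id)
        user, password = creds
        expected = self.credentials.get(station_id)
        if (user != station_id or expected is None
                or not hmac.compare_digest(password.encode(), expected.encode())):
            return self._fail(source, "bad_credentials", station_id)
        if station_id in self.active:
            # Valid credentials but the station is already connected: do not
            # kick the live session; record it for the SOC and refuse.
            self.events.append(("duplicate_session", station_id,
                                {"live": self.active[station_id], "attempt": (conn_id, source)}))
            return "duplicate_session"
        self.active[station_id] = (conn_id, source)
        return "connected"

    def disconnect(self, station_id, conn_id):
        """Only the connection that owns the session may release it."""
        if self.active.get(station_id, (None, None))[0] == conn_id:
            del self.active[station_id]


def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def scenario():
    """Constructed: the legitimate station connects; an attacker who learned
    the ID from a public map tries without credentials, then with guesses,
    then from another address with the real password while the station is
    still connected."""
    reg = StationSessionRegistry({"CP-1001": "s3cr3t-per-station"})
    out = {}
    out["station"] = reg.connect("c1", "192.0.2.10", "/ocpp/1.6/CP-1001",
                                 basic("CP-1001", "s3cr3t-per-station"))
    out["no_auth"] = reg.connect("c2", "203.0.113.7", "/ocpp/1.6/CP-1001")
    out["guesses"] = [reg.connect(f"c{i}", "203.0.113.7", "/ocpp/1.6/CP-1001",
                                  basic("CP-1001", f"guess{i}")) for i in range(3, 8)]
    out["stolen_creds"] = reg.connect("c9", "198.51.100.77", "/ocpp/1.6/CP-1001",
                                      basic("CP-1001", "s3cr3t-per-station"))
    out["events"] = [e[0] for e in reg.events]
    out["live"] = reg.active["CP-1001"][0]
    reg.disconnect("CP-1001", "c9")       # the intruder cannot release it
    out["still_live_after_foreign_disconnect"] = "CP-1001" in reg.active
    return out


if __name__ == "__main__":
    print(scenario())
```

<p>Refusing duplicates trades availability for hijack resistance: a station that reconnects after a network drop is locked out until the backend notices the dead socket, so pair this policy with WebSocket ping/pong timeouts short enough to expire stale sessions. The per-source failure counter is the backend-side form of the rate limiting the recommendations below call for; the <code>duplicate_session</code> event is the concrete signal behind &ldquo;multiple connections using the same session identifier&rdquo;.</p>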
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities could have significant consequences. Attackers could impersonate charging stations, hijack sessions, suppress or misroute traffic to cause large-scale denial-of-service attacks, and manipulate data sent to the backend. This could lead to widespread disruption of EV charging services, financial losses for charging station operators and users, and potential damage to the electrical grid. Given the global deployment of these charging stations in the energy and transportation sectors, the impact could be widespread.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network connections to OCPP WebSocket endpoints for connections without proper authentication to detect potential station impersonation attempts related to CVE-2026-27767.</li>
<li>Implement rate limiting on authentication requests to the WebSocket API to mitigate denial-of-service attacks as described in CVE-2026-25113.</li>
<li>Monitor for multiple connections using the same session identifier to detect potential session hijacking attempts related to CVE-2026-25778.</li>
<li>Monitor for access to swtchenergy.com from unusual or unexpected geolocations.</li>
<li>Consult SWITCH EV (swtchenergy.com) for potential mitigations or workarounds, as they did not respond to CISA&rsquo;s request for coordination.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>electric-vehicle</category><category>charging-station</category><category>websocket</category></item><item><title>PrefectHQ Prefect Authentication Bypass Vulnerability (CVE-2026-7723)</title><link>https://feed.craftedsignal.io/briefs/2024-01-30-prefect-auth-bypass/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-30-prefect-auth-bypass/</guid><description>PrefectHQ Prefect versions up to 3.6.13 are vulnerable to an authentication bypass via manipulation of the /api/events/in WebSocket endpoint, potentially allowing remote attackers to execute unauthorized actions.</description><content:encoded><![CDATA[<p>PrefectHQ Prefect, a workflow management system, is vulnerable to an authentication bypass vulnerability identified as CVE-2026-7723. The vulnerability exists in versions up to 3.6.13 and stems from a flaw within the <code>/api/events/in</code> WebSocket endpoint. A remote attacker can manipulate data sent to this endpoint, leading to a failure in authentication checks. This can allow the attacker to perform unauthorized actions within the Prefect system. The vulnerability was published on 2026-05-04 and a patch is available in version 3.6.14, specifically commit <code>0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40</code>. Defenders should upgrade affected Prefect installations to version 3.6.14 or later to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a PrefectHQ Prefect instance running a vulnerable version (&lt;= 3.6.13) with an exposed <code>/api/events/in</code> WebSocket endpoint.</li>
<li>The attacker crafts a malicious WebSocket message specifically targeting the <code>/api/events/in</code> endpoint.</li>
<li>The attacker sends the manipulated message to the <code>/api/events/in</code> endpoint.</li>
<li>Due to the vulnerability, the authentication checks within the WebSocket endpoint fail to properly validate the attacker&rsquo;s identity.</li>
<li>The Prefect system incorrectly processes the attacker&rsquo;s request as authenticated.</li>
<li>The attacker exploits this lack of authentication to execute unauthorized actions within the Prefect system. These actions could include modifying workflows, accessing sensitive data, or disrupting operations.</li>
<li>The attacker may further leverage their access to compromise other connected systems or data stores.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-7723 allows an unauthenticated remote attacker to bypass authentication mechanisms in PrefectHQ Prefect. This can lead to unauthorized access to sensitive data, modification of workflows, and disruption of critical business processes. The CVSS v3.1 base score is 7.3, indicating a high severity vulnerability. The number of affected organizations depends on the adoption rate of PrefectHQ Prefect, but any organization running a vulnerable version is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade PrefectHQ Prefect to version 3.6.14 or later to apply the patch (<code>0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40</code>) that resolves CVE-2026-7723.</li>
<li>Monitor web server logs for suspicious activity targeting the <code>/api/events/in</code> endpoint to detect potential exploitation attempts. Deploy the Sigma rule <code>Detect PrefectHQ Auth Bypass Attempt</code> to identify unusual requests to the vulnerable endpoint.</li>
<li>Implement network segmentation to limit the potential impact of a successful exploit by restricting access to sensitive resources from the Prefect server.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>CVE-2026-7723</category><category>authentication-bypass</category><category>websocket</category><category>prefecthq</category></item><item><title>Signal K Server WebSocket Login Brute-Force Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-signalk-brute-force/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-signalk-brute-force/</guid><description>The Signal K server's WebSocket login endpoint lacks rate limiting, allowing attackers to bypass HTTP rate limiting by opening a WebSocket connection and attempting unlimited password guesses.</description><content:encoded><![CDATA[<p>Signal K server versions 2.24.0 and earlier are vulnerable to credential brute-forcing via the WebSocket protocol. The vulnerability stems from the lack of rate limiting on the WebSocket login endpoint (<code>/signalk/v1/stream</code>), which allows attackers to bypass the existing HTTP rate limiting mechanism. By establishing a WebSocket connection, an attacker can send an unlimited number of login attempts, effectively bypassing the intended rate limiting defense of 100 attempts per 10 minutes on the HTTP login endpoints. This makes it feasible to conduct dictionary attacks and potentially gain unauthorized access to Signal K servers. Signal K servers are commonly deployed on boat networks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable Signal K server.</li>
<li>Attacker establishes a WebSocket connection to <code>ws://server:3000/signalk/v1/stream?subscribe=none</code>.</li>
<li>The server sends a hello message, confirming the connection.</li>
<li>Attacker sends a series of login attempts via WebSocket messages using the following JSON format: <code>{&quot;requestId&quot;: &quot;1&quot;, &quot;login&quot;: {&quot;username&quot;: &quot;admin&quot;, &quot;password&quot;: &quot;guess1&quot;}}</code>.</li>
<li>The server processes each login attempt without rate limiting.</li>
<li>Attacker continues sending login attempts using different password guesses.</li>
<li>If successful, the attacker gains unauthorized access to the Signal K server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to bypass HTTP rate limiting and brute-force credentials to gain unauthorized access to Signal K servers. An attacker can achieve a brute-forcing speed of approximately 20 attempts per second, limited by the bcrypt hashing algorithm. A dictionary attack with 10,000 words can be completed in approximately 8 minutes over a single connection. Since Signal K servers are commonly deployed on boat networks, successful exploitation can lead to unauthorized access to sensitive maritime data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network connections to Signal K servers for unusually high rates of WebSocket login attempts. Create a detection rule that triggers when a single IP address sends more than 5 login attempts per second via the WebSocket protocol.</li>
<li>Deploy the Sigma rule <code>Detect High Volume SignalK WebSocket Login Attempts</code> to identify potential brute-force attacks against Signal K servers.</li>
<li>Upgrade Signal K servers to a patched version that includes rate limiting on the WebSocket login endpoint.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>brute-force</category><category>websocket</category></item></channel></rss>