Signal K Server Unauthenticated Information Disclosure Vulnerability
Vulnerability
A vulnerability allowing unauthenticated information disclosure has been identified in Signal K Server versions prior to 2.19.0. This issue arises because several sensitive API endpoints are not properly protected by authentication middleware, allowing any user to access confidential system information. The exposed data includes the complete Signal K data schema, details about connected serial devices, and information on installed analyzer tools. Such exposure could facilitate reconnaissance for further attacks.
Impact
Exploitation of this vulnerability leads to unauthorized access to sensitive system information, including the full Signal K data schema, connected serial devices, and installed analyzer tools. This information could be used to plan and execute further attacks.
Reproduction
The vulnerability can be reproduced by sending requests to the unprotected endpoints '/skServer/serialports', '/skServer/availablePaths', and '/skServer/hasAnalyzer' without any authentication headers. These endpoints will respond with sensitive information, such as the full Signal K data schema, connected serial devices, and the presence of installed analyzer tools.
Remediation
Users are advised to update to Signal K Server version 2.19.0 or later. After updating, ensure that the missing paths are added to the authentication middleware's protection list in 'src/tokensecurity.js'.
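One way to check that a prefix-based protection list covers every registered route is sketched below. This is an added example, not Signal K's own code and not the contents of 'src/tokensecurity.js'. The three '/skServer' paths come from this advisory; the 'example-settings' routes, both lists and all function names are constructed assumptions.

```javascript
// Added example: find routes that a prefix-based auth protection list leaves open.
// Assumes Express default routing (case-insensitive, trailing slash ignored).

// Reduce a path to a canonical form before comparing it against the list.
function normalizePath(p) {
  const noQuery = p.split(/[?#]/)[0];
  const collapsed = noQuery.replace(/\/{2,}/g, '/').replace(/\/+$/, '');
  return collapsed.toLowerCase() || '/';
}

// A prefix covers a path only on a segment boundary, so '/skServer/serial'
// does not silently "cover" '/skServer/serialports'.
function isCovered(path, protectedPrefixes) {
  const target = normalizePath(path);
  return protectedPrefixes.some((prefix) => {
    const base = normalizePath(prefix);
    return base === '/' || target === base || target.startsWith(base + '/');
  });
}

// Return every registered route that no protected prefix covers.
function findUnprotected(routes, protectedPrefixes) {
  return routes.filter((route) => !isCovered(route, protectedPrefixes));
}

// Paths named in the advisory.
const ADVISORY_PATHS = [
  '/skServer/serialports',
  '/skServer/availablePaths',
  '/skServer/hasAnalyzer',
];

// Constructed sample data (hypothetical route table and protection lists).
const REGISTERED_ROUTES = [
  ...ADVISORY_PATHS,
  '/skServer/example-settings',
  '/skServer/example-settings/backup',
];
const LIST_BEFORE = ['/skServer/example-settings'];
const LIST_AFTER = [...LIST_BEFORE, ...ADVISORY_PATHS];

console.log('open before:', findUnprotected(REGISTERED_ROUTES, LIST_BEFORE));
console.log('open after: ', findUnprotected(REGISTERED_ROUTES, LIST_AFTER));
```

Run as a CI check against the real route table, a non-empty result means a route was registered without being added to the protection list.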
