Signal K Server WebSocket Enumeration and Unauthenticated Token Theft Vulnerability
Vulnerability
A vulnerability in Signal K Server versions prior to 2.19.0 allows theft of JWT authentication tokens without any prior authentication. It chains two exposed features: WebSocket-based enumeration of access requests and unauthenticated polling of access request status. When a WebSocket client connects to the Signal K stream endpoint with the 'serverevents=all' query parameter, the server broadcasts all cached server events to that client, including 'ACCESS_REQUEST' events, without checking whether the client is authorized. These events contain the details of pending access requests: request IDs, client identifiers, requested permissions, and IP addresses. Additionally, the access request status endpoint at '/signalk/v1/access/requests/:id' returns the full state of an access request without authentication, and once an administrator approves the request, that response includes the issued JWT token in plaintext. An attacker can therefore either create an access request and poll its status, or hijack the token issued to a legitimate device by learning its request ID from the WebSocket stream and polling the status endpoint.
Impact
Exploitation of this vulnerability allows an unauthenticated attacker to obtain JWT tokens issued by the server, bypassing authentication entirely. Depending on the rights associated with the stolen token, this can lead to unauthorized access to protected resources and functionality, up to and including administrative privileges.
Reproduction
To reproduce this vulnerability, connect to the Signal K WebSocket stream endpoint with the 'serverevents=all' query parameter. This will trigger the server to send all cached events, including 'ACCESS_REQUEST' details. Once an access request ID is obtained, poll the '/signalk/v1/access/requests/:id' endpoint to retrieve the JWT token when the request is approved by an administrator.
Remediation
Users are advised to update Signal K Server to version 2.19.0 or later, where this vulnerability has been fixed.
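Where the upgrade cannot be applied immediately, server access logs can be reviewed for the pattern the advisory describes: a client that opened the stream with 'serverevents=all' and then repeatedly polled '/signalk/v1/access/requests/:id', or a request ID whose status is being polled by more than one client (the requesting device plus a spectator waiting for the same approval). The script below is an added example and is not part of the advisory or of the Signal K project; the log format, the sample log lines, the stream path '/signalk/v1/stream' and the request IDs are constructed assumptions, so the line regex must be adapted to whatever the reverse proxy or server in front of Signal K actually writes.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real Signal K Server output). The
# assumed format is: client IP, [timestamp], "METHOD target HTTP/1.1", status.
SAMPLE_LOG = """\
10.0.0.5 [2024-01-10T09:00:01Z] "GET /signalk/v1/stream?subscribe=none&serverevents=all HTTP/1.1" 101
10.0.0.5 [2024-01-10T09:00:02Z] "GET /signalk/v1/access/requests/a1b2c3 HTTP/1.1" 200
10.0.0.5 [2024-01-10T09:00:07Z] "GET /signalk/v1/access/requests/a1b2c3 HTTP/1.1" 200
10.0.0.5 [2024-01-10T09:00:12Z] "GET /signalk/v1/access/requests/a1b2c3 HTTP/1.1" 200
10.0.0.5 [2024-01-10T09:00:13Z] "GET /signalk/v1/access/requests/d4e5f6 HTTP/1.1" 200
10.0.0.9 [2024-01-10T09:01:00Z] "POST /signalk/v1/access/requests HTTP/1.1" 202
10.0.0.9 [2024-01-10T09:01:05Z] "GET /signalk/v1/access/requests/d4e5f6 HTTP/1.1" 200
192.168.1.20 [2024-01-10T09:02:00Z] "GET /signalk/v1/stream?subscribe=self HTTP/1.1" 101
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# The status endpoint named in the advisory; the id segment is whatever the server issued.
STATUS_RE = re.compile(r"^/signalk/v1/access/requests/(?P<id>[^/?]+)$")
# Assumed stream path (the advisory only says "the Signal K stream endpoint").
STREAM_PATH = "/signalk/v1/stream"
MULTI_ID_THRESHOLD = 2  # one client polling this many distinct request ids is unusual


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def analyze(log_text):
    """Correlate stream enumeration with access-request status polling per client IP."""
    stream_all_ips = set()                         # clients that asked for serverevents=all
    polls = defaultdict(lambda: defaultdict(int))  # ip -> request id -> poll count
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "GET":
            continue  # request creation (POST) and unparseable lines are not polls
        if rec["path"] == STREAM_PATH and "all" in rec["query"].get("serverevents", []):
            stream_all_ips.add(rec["ip"])
            continue
        m = STATUS_RE.match(rec["path"])
        if m:
            polls[rec["ip"]][m.group("id")] += 1

    # Indicator 1: a client that enumerated events and then polled a request's status.
    enumeration_then_poll = {ip for ip in stream_all_ips if ip in polls}
    # Indicator 2: one client polling several different request ids.
    multi_id_pollers = {ip for ip, ids in polls.items() if len(ids) >= MULTI_ID_THRESHOLD}
    # Indicator 3: one request id polled by more than one client, i.e. the requesting
    # device plus a spectator waiting for the same approval.
    watchers = defaultdict(set)
    for ip, ids in polls.items():
        for req_id in ids:
            watchers[req_id].add(ip)
    shared_request_ids = {req_id: ips for req_id, ips in watchers.items() if len(ips) > 1}

    return {
        "stream_all_ips": stream_all_ips,
        "enumeration_then_poll": enumeration_then_poll,
        "multi_id_pollers": multi_id_pollers,
        "shared_request_ids": shared_request_ids,
        "suspicious_ips": enumeration_then_poll | multi_id_pollers,
        "poll_counts": {ip: dict(ids) for ip, ids in polls.items()},
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, 10.0.0.5 is flagged on all three indicators, while 10.0.0.9 (a device polling only its own request) and 192.168.1.20 (a stream client that did not request server events) are not. A stream subscription with 'serverevents=all' may be legitimate for an administrative client, so the indicators are meant to be correlated rather than alerted on individually, and a request ID watched by two different clients is the strongest sign that a token issued to one device was collected by another.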
