Signal K Server Access Request Spoofing Vulnerability

Vulnerability

A vulnerability in Signal K Server's access request system, present in versions prior to 2.19.0, enables social engineering attacks against administrators. The issue arises because the server trusts the 'X-Forwarded-For' HTTP header without validation, so the IP address shown for an access request can be spoofed. An attacker can therefore impersonate a legitimate device, craft a misleading access request description, and request elevated permissions. Combined with an information disclosure flaw, this produces a convincing scenario for manipulating an administrator into approving the request.

Impact

Exploitation of this vulnerability could lead an administrator to approve a malicious access request, granting the attacker unauthorized admin privileges and with them elevated access to and control over the Signal K Server environment.

Reproduction

To reproduce this vulnerability, first enumerate the available devices or sources using the information disclosure vulnerability. Then, send a spoofed access request by including a misleading description, requesting admin permissions, and spoofing the 'X-Forwarded-For' header with a trusted internal IP address. This will create an access request that appears legitimate but is actually malicious.

Remediation

Users should upgrade to Signal K Server version 2.19.0 or later, where this vulnerability has been addressed.

Added: Jan 1, 2026, 7:17 PM
Updated: Jan 1, 2026, 7:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 7.7
remediation: 7.7
relevance: 1.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.