Signal K Server Command Injection Vulnerability in Set-System-Time Plugin Allowing Arbitrary Command Execution

Vulnerability

A command injection vulnerability has been identified in the Signal K Server's set-system-time plugin, prior to version 1.5.0. This vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server. Unauthenticated users can exploit this issue if security is disabled on the server. The vulnerability arises from the unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. The issue is fixed in version 1.5.0.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the Signal K server. Commands are executed with the privileges of the Signal K process, or with root privileges if sudo is misconfigured. This could lead to a complete system compromise.

Reproduction

To reproduce this vulnerability, a Signal K server must be running with security disabled, or an authenticated user with write permissions must be available. The set-system-time plugin must be installed and enabled, and the server should be on a Linux operating system. If sudo is misconfigured to allow passwordless execution of the date command, the vulnerability can be exploited with a crafted datetime value, which the plugin interpolates into the shell command it executes.

Remediation

Users are advised to update the Signal K set-system-time plugin to version 1.5.0 or later, where this vulnerability has been fixed.
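
For code that handles the same kind of input, the general defence against this bug class is sketched below as an added example. It is not the plugin's code and not the 1.5.0 patch. The function names, the accepted timestamp format, and the GNU date arguments are assumptions made for illustration.

```javascript
// Added example: validate navigation.datetime strictly, then pass it to the
// child process as an argv element so no shell ever parses it.
// Anti-pattern this replaces (illustrative, not quoted from the plugin):
//   exec(`date -s "${value}"`)   // value is parsed by /bin/sh

// Assumption: timestamps are UTC ISO 8601 with optional milliseconds.
const ISO_UTC = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,3})?Z$/;

// Returns a Date for a well-formed, real calendar timestamp, otherwise null.
function parseDatetime(value) {
  if (typeof value !== 'string' || !ISO_UTC.test(value)) return null;
  const ms = Date.parse(value);
  if (Number.isNaN(ms)) return null;
  const d = new Date(ms);
  // Reject values the engine silently rolls over (e.g. February 31st).
  if (d.toISOString().slice(0, 19) !== value.slice(0, 19)) return null;
  return d;
}

// Builds the argument vector from the parsed Date, never from the raw input,
// so only a canonical timestamp can reach the command line.
function buildDateArgs(value) {
  const d = parseDatetime(value);
  if (d === null) throw new Error('rejected navigation.datetime value');
  return ['-u', '-s', d.toISOString()]; // assumed GNU date options
}

// execFile runs the binary directly with an argv array; there is no shell,
// so metacharacters in an argument have no special meaning.
function setSystemTime(value, callback) {
  const { execFile } = require('node:child_process');
  execFile('date', buildDateArgs(value), callback);
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = [
  '2026-02-03T00:04:00Z',                // accepted
  '2026-02-03T00:04:00Z; echo INJECTED', // rejected: trailing text
  '2026-02-31T00:00:00Z',                // rejected: not a real date
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), parseDatetime(s) ? 'accepted' : 'rejected');
}
```

Validation and shell-free execution are independent layers: either one alone blocks the injection, and keeping both means a later regression in one does not reopen the bug.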

Added: Feb 3, 2026, 12:04 AM
Updated: Feb 3, 2026, 12:04 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.0
remediation: 0.0
relevance: 2.6
threat: 6.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.