FUXA Authentication Bypass Vulnerability in Node-RED Plugin Allowing Unauthenticated Remote Code Execution

Vulnerability

An authentication bypass vulnerability has been identified in FUXA versions 1.2.8 up to, but not including, 1.2.11. When the Node-RED plugin is enabled, this vulnerability allows an unauthenticated, remote attacker to execute arbitrary code on the server. The issue arises from inadequate authentication checks on the Node-RED deployment API, specifically at the '/nodered/flows' endpoint. Exploitation of this vulnerability could lead to a full system compromise, especially in environments connected to ICS/SCADA systems.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the server, with potential for full system compromise, particularly in connected ICS/SCADA environments.

Reproduction

To reproduce this vulnerability, send a request to the '/nodered/flows' endpoint while the Node-RED plugin is enabled. The request can bypass authentication checks, granting access to the Node-RED deployment API. Once access is obtained, submit a malicious flow configuration to execute arbitrary code on the server.

Remediation

Users are advised to update FUXA to version 1.2.11 or later, where this vulnerability has been patched.
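Two defender-side checks that follow from the advisory, written as an added example rather than anything from FUXA or the advisory's author: a version test against the stated affected range (1.2.8 inclusive to 1.2.11 exclusive) and a triage filter that pulls every successful POST to the '/nodered/flows' endpoint out of access-log lines. The log layout assumed is the common combined format as written by a reverse proxy in front of FUXA (an assumption; adjust the regex to your proxy), and the sample lines are constructed.

```python
import re
from typing import List, Tuple

# Affected range as stated in the advisory: 1.2.8 <= version < 1.2.11
AFFECTED_MIN = (1, 2, 8)
FIXED_VERSION = (1, 2, 11)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def is_affected(version: str) -> bool:
    """True when an installed FUXA version falls inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


# Combined-format access log line (assumed proxy layout): ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_nodered_deploys(lines: List[str]) -> List[dict]:
    """Return every successful (2xx) POST to /nodered/flows, the deployment endpoint named in the advisory.
    The proxy's user field is carried along for triage; '-' means the proxy saw no authenticated identity."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?")[0].rstrip("/")
        if (m.group("method") == "POST" and path == "/nodered/flows"
                and m.group("status").startswith("2")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "user": m.group("user"), "status": int(m.group("status"))})
    return hits


# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2026:03:09:00 +0000] "POST /nodered/flows HTTP/1.1" 200 512',
    '10.0.0.7 - admin [10/Feb/2026:03:10:00 +0000] "POST /nodered/flows HTTP/1.1" 204 0',
    '10.0.0.9 - - [10/Feb/2026:03:11:00 +0000] "GET /home HTTP/1.1" 200 1024',
    '10.0.0.5 - - [10/Feb/2026:03:12:00 +0000] "POST /nodered/flows/ HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for v in ("1.2.7", "1.2.8", "1.2.10", "1.2.11"):
        print(v, "affected" if is_affected(v) else "not affected")
    for hit in flag_nodered_deploys(SAMPLE_LOG):
        print("flow deployment to review:", hit)
```

On an instance still in the affected range, every hit with user '-' deserves review of what flow was deployed; after upgrading to 1.2.11 or later, the same filter confirms that unauthenticated POSTs to the endpoint no longer succeed.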

Added: Feb 10, 2026, 3:09 AM
Updated: Feb 10, 2026, 3:09 AM

Vulnerability Rating

Custom Algorithm

spread          0.8
impact          7.5
exploitability  7.2
remediation     7.7
relevance       2.9
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.