Eclipse KUKSA Databroker Authorization Bypass Vulnerability in OpenProviderStream API

Vulnerability

A vulnerability exists in the Eclipse KUKSA Databroker's implementation of the OpenProviderStream API, in versions from 0.5.0 and prior to 0.6.0. It allows a client holding only a read JWT scope to register as a signal provider by sending a ProvideSignalRequest for a target signal ID. The client can then inject forged data into the system: when the broker sends it a GetProviderValueRequest, it replies with an attacker-controlled GetProviderValueResponse, which the broker passes on to other clients requesting the same signal.

Impact

Exploitation of this vulnerability allows unauthorized manipulation of signal data: other clients receive forged information and may act on it as if it were legitimate.

Reproduction

To reproduce this vulnerability, first obtain a valid token with read-only scope. Connect to the production gRPC API of KUKSA Databroker and open the OpenProviderStream. Send a ProvideSignalRequest for a specific signal ID. Once the broker forwards a GetProviderValueRequest, respond with an attacker-controlled GetProviderValueResponse. Other clients that request the same signal will receive the injected, false data.

Remediation

Users are advised to upgrade to version 0.6.1.
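
The check that was missing on the provider-registration path can be sketched as below. This is an added example, not the project's patch or Databroker code: the type and function names are hypothetical, the `action:path` scope-string format is an assumption, and signal IDs are assumed to have been resolved to paths before the check.

```rust
// Added illustration; types and scope format are assumptions, not KUKSA's own code.
#[derive(Debug, PartialEq, Clone, Copy)]
enum Action { Read, Actuate, Provide }

// One parsed scope entry, e.g. "read:Vehicle.Speed" or "provide:Vehicle.*".
struct Scope { action: Action, pattern: String }

fn parse_scopes(claim: &str) -> Vec<Scope> {
    claim.split_whitespace().filter_map(|entry| {
        let (act, pattern) = entry.split_once(':').unwrap_or((entry, "*"));
        let action = match act {
            "read" => Action::Read,
            "actuate" => Action::Actuate,
            "provide" => Action::Provide,
            _ => return None, // unknown actions grant nothing
        };
        Some(Scope { action, pattern: pattern.to_string() })
    }).collect()
}

// Trailing-"*" prefix match only; a fuller matcher would compare per path segment.
fn path_matches(pattern: &str, path: &str) -> bool {
    match pattern.strip_suffix('*') {
        Some(prefix) => path.starts_with(prefix),
        None => pattern == path,
    }
}

fn allowed(scopes: &[Scope], needed: Action, path: &str) -> bool {
    scopes.iter().any(|s| s.action == needed && path_matches(&s.pattern, path))
}

// Gate for a provider registration: every requested signal must be covered by a
// provide scope, otherwise the whole request is refused (no partial registration).
fn may_register_provider(scope_claim: &str, signals: &[&str]) -> bool {
    let scopes = parse_scopes(scope_claim);
    !signals.is_empty() && signals.iter().all(|p| allowed(&scopes, Action::Provide, p))
}

fn main() {
    // Constructed scope claims for the demonstration.
    let read_only = "read:Vehicle.*";
    let provider = "read:Vehicle.* provide:Vehicle.Speed";
    println!("{}", may_register_provider(read_only, &["Vehicle.Speed"]));
    println!("{}", may_register_provider(provider, &["Vehicle.Speed"]));
    println!("{}", may_register_provider(provider, &["Vehicle.Speed", "Vehicle.Cabin.Door"]));
}
```

The point of the sketch is that read permission on a signal and permission to supply its value are separate decisions, and the second must be made when the stream is opened, not inferred from the token being valid.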

Added: Apr 24, 2026, 9:18 AM
Updated: Apr 24, 2026, 9:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 6.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.