A critical vulnerability exists in Signal K Server that allows an unauthenticated attacker to steal authentication tokens and gain complete control of the system. By chaining two information disclosure flaws, an attacker can monitor pending access requests and intercept the authentication token once an administrator approves it, leading to a full authentication bypass. This vulnerability poses a severe risk to the integrity and availability of the marine data systems managed by the server.

This vulnerability is a chain of two distinct flaws that, when combined, allow an unauthenticated attacker to steal valid JWT authentication tokens.

1. Unauthenticated WebSocket Request Enumeration: The server's WebSocket stream endpoint can be accessed by an unauthenticated user. By connecting with the serverevents=all query parameter, an attacker receives all cached server events, including sensitive ACCESS_REQUEST events. These events contain the unique request ID, client details, and requested permissions for any pending access request.
2. Unauthenticated Token Polling: The API endpoint /signalk/v1/access/requests/:id allows anyone, without authentication, to check the status of a specific access request. When an administrator approves a request, the response from this endpoint includes the newly generated JWT token in plaintext.

This vulnerability is rated as critical severity with a CVSS score of 9.1, reflecting the ease of exploitation and the potential for complete system compromise. Successful exploitation allows an attacker to bypass all authentication mechanisms and acquire a valid, and potentially high-privilege, authentication token. This could grant the attacker the ability to control connected marine systems, access sensitive navigational or operational data, and disrupt the functionality of the entire Signal K ecosystem on the vessel, posing significant operational and safety risks.

Immediate Action: Immediately upgrade all instances of Signal K Server to version 2.19.0 or a later version, which contains the necessary security fixes to address both underlying issues. After upgrading, review access logs for any signs of compromise or unusual activity related to the access request endpoints.

Proactive Monitoring:

• Monitor network logs for an unusual number of WebSocket connections, particularly those using the serverevents=all query parameter from unknown or untrusted IP addresses.
• Audit web server logs for repeated polling activity against the /signalk/v1/access/requests/ API endpoint.
• Review pending and approved access requests for any that appear suspicious, such as those with unusual descriptions or originating from unexpected IP addresses.

Compensating Controls:

• If immediate patching is not feasible, restrict network access to the Signal K Server's ports. Use a firewall to limit connections to trusted devices and IP ranges only.
• Disable anonymous readonly access by setting allow_readonly to false in the server's configuration. This will prevent unauthenticated users from accessing the vulnerable WebSocket stream and API endpoint.
• Place the server behind a reverse proxy or Web Application Firewall (WAF) with rules specifically designed to block requests to the /signalk/v1/access/requests/ endpoint from external sources.

Public Exploit Available: false

Given the critical CVSS score of 9.1 and the potential for a complete, unauthenticated system compromise, it is imperative that organizations patch this vulnerability with the highest priority. The attack requires no special privileges or user interaction, making it a significant and immediate threat. Although this CVE is not currently listed on the CISA KEV list, the severity and ease of exploitation warrant immediate remediation by upgrading to version 2.19.0 or later. If patching is delayed, implement the recommended compensating controls to reduce the attack surface.