A critical command injection vulnerability exists in the Signal K Server application, which serves as a central hub on marine vessels. This flaw allows an attacker to execute arbitrary commands on the server, potentially leading to a complete compromise of the boat's central data system. Exploitation is possible by unauthenticated attackers if security is disabled, or by authenticated users with write permissions, posing a severe risk to the vessel's operational integrity and safety.

This vulnerability is a command injection flaw within the set-system-time plugin of the Signal K Server. The server improperly validates user-supplied input when processing navigation.datetime values received through WebSocket delta messages. An attacker can craft a malicious navigation.datetime value containing arbitrary shell commands. When the server processes this message to set the system time, the embedded commands are executed on the underlying operating system with the privileges of the Signal K Server application. This can be exploited by an authenticated user with write permissions, or by an unauthenticated user if the server's security features are disabled.

This vulnerability is rated as critical severity with a CVSS score of 9.9, reflecting the extreme risk it poses. Successful exploitation grants an attacker remote code execution on the boat's central server hub. This could lead to catastrophic consequences, including the manipulation or disruption of critical navigation systems, theft of sensitive operational data, disabling of safety alerts, or using the compromised server to attack other connected onboard systems. The potential for complete system takeover poses a direct threat to the safety of the vessel, its cargo, and its crew.

Immediate Action: Immediately update the Signal K Server application to the patched version 1.5.0 or later. After updating, review server access and application logs for any signs of compromise or suspicious activity preceding the patch.

Proactive Monitoring: Implement enhanced monitoring of the Signal K Server. Specifically, look for unusual or unexpected processes being spawned by the server application. Monitor WebSocket traffic for malformed navigation.datetime values or payloads containing shell command syntax (e.g., semicolons, pipes, backticks).

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Disable the set-system-time plugin if it is not essential for operations.
• Ensure the Signal K Server's security is enabled and enforce strong authentication for all users, revoking unnecessary write permissions.
• Restrict network access to the Signal K Server, allowing connections only from trusted IP addresses and onboard systems.
• Deploy a Web Application Firewall (WAF) capable of inspecting WebSocket traffic to block malicious injection attempts.

Public Exploit Available: false

Given the critical CVSS score of 9.9 and the potential for complete system compromise, we strongly recommend that organizations patch this vulnerability with the highest priority. The risk of an attacker gaining control over a vessel's central server represents a severe operational and safety threat. All instances of Signal K Server versions prior to 1.5.0 should be updated to a secure version immediately. If patching is delayed, the compensating controls listed above, particularly disabling the vulnerable plugin and enforcing security, must be implemented without delay.