Administrators who cannot update to a patched ThingsBoard version can manually change the default signing key.

The developers of ThingsBoard, an open-source platform for managing IoT devices that is used across many industries, have fixed a vulnerability that could allow attackers to escalate their privileges to administrator and send requests to the server with those privileges. The vulnerability, tracked as CVE-2023-26462, was discovered and privately reported by researchers from IBM Security X-Force. It stems from the platform using a static key to sign the JSON Web Tokens (JWTs) it issues to clients. With knowledge of that key, which is easy to obtain, attackers can construct valid tokens that identify them to the system as higher-privileged users.

"Because ThingsBoard allowed the default key to be used without requiring administrators to change it, and because the default key was also publicly exposed in the configuration file, the door was open for attackers to gain unauthorized access to whatever they wanted," the X-Force researchers said in their report.

The flaw was fixed in ThingsBoard version 3.4.2 by generating a random key for each new installation or upgrade to 3.4.2 or later. Administrators who cannot upgrade immediately can manually change the default signing key on older versions in the configuration file or through the admin dashboard. Changing the key invalidates every token signed under the old one, so users with active sessions will have to log in again, which is the intended effect: any token an attacker forged with the old key stops working at the same moment.

Insecure implementation of JSON Web Tokens

JSON Web Token is an internet standard for stateless authentication tokens that is widely adopted in mobile and web applications, especially in scenarios where interactive authentication is impractical, such as machine-to-machine or service-to-service communication. Stateless authentication does not rely on a username and password being entered and the state of the user's session being stored on the server. Instead it relies on tokens or tickets that contain certain assertions, or claims, about a user that the server knows to be true. With JWT, the server generates a token for a client and signs it with its secret key. That token consists of a payload that identifies the user and their permissions. Every time the user or client wants to perform an action on the server, they send the signed token along with the request.

It is easy to see in this workflow why keeping the signing key secure matters. Otherwise, someone who knows the server's key can take a valid payload, alter values in it, and re-sign it with the key so that the server accepts it as valid. In the case of ThingsBoard, an attacker can change the scope value in the JWT that identifies the user's role on the server and therefore dictates what privileges they have. Some of the high-privileged scopes are TENANT_ADMIN and SYS_ADMIN. Tenants are organizational subdivisions on the platform, and tenant admins can manage all devices belonging to a particular tenant. System admins have control over the whole system, including the ability to manage all tenants.

"By editing this role value and generating a new, valid signature for the payload, a user can escalate privileges within the platform to the highest level," the X-Force researchers said. "This grants access throughout the entirety of the platform, including other tenants, users, and devices not affiliated with the original account."

ThingsBoard can manage and collect data from devices through a variety of IoT gateways, cloud APIs, and communication protocols, including MQTT, HTTP, CoAP, Webhooks, LwM2M, LoRaWAN, SigFox, NB IoT, SMS, OPC-UA, Modbus, BLE, Request, CAN, BACnet, ODBC, REST, and SNMP. It integrates with platforms such as Azure Event Hub, AWS IoT, Azure IoT Hub, and IBM Watson IoT. Because of this multitude of connectivity options, it supports both internet-enabled devices and devices that communicate over non-internet protocols. Use cases for ThingsBoard include collecting data from energy meters, soil monitors and farming equipment, smart irrigation systems, air quality monitors, fleet management systems, food storage monitors, water meters, and resource consumption monitors in offices. Its creators say it is used in energy, telecom, warehouse management, smart city, building automation, agriculture, and Industry 4.0 projects.

"ThingsBoard is just one among many IoT platforms which, much like the devices that connect to them, all deserve further research and scrutiny," the X-Force researchers said. "Adoption of IoT devices in all industries will only continue to grow, and with it the need to ensure security in the platforms managing devices and collecting data."
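The forgery the researchers describe, and the reason a per-installation random key stops it, can be shown end to end with nothing but the Python standard library. The following is an added example written for this article; it is not ThingsBoard code, and the claim name `scopes`, the `DEFAULT_KEY` string, and the sample user are constructed stand-ins rather than the platform's real values. It implements HS256 JWT signing and verification, lets an attacker who knows the signing key rewrite the role claim and re-sign, and then runs the same attack against a server whose key was generated randomly at install time, as the 3.4.2 fix does.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Server side: return the claims only if the HMAC verifies under `key`
    (constant-time compare) and the token has not expired; otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(header)).get("alg") != "HS256":  # pin the algorithm
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def forge_token(token: str, key: bytes, new_scopes: list) -> str:
    """Attacker side: keep the issued payload, rewrite the role claim, and
    produce a fresh, valid signature with the key the attacker knows."""
    _, payload, _ = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["scopes"] = new_scopes  # claim name assumed for illustration
    return sign_jwt(claims, key)


def generate_signing_key() -> str:
    """Per-installation replacement key: 32 random bytes, base64 for a config file."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")


# Constructed stand-in for a static default key that ships in a public config
# file. Not the real ThingsBoard value; any fixed, published string behaves the same.
DEFAULT_KEY = b"static-default-key-from-public-config-file"


def low_priv_claims() -> dict:
    # Constructed sample user with the lowest role in this toy model.
    return {"sub": "user@example.com", "scopes": ["CUSTOMER_USER"],
            "exp": int(time.time()) + 3600}


def escalate_with_default_key() -> Optional[list]:
    """Vulnerable setup: the server signs and verifies with the published default."""
    issued = sign_jwt(low_priv_claims(), DEFAULT_KEY)
    forged = forge_token(issued, DEFAULT_KEY, ["SYS_ADMIN"])
    accepted = verify_jwt(forged, DEFAULT_KEY)
    return accepted["scopes"] if accepted else None  # ["SYS_ADMIN"]: forgery accepted


def escalate_against_random_key() -> Optional[list]:
    """Fixed setup: the server key is random per install; the attacker still
    only knows the old default, so the re-signed token fails verification."""
    server_key = base64.b64decode(generate_signing_key())
    issued = sign_jwt(low_priv_claims(), server_key)
    forged = forge_token(issued, DEFAULT_KEY, ["SYS_ADMIN"])
    accepted = verify_jwt(forged, server_key)
    return accepted["scopes"] if accepted else None  # None: forgery rejected


if __name__ == "__main__":
    print("default key :", escalate_with_default_key())
    print("random key  :", escalate_against_random_key())
```

The same `verify_jwt` doubles as the check an administrator wants before and after rotating the key: take any token your own server issued and verify it under the shipped default; if the claims come back, the server is still signing with the published key and every client of that instance can mint itself SYS_ADMIN. Note that the attack needs no bug in the verifier, which does everything right (pinned algorithm, constant-time comparison, expiry check); the only defect is that the key is not a secret.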