Executive Summary

This vulnerability affects FLIR thermal traffic cameras' WebSocket implementation, which lacks proper authentication and authorization controls. Attackers can bypass security by sending crafted WebSocket messages without authentication, allowing them to manipulate device configurations, access sensitive system information, and potentially cause denial of service by rebooting the device. Additionally, the devices do not support secure WebSocket connections (wss://), transmitting data in plaintext and exposing communications to man-in-the-middle attacks. The WebSocket service also fails to validate the Origin header, making it vulnerable to Cross-Site WebSocket Hijacking (CSWSH) attacks. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized exposure of sensitive system information, unauthorized modification of device configurations, and denial of service by remotely rebooting the devices. Attackers can gain full control over affected FLIR thermal traffic cameras, which can disrupt Intelligent Transportation Systems (ITS) operations, compromise traffic monitoring, and potentially cause safety and operational issues. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to connect to the device's WebSocket endpoint without authentication and observing if unauthorized commands are accepted. The WebSocket endpoint is typically ws://<device_ip>:13042/ws/xml2. Commands such as GetProductInformation, GetConfiguration, GetSystemLogs can be sent to retrieve sensitive information. Lack of HTTP 401 Unauthorized responses when connecting to the WebSocket endpoint indicates the vulnerability. A proof-of-concept Python script exists that demonstrates connecting and sending commands like GetProductInformation to confirm the vulnerability. [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying the vendor-released patches and firmware updates available since September 17, 2018, which address the authentication and authorization issues. Additionally, network-level controls such as restricting access to the WebSocket port (13042) to trusted hosts, disabling WebSocket services if not needed, and monitoring for unusual WebSocket traffic can help reduce risk. Implementing network segmentation and using VPNs or secure tunnels to access devices can also mitigate exposure. Since the devices do not support secure WebSocket (wss://), encrypting traffic via other means is recommended. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthorized access to sensitive system information and device configurations, which could lead to exposure of personal or sensitive data. This unauthorized access and potential data exposure may result in non-compliance with data protection regulations such as GDPR or HIPAA, which require strict controls over access to sensitive information and device security. However, specific impacts on compliance are not detailed in the provided resources. [1, 2]

Useful 0 Not Useful 0