Qingqiao Information

top

Open source GPS system exposes two high-risk vulnerabilities
Release time:2024-09-29 Source: Qingqiao Number of views:

According to foreign reports,Open SourceTraccar GPS System DisclosurehaveTwo security vulnerabilities,Unauthenticated attackers may exploit these vulnerabilities to achieve remote code execution in certain situations.

TraccarIt is an open-source projectGPSsystemIt is caused byFrom different backgrounds and professional fieldsThe developers worked together to complete it,Anton·TannaevandAndre·One of the important developers of the Kunixin project.Traccar GPS tracking systemIts source code and documentation are publicly available and comply with specific open source license agreements. It is mainly composed ofJavaLanguage writing with good cross platform compatibilityThereforeUsers are free to use, modify, and distribute their source code, countries around the worldCompany or teamFinebe based onTraccarSecondary development of open-source code to meet specific needs. for exampleGuangzhou Ange International Freight Forwarding Co., Ltd. has developed a product calledAngeTraccar”The logistics positioning application software.

6329458b8bf1a924a10a1f37a5166179.png

Open SourceTraccar GPS system

TraccarProvides powerful location tracking capabilitiescanReal time positioning and tracking meet the tracking and positioning needs of various industries such as taxis, trucks, agricultural equipment, fleets, containers, ships, and individuals.TraccarSupport beyondtwo hundredvariedGPSThe protocol can be compatible with the vast majority of the marketGPSTracking device compatibility. Apart from traditionalGPSOutside of tracking devices,TraccarAlso supports exceedingtwo thousandMultiple modelsGPSTracking devices, includingiOSandAndroidWaiting for mobile devices. in additionTraccarIt also supports multiple functions such as satellite switching, map switching, tracking motion trajectories, tracking itineraries, stopping points, etc., to meet the different needs of users.

thisTraccarTwo of themSecurity vulnerabilitiesIt is from the United StatesNetwork security solution providerHorizon3.aiofchief architect Naveen SunkavallyDiscovered.These two vulnerabilities are respectivelyCVE-2024-24809andCVE-2024-31214All of them are path traversal vulnerabilities.

CVE-2024-24809The vulnerability allows uploading files of dangerous types. Attackers can upload malicious files through specific attack paths, posing a threat to the system. The vulnerabilityCVSSThe score iseight point fiveThis indicates that it has a high degree of severity.CVE-2024-31214The vulnerability lies in the device's image upload function, which allows unrestricted file uploads and may result in remote code execution. Attackers can exploit this vulnerability to upload malicious files and trigger code execution, thereby gaining complete control over the affected system. The vulnerabilityCVSSScore as high asnine point sevenIt is an extremely serious security vulnerability.

640 (1).pngHorizon3.aiThe Chief ArchitectNaveen Sunkavally

Naveen SunkavallyAfter discovering these vulnerabilities, a detailed analysis was conducted, and the causes of the vulnerabilities and possible attack methods were identified. He reminded to useTraccarUsers of the system should be aware of these vulnerabilities and advised to take appropriate protective measures. In response to these vulnerabilities,Horizon3.aiThe company also provided proof of concept attack examples, demonstrating how attackers can exploit these vulnerabilities to carry out attacks.Including utilizationContent-TypePath traversal vulnerability upload in the headercrontabFile to obtain reverse on attacker's hostshell; stayWindowsOn the system, remote code execution is achieved by placing shortcut files in specific directories.

at presentTraccarofThe development team has actively fixed these issues and released a new versionBut stillleadhairI got itThe public is concernedOpen source resourcesIntense discussion on securityWhen introducing open source resources into a project,We must attach great importance to safety reviewandThoroughly understand and evaluate its dependency relationships. An open source project may rely on multiple other open source libraries or components, which may also have security vulnerabilities. Therefore, usersstayConduct a security assessment of the entire dependency chainofAt the same time, it is also necessary toRegularly monitor the security notices and update logs of the open source projects used to reduce the risk of attacks and ensure that all components are secure and reliable.

This incident has also attracted widespread attention in the entire field of IoT security. IoT devices not only bring convenience, but also existmultipleAn undeniable safety hazard. Each enterprise andteamNeed to strengthen the understanding of IoT devicesOverall supply chainofcomprehensiveSecurity management to prevent similar security incidents from happening again.


Laos:+856 2026 885 687     domestic:+0086-27-81305687-0     Consultation hotline:400-6689-651    

E-mail:qingqiaoint@163.com   /   qingqiaog5687@gmail.com

Copyright: Qingqiao International Security Group     备案号:鄂ICP备2021010908号

Service number

G5687
Telephone
400-6689-651

Code scanning plus WeChat

home

WeChat

Code scanning plus WeChat

Telephone

facebook

LinkedIn