Open source GPS system exposes two high-risk vulnerabilities
Release time: 2024-09-11    Source: Qingqiao

According to foreign reports, the open-source Traccar GPS system has disclosed two security vulnerabilities that an unauthenticated attacker may, in certain situations, exploit to achieve remote code execution.

Traccar is an open-source GPS system built jointly by developers from different backgrounds and professional fields; Anton Tananaev and Andre Kunixin are among the project's key developers. The source code and documentation of the Traccar GPS tracking system are publicly available under a specific open-source licence. It is written mainly in Java and therefore has good cross-platform compatibility. Users are free to use, modify and distribute its source code, and companies and teams around the world can build on the Traccar code base to meet their own needs. For example, Guangzhou Ange International Freight Forwarding Co., Ltd. has developed a logistics positioning application called "AngeTraccar".

Open-source Traccar GPS system

Traccar provides powerful location-tracking capabilities: real-time positioning and tracking that meets the needs of industries such as taxis, trucks, agricultural equipment, fleets, containers, ships and individuals. Traccar supports more than two hundred GPS protocols and is therefore compatible with the vast majority of GPS tracking devices on the market. Beyond traditional GPS tracking devices, Traccar also supports more than two thousand device models, including iOS and Android mobile devices. In addition, it offers functions such as satellite switching, map switching, motion trajectory tracking, trip tracking and stop points to meet different user needs.

These two Traccar security vulnerabilities were discovered by Naveen Sunkavally, chief architect at the US network-security solution provider Horizon3.ai. They are tracked as CVE-2024-24809 and CVE-2024-31214, and both are path traversal vulnerabilities.

CVE-2024-24809 allows files of dangerous types to be uploaded: an attacker can upload malicious files through a specific attack path and thereby threaten the system. Its CVSS score is 8.5, indicating high severity. CVE-2024-31214 lies in the device image upload function, which allows unrestricted file uploads and may result in remote code execution; an attacker can upload a malicious file and trigger its execution, gaining complete control of the affected system. Its CVSS score is as high as 9.7, making it an extremely serious security vulnerability.

Naveen Sunkavally, chief architect at Horizon3.ai

After discovering these vulnerabilities, Naveen Sunkavally carried out a detailed analysis that identified their root causes and the possible attack methods. He reminded users of the Traccar system to be aware of these vulnerabilities and advised them to take appropriate protective measures. Horizon3.ai also provided proof-of-concept attack examples demonstrating how attackers could exploit these vulnerabilities, including using the path traversal through the Content-Type header to upload a crontab file and obtain a reverse shell on the attacker's host, and, on Windows systems, achieving remote code execution by placing shortcut files in specific directories.
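As an added illustration (not Traccar's own code), the following Python shows the defensive pattern that closes the class of bug described above: the on-disk extension is chosen from an allow-list rather than taken from the Content-Type header, the device identifier is restricted to a plain token, and the resolved path is checked to remain inside the upload root. The upload root, the allow-list and the identifier format are assumptions made for this example.

```python
import os
import re

# Assumed upload root for this illustration; not a path from Traccar.
UPLOAD_ROOT = "/var/lib/app/media"

# Allow-list: only these Content-Type values map to an on-disk extension.
# Anything else, including a subtype containing '/' or '..', is refused,
# so header content never reaches the file name.
ALLOWED_IMAGE_TYPES = {
    "image/jpeg": "jpg",
    "image/png": "png",
    "image/gif": "gif",
}

# Device identifiers are restricted to a plain token, so they cannot carry
# path separators into the target path either (assumed format).
SAFE_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(device_id, content_type):
    """Return the absolute target path for a device image, or raise ValueError.

    The extension comes from the allow-list (never verbatim from the header),
    and the resolved path is verified to stay under UPLOAD_ROOT.
    """
    if not SAFE_ID.match(device_id):
        raise ValueError("invalid device id")
    mime = content_type.split(";", 1)[0].strip().lower()  # drop parameters
    ext = ALLOWED_IMAGE_TYPES.get(mime)
    if ext is None:
        raise ValueError("unsupported content type: %r" % content_type)
    root = os.path.realpath(UPLOAD_ROOT)
    target = os.path.realpath(os.path.join(root, device_id, "device." + ext))
    # Containment check: defence in depth even though the inputs are already
    # constrained above.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("target escapes upload root")
    return target


def is_upload_allowed(device_id, content_type):
    """Boolean wrapper suitable for request filtering or logging."""
    try:
        validate_upload(device_id, content_type)
        return True
    except ValueError:
        return False
```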

The Traccar development team has since actively fixed these issues and released a new version, but the incident has still triggered intense public discussion about the security of open-source resources. When introducing open-source resources into a project, security review must be taken seriously, and the project's dependency relationships must be thoroughly understood and evaluated. An open-source project may rely on many other open-source libraries or components, which may themselves contain security vulnerabilities. Users should therefore conduct a security assessment of the entire dependency chain and, at the same time, regularly monitor the security notices and update logs of the open-source projects they use, so as to reduce the risk of attack and ensure that all components are secure and reliable.

This incident has also attracted widespread attention across the field of IoT security. IoT devices bring convenience but also carry a number of undeniable security hazards. Every enterprise and team needs to strengthen comprehensive security management across the whole supply chain of its IoT devices to prevent similar security incidents from recurring.



Copyright: Qingqiao International Security Group    ICP filing number: 鄂ICP备2021010908号