Kunbus-2025-0000002: Missing Authentication in Node-RED integration
TLP: WHITE
| Publisher: KUNBUS PSIRT | Document category: csaf_security_advisory |
| Initial release date: 2025-04-01T17:01:33.529447791Z | Engine: csaf-cms-backend 1.0.0 |
| Current release date: 2025-04-01T17:01:33.529447791Z | Build Date: 2025-04-01T17:00:05.711Z |
| Current version: 1.0.0 | Status: interim |
| CVSSv3.1 Base Score: 10 | Severity: Critical |
| Original language: | Language: en-US |
| Also referred to: | |
Vulnerabilities
Lack of Authentication in Revolution Pi Node-RED
Summery
Authentication is not configured by default for the Node-RED server on Revolution Pi. An unauthenticated remote attacker has full access to the Node-RED server and can run arbitrary commands on the underlying operating system.
Details
The integration of Node-RED in Revolution PI OS is activated by default since the Bookworm release. It does not configure any authentication. This enables an attacker to not only view but create and alter flows. Since flows can contain code blocks that leads to an unauthenticated remote code execution with the low priority user running Node-RED.
| CWE: | CWE-306:Missing Authentication for Critical Function |
|---|
Product status
Known affected
| Product | CVSS-Vector | CVSS Base Score |
|---|---|---|
| KUNBUS Revolution Pi Revolution Pi OS Bookworm (01/2025) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 10 |
| KUNBUS Revolution Pi revpi-nodered 1.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 10 |
Remediations
Vendor fix (2025-04-30T10:00:00.000Z)
By end of april we plan to release a new cockpit plugin that guides make the above mentioned configurations available in a consistant graphical interface like you now it from RevPi.
For products:
- KUNBUS Revolution Pi Revolution Pi OS Bookworm (01/2025)
- KUNBUS Revolution Pi revpi-nodered 1.6
Mitigation (2025-03-27T11:00:00.000Z)
Activate authentication
For products:
- KUNBUS Revolution Pi Revolution Pi OS Bookworm (01/2025)
- KUNBUS Revolution Pi revpi-nodered 1.6
https://www.kunbus.com/files/media/misc/kunbus-2025-0000002-remediation.pdf
Restart required: service
Node-RED needs to be restarted.
Workaround (2025-03-27T11:00:00.000Z)
Deactivate unnecessary services
For products:
- KUNBUS Revolution Pi Revolution Pi OS Bookworm (01/2025)
- KUNBUS Revolution Pi revpi-nodered 1.6
https://www.kunbus.com/files/media/misc/kunbus-2025-0000002-remediation.pdf
Workaround (2025-03-27T11:00:00.000Z)
Restrict network access
For products:
- KUNBUS Revolution Pi Revolution Pi OS Bookworm (01/2025)
- KUNBUS Revolution Pi revpi-nodered 1.6
https://www.kunbus.com/files/media/misc/kunbus-2025-0000002-remediation.pdf
Acknowledgments
- Adam Bromiley from Pen Test Partners
Acknowledgments
KUNBUS PSIRT thanks the following parties for their efforts:
- Adam Bromiley from Pen Test Partners for Found and reported the vulnerabilities
KUNBUS PSIRT
Namespace: https://kunbus.com
product-security@kunbus.com
KUNBUS GmbH develops and produces the Revolution Pi Family, Revolution Pi OS and the extension modules for RevPi
References
- URL generated by system (self): https://psirt.kunbus.com/.well-known/csaf/white/2025/kunbus-2025-0000002.json
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1.0.0 | 2025-04-01T17:01:33.529447791Z | Initial Publication |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/