Recent security assessments have revealed critical vulnerabilities in the open-source Traccar GPS tracking system that could leave users exposed to remote code execution attacks. The vulnerabilities, identified as CVE-2024-24809 and CVE-2024-31214, are classified as path traversal flaws and can be exploited when guest registration is enabled. This setting, which is the default configuration in Traccar 5, could allow unauthenticated attackers to execute arbitrary code on affected systems.
CVE-2024-24809 allows attackers to exploit path traversal weaknesses and upload dangerous files, while CVE-2024-31214 involves unrestricted file uploads that could lead to remote code execution. The flaws enable malicious actors to place files with arbitrary content on the file system, posing a serious security risk. For example, an attacker could upload files with specific naming formats to trigger code execution or overwrite crucial system files.
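As an added illustration of the bug class described above (not Traccar's own code), the following Python contrasts a naive path join, in which client-supplied components walk out of the upload directory, with a hardened version that allowlists each component and re-checks containment on the resolved path. The media root, identifier and file names are constructed for the example.

```python
import os
import re
from pathlib import Path

# Constructed media root for this example; a real server would use its configured upload directory.
UPLOAD_ROOT = Path("/var/lib/tracker/media")

# Allowlist for one path component: alphanumerics, dot, dash, underscore, starting with a
# letter or digit, so "..", ".", separators, percent-encoding and dotfiles are all refused.
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def unsafe_target(identifier: str, filename: str) -> str:
    """Naive join: client-controlled components flow straight into the path.
    normpath collapses '..' segments, so traversal input lands outside the root."""
    return os.path.normpath(os.path.join(str(UPLOAD_ROOT), identifier, filename))


def escapes_root(identifier: str, filename: str) -> bool:
    """True when the naive join would write somewhere other than under UPLOAD_ROOT."""
    return not unsafe_target(identifier, filename).startswith(str(UPLOAD_ROOT) + os.sep)


def safe_target(identifier: str, filename: str) -> Path:
    """Hardened version: allowlist every component, then verify the resolved path stays inside the root."""
    for part in (identifier, filename):
        if not SAFE_COMPONENT.fullmatch(part):
            raise ValueError(f"rejected path component: {part!r}")
    root = UPLOAD_ROOT.resolve()
    # resolve() follows symlinks, so a symlinked directory under the root cannot redirect the write.
    target = (root / identifier / filename).resolve()
    if root not in target.parents:
        raise ValueError("upload would escape the media directory")
    return target


def is_accepted(identifier: str, filename: str) -> bool:
    """Boolean wrapper around safe_target for callers that do not want the exception."""
    try:
        safe_target(identifier, filename)
        return True
    except ValueError:
        return False
```

A real handler should URL-decode and Unicode-normalise the input before applying the allowlist, and should log rejected components, since repeated rejections are a useful detection signal for traversal attempts.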
Horizon3.ai’s proof-of-concept (PoC) demonstrated that these vulnerabilities could be exploited by uploading a crontab file or configuring a udev rule on vulnerable systems. On Windows instances, attackers could place a malicious shortcut file in the startup folder, which would execute upon user login. However, the PoC attack does not work on Debian/Ubuntu systems due to their file naming restrictions.
Traccar versions 5.1 to 5.12 are impacted by these vulnerabilities. Users are advised to upgrade to Traccar 6, which was released in April 2024. The new version addresses these issues by disabling self-registration by default, thereby reducing the attack surface. As cybersecurity threats continue to evolve, it is crucial for organizations to keep their systems updated and follow best practices to safeguard against potential exploits.