Kunbus-2025-0000002: Missing Authentication in Node-RED integration

TLP: WHITE

Publisher: KUNBUS PSIRT
Document category: csaf_security_advisory
Initial release date: 2025-04-01T17:01:33.529447791Z
Engine: csaf-cms-backend 1.0.0
Current release date: 2025-05-07T11:04:38.212602931Z
Build Date: 2025-05-07T11:02:21.591Z
Current version: 2.1.0
Status: final
CVSSv3.1 Base Score: 10
Severity: Critical
Original language:
Language: en-US
Also referred to:

Vulnerabilities

Lack of Authentication in Revolution Pi Node-RED (CVE-2025-24522)

Summary

Authentication is not configured by default for the Node-RED server on Revolution Pi. An unauthenticated remote attacker has full access to the Node-RED server and can run arbitrary commands on the underlying operating system.

Details

The Node-RED integration in Revolution Pi OS has been activated by default since the Bookworm release, and it does not configure any authentication. This enables an attacker not only to view but also to create and alter flows. Since flows can contain code blocks, this leads to unauthenticated remote code execution as the low-privileged user running Node-RED.

CWE: CWE-306: Missing Authentication for Critical Function

Product status

Known affected
Product | CVSS-Vector | CVSS Base Score
KUNBUS Revolution Pi Revolution Pi OS Bookworm 01/2025 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 10
KUNBUS Revolution Pi revpi-nodered 1.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 10
Fixed
  • KUNBUS Revolution Pi Revolution Pi OS Bookworm 04/2025
  • KUNBUS Revolution Pi revpi-nodered 1.7

Remediations

Vendor fix (2025-04-30T10:00:00.000Z)

By the end of April we plan to release a new Cockpit plugin that makes the above-mentioned configurations available in a consistent graphical interface, as you know it from RevPi.

For products:
  • KUNBUS Revolution Pi Revolution Pi OS Bookworm 01/2025
  • KUNBUS Revolution Pi revpi-nodered 1.6

Mitigation (2025-03-27T11:00:00.000Z)

Activate authentication

For products:
  • KUNBUS Revolution Pi Revolution Pi OS Bookworm 01/2025
  • KUNBUS Revolution Pi revpi-nodered 1.6

https://www.kunbus.com/files/media/misc/kunbus-2025-0000002-remediation.pdf

Restart required: service

Node-RED needs to be restarted.
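
The check below is an added example, not taken from the KUNBUS remediation document or from Revolution Pi OS. It audits a Node-RED settings object for the missing-authentication state described in this advisory and for the listening interface relevant to the "Restrict network access" workaround. It assumes the upstream Node-RED settings.js options adminAuth and uiHost; the sample settings and the placeholder hash are constructed.

```javascript
// Added example, not KUNBUS code. Key names (adminAuth, uiHost) are upstream
// Node-RED settings.js options; the sample settings objects are constructed.
const BCRYPT_HASH = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

// Returns a list of { level, msg } findings for one settings object.
function auditNodeRedSettings(settings) {
  const findings = [];
  const add = (level, msg) => findings.push({ level, msg });
  const auth = settings.adminAuth;

  if (!auth) {
    // The state described in the advisory: editor and admin API open to anyone.
    add("critical", "adminAuth is not set: editor and admin API need no login");
  } else {
    // Permissions granted to clients that have not logged in.
    const anon = [].concat((auth.default && auth.default.permissions) || []);
    if (anon.includes("*")) {
      add("critical", "adminAuth.default grants '*' to anonymous clients");
    } else if (anon.length > 0) {
      add("warning", "anonymous clients get: " + anon.join(", "));
    }
    // Static user lists must hold bcrypt hashes, never plaintext passwords.
    if (auth.type === "credentials" && Array.isArray(auth.users)) {
      if (auth.users.length === 0) add("critical", "adminAuth.users is empty");
      for (const u of auth.users) {
        if (!BCRYPT_HASH.test(String(u.password))) {
          add("critical", `user '${u.username}': password is not a bcrypt hash`);
        }
      }
    }
  }
  // An unset uiHost means Node-RED listens on all IPv4 interfaces.
  if (!settings.uiHost || settings.uiHost === "0.0.0.0") {
    add("warning", "uiHost not restricted: reachable on every interface");
  }
  return findings;
}

// Constructed samples: an unauthenticated default and a hardened configuration.
const openDefault = { uiPort: 1880 };
const hardened = {
  uiPort: 1880,
  uiHost: "127.0.0.1",
  adminAuth: {
    type: "credentials",
    users: [{ username: "admin", permissions: "*",
              password: "$2b$08$" + "A".repeat(53) }], // placeholder hash
  },
};
console.log(auditNodeRedSettings(openDefault));
console.log(auditNodeRedSettings(hardened));
```

An empty result means none of the checked conditions apply; it does not cover HTTP endpoints exposed by the flows themselves.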

Workaround (2025-03-27T11:00:00.000Z)

Deactivate unnecessary services

For products:
  • KUNBUS Revolution Pi Revolution Pi OS Bookworm 01/2025
  • KUNBUS Revolution Pi revpi-nodered 1.6

https://www.kunbus.com/files/media/misc/kunbus-2025-0000002-remediation.pdf

Workaround (2025-03-27T11:00:00.000Z)

Restrict network access

For products:
  • KUNBUS Revolution Pi Revolution Pi OS Bookworm 01/2025
  • KUNBUS Revolution Pi revpi-nodered 1.6

https://www.kunbus.com/files/media/misc/kunbus-2025-0000002-remediation.pdf

Acknowledgments

KUNBUS PSIRT thanks the following parties for their efforts:

  • Adam Bromiley from Pen Test Partners for finding and reporting the vulnerabilities

KUNBUS PSIRT

Namespace: https://www.kunbus.com

product-security@kunbus.com

KUNBUS GmbH develops and produces the Revolution Pi Family, Revolution Pi OS and the extension modules for RevPi amongst others. KUNBUS PSIRT is responsible for vulnerability handling across all KUNBUS products and services.

Revision history

Version | Date of the revision | Summary of the revision
1.0.0 | 2025-04-01T17:01:33.529447791Z | Initial Publication
1.1.0 | 2025-05-05T07:33:00.000Z | Add assigned CVE Number
2.0.0 | 2025-05-07T10:52:41.819669674Z | Add new image release that contains the fixes
2.1.0 | 2025-05-07T11:04:38.212602931Z | Added HTML Version as reference

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/

 

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. KUNBUS RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.