CVE-2023-45672 in frigate
Summary
by MITRE • 10/31/2023
Frigate is an open source network video recorder. Prior to version 0.13.0 Beta 3, an unsafe deserialization vulnerability was identified in the endpoints used to save configurations for Frigate. This can lead to unauthenticated remote code execution. This can be performed through the UI at `/config` or through a direct call to `/api/config/save`. Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could be exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user's Frigate instance; attacker crafts a specialized page which links to the user's Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. Input is initially accepted through `http.py`. The user-provided input is then parsed and loaded by `load_config_with_no_duplicates`. However, `load_config_with_no_duplicates` does not sanitize this input by merit of using `yaml.loader.Loader` which can instantiate custom constructors. A provided payload will be executed directly at `frigate/util/builtin.py:110`. This issue may lead to pre-authenticated Remote Code Execution. Version 0.13.0 Beta 3 contains a patch.
Analysis
by VulDB Data Team • 10/31/2023
The vulnerability CVE-2023-45672 represents a critical unsafe deserialization flaw in Frigate, an open source network video recorder system that has gained significant adoption in security monitoring environments. This vulnerability exists in versions prior to 0.13.0 Beta 3 and exposes a dangerous path for remote code execution through the configuration saving endpoints. The flaw specifically targets the `/config` and `/api/config/save` interfaces that administrators use to manage system configurations, creating a pathway for attackers to execute arbitrary code on affected systems. The vulnerability's exploitation requires a combination of specific conditions including public internet exposure of the Frigate instance, knowledge of the target server's address, and social engineering to convince an authenticated user to interact with a maliciously crafted link. This attack vector aligns with ATT&CK technique T1059.001 for command and scripting interpreter and CWE-502 which describes unsafe deserialization vulnerabilities where untrusted data is deserialized without proper validation. The technical implementation occurs through the `http.py` module, where user-provided input is initially accepted and then processed by the `load_config_with_no_duplicates` function, which fails to sanitize input properly because it uses `yaml.loader.Loader`, which can instantiate custom constructors. This design flaw allows malicious payloads to be executed directly at `frigate/util/builtin.py` line 110, effectively creating a pre-authenticated remote code execution vulnerability that can be exploited by attackers who can reach the Frigate instance over the internet.
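The loader behaviour described above can be reproduced with PyYAML alone. The following is an added example, not Frigate's code or its patch: `NoDuplicateSafeLoader`, `load_config_safely` and `load_config_unsafely` are hypothetical names, and the sample documents are constructed (the tagged one only calls the harmless `builtins.len`). It shows `yaml.Loader` turning a YAML tag into a Python call, and a `SafeLoader` subclass that keeps duplicate-key detection while refusing such tags.

```python
import yaml
from collections.abc import Hashable
from yaml.constructor import ConstructorError

MERGE_TAG = "tag:yaml.org,2002:merge"


class NoDuplicateSafeLoader(yaml.SafeLoader):
    """SafeLoader subclass (hypothetical name): plain YAML types only, unique keys."""


def _unique_mapping(loader, node, deep=False):
    seen = set()
    for key_node, _ in node.value:
        if key_node.tag == MERGE_TAG:  # "<<" merge keys are expanded by construct_mapping
            continue
        key = loader.construct_object(key_node, deep=True)
        if isinstance(key, Hashable) and key in seen:
            raise ConstructorError("while constructing a mapping", node.start_mark,
                                   f"found duplicate key {key!r}", key_node.start_mark)
        if isinstance(key, Hashable):
            seen.add(key)
    return loader.construct_mapping(node, deep)


NoDuplicateSafeLoader.add_constructor(
    yaml.resolver.BaseResolver.DEFAULT_MAPPING_TAG, _unique_mapping)

# Constructed sample inputs (not taken from the advisory).
BENIGN_CONFIG = "mqtt:\n  host: broker.example\ncameras: {}\n"
TAGGED_CONFIG = "mqtt: !!python/object/apply:builtins.len [[1, 2, 3]]\n"
DUPLICATE_CONFIG = "mqtt:\n  host: a\nmqtt:\n  host: b\n"


def load_config_unsafely(raw):
    # The pattern the advisory describes: yaml.Loader resolves python/* tags.
    return yaml.load(raw, Loader=yaml.Loader)


def load_config_safely(raw):
    # Unknown tags and duplicate keys both raise yaml.YAMLError subclasses.
    return yaml.load(raw, Loader=NoDuplicateSafeLoader)


def is_rejected(raw):
    try:
        load_config_safely(raw)
    except yaml.YAMLError:
        return True
    return False
```

Because the mapping constructor is registered on the subclass, `yaml.SafeLoader` itself is left unchanged for other callers.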
The operational impact of this vulnerability extends beyond simple code execution to encompass complete system compromise and potential data exfiltration. Attackers who successfully exploit this vulnerability can gain full control over the Frigate server, potentially accessing all recorded video feeds, modifying system configurations, and using the compromised device as a pivot point for further attacks within the network. The vulnerability's requirement for an authenticated user to click a malicious link introduces a social engineering component that makes it particularly dangerous in environments where users may not be security-aware. This weakness is especially concerning for organizations that deploy Frigate in internet-facing environments without proper network segmentation or additional security controls. The vulnerability affects not just the local system but could also potentially impact connected devices and networks, as video surveillance systems often serve as critical infrastructure components in enterprise and industrial environments. The patch released in version 0.13.0 Beta 3 addresses the root cause by implementing proper input sanitization and removing the unsafe deserialization practices that enabled the vulnerability. Organizations using Frigate should immediately upgrade to this patched version and conduct security assessments to identify any potential exploitation attempts. The vulnerability demonstrates the importance of input validation in web applications and highlights how seemingly benign configuration management features can become attack vectors when proper security controls are not implemented. Security teams should also consider implementing network monitoring to detect suspicious patterns of traffic to the configuration endpoints and establish proper access controls to limit exposure of these interfaces to untrusted networks.