CVE-2024-29868 in Popular IoT Toolbox StreamPipes Opens Door to Account Takeovers
A serious security vulnerability in StreamPipes, a widely-used Industrial Internet of Things (IIoT) data processing platform, has left potentially thousands of users at risk of account hijacking. The flaw, designated CVE-2024-29868, stems from the platform’s use of a weak random number generator in its user self-registration and password recovery processes.
The vulnerability allows a malicious actor to predict the recovery tokens generated by StreamPipes within a reasonable time frame. By guessing these tokens, attackers could gain unauthorized access to user accounts, enabling them to manipulate IoT data streams, exfiltrate sensitive information, or disrupt critical industrial processes.
All versions of StreamPipes from 0.69.0 to 0.93.0 are susceptible to this flaw. Given StreamPipes’ popularity for enabling non-technical users to work with IoT data, the potential impact is significant. Industries relying on StreamPipes, such as manufacturing, energy, and smart city infrastructure, may be particularly vulnerable.
The root cause of the issue lies in StreamPipes’ use of a pseudo-random number generator (PRNG) that lacks sufficient cryptographic strength. PRNGs are algorithms that produce sequences of numbers that appear random, but the output of a non-cryptographic PRNG is fully determined by its seed and internal state. An attacker who learns or guesses either can reproduce the sequence and deduce the next number in it.
In the context of StreamPipes, the vulnerable PRNG is responsible for generating recovery tokens – unique codes sent to users who forget their passwords. By exploiting the PRNG’s weakness, attackers can guess these tokens before they expire, granting them access to the associated accounts.
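To make the distinction concrete, the following Python example (added here; it is not StreamPipes code and does not reproduce the project's actual implementation) places a token generator backed by a seeded, non-cryptographic PRNG beside one backed by the OS CSPRNG, and adds the expiry and constant-time checks a recovery flow should apply when a token is presented. The alphabet, token length, timestamp seed and 15-minute lifetime are assumptions chosen for the illustration.

```python
import hmac
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed: 62-character alphabet
TOKEN_LEN = 32                                   # assumed token length


def weak_token(seed: int, length: int = TOKEN_LEN) -> str:
    """Recovery token drawn from a non-cryptographic PRNG (Mersenne Twister)
    seeded with a low-entropy value such as a timestamp. The token is a pure
    function of the seed, so anyone who knows or can guess the seed regenerates it."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def secure_token(length: int = TOKEN_LEN) -> str:
    """Recovery token drawn from the OS CSPRNG via the secrets module.
    There is no application-controlled seed to guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def token_entropy_bits(length: int = TOKEN_LEN, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly chosen token: log2(alphabet_size ** length).
    32 alphanumeric characters give roughly 190 bits, far beyond guessing range."""
    return length * math.log2(alphabet_size)


def is_reproducible(token_fn, *args) -> bool:
    """Does calling the generator twice with identical inputs yield the same token?
    True means the token is predictable from those inputs."""
    return token_fn(*args) == token_fn(*args)


def verify_token(presented: str, stored: str, issued_at: int, now: int,
                 ttl_seconds: int = 900) -> bool:
    """Accept a presented recovery token only if it is unexpired and matches
    the stored one; compare_digest avoids leaking the match length via timing."""
    if now - issued_at > ttl_seconds:
        return False
    return hmac.compare_digest(presented.encode(), stored.encode())


if __name__ == "__main__":
    # Constructed demonstration: a fixed "timestamp" seed reproduces the weak token every time.
    print("weak token reproducible:  ", is_reproducible(weak_token, 1700000000))   # True
    print("secure token reproducible:", is_reproducible(secure_token))            # False
    print("entropy bits:", round(token_entropy_bits(), 1))
```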
The CVE-2024-29868 vulnerability was discovered by Alessandro Albani of Digital Security Division Var Group. StreamPipes has addressed the issue in version 0.95.0, which incorporates a cryptographically secure random number generator for recovery token creation.
StreamPipes users are strongly advised to upgrade to version 0.95.0 immediately. Administrators should prioritize patching systems where StreamPipes is deployed, especially in critical infrastructure environments.