CVE-2023-45672

7.5 HIGH

📋 TL;DR

Frigate network video recorder versions before 0.13.0 Beta 3 contain an unsafe YAML deserialization vulnerability in configuration endpoints. This allows unauthenticated remote code execution when attackers trick authenticated users into visiting malicious links to their Frigate instance. All Frigate installations exposed to the internet with authentication enabled are affected.

💻 Affected Systems

Products:
  • Frigate Network Video Recorder
Versions: All versions prior to 0.13.0 Beta 3
Operating Systems: All platforms running Frigate
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when authentication is enabled. Requires /config or /api/config/save endpoints to be accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the Frigate server and potentially pivoting to other systems.

🟠 Likely Case

Attacker executes arbitrary code on the Frigate server, potentially accessing video feeds, modifying configurations, or installing persistence mechanisms.

🟢 If Mitigated

No impact if Frigate is not internet-facing and proper network segmentation prevents user access to malicious external content.

🌐 Internet-Facing: HIGH - Publicly exposed instances with authentication are directly vulnerable to exploitation via social engineering.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable if users can be tricked into clicking malicious links, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires social engineering to trick authenticated users, but technical payload execution is straightforward once user interaction is achieved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.13.0 Beta 3 and later

Vendor Advisory: https://github.com/blakeblackshear/frigate/security/advisories/GHSA-qp3h-4q62-p428

Restart Required: Yes

Instructions:

1. Back up the current Frigate configuration.
2. Stop the Frigate service.
3. Update to version 0.13.0 Beta 3 or later using your deployment method (Docker, manual install, etc.).
4. Restart the Frigate service.
5. Verify that the version is updated.

🔧 Temporary Workarounds

Network Isolation (Linux)

Restrict access to Frigate web interface to trusted networks only

iptables -A INPUT -p tcp --dport 5000 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 5000 -j DROP

Reverse Proxy Restrictions (all platforms)

Configure reverse proxy to block or restrict access to vulnerable endpoints

location ~ ^/(config|api/config/save) { deny all; }

🧯 If You Can't Patch

  • Implement strict network segmentation to prevent Frigate from being accessible from untrusted networks
  • Deploy web application firewall rules to block malicious YAML payloads targeting configuration endpoints

🔍 How to Verify

Check if Vulnerable:

Check Frigate version via web interface or API. If version is below 0.13.0 Beta 3, system is vulnerable.

Check Version:

curl -s http://frigate-host:5000/api/version

Verify Fix Applied:

Confirm version is 0.13.0 Beta 3 or higher. Test that /api/config/save endpoint properly validates and sanitizes YAML input.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /config or /api/config/save endpoints
  • YAML parsing errors containing suspicious Python class names
  • Unexpected process execution from Frigate service

Network Indicators:

  • HTTP requests with YAML payloads containing '!!python' tags or custom constructors
  • Traffic to Frigate from unexpected sources

SIEM Query:

source="frigate.logs" AND (uri_path="/config" OR uri_path="/api/config/save") AND (payload="!!python" OR payload="__import__" OR payload="os.system")
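
The substring match in the query above only sees the '!!python' shorthand. The added example below (not code from Frigate or the vendor advisory) applies the same check to request records and generalizes it to the verbatim and %TAG-declared notations of the same tags. The record shape, rule names and sample data are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoints named in the advisory text above.
CONFIG_PATHS = {"/config", "/api/config/save"}

# Ways a YAML body can reference PyYAML's Python-specific tags.
RULES = {
    # !!python/... or the same tag behind a custom handle (!h!python/...)
    "python-tag-shorthand": re.compile(r"![A-Za-z0-9-]*!python/"),
    # Verbatim form: !<tag:yaml.org,2002:python/...>
    "python-tag-verbatim": re.compile(r"tag:yaml\.org,2002:python/"),
    # %TAG directive that maps a handle onto the yaml.org,2002 namespace
    "tag-directive-remap": re.compile(r"(?m)^%TAG\s+\S+\s+tag:yaml\.org,2002:"),
}

# Constructed sample records (assumed log shape; placeholder tag targets).
SAMPLE = [
    {"src": "192.0.2.10", "method": "POST", "uri": "/api/config/save",
     "body": "mqtt:\n  host: broker.example\ncameras: {}\n"},
    {"src": "198.51.100.7", "method": "POST", "uri": "/api/config/save?example=1",
     "body": "x: !!python/name:placeholder.constructed\n"},
    {"src": "198.51.100.8", "method": "POST", "uri": "/config",
     "body": "%TAG !e! tag:yaml.org,2002:\n---\n"
             "x: !e!python/name:placeholder.constructed\n"},
    {"src": "198.51.100.9", "method": "POST", "uri": "/api/config/save",
     "body": "x%3A%20%21%3Ctag%3Ayaml.org%2C2002%3Apython%2Fname"
             "%3Aplaceholder.constructed%3E"},
    {"src": "192.0.2.11", "method": "GET", "uri": "/api/config", "body": ""},
]

def findings(body):
    """Return sorted names of the rules matching a body, URL-decoded once."""
    return sorted(n for n, rx in RULES.items() if rx.search(unquote(body)))

def scan(records):
    """Return (source, path, rule names) for flagged POSTs to config paths."""
    hits = []
    for rec in records:
        path = urlsplit(rec["uri"]).path.rstrip("/")
        if rec["method"] == "POST" and path in CONFIG_PATHS:
            matched = findings(rec["body"])
            if matched:
                hits.append((rec["src"], path, matched))
    return hits

if __name__ == "__main__":
    for src, path, rules in scan(SAMPLE):
        print(f"ALERT {src} POST {path}: {', '.join(rules)}")
```

A legitimate Frigate configuration has no reason to carry any of these tags, so a match on a config write is worth reviewing even when the request came from a trusted source.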
