CVE-2024-45495

4.3 MEDIUM

📋 TL;DR

MSA FieldServer Gateway versions 5.0.0 through 6.5.2 have a cross-origin WebSocket hijacking vulnerability that allows attackers to establish WebSocket connections from malicious websites to the gateway. This affects industrial control systems and building automation networks using these gateways for protocol translation.

💻 Affected Systems

Products:
  • MSA FieldServer Gateway
Versions: 5.0.0 through 6.5.2
Operating Systems: All supported OS for FieldServer Gateway
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all configurations where WebSocket functionality is enabled, which is common for real-time industrial data exchange.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could intercept or manipulate real-time industrial control data, potentially causing operational disruptions or safety incidents in critical infrastructure.

🟠 Likely Case

Unauthorized data exfiltration from industrial control systems, exposure of sensitive operational data, or injection of false data into monitoring systems.

🟢 If Mitigated

Limited impact due to network segmentation and proper WebSocket origin validation, with only non-critical data exposure possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires tricking users into visiting malicious websites while authenticated to the gateway, but no authentication is needed for the WebSocket connection itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.3 or later

Vendor Advisory: https://us.msasafety.com/security-notices

Restart Required: Yes

Instructions:

  1. Download the latest firmware from the MSA FieldServer support portal.
  2. Back up the current configuration.
  3. Apply the firmware update via the web interface or local console.
  4. Restart the gateway.
  5. Verify that the version shows 6.5.3 or higher.

🔧 Temporary Workarounds

Implement WebSocket Origin Validation

all

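Configure a reverse proxy or web server to validate the WebSocket Origin header before forwarding requests to the FieldServer Gateway. This only helps if clients cannot reach the gateway's WebSocket port directly, bypassing the proxy.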

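# Example nginx configuration.
# "trusted-domain\.com" and "fieldserver:port" are placeholders for the allowed
# origin and the gateway's address and port.
location /ws {
    # Reject the handshake unless Origin is the trusted origin (anchored match);
    # requests that send no Origin header are rejected as well.
    if ($http_origin !~ "^https?://trusted-domain\.com$") {
        return 403;
    }
    proxy_pass http://fieldserver:port;
    proxy_http_version 1.1;
    # Pass the WebSocket upgrade through to the gateway.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}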

Disable Unnecessary WebSocket Endpoints

all

Disable WebSocket functionality for non-essential services in FieldServer configuration.

# Access FieldServer web interface > Configuration > Web Services > Disable WebSocket for non-critical protocols

🧯 If You Can't Patch

  • Network segmentation: Isolate the FieldServer Gateway from user workstations and internet access.
  • Enforce strict same-origin checks (Origin header validation) on WebSocket handshakes at the network perimeter or reverse proxy.

🔍 How to Verify

Check if Vulnerable:

Check the FieldServer Gateway web interface > About page for the version number. If the version is between 5.0.0 and 6.5.2 inclusive, the system is vulnerable.

Check Version:

curl -k https://fieldserver-ip/about | grep -i version

Verify Fix Applied:

After patching, verify that the version shows 6.5.3 or higher in the web interface > About page. Test that WebSocket connections are accepted only from configured origins.

📡 Detection & Monitoring

Log Indicators:

  • WebSocket connection attempts from unexpected origins
  • Multiple failed WebSocket handshakes
  • Unusual WebSocket traffic patterns

Network Indicators:

  • WebSocket traffic to FieldServer Gateway from non-authorized sources
  • Cross-origin WebSocket requests without proper validation

SIEM Query:

source="fieldserver-logs" AND (event="websocket_connection" AND origin!="*trusted-domain*")
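
The log indicators above, worked through as an added example (not vendor or site code): it compares each event's origin against an exact allowlist, because a wildcard match on trusted-domain also lets a lookalike host such as trusted-domain.com.lookalike.example pass. The "event" and "origin" fields follow the SIEM query; the "client" and "status" fields, the allowlist, the threshold and the sample events are assumptions constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://trusted-domain.com"}  # assumption: exact allowlist
FAILED_THRESHOLD = 3  # assumption: failed handshakes per client before flagging

# Constructed sample events. "event" and "origin" follow the SIEM query above;
# "client" and "status" are assumed field names.
SAMPLE_LOG = """\
{"event":"websocket_connection","client":"10.0.5.21","origin":"https://trusted-domain.com","status":101}
{"event":"websocket_connection","client":"10.0.5.22","origin":"HTTPS://Trusted-Domain.com","status":101}
{"event":"websocket_connection","client":"10.0.5.40","origin":"https://trusted-domain.com.lookalike.example","status":101}
{"event":"websocket_connection","client":"10.0.5.40","origin":"null","status":403}
{"event":"websocket_connection","client":"10.0.5.77","origin":"https://intranet.example","status":403}
{"event":"websocket_connection","client":"10.0.5.77","origin":"https://intranet.example","status":403}
{"event":"websocket_connection","client":"10.0.5.77","origin":"https://intranet.example","status":403}
{"event":"http_request","client":"10.0.5.90","origin":"https://other.example","status":200}
"""

def normalize_origin(value):
    """Return scheme://host[:port] in lower case, or None if missing or opaque."""
    try:
        parts = urlsplit(value or "")
        port = f":{parts.port}" if parts.port else ""
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return f"{parts.scheme}://{parts.hostname}{port}"

def analyze(log_text):
    """Return (unexpected_origin_events, clients_with_repeated_failures)."""
    unexpected, failures = [], Counter()
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev.get("event") != "websocket_connection":
            continue
        accepted = ev.get("status") == 101  # 101 = handshake completed
        if not accepted:
            failures[ev["client"]] += 1
        if normalize_origin(ev.get("origin")) not in ALLOWED_ORIGINS:
            unexpected.append({"client": ev["client"], "origin": ev.get("origin"), "accepted": accepted})
    noisy = sorted(c for c, n in failures.items() if n >= FAILED_THRESHOLD)
    return unexpected, noisy

if __name__ == "__main__":
    print(*analyze(SAMPLE_LOG), sep="\n")
```

Events with "accepted" set to true are the ones to triage first: a handshake from an origin outside the allowlist completed, which is the condition the origin check is meant to prevent.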
