Sensitive data exposure in NATS

説明

Preview versions of two NPM packages and one Deno package from the NATS project contain an information disclosure flaw, leaking options to the NATS server; for one package, this includes TLS private credentials.

The _connection_ configuration options in these JavaScript-based implementations were fully serialized and sent to the server in the client's CONNECT message, immediately after TLS establishment.

The nats.js client supports Mutual TLS and the credentials for the TLS client key are included in the connection configuration options; disclosure of the client's TLS private key to the server has been observed.

Most authentication mechanisms are handled after connection, instead of as part of connection, so other authentication mechanisms are unaffected. For clarity: NATS account NKey authentication is NOT affected.

Neither the nats.ws nor the nats.deno clients support Mutual TLS: the affected versions listed below are those where the logic flaw is present. We are including the nats.ws and nats.deno versions out of an abundance of caution, as library maintainers, but rate as minimal the likelihood of applications leaking sensitive data.

Security impact:

  • NPM package nats.js:
  • mainline is unaffected
  • beta branch is vulnerable from 2.0.0-201, fixed in 2.0.0-209

Logic flaw:

  • NPM package nats.ws:
  • status: preview
  • flawed from 1.0.0-85, fixed in 1.0.0-111
  • Deno repository https://github.com/nats-io/nats.deno
  • status: preview
  • flawed in all git tags prior to fix
  • fixed with git tag v1.0.0-9

Impact:

For deployments using TLS client certificates (for mutual TLS), private key material for TLS is leaked from the client application to the server. If the server is untrusted (run by a third party), or if the client application also disables TLS verification (and so the true identity of the server is unverifiable) then authentication credentials are leaked.

基本情報

タイプ
reviewed
深刻度
high
GitHub 上のアドバイザリ
アドバイザリを開く ↗
リポジトリのアドバイザリ
ソースコード
ソースを見る ↗
公開(アドバイザリ)
2020-10-08 22:11:32 UTC
更新
2023-09-11 20:18:19 UTC
GitHub レビュー済み
2020-10-08 22:11:09 UTC

EPSS Score

Score Percentile
0.34% 56.51%

CVSS Scores

Base score Version Severity Vector
7.5 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N クリックして展開
攻撃ベクター (AV:N)
インターネットなど、ルーティングされたネットワーク越しに遠隔から悪用しうる。端末の前にいる必要はない。
攻撃の複雑さ (AC:L)
攻撃者が条件を満たせば、レース条件や珍しい構成に依存せずに再現しやすい。
必要な権限 (PR:N)
事前のログインや昇格は不要で、匿名アクセスのまま踏み台にしうる。
ユーザーの関与 (UI:N)
メールのリンクを開く、マクロを有効にするなど、被害者の協力がなくても成立しうる。
スコープ (S:U)
影響は脆弱コンポーネントと同一のセキュリティ権限・信頼境界の内側に収まる。
機密性への影響 (C:H)
広範な機微データの読み取りや持ち出しが現実的。
完全性への影響 (I:N)
改ざん・なりすましによる信頼毀損は軽微か、想定されない。
可用性への影響 (A:N)
業務継続に支障が出るレベルの停止や劣化は想定されない。

Identifiers

CWEs

CWE id Name
CWE-522 Insufficiently Protected Credentials

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm nats >= 2.0.0-201, <= 2.0.0-206 2.0.0-209
npm nats.ws >= 1.0.0-85, <= 1.0.0-110 1.0.0-111

References

cvelogic Threat Intelligence