You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
NATS.io is a high performance open source pub-sub distributed communication
technology, built for the cloud, on-premise, IoT, and edge computing.
The cryptographic key handling library, nkeys, recently gained support
for encryption, not just for signing/authentication. This is used
in nats-server 2.10 (Sep 2023) and newer for authentication callouts.
Problem Description
The nkeys library's "xkeys" encryption handling logic mistakenly
passed an array by value into an internal function, where the function
mutated that buffer to populate the encryption key to use. As a result,
all encryption was actually to an all-zeros key.
This affects encryption only, not signing.
All usage of nkeys prior to the January 2023 0.4.0 release was
signing-only.
Within the nats-server, the encryption is used for the Auth
Callouts feature, introduced with 2.10.0 (September 2023).
The Auth Callout request includes the supplied user password.
These messages are sent within NATS, and should typically be in a
dedicated NATS Account used for callouts, but this is not required.
Thus in scenarios where the Callouts are in an account shared with
untrusted users or where the callout responders connect without TLS,
this may lead to user credential exposure.
Affected versions
nkeys Go library:
0.4.0 up to and including 0.4.5
Fixed with nats-io/nkeys: 0.4.6
NATS Server:
2.10.0 up to and including 2.10.3
Fixed with nats-io/nats-server: 2.10.4
Workarounds
None available.
Solution
Upgrade the nats-server.
For any application handling auth callouts in Go, if using the nkeys
library, update the dependency, recompile and deploy that in lockstep.
Credits
Problem reported by Quentin Matillat (GitHub @tinou98).
Thanks for the report! I'd just finished writing the report for the automation-generated issue (#2163), so I'm going to mark this issue as a duplicate, but I appreciate the second notice.
Acknowledgement
Description
(This advisory is canonically https://advisories.nats.io/CVE/secnote-2023-02.txt)
Background
NATS.io is a high performance open source pub-sub distributed communication
technology, built for the cloud, on-premise, IoT, and edge computing.
The cryptographic key handling library, nkeys, recently gained support
for encryption, not just for signing/authentication. This is used
in nats-server 2.10 (Sep 2023) and newer for authentication callouts.
Problem Description
The nkeys library's "xkeys" encryption handling logic mistakenly
passed an array by value into an internal function, where the function
mutated that buffer to populate the encryption key to use. As a result,
all encryption was actually to an all-zeros key.
This affects encryption only, not signing.
All usage of nkeys prior to the January 2023 0.4.0 release was
signing-only.
Within the nats-server, the encryption is used for the Auth
Callouts feature, introduced with 2.10.0 (September 2023).
The Auth Callout request includes the supplied user password.
These messages are sent within NATS, and should typically be in a
dedicated NATS Account used for callouts, but this is not required.
Thus in scenarios where the Callouts are in an account shared with
untrusted users or where the callout responders connect without TLS,
this may lead to user credential exposure.
Affected versions
nkeys Go library:
NATS Server:
Workarounds
None available.
Solution
Upgrade the nats-server.
For any application handling auth callouts in Go, if using the nkeys
library, update the dependency, recompile and deploy that in lockstep.
Credits
Problem reported by Quentin Matillat (GitHub @tinou98).
References
GHSA-mr45-rx8q-wcm9
Affected Modules, Packages, Versions and Symbols
CVE/GHSA ID
CVE-2023-46129, GHSA-mr45-rx8q-wcm9
Fix Commit or Pull Request
nats-io/nkeys#59
References
GHSA-mr45-rx8q-wcm9
Additional information
No response
The text was updated successfully, but these errors were encountered: