
x/vulndb: potential Go vuln in github.com/nats-io/nkeys #2164

Closed
1 task done
bruth opened this issue Oct 31, 2023 · 2 comments

Comments


bruth commented Oct 31, 2023

Acknowledgement

  • The maintainer(s) of the affected project have already been made aware of this vulnerability.

Description

(This advisory is canonically https://advisories.nats.io/CVE/secnote-2023-02.txt)

Background

NATS.io is a high-performance open source pub-sub distributed communication
technology, built for the cloud, on-premise, IoT, and edge computing.

The cryptographic key handling library, nkeys, recently gained support
for encryption, not just for signing/authentication. This is used
in nats-server 2.10 (Sep 2023) and newer for authentication callouts.

Problem Description

The nkeys library's "xkeys" encryption handling logic mistakenly
passed an array by value into an internal function, where the function
mutated that buffer to populate the encryption key to use. As a result,
all encryption was actually to an all-zeros key.

This affects encryption only, not signing.
All usage of nkeys prior to the January 2023 0.4.0 release was
signing-only.

Within the nats-server, the encryption is used for the Auth
Callouts feature, introduced with 2.10.0 (September 2023).
The Auth Callout request includes the supplied user password.
These messages are sent within NATS, and should typically be in a
dedicated NATS Account used for callouts, but this is not required.
Thus in scenarios where the Callouts are in an account shared with
untrusted users or where the callout responders connect without TLS,
this may lead to user credential exposure.

Affected versions

nkeys Go library:

  • 0.4.0 up to and including 0.4.5
  • Fixed with nats-io/nkeys: 0.4.6

NATS Server:

  • 2.10.0 up to and including 2.10.3
  • Fixed with nats-io/nats-server: 2.10.4

Workarounds

None available.

Solution

Upgrade the nats-server.
For any application handling auth callouts in Go, if using the nkeys
library, update the dependency, recompile and deploy that in lockstep.

Credits

Problem reported by Quentin Matillat (GitHub @tinou98).

References

Affected Modules, Packages, Versions and Symbols

Module: github.com/nats-io/nkeys
Package: github.com/nats-io/nkeys
Versions:
  - Introduced: 0.4.0
  - Fixed: 0.4.6
Symbols:
  - CreateCurveKeys
  - CreateCurveKeysWithRand

Module: github.com/nats-io/nats-server
Package: github.com/nats-io/nats-server/v2/server
Versions:
  - Introduced: 2.10.0
  - Fixed: 2.10.4

CVE/GHSA ID

CVE-2023-46129, GHSA-mr45-rx8q-wcm9

Fix Commit or Pull Request

nats-io/nkeys#59

References

Additional information

No response
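The advisory's root cause is a Go array passed by value into a function that filled it in place, so the caller kept an all-zero key. The following is an added example written for this issue; it is not nkeys' or nats-server's code, and `deriveInto`, `deriveIntoPtr`, `DeriveKeyBuggy`, `DeriveKeyFixed` and `CheckKey` are hypothetical names. It shows the buggy by-value pattern beside the pointer-based fix, plus the guard a key-handling library can apply so that an all-zero key is rejected instead of silently used.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeySize is the length of a symmetric key in bytes (hypothetical constant).
const KeySize = 32

// ErrZeroKey is returned when a derived key is all zeros.
var ErrZeroKey = errors.New("derived key is all zeros")

// deriveInto (hypothetical) fills dst with key material derived from seed.
// In Go, an array parameter is a copy of the caller's array, so writing into
// dst here only mutates the callee's copy; the caller never sees the result.
func deriveInto(dst [KeySize]byte, seed []byte) {
	sum := sha256.Sum256(seed)
	copy(dst[:], sum[:])
}

// DeriveKeyBuggy reproduces the by-value mistake: the buffer it returns is
// still all zeros after the "fill" call.
func DeriveKeyBuggy(seed []byte) [KeySize]byte {
	var key [KeySize]byte
	deriveInto(key, seed) // a copy of key is filled; key itself stays zero
	return key
}

// deriveIntoPtr (hypothetical) takes a pointer to the array, so the write
// reaches the caller's buffer.
func deriveIntoPtr(dst *[KeySize]byte, seed []byte) {
	sum := sha256.Sum256(seed)
	copy(dst[:], sum[:])
}

// DeriveKeyFixed passes the address of the buffer instead of a copy.
func DeriveKeyFixed(seed []byte) [KeySize]byte {
	var key [KeySize]byte
	deriveIntoPtr(&key, seed)
	return key
}

// IsZeroKey reports whether every byte of key is zero.
func IsZeroKey(key [KeySize]byte) bool {
	return bytes.Equal(key[:], make([]byte, KeySize))
}

// CheckKey is the defensive guard: a derivation that yields an all-zero key
// is treated as a failure rather than used for encryption.
func CheckKey(key [KeySize]byte) error {
	if IsZeroKey(key) {
		return ErrZeroKey
	}
	return nil
}

func main() {
	// Constructed sample seed; not a real key.
	seed := []byte("constructed example seed, not a real key")
	buggy := DeriveKeyBuggy(seed)
	fixed := DeriveKeyFixed(seed)
	fmt.Printf("buggy key all zeros: %v (check: %v)\n", IsZeroKey(buggy), CheckKey(buggy))
	fmt.Printf("fixed key all zeros: %v (check: %v)\n", IsZeroKey(fixed), CheckKey(fixed))
}
```

The compiler accepts both `deriveInto` signatures, which is why this class of bug survives review and testing unless a test asserts on the key's contents; a zero-key check at the point where the key is consumed is a cheap backstop for that gap.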

neild (Contributor) commented Nov 2, 2023

Thanks for the report! I'd just finished writing the report for the automation-generated issue (#2163), so I'm going to mark this issue as a duplicate, but I appreciate the second notice.

neild (Contributor) commented Nov 2, 2023

Duplicate of #2163

neild marked this as a duplicate of #2163 Nov 2, 2023
neild closed this as completed Nov 2, 2023