CVE-2023-47090
Authorization Bypass vulnerability in github.com/nats-io/nats-server/v2 (Go)

Vulnerability type: Authorization Bypass. Known public exploits: none.

What is CVE-2023-47090 About?

This vulnerability allows unauthenticated access to nats-server under a specific configuration, caused by improper handling of authorization rules. It lets clients connect without authenticating, so exploitation is relatively easy. The impact is a complete bypass of the intended access control.

Affected Software

  • github.com/nats-io/nats-server/v2
    • >2.2.0, <2.9.23
    • >2.10.0, <2.10.2

Technical Details

The vulnerability is an authorization bypass in nats-server that lets clients connect without authentication. It arises from the interaction between the older 'authorization' block and the newer 'accounts' block for defining users.

Prior to nats-server 2.2.0, all authentication and authorization rules resided in an 'authorization' block. From 2.2.0 onward, users are typically placed in 'accounts' blocks. However, if an 'accounts' block is defined and includes only the system account ('$SYS'), nats-server inadvertently creates an implicit user in the '$G' (implicit global) account and assigns it as the 'no_auth_user'. This reproduces the 'without authentication' behavior even when an 'authorization' block with login rules is defined, effectively disabling authentication for users of the global account.

The fix prevents the implicit creation of a '$G' user and its assignment as 'no_auth_user' when an 'authorization' block is present.
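As an added example (not part of this advisory or of the nats-server project), a small Go check that flags the configuration shape described above: an 'authorization' block next to an 'accounts' block whose only account is $SYS. The config sample is constructed, the brace scanner is a heuristic rather than the nats-server config parser, and the check assumes the accounts block literally names $SYS.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of the shape the advisory describes: an 'authorization'
// block with login rules beside an 'accounts' block that holds only $SYS.
const riskyConfig = `authorization { users = [ { user: "app", password: "app-pass" } ] }
accounts { $SYS { users = [ { user: "sys", password: "sys-pass" } ] } }
system_account: $SYS`

// topLevelBlocks maps each top-level "key { ... }" block of cfg to its body. It is
// a brace-depth heuristic, not the nats-server parser (no quoted-brace handling).
func topLevelBlocks(cfg string) map[string]string {
	blocks := map[string]string{}
	depth, prevEnd, bodyStart, key := 0, 0, 0, ""
	for i := 0; i < len(cfg); i++ {
		switch cfg[i] {
		case '{':
			if depth == 0 { // the key is the last token before the brace
				k := strings.TrimRight(cfg[prevEnd:i], " \t\n=:")
				key, bodyStart = k[strings.LastIndexAny(k, " \t\n")+1:], i+1
			}
			depth++
		case '}':
			if depth--; depth == 0 {
				blocks[key] = cfg[bodyStart:i]
				prevEnd = i + 1
			}
		}
	}
	return blocks
}

// vulnerableShape reports whether cfg pairs an 'authorization' block with an
// 'accounts' block whose only account is $SYS (implicit no_auth_user in $G).
func vulnerableShape(cfg string) bool {
	top := topLevelBlocks(cfg)
	accounts, hasAccounts := top["accounts"]
	if _, hasAuthz := top["authorization"]; !hasAuthz || !hasAccounts {
		return false
	}
	names := topLevelBlocks(accounts)
	_, hasSys := names["$SYS"]
	return hasSys && len(names) == 1
}

func main() {
	fmt.Println("matches CVE-2023-47090 config shape:", vulnerableShape(riskyConfig))
}
```

A match only means the file has the risky shape; whether it matters depends on the running nats-server version falling in the affected ranges listed above.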

What is the Impact of CVE-2023-47090?

Successful exploitation may allow attackers to connect to the nats-server without any authentication or authorization, leading to unauthorized access to messages, data manipulation, or disruption of services reliant on NATS.

What is the Exploitability of CVE-2023-47090?

Exploitation of this vulnerability is relatively easy and straightforward. The prerequisite is a nats-server instance configured with a conflicting authorization setup (an 'authorization' block while an 'accounts' block exists, often containing only the system account) on a version prior to the fix. No authentication is required, since the vulnerability itself allows unauthenticated connections. No privileges are required either, because the attack bypasses the access controls themselves. The attack is typically remote, as clients connect to nats-server over the network. The key special condition is the specific server configuration. The likelihood of exploitation is significantly increased if administrators are unaware of this implicit 'no_auth_user' behavior when migrating to, or configuring, NATS servers with mixed authorization paradigms.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary entries).

What are the Available Fixes for CVE-2023-47090?

Available Upgrade Options

  • github.com/nats-io/nats-server/v2
    • >2.2.0, <2.9.23 → Upgrade to 2.9.23
  • github.com/nats-io/nats-server/v2
    • >2.10.0, <2.10.2 → Upgrade to 2.10.2


Additional Resources

What are Similar Vulnerabilities to CVE-2023-47090?

Similar Vulnerabilities: CVE-2022-4171, CVE-2022-26133, CVE-2021-4112, CVE-2020-15160, CVE-2020-14030