CVE-2023-46129: NATS.io Encryption Vulnerability in nkeys Library Versions .4. - .4.5, Impacting NATS Server 2.10. - 2.10.3

NATS.io is a high-performance, open-source, publish-subscribe distributed communication technology built for various environments, including the cloud, on-premise, IoT, and edge computing. Recently, the cryptographic key handling library (nkeys) used by NATS.io gained support for encryption, in addition to its previous functionality for signing and authentication. However, a critical vulnerability was discovered in the encryption process, specifically impacting nkeys library versions .4. through .4.5, which correlates with NATS server versions 2.10. through 2.10.3. This vulnerability compromises the integrity of encryption in these versions.

Details

The main issue lies in the nkeys library's xkeys encryption handling logic. In affected versions, the library mistakenly passes an array by value into an internal function instead of passing it by reference. This internal function is supposed to populate the encryption key, but due to this error, it ends up modifying a copy of the passed array instead of the original buffer. The outcome is that all encryption is effectively performed with an all-zeros key, as demonstrated in the code snippet below:

func encrypt(data []byte) ([]byte, error) {
    // ... omitted...

    // BUG: The array is passed by value.
    key := make([]byte, 32)
    populateEncryptionKey(key)

    // ... encryption using the zeroed key.
}

func populateEncryptionKey(key []byte) {
    // ... omitted...

    // BUG: The mutated buffer doesn't affect the original key variable.
    for i := range key {
        key[i] = 
    }
}

Impact

This vulnerability has a significant impact on the security of NATS server authentication callouts. Since the encryption key is effectively an all-zeroes key, encrypted data can be easily decrypted by anyone who knows about the vulnerability, rendering the encryption process useless and exposing sensitive information. It is important to note that this vulnerability only affects encryption and not the signing functionality of the nkeys library.

Fix and Recommendations

To address this issue, the nkeys Go library version .4.6 was released, which corresponds with NATS Server 2.10.4. This patched version of the library resolves the encryption vulnerability. Unfortunately, there are no known workarounds available for those affected by the vulnerability in the previous versions.

Users and developers who handle authentication callouts in Go and use the nkeys library should take immediate action. They should update the nkeys dependencies in their applications to version .4.6, recompile their programs, and deploy the updated versions in a coordinated manner.

Original References

1. NATS.io official website: https://nats.io
2. nkeys library on GitHub: https://github.com/nats-io/nkeys
3. NATS Server repository: https://github.com/nats-io/nats-server
4. NATS Server release notes: https://github.com/nats-io/nats-server/releases/tag/v2.10.4

Full details on CVE-2023-46129: (link_to_cve_database_entry)

In conclusion, this NATS.io encryption vulnerability is a critical issue that affects the security of authentication callouts in the nkeys library versions .4. through .4.5 and NATS server versions 2.10. through 2.10.3. Users and developers should take prompt action to update their dependencies and deployment to ensure the security and integrity of their systems. The issue is fixed in nkeys Go library .4.6 and NATS Server 2.10.4.

Timeline

Published on: 10/31/2023 00:15:09 UTC
Last modified on: 11/29/2023 03:15:42 UTC