Users can create a new user and assign it a very low (or non-existent) privilege level. In an administrative context, that user can then be used to access restricted resources.

To exploit this issue, a user must be authenticated via the "dynamically provisioned sandbox accounts" feature. This feature can be enabled on a per-user basis in the "NATS Cluster Configuration" UI. Once enabled, a user can be assigned a very low privilege level. An attacker can use this low privilege level to log in to specific administrative resources.

Impact

An attacker can exploit this issue to obtain the privileges of the System account.

Workaround

Disable "dynamically provisioned sandbox accounts" for the user.

Fix

nats-server versions before 2.7.2 have Incorrect Access Control.

17500 - NATS Server Creates Forked Connection To Remote Node / Incorrect NATS Connection Handling

In NATS 2.6 and earlier versions, an attacker could exploit an issue that allowed the connection from the client node to the server node to be forked. This allowed an attacker to create an unbounded number of connections, which could consume excessive amounts of memory on the server node and even crash it.

To exploit this issue, an attacker would have to send a connection request to the server node. This connection request would then be forked by the NATS server.

What is the NATS Connection Handler?

The NATS Connection Handler is a feature that cannot be disabled. It decides if a client node can connect to the server node or not. This feature is enabled by default on a per-user basis in the "NATS Cluster Configuration" UI.

What happens if an attacker sends a connection request to the server and it forks?

If this attack succeeds, the server will create an unbounded number of connections, which can consume excessive amounts of memory on the server node and even crash it.

Impact

An attacker could crash the server node and consume excessive amounts of memory on the server node.

Workaround

Disable "forking connections" in the NATS configuration settings.

Fix

NATS 2.7.1

When NATS Client Requests Connection To The Server Node, The Server Node May Fork This Connection

The NATS client node sends the connection request to the server node. The server node then forks this connection by creating a new connection. There is no limit on the number of connections that can be created, as this is not a limitation of the NATS protocol.

Impact: An attacker could exploit this issue to consume excessive amounts of memory on the NATS server and even crash the NATS server.
Workaround: Disable "use remote node for outgoing connections" in the "NATS Cluster Configuration" UI.

NATS Connection Handling

The NATS server creates a new connection to the client node in order to issue an RPC request. It does this by forking a UDP/TCP connection and then sending the client its own copy of the request. If an attacker sends requests at high volume, this can cause memory exhaustion on the server node, which may lead to it crashing.

Workaround: Keep the request volume below what the server would receive if connections were not forked.

Timeline

Published on: 02/08/2022 02:15:00 UTC
Last modified on: 02/11/2022 15:59:00 UTC