CVE-2023-47090: NATS.io Authentication Bypass Vulnerability

NATS.io is a popular cloud-native messaging system that is used by a wide variety of companies, including PayPal, Alibaba Group, and Capital One. However, a recent vulnerability has been discovered in NATS.io that could allow attackers to bypass authentication and gain access to the system.

CVE-2023-47090

The vulnerability, CVE-2023-47090, affects NATS.io servers before version 2.9.23 and 2.10.x before version 2.10.2. The bug lies in how NATS.io handles a legacy “authorization” block: in older versions of NATS.io, all authentication and authorization rules were defined in that block, but starting with NATS.io 2.2.0 all users were moved to live inside accounts.

If a NATS.io server is configured with an “authorization” block and only the system account (“$SYS”) is added to the “accounts” block, NATS.io creates an implicit user in the global account (“$G”) and sets it as the server's no_auth_user. As a result, unauthenticated clients are able to connect to the NATS.io server.

This vulnerability could allow an attacker to gain access to a NATS.io server and send or receive messages without authorization. This could allow the attacker to disrupt the operation of the server or steal sensitive data.

The following versions of NATS.io are affected by the CVE-2023-47090 vulnerability:

  • NATS.io 2.2.0 up to and including 2.9.22
  • NATS.io 2.10.1

There are two ways to mitigate this vulnerability:

  1. Upgrade to NATS.io version 2.10.2 or later.
  2. If you are using an “authorization” block, define a second non-system account in the “accounts” block, even if you do not plan to use it.
    accounts {
      SYS: {
        users: [
          { user: sysuser, password: makemeasandwich }
        ]
      }
      DUMMY: {} # for security, before 2.10.2
    }
    system_account: SYS
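To check existing configurations for the shape described above, the following Python script (an added example written for this page, not code from the NATS project) parses a subset of the nats-server.conf syntax and reports whether a top-level “authorization” block is combined with an “accounts” block that holds nothing but the system account. The parser, the function names and the two sample configurations are my own constructions; the parser handles braces, brackets, `key: value` / `key = value` / `key value` pairs, quoted strings and `#` or `//` comments, but not `include` directives or variable references, so treat it as a heuristic audit rather than a full config loader.

```python
import re

# Token grammar for the handled subset of nats-server.conf syntax (assumption: no
# include directives or $VARIABLE references in the audited file).
_TOKEN_RE = re.compile(r'''
    (?P<ws>[ \t\r]+)
  | (?P<comment>(?:\#|(?<!\S)//)[^\n]*)
  | (?P<nl>\n)
  | (?P<str>"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')
  | (?P<punct>[{}\[\]:=,])
  | (?P<word>[^\s{}\[\]:=,"'#]+)
''', re.VERBOSE)


def tokenize(text):
    """Return (kind, value) tokens. Comments and blanks are dropped; newlines are
    kept because they terminate key/value pairs in this format."""
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos, kind = m.end(), m.lastgroup
        if kind == "str":
            tokens.append(("word", m.group()[1:-1]))  # quoted string acts as a word
        elif kind not in ("ws", "comment"):
            tokens.append((kind, m.group()))
    return tokens


class _Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def skip_separators(self):
        while self.peek()[0] == "nl" or self.peek() == ("punct", ","):
            self.i += 1

    def parse_block(self, closing):
        """Parse `key [:|=] value` pairs until '}' (closing=True) or end of input."""
        result = {}
        while True:
            self.skip_separators()
            kind, val = self.peek()
            if kind is None:
                if closing:
                    raise ValueError("unterminated block")
                return result
            if (kind, val) == ("punct", "}"):
                if not closing:
                    raise ValueError("unexpected '}'")
                self.i += 1
                return result
            if kind != "word":
                raise ValueError(f"expected a key, got {val!r}")
            self.i += 1
            if self.peek() in (("punct", ":"), ("punct", "=")):
                self.i += 1
            result[val] = self.parse_value()

    def parse_value(self):
        kind, val = self.peek()
        if (kind, val) == ("punct", "{"):
            self.i += 1
            return self.parse_block(closing=True)
        if (kind, val) == ("punct", "["):
            self.i += 1
            return self.parse_list()
        parts = []  # scalar: join tokens to end of line so host:port values survive
        stop = (("punct", ","), ("punct", "}"), ("punct", "]"))
        while self.peek()[0] not in (None, "nl") and self.peek() not in stop:
            parts.append(self.peek()[1])
            self.i += 1
        return "".join(parts)

    def parse_list(self):
        items = []
        while True:
            self.skip_separators()
            if self.peek()[0] is None:
                raise ValueError("unterminated list")
            if self.peek() == ("punct", "]"):
                self.i += 1
                return items
            items.append(self.parse_value())


def parse_config(text):
    return _Parser(tokenize(text)).parse_block(closing=False)


def non_system_accounts(cfg):
    """Names in the accounts block other than the configured system account
    (or the conventional "$SYS" name)."""
    accounts = cfg.get("accounts")
    if not isinstance(accounts, dict):
        return []
    sys_name = str(cfg.get("system_account", "$SYS"))
    return [name for name in accounts if name not in (sys_name, "$SYS")]


def matches_cve_2023_47090_pattern(cfg):
    """True for the documented shape: an authorization block plus an accounts block
    containing only the system account (other shapes are not flagged)."""
    accounts = cfg.get("accounts")
    if not isinstance(cfg.get("authorization"), dict):
        return False
    if not isinstance(accounts, dict) or not accounts:
        return False
    return not non_system_accounts(cfg)


# Constructed sample configurations (credentials are placeholders).
VULNERABLE_CONF = """# authorization block, accounts holds only the system account
authorization { users: [ { user: app, password: app-secret } ] }
accounts {
  SYS: { users: [ { user: sysuser, password: makemeasandwich } ] }
}
system_account: SYS
"""
FIXED_CONF = """authorization { users: [ { user: app, password: app-secret } ] }
accounts {
  SYS: { users: [ { user: sysuser, password: makemeasandwich } ] }
  DUMMY: {}  # for security, before 2.10.2
}
system_account: SYS
"""

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        cfg = parse_config(conf)
        verdict = "matches CVE-2023-47090 pattern" if matches_cve_2023_47090_pattern(cfg) else "ok"
        print(f"{label}: {verdict}; non-system accounts: {non_system_accounts(cfg)}")
```

Run it against a copy of your own server configuration by passing the file contents to parse_config; a positive result on a server older than 2.10.2 means either the upgrade or the dummy-account workaround above still needs to be applied.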

The following solutions can be used to address this vulnerability:

  • Upgrade to NATS.io version 2.10.2 or later.
  • Define a dummy account in the “accounts” block if you are using an “authorization” block.
  • Complete the migration of authorization entries to be inside a named account in the “accounts” block.