{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/misconfiguration/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["nornicdb"],"_cs_severities":["critical"],"_cs_tags":["network-binding","misconfiguration","graph-database"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eNornicDB versions prior to 1.0.42-hotfix are vulnerable to an improper network binding issue affecting the Bolt server. The vulnerability stems from the \u003ccode\u003e--address\u003c/code\u003e CLI flag (and \u003ccode\u003eNORNICDB_ADDRESS\u003c/code\u003e / \u003ccode\u003eserver.host\u003c/code\u003e config key) not being correctly applied to the Bolt server configuration. Consequently, the Bolt listener always binds to the wildcard address (0.0.0.0), irrespective of user-defined configurations. This default behavior exposes the graph database with its default \u003ccode\u003eadmin:password\u003c/code\u003e credentials to unauthorized access. An attacker on the same network can exploit this vulnerability to issue arbitrary Cypher queries, potentially leading to unauthorized data access, modification, or deletion.\nThis issue was identified in version 1.0.39, built from commit afe7c9d, on macOS (darwin 25.4.0, arm64).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a NornicDB instance running on a local network (LAN).\u003c/li\u003e\n\u003cli\u003eThe attacker scans the network for open port 7687, the default Bolt port, on the target machine.\u003c/li\u003e\n\u003cli\u003eThe attacker connects to the open Bolt port (7687) on the target NornicDB instance using \u003ccode\u003enc -z 192.168.x.y 7687\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to the Bolt server using the default credentials \u003ccode\u003eadmin:password\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the attacker issues arbitrary Cypher queries to read, write, or delete nodes within the graph database.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the database using Cypher queries.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or deletes critical data within the database, causing data integrity issues or service disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows unauthorized remote access to NornicDB instances with default configurations. Attackers can exploit this flaw to issue arbitrary Cypher queries, potentially leading to complete database compromise. If the NornicDB instance contains sensitive information, successful exploitation could result in data breaches, financial losses, and reputational damage.\nUsers following the README and reasonably assuming that \u003ccode\u003e--address 127.0.0.1\u003c/code\u003e (the documented default) binds \u003cem\u003eboth\u003c/em\u003e protocols to localhost are particularly at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NornicDB to version 1.0.42-hotfix or later to patch the improper network binding vulnerability.\u003c/li\u003e\n\u003cli\u003eApply host-firewall rules (e.g., macOS \u003ccode\u003epf\u003c/code\u003e) blocking non-loopback connections to port 7687 as a workaround until the upgrade can be performed, as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect NornicDB Bolt Server Wildcard Binding\u003c/code\u003e to identify instances with exposed Bolt ports on all interfaces.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T18:23:00Z","date_published":"2024-11-02T18:23:00Z","id":"/briefs/2024-11-nornicdb-bolt-binding/","summary":"NornicDB versions prior to 1.0.42-hotfix have an improper network binding vulnerability in their Bolt server, allowing unauthorized remote access because the `--address` CLI flag is not correctly plumbed through to the Bolt server config, causing the Bolt listener to always bind to the wildcard address and expose the database with default credentials.","title":"NornicDB Improper Network Binding Exposes Bolt Server","url":"https://feed.craftedsignal.io/briefs/2024-11-nornicdb-bolt-binding/"}],"language":"en","title":"CraftedSignal Threat Feed — Misconfiguration","version":"https://jsonfeed.org/version/1.1"}