{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/monitoring-port/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NATS server"],"_cs_severities":["high"],"_cs_tags":["nats","credential-exposure","monitoring-port"],"_cs_type":"advisory","_cs_vendors":["NATS.io"],"content_html":"\u003cp\u003eNATS.io is a high-performance, open-source messaging system designed for cloud, on-premise, IoT, and edge computing environments. A vulnerability exists where credentials passed via command-line arguments (\u003ccode\u003eargv\u003c/code\u003e) to the \u003ccode\u003enats-server\u003c/code\u003e are exposed through the server's monitoring port. Specifically, if a NATS server is launched with client authentication details specified directly in the command line, this information becomes visible via the \u003ccode\u003e/debug/vars\u003c/code\u003e endpoint. This affects NATS server versions prior to 2.11.15 and versions 2.12.0-RC.1 through 2.12.6. Attackers with access to the monitoring port can extract these credentials and potentially gain unauthorized access to the NATS messaging system. This exposure represents a significant security risk, especially in environments where the monitoring port is accessible from untrusted networks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA NATS server is deployed with the \u003ccode\u003e--user\u003c/code\u003e and \u003ccode\u003e--pass\u003c/code\u003e parameters in the command line (\u003ccode\u003eargv\u003c/code\u003e) to configure client authentication.\u003c/li\u003e\n\u003cli\u003eThe monitoring port is enabled on the NATS server, typically on port 8222.\u003c/li\u003e\n\u003cli\u003eAn attacker gains access to the monitoring port, either through network access or by exploiting a separate vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP GET request to the \u003ccode\u003e/debug/vars\u003c/code\u003e endpoint on the monitoring port (e.g., \u003ccode\u003ehttp://nats-server:8222/debug/vars\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server responds with a JSON payload containing system information, including the command-line arguments used to launch the server.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the JSON response and extracts the credentials specified in the \u003ccode\u003e--user\u003c/code\u003e and \u003ccode\u003e--pass\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to authenticate with the NATS server as a legitimate client.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the NATS messaging system, enabling them to publish, subscribe, and manage messages within the system, potentially leading to data breaches or service disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthorized access to the NATS messaging system. The number of affected deployments is unknown, but any NATS server running a vulnerable version with command-line credentials and an exposed monitoring port is at risk. Compromised NATS deployments can lead to data breaches, service disruption, or the use of the messaging system for malicious purposes. Organizations in any sector utilizing NATS for inter-service communication or real-time data streaming are potentially affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConfigure NATS server credentials within a dedicated configuration file instead of passing them via command-line arguments, as recommended in the advisory's \u0026quot;Workarounds\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eDisable the monitoring port if command-line arguments are used for credential management, as mentioned in the advisory's \u0026quot;Workarounds\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eImplement network access controls to restrict access to the monitoring port from untrusted networks, as stated in the advisory's \u0026quot;Workarounds\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eUpgrade to NATS server version 2.11.15 or 2.12.6 or later to patch CVE-2026-33247 as described in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-nats-credential-exposure/","summary":"NATS servers configured with command-line credentials expose them through the `/debug/vars` endpoint on the monitoring port, affecting versions prior to 2.11.15 and between 2.12.0-RC.1 and 2.12.6, potentially leading to unauthorized access.","title":"NATS Server Credentials Exposure via Monitoring Port","url":"https://feed.craftedsignal.io/briefs/2024-01-nats-credential-exposure/"}],"language":"en","title":"CraftedSignal Threat Feed - Monitoring-Port","version":"https://jsonfeed.org/version/1.1"}