<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Mqtt - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/mqtt/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 24 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/mqtt/feed.xml" rel="self" type="application/rss+xml"/><item><title>NATS.io MQTT ACL Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-nats-mqtt-acl-bypass/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-nats-mqtt-acl-bypass/</guid><description>A vulnerability in NATS.io versions before v2.12.6 or v2.11.15 allows MQTT clients to bypass ACL checks for MQTT subjects due to ACLs not being applied in the `$MQTT.&gt;` namespace, potentially allowing unauthorized access and control of MQTT communications.</description><content:encoded><![CDATA[<p>NATS.io is a high-performance open-source pub-sub distributed communication technology used in cloud, on-premise, IoT, and edge computing environments. A critical vulnerability exists in the NATS server that allows MQTT clients to bypass Access Control List (ACL) checks when using the MQTT client interface. Specifically, ACLs are not enforced in the <code>$MQTT.&gt;</code> namespace, which handles MQTT subjects. This flaw affects NATS server versions prior to v2.12.6 and v2.11.15, potentially enabling malicious MQTT clients to publish or subscribe to topics they should not have access to, leading to information disclosure or unauthorized control of the NATS messaging system. The vulnerability is identified as CVE-2026-33217 and presents a significant security risk for organizations relying on NATS for secure communication.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a NATS server running a vulnerable version (prior to v2.12.6 or v2.11.15) with MQTT enabled.</li>
<li>The attacker establishes an MQTT client connection to the NATS server.</li>
<li>The attacker crafts MQTT PUBLISH or SUBSCRIBE messages targeting subjects within the <code>$MQTT.&gt;</code> namespace.</li>
<li>The NATS server, due to the vulnerability, fails to apply configured ACLs to the MQTT messages.</li>
<li>The attacker successfully publishes or subscribes to MQTT topics without proper authorization.</li>
<li>The attacker gains unauthorized access to MQTT data or control over MQTT devices connected to the NATS server.</li>
<li>The attacker can then leverage the unauthorized access for malicious purposes such as data exfiltration or disruption of services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability (CVE-2026-33217) can lead to unauthorized access to sensitive MQTT data within the NATS messaging system. This can affect any organization using NATS for MQTT communication, especially in IoT environments where MQTT is prevalent. The impact ranges from information disclosure to complete compromise of MQTT-controlled devices or services. The number of potential victims is dependent on the number of NATS deployments using MQTT functionality and running vulnerable versions, but given the widespread adoption of NATS, the potential impact is significant.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade NATS server instances to version v2.12.6 or v2.11.15 or later to remediate CVE-2026-33217.</li>
<li>Deploy the provided Sigma rule <code>Detect Suspicious MQTT Namespace Access</code> to identify potential exploitation attempts targeting the <code>$MQTT.&gt;</code> namespace.</li>
<li>Monitor NATS server logs for suspicious activity related to MQTT connections and subject access using the <code>$MQTT.&gt;</code> namespace.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>nats.io</category><category>mqtt</category><category>acl-bypass</category><category>vulnerability</category></item><item><title>NATS Server MQTT Password Disclosure Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-23-nats-mqtt-disclosure/</link><pubDate>Tue, 23 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-23-nats-mqtt-disclosure/</guid><description>The NATS server exposes MQTT passwords in plaintext via monitoring endpoints due to incorrect classification as JWTs, affecting versions before v2.12.6 or v2.11.15.</description><content:encoded><![CDATA[<p>NATS.io is a high-performance open-source pub-sub distributed communication technology. The NATS server provides an MQTT client interface. A vulnerability exists where MQTT passwords, when used with usercodes, are incorrectly classified as non-authenticating identity statements (JWT) and exposed via monitoring endpoints. This vulnerability affects NATS server versions before v2.12.6 and v2.11.15. Successful exploitation allows unauthorized access to MQTT credentials, potentially leading to broader access within the NATS environment. Defenders should prioritize patching and securing monitoring endpoints to mitigate this risk. The reported CVE is CVE-2026-33216.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a NATS server instance running a vulnerable version (prior to v2.12.6 or v2.11.15) with MQTT enabled.</li>
<li>MQTT is configured to use usercodes/passwords for authentication.</li>
<li>Attacker accesses the monitoring endpoint of the NATS server. This could be via a direct connection or through a proxy.</li>
<li>The NATS server incorrectly classifies the MQTT password as a non-authenticating JWT.</li>
<li>The server exposes the plaintext MQTT password in the monitoring endpoint's output.</li>
<li>The attacker retrieves the plaintext MQTT password from the monitoring endpoint.</li>
<li>Attacker uses the compromised MQTT credentials to authenticate to the NATS server via the MQTT client interface.</li>
<li>Attacker gains unauthorized access to NATS server resources and pub-sub channels accessible to the compromised MQTT user.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability (CVE-2026-33216) allows an attacker to gain unauthorized access to MQTT credentials. This can lead to the attacker gaining access to sensitive data being transmitted through the NATS pub-sub system. The impact depends on the privileges associated with the compromised MQTT user and the data accessible through the NATS channels it can access. If the monitoring endpoint is exposed to the internet, the risk is significantly increased.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade NATS server instances to version v2.12.6 or v2.11.15 or later to remediate the vulnerability (CVE-2026-33216).</li>
<li>Implement strong access controls on the NATS server monitoring endpoints as suggested in the advisory to prevent unauthorized access.</li>
<li>Deploy the Sigma rule <code>Detect NATS Server Monitoring Endpoint Access</code> to identify suspicious access attempts to the monitoring endpoint.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>nats</category><category>mqtt</category><category>credential-access</category><category>vulnerability</category></item></channel></rss>