{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/network-ai/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Network-AI (\u003c= 5.1.2)"],"_cs_severities":["critical"],"_cs_tags":["cwe-306","authentication-bypass","network-ai"],"_cs_type":"advisory","_cs_vendors":["Jovancoding"],"content_html":"\u003cp\u003eThe \u003ccode\u003eJovancoding/Network-AI\u003c/code\u003e project is susceptible to a critical vulnerability due to missing authentication on the MCP HTTP endpoint. This flaw, present in version 5.1.2 and earlier (commit \u003ccode\u003ec344f2053eb0d49395988f803bf92f2a86b2a0d0\u003c/code\u003e), allows unauthenticated access to the orchestrator\u0026rsquo;s management tools. The default bind address of \u003ccode\u003e0.0.0.0\u003c/code\u003e exacerbates the issue, enabling any party with network reachability to enumerate and invoke privileged functions. 
This includes reading and mutating the live orchestrator configuration, listing registered agents, creating/revoking security tokens, and adjusting global budget ceilings, posing a significant risk to the system\u0026rsquo;s confidentiality, integrity and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains network reachability to the Network-AI instance\u0026rsquo;s listening port (13001 in the examples that follow).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP GET request to the \u003ccode\u003e/tools\u003c/code\u003e endpoint (e.g., \u003ccode\u003ehttp://localhost:13001/tools\u003c/code\u003e) to enumerate available tools.\u003c/li\u003e\n\u003cli\u003eThe server responds with a list of available tools including \u003ccode\u003econfig_get\u003c/code\u003e, \u003ccode\u003econfig_set\u003c/code\u003e, \u003ccode\u003eagent_list\u003c/code\u003e, etc.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a JSON-RPC \u003ccode\u003etools/call\u003c/code\u003e request to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint (e.g., \u003ccode\u003ehttp://localhost:13001/mcp\u003c/code\u003e) without any authentication headers.\u003c/li\u003e\n\u003cli\u003eThe attacker specifies the desired tool name (\u003ccode\u003econfig_get\u003c/code\u003e, \u003ccode\u003econfig_set\u003c/code\u003e, \u003ccode\u003eagent_list\u003c/code\u003e, etc.) 
and arguments within the JSON-RPC request body.\u003c/li\u003e\n\u003cli\u003eThe server processes the request and dispatches the call to the orchestrator\u0026rsquo;s tool registry without authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker can now read sensitive configuration data using \u003ccode\u003econfig_get\u003c/code\u003e or modify the configuration using \u003ccode\u003econfig_set\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker can further enumerate agents or manipulate the system by using available tool calls like \u003ccode\u003eagent_list\u003c/code\u003e, \u003ccode\u003eagent_spawn\u003c/code\u003e, and \u003ccode\u003eagent_stop\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to completely compromise the Network-AI orchestrator. Unauthenticated network access enables full enumeration and invocation of the orchestrator\u0026rsquo;s management functionality. An attacker can change runtime configuration (e.g., \u003ccode\u003edefaultTimeout\u003c/code\u003e, \u003ccode\u003eenableTracing\u003c/code\u003e), dispatch or stop agents, mutate the shared blackboard, mint or revoke security tokens, and adjust global budget ceilings. 
The default \u003ccode\u003e0.0.0.0\u003c/code\u003e bind increases the likelihood of accidental exposure on any host with a routable interface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unauthenticated Access to Network-AI MCP Endpoint\u0026rdquo; to identify suspicious requests to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint without authentication (see rule below). Note that a vulnerable instance accepts every request without credentials, so the absence of an \u003ccode\u003eAuthorization\u003c/code\u003e header on its own does not separate an attacker from a legitimate client; baseline the expected client sources first and alert on everything else.\u003c/li\u003e\n\u003cli\u003eMonitor web server or reverse-proxy logs for HTTP requests to the \u003ccode\u003e/tools\u003c/code\u003e and \u003ccode\u003e/mcp\u003c/code\u003e endpoints originating from unexpected IP addresses, especially those outside the internal network.\u003c/li\u003e\n\u003cli\u003eApply the remediation steps suggested by the vendor, including enforcing authentication on the \u003ccode\u003e/mcp\u003c/code\u003e endpoint and restricting the bind address to \u003ccode\u003e127.0.0.1\u003c/code\u003e. Until that fix is deployed, put the \u003ccode\u003e/tools\u003c/code\u003e and \u003ccode\u003e/mcp\u003c/code\u003e paths behind a firewall or reverse-proxy allow-list of known management hosts.\u003c/li\u003e\n\u003cli\u003eTreat any request to those paths from a source outside the allow-list as a potential exploitation attempt, and block the originating address.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-network-ai-auth-bypass/","summary":"Network-AI is vulnerable to missing authentication on the MCP HTTP endpoint, allowing unauthenticated privileged tool calls that could lead to configuration changes and agent manipulation.","title":"Network-AI Unauthenticated Access to MCP HTTP Endpoint","url":"https://feed.craftedsignal.io/briefs/2024-01-network-ai-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Network-Ai","version":"https://jsonfeed.org/version/1.1"}
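Worked example for the attack chain and the detection recommendations in the brief above. This is illustrative code written for this page, not code from the Jovancoding/Network-AI project or from the CraftedSignal Sigma rule. It shows three things: the JSON-RPC 2.0 body that a `tools/call` request to `/mcp` carries (the MCP wire shape, with tool names taken from the advisory); the bearer-token check a fixed `/mcp` handler would run before dispatching to the tool registry; and detection logic run over access-log lines that flags `/tools` and `/mcp` requests arriving unauthenticated or from outside a trusted network. Assumptions not taken from the advisory: a hardened handler would accept `Authorization: Bearer <token>`; logs are JSON lines with `src`, `method`, `path` and a boolean `has_authorization` field (as a reverse proxy could emit them); and the sample log lines and the `10.0.0.0/8` trusted range are constructed for this example.

```python
"""Added example for the Network-AI MCP advisory (not project code).

Assumptions (not from the advisory): Bearer-token scheme for the hardened
handler; JSON-lines access logs with src/method/path/has_authorization;
constructed sample log lines and a constructed 10.0.0.0/8 trusted range.
Tool names (config_get, config_set, agent_list) come from the advisory.
"""
import hmac
import ipaddress
import json
from typing import Dict, Iterable, List, Optional, Tuple

# Paths the advisory identifies as reachable without credentials.
MCP_PATHS = {"/mcp", "/tools"}


def build_tools_call(name: str, arguments: Optional[dict] = None, req_id: int = 1) -> dict:
    """JSON-RPC 2.0 envelope for an MCP tools/call request: the body that
    step 4 of the attack chain POSTs to /mcp with no credentials."""
    return {
        "jsonrpc": "2.0",
        "id": req_id,
        "method": "tools/call",
        "params": {"name": name, "arguments": arguments or {}},
    }


def is_authorized(headers: Dict[str, str], expected_token: str) -> bool:
    """The check a fixed /mcp handler runs before dispatching to the tool
    registry (assumed Bearer scheme). Rejects a missing header, a non-Bearer
    scheme, an empty token and a wrong token; the comparison is constant-time."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


def flag_mcp_requests(log_lines: Iterable[str],
                      trusted_networks: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Detection over JSON-lines access logs (assumed format): every request to
    /tools or /mcp that is unauthenticated or comes from outside the trusted
    networks is returned as (src, method, path, reason)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("path") not in MCP_PATHS:
            continue  # not a management endpoint; ignore
        src = ipaddress.ip_address(ev["src"])
        reasons = []
        if not ev.get("has_authorization", False):
            reasons.append("no Authorization header")
        if not any(src in net for net in nets):
            reasons.append("untrusted source")
        if reasons:
            findings.append((ev["src"], ev["method"], ev["path"], "; ".join(reasons)))
    return findings


# Constructed sample log: an internal host enumerating and calling tools
# without credentials, an internal authenticated client, an external
# authenticated client, and an unrelated health-check request.
SAMPLE_LOG = [
    '{"src":"10.0.0.5","method":"GET","path":"/tools","has_authorization":false}',
    '{"src":"10.0.0.5","method":"POST","path":"/mcp","has_authorization":false}',
    '{"src":"10.0.0.7","method":"POST","path":"/mcp","has_authorization":true}',
    '{"src":"203.0.113.9","method":"POST","path":"/mcp","has_authorization":true}',
    '{"src":"10.0.0.7","method":"GET","path":"/healthz","has_authorization":false}',
]

if __name__ == "__main__":
    print(json.dumps(build_tools_call("config_get")))
    print(is_authorized({}, "s3cret"), is_authorized({"Authorization": "Bearer s3cret"}, "s3cret"))
    for finding in flag_mcp_requests(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(*finding)
```

On a vulnerable version every client omits the header, so the "no Authorization header" reason fires for legitimate traffic too; the source-network reason is the one that carries signal until the fix is deployed and real clients start sending tokens, after which the header check becomes the primary indicator. The `is_authorized` check is deliberately placed in front of dispatch rather than inside individual tools, since the advisory's point is that the tool registry is reachable before any identity is established.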