<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>NATS.io - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/nats.io/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 24 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/nats.io/feed.xml" rel="self" type="application/rss+xml"/><item><title>NATS.io MQTT ACL Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-nats-mqtt-acl-bypass/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-nats-mqtt-acl-bypass/</guid><description>A vulnerability in NATS.io versions before v2.12.6 or v2.11.15 allows MQTT clients to bypass ACL checks for MQTT subjects due to ACLs not being applied in the `$MQTT.&gt;` namespace, potentially allowing unauthorized access and control of MQTT communications.</description><content:encoded><![CDATA[<p>NATS.io is a high-performance open-source pub-sub distributed communication technology used in cloud, on-premise, IoT, and edge computing environments. A critical vulnerability exists in the NATS server that allows MQTT clients to bypass Access Control List (ACL) checks when using the MQTT client interface. Specifically, ACLs are not enforced in the <code>$MQTT.&gt;</code> namespace, which handles MQTT subjects. This flaw affects NATS server versions prior to v2.12.6 and v2.11.15, potentially enabling malicious MQTT clients to publish or subscribe to topics they should not have access to, leading to information disclosure or unauthorized control of the NATS messaging system. The vulnerability is identified as CVE-2026-33217 and presents a significant security risk for organizations relying on NATS for secure communication.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a NATS server running a vulnerable version (prior to v2.12.6 or v2.11.15) with MQTT enabled.</li>
<li>The attacker establishes an MQTT client connection to the NATS server.</li>
<li>The attacker crafts MQTT PUBLISH or SUBSCRIBE messages targeting subjects within the <code>$MQTT.&gt;</code> namespace.</li>
<li>The NATS server, due to the vulnerability, fails to apply configured ACLs to the MQTT messages.</li>
<li>The attacker successfully publishes or subscribes to MQTT topics without proper authorization.</li>
<li>The attacker gains unauthorized access to MQTT data or control over MQTT devices connected to the NATS server.</li>
<li>The attacker can then leverage the unauthorized access for malicious purposes such as data exfiltration or disruption of services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability (CVE-2026-33217) can lead to unauthorized access to sensitive MQTT data within the NATS messaging system. This can affect any organization using NATS for MQTT communication, especially in IoT environments where MQTT is prevalent. The impact ranges from information disclosure to complete compromise of MQTT-controlled devices or services. The number of potential victims is dependent on the number of NATS deployments using MQTT functionality and running vulnerable versions, but given the widespread adoption of NATS, the potential impact is significant.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade NATS server instances to version v2.12.6 or v2.11.15 or later to remediate CVE-2026-33217.</li>
<li>Deploy the provided Sigma rule <code>Detect Suspicious MQTT Namespace Access</code> to identify potential exploitation attempts targeting the <code>$MQTT.&gt;</code> namespace.</li>
<li>Monitor NATS server logs for suspicious activity related to MQTT connections and subject access using the <code>$MQTT.&gt;</code> namespace.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>nats.io</category><category>mqtt</category><category>acl-bypass</category><category>vulnerability</category></item><item><title>NATS Server Credentials Exposure via Monitoring Port</title><link>https://feed.craftedsignal.io/briefs/2024-01-nats-credential-exposure/</link><pubDate>Tue, 23 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-nats-credential-exposure/</guid><description>NATS servers configured with command-line credentials expose them through the `/debug/vars` endpoint on the monitoring port, affecting versions prior to 2.11.15 and between 2.12.0-RC.1 and 2.12.6, potentially leading to unauthorized access.</description><content:encoded><![CDATA[<p>NATS.io is a high-performance, open-source messaging system designed for cloud, on-premise, IoT, and edge computing environments. A vulnerability exists where credentials passed via command-line arguments (<code>argv</code>) to the <code>nats-server</code> are exposed through the server's monitoring port. Specifically, if a NATS server is launched with client authentication details specified directly in the command line, this information becomes visible via the <code>/debug/vars</code> endpoint. This affects NATS server versions prior to 2.11.15 and versions 2.12.0-RC.1 through 2.12.6. Attackers with access to the monitoring port can extract these credentials and potentially gain unauthorized access to the NATS messaging system. This exposure represents a significant security risk, especially in environments where the monitoring port is accessible from untrusted networks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A NATS server is deployed with the <code>--user</code> and <code>--pass</code> parameters in the command line (<code>argv</code>) to configure client authentication.</li>
<li>The monitoring port is enabled on the NATS server, typically on port 8222.</li>
<li>An attacker gains access to the monitoring port, either through network access or by exploiting a separate vulnerability.</li>
<li>The attacker sends an HTTP GET request to the <code>/debug/vars</code> endpoint on the monitoring port (e.g., <code>http://nats-server:8222/debug/vars</code>).</li>
<li>The server responds with a JSON payload containing system information, including the command-line arguments used to launch the server.</li>
<li>The attacker parses the JSON response and extracts the credentials specified in the <code>--user</code> and <code>--pass</code> parameters.</li>
<li>The attacker uses the extracted credentials to authenticate with the NATS server as a legitimate client.</li>
<li>The attacker gains unauthorized access to the NATS messaging system, enabling them to publish, subscribe, and manage messages within the system, potentially leading to data breaches or service disruption.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows unauthorized access to the NATS messaging system. The number of affected deployments is unknown, but any NATS server running a vulnerable version with command-line credentials and an exposed monitoring port is at risk. Compromised NATS deployments can lead to data breaches, service disruption, or the use of the messaging system for malicious purposes. Organizations in any sector utilizing NATS for inter-service communication or real-time data streaming are potentially affected.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Configure NATS server credentials within a dedicated configuration file instead of passing them via command-line arguments, as recommended in the advisory's &quot;Workarounds&quot; section.</li>
<li>Disable the monitoring port if command-line arguments are used for credential management, as mentioned in the advisory's &quot;Workarounds&quot; section.</li>
<li>Implement network access controls to restrict access to the monitoring port from untrusted networks, as stated in the advisory's &quot;Workarounds&quot; section.</li>
<li>Upgrade to NATS server version 2.11.15 or 2.12.6 or later to patch CVE-2026-33247 as described in the advisory.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>nats</category><category>credential-exposure</category><category>monitoring-port</category></item></channel></rss>