<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>NATS - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/nats/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 23 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/nats/feed.xml" rel="self" type="application/rss+xml"/><item><title>NATS Server MQTT Password Disclosure Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-23-nats-mqtt-disclosure/</link><pubDate>Tue, 23 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-23-nats-mqtt-disclosure/</guid><description>The NATS server exposes MQTT passwords in plaintext via monitoring endpoints due to incorrect classification as JWTs, affecting versions before v2.12.6 or v2.11.15.</description><content:encoded><![CDATA[<p>NATS.io is a high-performance open-source pub-sub distributed communication technology. The NATS server provides an MQTT client interface. A vulnerability exists where MQTT passwords, when used with usercodes, are incorrectly classified as non-authenticating identity statements (JWT) and exposed via monitoring endpoints. This vulnerability affects NATS server versions before v2.12.6 and v2.11.15. Successful exploitation allows unauthorized access to MQTT credentials, potentially leading to broader access within the NATS environment. Defenders should prioritize patching and securing monitoring endpoints to mitigate this risk. The reported CVE is CVE-2026-33216.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a NATS server instance running a vulnerable version (prior to v2.12.6 or v2.11.15) with MQTT enabled.</li>
<li>MQTT is configured to use usercodes/passwords for authentication.</li>
<li>Attacker accesses the monitoring endpoint of the NATS server. This could be via a direct connection or through a proxy.</li>
<li>The NATS server incorrectly classifies the MQTT password as a non-authenticating JWT.</li>
<li>The server exposes the plaintext MQTT password in the monitoring endpoint's output.</li>
<li>The attacker retrieves the plaintext MQTT password from the monitoring endpoint.</li>
<li>Attacker uses the compromised MQTT credentials to authenticate to the NATS server via the MQTT client interface.</li>
<li>Attacker gains unauthorized access to NATS server resources and pub-sub channels accessible to the compromised MQTT user.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability (CVE-2026-33216) allows an attacker to gain unauthorized access to MQTT credentials. This can lead to the attacker gaining access to sensitive data being transmitted through the NATS pub-sub system. The impact depends on the privileges associated with the compromised MQTT user and the data accessible through the NATS channels it can access. If the monitoring endpoint is exposed to the internet, the risk is significantly increased.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade NATS server instances to version v2.12.6 or v2.11.15 or later to remediate the vulnerability (CVE-2026-33216).</li>
<li>Implement strong access controls on the NATS server monitoring endpoints as suggested in the advisory to prevent unauthorized access.</li>
<li>Deploy the Sigma rule <code>Detect NATS Server Monitoring Endpoint Access</code> to identify suspicious access attempts to the monitoring endpoint.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>nats</category><category>mqtt</category><category>credential-access</category><category>vulnerability</category></item><item><title>NATS Server Panic via Malicious Compression on Leafnode Port</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-nats-server-panic/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-nats-server-panic/</guid><description>A vulnerability exists in NATS servers configured to accept leafnode connections where a malicious remote NATS server can trigger a server panic by exploiting compression negotiation on the leafnode port.</description><content:encoded><![CDATA[<p>NATS.io is a high-performance open-source pub-sub distributed communication technology. A vulnerability exists when a NATS server is configured to accept leafnode connections, which is not the default setting. In this configuration, a malicious remote NATS server can trigger a server panic by exploiting the compression negotiation process on the leafnode port (default 7422). This vulnerability, identified as CVE-2026-29785, occurs pre-authentication, meaning an attacker does not need valid credentials. The vulnerability affects NATS server versions prior to v2.11.14 and versions between v2.12.0-RC.1 and v2.12.5. Defenders should disable compression on the leafnode port to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a NATS server with leafnode configuration enabled and compression active on port 7422.</li>
<li>The attacker establishes a connection to the leafnode port (7422) of the target NATS server.</li>
<li>The attacker initiates a compression negotiation handshake with the target server.</li>
<li>The attacker sends a crafted message during the compression negotiation, designed to exploit a vulnerability in the NATS server's compression handling logic.</li>
<li>The NATS server attempts to process the malicious compression data.</li>
<li>Due to the crafted nature of the data, the NATS server's compression library triggers a panic.</li>
<li>The NATS server process terminates abruptly due to the panic.</li>
<li>The NATS server becomes unavailable, disrupting NATS-based communication.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability results in a denial-of-service (DoS) condition. Any NATS server configured to accept leafnode connections is vulnerable. This could impact cloud, on-premise, IoT, and edge computing environments using NATS for inter-service communication. The exact number of affected systems is unknown, but the impact is significant as it can disrupt critical communication pathways.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Disable compression on the leafnode port by setting <code>compression: off</code> in the NATS server configuration file as described in the advisory to remediate CVE-2026-29785.</li>
<li>Monitor network connections to port 7422, the default leafnode port, for unexpected connection attempts from untrusted sources (refer to the IOC table).</li>
<li>Deploy the Sigma rule to detect connections to the leafnode port with unexpected client IP addresses.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>nats</category><category>denial-of-service</category><category>compression</category></item><item><title>NATS Server Pre-Authentication Denial-of-Service via Leafnode Handling</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-nats-leafnode-panic/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-nats-leafnode-panic/</guid><description>A pre-authentication denial-of-service vulnerability exists in NATS servers before versions v2.12.6 and v2.11.15, allowing a remote client connected to the leafnode port to crash the server by sending a malformed message.</description><content:encoded><![CDATA[<p>NATS.io is a high-performance open-source pub-sub distributed communication technology widely used for cloud, on-premise, IoT, and edge computing environments. NATS servers utilize &quot;leafnode&quot; connections to enable hub/spoke topologies with other NATS servers. A critical vulnerability has been discovered affecting NATS servers prior to versions v2.12.6 and v2.11.15. This flaw allows an unauthenticated client capable of connecting to the leafnode port to trigger a server panic, resulting in a denial-of-service condition. This vulnerability, identified as CVE-2026-33218, highlights the importance of securing NATS deployments and promptly applying available patches or workarounds to prevent potential service disruptions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a vulnerable NATS server with an exposed leafnode port.</li>
<li>The attacker establishes a network connection to the leafnode port (typically 7422).</li>
<li>The attacker sends a specially crafted, malformed message to the leafnode port. This message is designed to exploit a flaw in the pre-authentication handling of leafnode connections.</li>
<li>The NATS server attempts to process the malformed message without proper validation.</li>
<li>Due to the malformed nature of the message, a panic occurs within the NATS server's code, specifically related to leafnode message processing.</li>
<li>The panic causes the NATS server process to terminate abruptly.</li>
<li>The NATS server becomes unavailable, disrupting any applications or services relying on it.</li>
<li>This denial-of-service condition persists until the NATS server is manually restarted, and further attacks can repeat the process.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability leads to a denial-of-service condition affecting the NATS server. The impact scope depends on the criticality of the NATS server within the affected environment. Services relying on the NATS server for communication will become unavailable, potentially disrupting business operations. The vulnerability affects all environments using vulnerable NATS server instances, including cloud deployments, on-premise installations, and edge computing scenarios. Widespread exploitation could result in significant operational disruptions across various sectors relying on NATS for real-time data streaming and messaging.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade NATS servers to version v2.12.6 or v2.11.15 or later to patch CVE-2026-33218.</li>
<li>If upgrading is not immediately feasible, disable leafnode support on NATS servers if it is not required, mitigating the attack vector.</li>
<li>Restrict network connections to the leafnode port (default 7422) using firewalls or network access control lists, limiting potential attackers.</li>
<li>Monitor network connections to the leafnode port for unexpected or unauthorized access attempts, using network connection logs.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>nats</category><category>denial-of-service</category><category>leafnode</category></item></channel></rss>