From 6035ece49941f02cef1d201893ba2ab2f4170cb8 Mon Sep 17 00:00:00 2001 From: Paolo Barbolini Date: Fri, 24 Mar 2023 16:38:47 +0100 Subject: [PATCH] async-nats MitM vulnerability (#1661) * Create RUSTSEC-0000-0000.md * Add category Co-authored-by: Tony Arcieri * Improve title * Improve the description and reintroduce formatting * Update RUSTSEC-0000-0000.md * Update RUSTSEC-0000-0000.md --------- Co-authored-by: Tony Arcieri --- crates/async-nats/RUSTSEC-0000-0000.md | 37 ++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 crates/async-nats/RUSTSEC-0000-0000.md diff --git a/crates/async-nats/RUSTSEC-0000-0000.md b/crates/async-nats/RUSTSEC-0000-0000.md new file mode 100644 index 0000000..2b91b3d --- /dev/null +++ b/crates/async-nats/RUSTSEC-0000-0000.md @@ -0,0 +1,37 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "async-nats" +date = "2023-03-24" +url = "https://github.com/nats-io/nats.rs/commit/817a7b942c462fa9d9938dcb62124173634132fb#diff-767d442397fcaaf2f83e8f924d4a70317a2ce4703a49964d6007707949cfa5f5L303-R304" +categories = ["crypto-failure"] +keywords = ["tls", "mitm"] + +[versions] +patched = [">= 0.29.0"] +``` + +# TLS certificate common name validation bypass + +The NATS official Rust clients are vulnerable to MitM when using TLS. + +The common name of the server's TLS certificate is validated against +the `host`name provided by the server's plaintext `INFO` message +during the initial connection setup phase. A MitM proxy can tamper with +the `host` field's value by substituting it with the common name of a +valid certificate it controls, fooling the client into accepting it. + +## Reproduction steps + +1. The NATS Rust client tries to establish a new connection +2. The connection is intercepted by a MitM proxy +3. The proxy makes a separate connection to the NATS server +4. The NATS server replies with an `INFO` message +5. The proxy reads the `INFO`, alters the `host` JSON field and passes + the tampered `INFO` back to the client +6. The proxy upgrades the client connection to TLS, presenting a certificate issued + by a certificate authority present in the client's keychain. + In the previous step the `host` was set to the common name of said certificate +7. `rustls` accepts the certificate, having verified that the common name matches the + attacker-controlled value it was given +9. The client has been fooled by the MitM proxy into accepting the attacker-controlled certificate