Bug 2246986 (CVE-2023-46129)

Summary: CVE-2023-46129 nkeys: xkeys Seal encryption used fixed key for all encryption
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: amctagga, anjoseph, aoconnor, bdettelb, bniver, dfreiber, dhanak, doconnor, drow, dsimansk, dymurray, flucifre, gmeno, jburrell, jmatthew, jprabhak, kingland, kverlaen, lball, lmauda, matzew, mbenjamin, mhackett, mnovotny, muagarwa, mwringe, nbecker, odf-bz-bot, pierdipi, rguimara, rhuss, rjohnson, rogbas, shbose, skontopo, sostapov, teagle, vereddy, vkumar, whayutin, wtam
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nats-server 2.10.4, nkeys 0.4.6 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nkeys. The nkeys library's "xkeys" encryption handling logic, mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was using an all-zeros key.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2246987, 2246988, 2246989, 2246990, 2246991, 2246992, 2247686, 2247687, 2247688, 2247690, 2247691, 2247692, 2247693, 2247694, 2247695, 2247696, 2247697, 2247698, 2247715, 2247716    
Bug Blocks: 2247007    

Description Avinash Hanwate 2023-10-30 10:28:45 UTC 
The nkeys library's "xkeys" encryption handling logic mistakenly passed an array by value into an internal function, where the function
mutated that buffer to populate the encryption key to use.  As a result, all encryption was actually to an all-zeros key.
This affects encryption only, not signing.

Within the nats-server, the encryption is used for the Auth Callouts feature, introduced with 2.10.0 (September 2023). The Auth Callout request includes the supplied user password. These messages are sent within NATS, and should typically be in a dedicated NATS Account used for callouts, but this is not required. Thus in scenarios where the Callouts are in an account shared with untrusted users or where the callout responders connect without TLS, this may lead to user credential exposure.

https://advisories.nats.io/CVE/secnote-2023-02.txt
https://security-tracker.debian.org/tracker/CVE-2023-46129
Comment 3 Anten Skrabec 2023-11-02 23:13:24 UTC 
Created golang-github-nats-io-nkeys tracking bugs for this issue:

Affects: fedora-all [bug 2247715]


Created nats-server tracking bugs for this issue:

Affects: fedora-all [bug 2247716]
Comment 5 errata-xmlrpc 2023-12-06 05:00:43 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 3.0

Via RHSA-2023:7663 https://access.redhat.com/errata/RHSA-2023:7663
Comment 8 Abhishek Raj 2025-01-29 07:49:50 UTC 
The CVE is related to the NATS go library, which is not used by Argo CD. The Nats go library is unused dependency of a dependency, and thus appears in the 'go.sum', but the actual library itself is not consumed and thus is not vulnerable in openshift-gitops-argocd-container.