Bug 2246986 (CVE-2023-46129) - CVE-2023-46129 nkeys: xkeys Seal encryption used fixed key for all encryption
Summary: CVE-2023-46129 nkeys: xkeys Seal encryption used fixed key for all encryption
Keywords:
Status: NEW
Alias: CVE-2023-46129
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2246987 2246988 2246989 2246990 2246991 2246992 2247686 2247687 2247688 2247690 2247691 2247692 2247693 2247694 2247695 2247696 2247697 2247698 2247715 2247716
Blocks: 2247007
TreeView+ depends on / blocked
 
Reported: 2023-10-30 10:28 UTC by Avinash Hanwate
Modified: 2024-06-08 08:28 UTC (History)
35 users (show)

Fixed In Version: nats-server 2.10.4, nkeys 0.4.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nkeys. The nkeys library's "xkeys" encryption handling logic, mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was using an all-zeros key.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7663 0 None None None 2023-12-06 05:00:47 UTC

Description Avinash Hanwate 2023-10-30 10:28:45 UTC
The nkeys library's "xkeys" encryption handling logic mistakenly passed an array by value into an internal function, where the function
mutated that buffer to populate the encryption key to use.  As a result, all encryption was actually to an all-zeros key.
This affects encryption only, not signing.

Within the nats-server, the encryption is used for the Auth Callouts feature, introduced with 2.10.0 (September 2023). The Auth Callout request includes the supplied user password. These messages are sent within NATS, and should typically be in a dedicated NATS Account used for callouts, but this is not required. Thus in scenarios where the Callouts are in an account shared with untrusted users or where the callout responders connect without TLS, this may lead to user credential exposure.

https://advisories.nats.io/CVE/secnote-2023-02.txt
https://security-tracker.debian.org/tracker/CVE-2023-46129

Comment 3 Anten Skrabec 2023-11-02 23:13:24 UTC
Created golang-github-nats-io-nkeys tracking bugs for this issue:

Affects: fedora-all [bug 2247715]


Created nats-server tracking bugs for this issue:

Affects: fedora-all [bug 2247716]

Comment 5 errata-xmlrpc 2023-12-06 05:00:43 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 3.0

Via RHSA-2023:7663 https://access.redhat.com/errata/RHSA-2023:7663


Note You need to log in before you can comment on or make changes to this bug.