cargo deny is giving me below report. Is there a plan for a fix?

```text
error[vulnerability]: TLS certificate common name validation bypass
    ┌─ /home/ctopinka1/git-test/di-apps/Cargo.lock:167:1
    │
167 │ nats 0.24.0 registry+https://github.com/rust-lang/crates.io-index
    │ ----------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2023-0029
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0029
    = The NATS official Rust clients are vulnerable to MitM when using TLS.

      The common name of the server's TLS certificate is validated against
      the `host`name provided by the server's plaintext `INFO` message
      during the initial connection setup phase. A MitM proxy can tamper with
      the `host` field's value by substituting it with the common name of a
      valid certificate it controls, fooling the client into accepting it.

      ## Reproduction steps

      1. The NATS Rust client tries to establish a new connection
      2. The connection is intercepted by a MitM proxy
      3. The proxy makes a separate connection to the NATS server
      4. The NATS server replies with an `INFO` message
      5. The proxy reads the `INFO`, alters the `host` JSON field and passes
         the tampered `INFO` back to the client
      6. The proxy upgrades the client connection to TLS, presenting a certificate issued
         by a certificate authority present in the client's keychain.
         In the previous step the `host` was set to the common name of said certificate
      7. `rustls` accepts the certificate, having verified that the common name matches the
         attacker-controlled value it was given
      9. The client has been fooled by the MitM proxy into accepting the attacker-controlled certificate
    = Solution: No safe upgrade is available!
    = nats v0.24.0
      ├── coordination-service v0.0.1
      │   └── di-app v0.3.0
      ├── cvr v0.1.0
      │   └── di-app v0.3.0 (*)
      └── microgrid-controller v0.2.0
          └── di-app v0.3.0 (*)
```

A fix for the `nats` crate hasn't been released yet. Since the `nats` crate
is going to be deprecated anyway, consider switching to `async-nats` `>= 0.29`
which already fixed this vulnerability.
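As an added illustration that is not code from the `nats` crate or the advisory, this dependency-free Rust model compares the two policies for choosing the name a server certificate is checked against: the vulnerable one takes it from the plaintext `INFO` `host` field, the hardened one only from the host the client was configured to connect to. The `INFO` line, the host names and the hand-written `host` extraction are constructed assumptions, not the real client's parsing or rustls itself.

```rust
// Added example: models the client-side name selection RUSTSEC-2023-0029 is about.
// All names and the INFO line below are constructed for the demonstration.

#[derive(Debug, PartialEq)]
pub enum Verdict { Accepted, Rejected }

/// Pull the string value of the `host` key out of a plaintext `INFO {...}` line.
/// Hand-written so the example needs no JSON crate (assumes a plain, unescaped string).
pub fn info_host(info_line: &str) -> Option<String> {
    let json = info_line.strip_prefix("INFO ")?.trim_end();
    let idx = json.find("\"host\"")?;
    let rest = &json[idx + "\"host\"".len()..];
    let rest = rest.trim_start().strip_prefix(':')?.trim_start().strip_prefix('"')?;
    let end = rest.find('"')?;
    Some(rest[..end].to_string())
}

/// The name the TLS layer will verify the certificate against.
pub fn expected_tls_name(configured_host: &str, info_line: &str, trust_info_host: bool) -> String {
    if trust_info_host {
        // Vulnerable policy: whoever sits in the plaintext path picks the name.
        info_host(info_line).unwrap_or_else(|| configured_host.to_string())
    } else {
        // Hardened policy: only the host from the client's own connection URL counts.
        configured_host.to_string()
    }
}

/// Stand-in for the certificate name check the TLS library performs.
pub fn check_certificate(cert_cn: &str, expected: &str) -> Verdict {
    if cert_cn.eq_ignore_ascii_case(expected) { Verdict::Accepted } else { Verdict::Rejected }
}

/// Handshake with an in-path proxy that rewrote `host` to its own certificate's CN.
pub fn simulate_mitm(trust_info_host: bool) -> Verdict {
    let configured = "nats.internal.example"; // host the client was told to connect to
    let proxy_cn = "proxy.attacker.example";  // CN of the CA-signed cert the proxy presents
    // Constructed INFO line as forwarded by the proxy, with `host` replaced.
    let tampered_info = format!(
        "INFO {{\"server_id\":\"X\",\"host\":\"{}\",\"port\":4222,\"tls_required\":true}}\r\n",
        proxy_cn
    );
    let expected = expected_tls_name(configured, &tampered_info, trust_info_host);
    check_certificate(proxy_cn, &expected)
}

fn main() {
    println!("vulnerable policy (host from INFO): {:?}", simulate_mitm(true));
    println!("hardened policy (host from config): {:?}", simulate_mitm(false));
}
```

The same tampered `INFO` is accepted under the first policy and rejected under the second, which is exactly the difference the `async-nats >= 0.29` fix introduces on the client side.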