[github.com/nats-io/nats-server/v2] Arbitrary file write in nats-server

(This document is canonically: https://advisories.nats.io/CVE/CVE-2022-26652.txt)

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

JetStream is the optional RAFT-based resilient persistent feature of NATS.

Problem Description

The JetStream streams can be backed up and restored via NATS. The backup format is a tar archive file. Inadequate checks on the filenames within the archive file permit a so-called “Zip Slip” attack in the stream restore.

NATS nats-server through 2022-03-09 (fixed in release 2.7.4) did not correctly sanitize elements of the archive file, thus a user of NATS
could cause the NATS server to write arbitrary content to an attacker-controlled filename.

Affected versions

NATS Server:

• 2.2.0 up to and including 2.7.3.
  • Introduced with JetStream Restore functionality
• Fixed with nats-io/nats-server: 2.7.4
• Docker image: nats https://hub.docker.com/_/nats
• NB users of OS package files from our releases: a change in goreleaser defaults, discovered late in the release process, moved the install directory from /usr/local/bin to /usr/bin; we are evaluating the correct solution for subsequent releases, but not recutting this release.

NATS Streaming Server

• 0.15.0 up to and including 0.24.2
• Fixed with nats-io/nats-streaming-server: 0.24.3
• Embeds a nats-server, but this server is the old approach which JetStream replaces, so unlikely (but not impossible) to be
  configured with JS support

Workarounds

• Disable JetStream for untrusted users.
• If only one NATS account uses JetStream, such that cross-user attacks are not an issue, and any user in that account with access to the JetStream API is fully trusted anyway, then appropriate sandboxing techniques will prevent exploit.
  • Eg, with systemd, the supplied util/nats-server-hardened.service example configuration demonstrates that NATS runs fine as an unprivileged user under ProtectSystem=strict and PrivateTmp=true restrictions; by only opening a ReadWritePaths hole for the JetStream storage area, the impact of this vulnerability is limited.

Solution

Upgrade the NATS server to at least 2.7.4.

We fully support the util/nats-server-hardened.service configuration for running a NATS server and encourage this approach.

Credits

This issue was reported (on 2022-03-07) to the NATS Maintainers by
Yiming Xiang, TIANJI LAB of NSFOCUS.
Thank you / 谢谢你！

References

• https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68
• https://github.com/nats-io/nats-server/pull/2917
• https://github.com/nats-io/nats-server/releases/tag/v2.7.4
• https://github.com/nats-io/nats-streaming-server/releases/tag/v0.24.3
• https://nvd.nist.gov/vuln/detail/CVE-2022-26652
• https://advisories.nats.io/CVE/CVE-2022-26652.txt
• https://github.com/nats-io/nats-server/releases
• http://www.openwall.com/lists/oss-security/2022/03/10/1
• https://github.com/advisories/GHSA-6h3m-36w8-hv68