Akka.NET Mutual TLS Authentication Vulnerability in Akka.Remote
Vulnerability
A vulnerability exists in Akka.Remote versions 1.2.0 through 1.5.51, where mutual TLS (mTLS) authentication is not enforced. TLS can be enabled and the configured private key is correctly applied to inbound connections, but a peer that connects outbound to a node is never required to present a certificate. An untrusted party can therefore open a TLS connection to an Akka.NET cluster secured with a private key and exchange Akka.Remote messages without holding any certificate at all. Without mutual TLS there is no guarantee that every member of the Akka.Remote network holds the shared certificate and private key: an accepted inbound connection proves nothing about the identity of the peer, so the TLS layer provides confidentiality but not the intended authentication.
Impact
The vulnerability allows untrusted clients to connect to an Akka.NET cluster over TLS without presenting a certificate, defeating the certificate-based authentication the operator intended to rely on. An attacker who can reach a remoting port can join the remoting network and send messages to actors on the node, which may lead to unauthorized access and communication within the cluster.
Reproduction
To reproduce the vulnerability, enable TLS on Akka.Remote using the DotNetty transport with a server certificate, but do not configure mutual TLS: set 'require-mutual-authentication' to false and 'suppress-validation' to true. The first setting means the node never demands a certificate from the connecting peer; the second disables validation of any certificate that is presented, which is a separate weakening and should not be relied on in production either. With TLS enabled in this way, a client that holds no certificate completes the handshake and is accepted as a remote peer, bypassing the authentication mechanism.
Remediation
Upgrade to Akka.NET version 1.5.52 or later, where mutual TLS is enforced by default and the application validates the certificate configuration at startup. Because mTLS becomes the default, a node that tries to connect without a certificate is rejected after the upgrade, so deploy the certificate and private key to every node before rolling out the new version, and confirm at startup that the configuration validation passes on each node. For instructions on how to manage certificates and configure TLS in Akka.NET, refer to the Akka.NET documentation on security and TLS configuration.
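As an added example (not taken from the advisory or from Akka.NET's own documentation), the HOCON below shows a hardened `akka.remote.dot-netty.tcp` section for the DotNetty transport, with the vulnerable reproduction value noted beside each setting so the weak and corrected configurations can be compared line by line. `enable-ssl`, `ssl.suppress-validation` and `ssl.certificate.path`/`password` are the transport's documented keys; that `require-mutual-authentication` sits under `ssl` is assumed from the name this advisory uses, and the file name and password are placeholders.

```hocon
# Added example, not Akka.NET project configuration.
# Assumptions: require-mutual-authentication lives under akka.remote.dot-netty.tcp.ssl
# (placement inferred from the name used in the advisory); node.pfx and the password
# are placeholders.
akka.remote.dot-netty.tcp {
  hostname = "0.0.0.0"   # bind address, placeholder
  port = 8081            # remoting port, placeholder

  # TLS must be on for any of the ssl.* settings to matter.
  enable-ssl = true

  ssl {
    # Vulnerable reproduction used: suppress-validation = true
    # With validation suppressed, any certificate (or none) is accepted.
    suppress-validation = false

    # Vulnerable reproduction used: require-mutual-authentication = false
    # When false the node never sends a CertificateRequest, so a peer with
    # no certificate completes the handshake. Set to true so the connecting
    # side must present the shared certificate.
    require-mutual-authentication = true

    certificate {
      # The same PFX (certificate + private key) is deployed to every node;
      # membership in the remoting network is proof of holding this key.
      path = "node.pfx"
      # Placeholder. Inject the real password from a secret store or
      # environment at deployment time rather than committing it here.
      password = "changeit"
    }
  }
}
```

To verify the change, start one node with this configuration and attempt a connection from a second node that has `enable-ssl = true` but no `certificate` block configured; the handshake should fail and the first node should log the rejected connection rather than accepting the peer.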
