NATS-Server
cpe:2.3:a:nats:nats_server:*:*:*:*:*:*:*
- <= 2.12.5
- <= 2.11.14
An authentication bypass vulnerability has been identified in NATS-Server versions prior to 2.11.15 and 2.12.6. When using mutual TLS (mTLS) for client identity, certain patterns of Relative Distinguished Name (RDN) in the client certificate's Subject Distinguished Name (DN) were not properly enforced. This flaw allowed for authentication bypass, although it is considered an unlikely attack scenario. The vulnerability requires a valid certificate from a Certificate Authority (CA) trusted for client certificates, and specific DN naming patterns that are rarely used. However, administrators with complex DN constructions could be affected.
Exploitation of this vulnerability could lead to unauthorized authentication, allowing clients to bypass mTLS identity verification and potentially gain access to resources or functionalities that require valid NATS identities.
Users can upgrade to NATS-Server versions 2.12.6 or 2.11.15, both of which include the necessary fix. Additionally, it is recommended to review CA issuing practices to ensure that DN patterns do not inadvertently create vulnerabilities.
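To support the review of CA issuing practices recommended above, the following added example (not code from NATS or from this advisory) parses certificate subject DNs in RFC 4514 string form and flags structurally complex ones for manual review. The advisory does not name the affected RDN patterns, so the three features flagged here (multi-valued RDNs, repeated attribute types, escaped characters) are assumptions chosen as generic markers of a complex DN; the sample subjects are constructed.

```python
import re

def split_unescaped(text, sep):
    """Split on sep, treating a backslash plus the next character as one unit."""
    return re.findall(r"(?:\\.|[^\\%s])+" % re.escape(sep), text)

def parse_dn(dn):
    """Return the DN as a list of RDNs, each a list of (type, value) pairs."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        pairs = []
        for atv in split_unescaped(rdn, "+"):  # '+' joins values in one RDN
            attr, _, value = atv.lstrip().partition("=")
            pairs.append((attr.strip().upper(), value))
        rdns.append(pairs)
    return rdns

def audit_dn(dn):
    """Return sorted review flags (assumed heuristics, not the advisory's list)."""
    flags, seen = set(), set()
    for pairs in parse_dn(dn):
        if len(pairs) > 1:
            flags.add("multi-valued RDN")
        for attr, value in pairs:
            if attr in seen:
                flags.add("repeated attribute type " + attr)
            seen.add(attr)
            if "\\" in value:
                flags.add("escaped character in " + attr)
    return sorted(flags)

# Constructed sample subjects, not taken from any real CA.
SAMPLE_SUBJECTS = [
    "CN=orders-service,O=Example Corp,C=US",
    "CN=alice+UID=1001,OU=Ops,O=Example Corp",
    "CN=svc\\,batch,OU=Eng,OU=Platform,O=Example Corp",
]

if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        print(subject, "->", audit_dn(subject) or "no flags")
```

A flag means the subject deserves a closer look against the identities configured on the server; it does not mean the certificate triggers the bypass.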