Netmaker Authentication Bypass Vulnerability Allowing JWT Verification Bypass

Vulnerability

A vulnerability allowing authentication bypass has been identified in Netmaker versions prior to 1.5.0. The issue arises in the VerifyHostToken function within logic/jwts.go, where the JWT signature is not properly validated when verifying host tokens. This oversight allows an attacker to forge a JWT, sign it with any key, and use it to impersonate a host on the network. Exploitation of this vulnerability grants access to sensitive information, including the host's full configuration, bcrypt-hashed passwords, MQTT credentials, and WireGuard peer data.
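A minimal model of the bug class, added here as an illustration and not Netmaker's own code: a verifier that decodes the claims without ever checking the HS256 signature (so a token signed with any key is accepted), beside a hardened one that recomputes the MAC with the server secret before releasing any claims. It uses only the Go standard library; the HostClaims layout, the function names and the key values are assumptions, and it does not reproduce the real VerifyHostToken implementation.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

type HostClaims struct{ ID, MacAddress, Network string } // claim names from the advisory; layout assumed
var enc = base64.RawURLEncoding

// sigFor returns the base64url HS256 MAC over the JWT signing input (header.payload).
func sigFor(in string, key []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(in))
	return enc.EncodeToString(m.Sum(nil))
}

// signHostToken mints a compact HS256 JWT for the given claims and key, as a server would at registration.
func signHostToken(c HostClaims, key []byte) string {
	payload, _ := json.Marshal(c)
	in := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	return in + "." + sigFor(in, key)
}

// decodeClaims splits the token and decodes its claim segment with NO signature check.
// Treating this result as verified is the bug class the advisory describes: any key yields accepted claims.
func decodeClaims(token string) (parts []string, c HostClaims, err error) {
	if parts = strings.Split(token, "."); len(parts) != 3 {
		return nil, c, errors.New("malformed token")
	}
	err = json.NewDecoder(base64.NewDecoder(enc, strings.NewReader(parts[1]))).Decode(&c)
	return parts, c, err
}

// verifyHostToken is the hardened form: the algorithm is pinned server-side (never read from the header),
// the MAC is recomputed with the server secret and compared in constant time, and claims are released only then.
func verifyHostToken(token string, serverSecret []byte) (HostClaims, error) {
	parts, c, err := decodeClaims(token)
	if err != nil {
		return HostClaims{}, err
	}
	if !hmac.Equal([]byte(parts[2]), []byte(sigFor(parts[0]+"."+parts[1], serverSecret))) {
		return HostClaims{}, errors.New("signature does not match server secret")
	}
	return c, nil
}
```

The hardened verifier checks only the signature; a production implementation would also enforce expiry and any audience or issuer claims the token carries.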

Impact

Exploitation of this vulnerability allows for unauthorized access to host endpoints, bypassing authentication mechanisms and leading to exposure of sensitive host configuration data, including passwords, MQTT credentials, and WireGuard peer information.

Reproduction

To reproduce this vulnerability, deploy Netmaker v1.4.0 and register a host to obtain a valid host ID. Then, create a JWT with the same claims structure (ID, MacAddress, Network) but signed with an arbitrary secret key. Finally, send a request to the '/api/v1/host' endpoint with the forged token in the Authorization header. The response will include the full host configuration, despite the token being signed with a different key than the server's secret.

Remediation

Upgrade to Netmaker v1.5.0 or later. After upgrading, rotate all MQTT credentials, host passwords, and the server's TrafficKey to invalidate any credentials that may have been obtained through exploitation. Audit access logs for unusual 'GET /api/v1/host' requests from unexpected sources.

Added: Apr 28, 2026, 4:58 PM
Updated: Apr 28, 2026, 4:58 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 5.0
exploitability: 9.7
remediation: 7.7
relevance: 6.9
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.