How to remediate – AMQP Cleartext Authentication

1. Introduction

The AMQP Cleartext Authentication vulnerability means that communication with a messaging service uses unencrypted credentials. This allows attackers who intercept network traffic to steal usernames and passwords, potentially gaining unauthorized access to the system. Systems running RabbitMQ, Apache ActiveMQ, or similar message brokers are usually affected. A successful exploit could compromise confidentiality of messages, integrity of the queueing process, and availability of the messaging service.

2. Technical Explanation

The remote Advanced Message Queuing Protocol (AMQP) service supports authentication mechanisms that transmit credentials in plain text. This occurs because the AMQP configuration allows less secure authentication methods alongside more secure ones. An attacker can passively capture network traffic and extract usernames and passwords used to connect to the AMQP broker.

  • Root cause: The AMQP service is configured to allow authentication mechanisms that carry the password in cleartext (e.g., SASL PLAIN).
  • Exploit mechanism: An attacker uses a network sniffer (like Wireshark) to capture the traffic between clients and the AMQP server during login attempts. They then decode the captured data to reveal the credentials.
  • Scope: RabbitMQ versions prior to 3.9.1, Apache ActiveMQ instances with default configurations, and other AMQP implementations allowing cleartext authentication are affected.

3. Detection and Assessment

To confirm a system is vulnerable, check the AMQP configuration for enabled cleartext authentication methods. A thorough method involves capturing network traffic during login attempts to verify credentials are sent in plain text.

  • Quick checks: For RabbitMQ, use the `rabbitmqctl list_users` command to see configured users and their tags. Look for users using PLAIN authentication.
  • Scanning: Nessus plugin ID 16384 can identify AMQP cleartext authentication. Qualys also has relevant scanners. These are examples only.
  • Logs and evidence: Examine network captures (using Wireshark) during client login attempts. Look for unencrypted SASL or PLAIN negotiation sequences.
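Added here as an example (not from the original article) is a small Python check that reads a rabbitmq.conf in RabbitMQ's sysctl-style format (`auth_mechanisms.1 = PLAIN`, one numbered key per mechanism), ignores commented-out entries, and applies the broker's default mechanisms (PLAIN and AMQPLAIN) when the key is absent, the case a quick visual check misses. The three sample configurations are constructed.

```python
from __future__ import annotations
import re

# RabbitMQ enables these password-carrying mechanisms when auth_mechanisms is not set at all.
DEFAULT_MECHANISMS = ["PLAIN", "AMQPLAIN"]
CLEARTEXT_MECHANISMS = {"PLAIN", "AMQPLAIN"}
_MECH_LINE = re.compile(r"^\s*auth_mechanisms\.(\d+)\s*=\s*(\S+)\s*$")


def enabled_mechanisms(conf_text: str) -> list[str]:
    """Mechanisms a rabbitmq.conf enables, in key order; broker defaults apply if none is set."""
    found: dict[int, str] = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):          # a commented-out entry is not active
            continue
        match = _MECH_LINE.match(line)
        if match:
            found[int(match.group(1))] = match.group(2).upper()
    return [found[i] for i in sorted(found)] if found else list(DEFAULT_MECHANISMS)


def cleartext_mechanisms(conf_text: str) -> list[str]:
    """The subset of enabled mechanisms that transmit the password in cleartext."""
    return [m for m in enabled_mechanisms(conf_text) if m in CLEARTEXT_MECHANISMS]


# Constructed sample configurations (not taken from a real deployment).
BEFORE_CONF = """\
# RabbitMQ configuration file
auth_mechanisms.1 = PLAIN
auth_mechanisms.2 = EXTERNAL
"""
AFTER_CONF = """\
# auth_mechanisms.1 = PLAIN  (commented out to disable plain authentication)
auth_mechanisms.1 = EXTERNAL
"""
EMPTY_CONF = "# no auth_mechanisms entry: the broker falls back to its defaults\n"

if __name__ == "__main__":
    for name, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF), ("empty", EMPTY_CONF)):
        print(f"{name}: enabled={enabled_mechanisms(conf)} cleartext={cleartext_mechanisms(conf)}")
```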

4. Solution / Remediation Steps

Disable cleartext authentication mechanisms in the AMQP configuration to secure communication. These steps should be performed during a maintenance window.

4.1 Preparation

  • Dependencies: Access to the server hosting the AMQP broker and appropriate permissions to modify its configuration. Roll back by restoring the original configuration file.
  • Change window needs: A short maintenance window is required. Approval from system owners may be needed.

4.2 Implementation

  1. Edit the AMQP configuration file (e.g., `rabbitmq.conf` for RabbitMQ).
  2. Comment out or remove any lines enabling PLAIN authentication.
  3. Restart the AMQP service to apply the changes.

4.3 Config or Code Example

Before

# RabbitMQ configuration file (rabbitmq.conf, sysctl-style format: one numbered key per mechanism)
auth_mechanisms.1 = PLAIN
auth_mechanisms.2 = EXTERNAL

After

# RabbitMQ configuration file (rabbitmq.conf)
# auth_mechanisms.1 = PLAIN  (commented out to disable plain authentication)
auth_mechanisms.1 = EXTERNAL
# EXTERNAL authenticates clients by TLS certificate and needs the rabbitmq_auth_mechanism_ssl plugin enabled.
# If every auth_mechanisms entry is removed, the broker falls back to its defaults (PLAIN and AMQPLAIN).

4.4 Security Practices Relevant to This Vulnerability

  • Practice 1: Least privilege – limit user access to only the necessary queues and exchanges.
  • Practice 2: Secure Defaults – configure AMQP services with strong authentication methods enabled by default.

4.5 Automation (Optional)

# Example Ansible task that comments out the PLAIN mechanism in rabbitmq.conf.
# Deleting the only auth_mechanisms line would make the broker fall back to its
# defaults (PLAIN and AMQPLAIN), so the entry is commented out rather than removed.
- name: Disable PLAIN authentication in RabbitMQ config
  ansible.builtin.replace:
    path: /etc/rabbitmq/rabbitmq.conf
    regexp: '^(auth_mechanisms\.\d+\s*=\s*PLAIN\s*)$'
    replace: '# \1  (disabled: cleartext mechanism)'
  notify: Restart RabbitMQ   # a handler with this name that restarts rabbitmq-server must exist

5. Verification / Validation

Confirm the fix by checking that cleartext authentication is no longer enabled in the AMQP configuration and that login attempts using PLAIN authentication fail. Perform a service smoke test to ensure functionality remains intact.

  • Post-fix check: Run `rabbitmqctl list_users` again. The output should not include users with PLAIN authentication.
  • Re-test: Capture network traffic during a login attempt using the PLAIN mechanism. Verify that credentials are not transmitted in plain text.
  • Smoke test: Test connecting to the AMQP broker using a secure authentication method (e.g., EXTERNAL) and publishing/consuming messages.
  • Monitoring: Monitor AMQP logs for failed authentication attempts, which could indicate an issue with the configuration change.
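As an added example (not part of the original article), the following Python script confirms the fix at protocol level: it sends the AMQP 0-9-1 protocol header to the broker and parses the Connection.Start frame in which the server lists the SASL mechanisms it still offers, so a PLAIN entry in that list means the change did not take effect. `probe_broker` and `build_connection_start` are helper names chosen here, and the frame parsed offline is constructed.

```python
from __future__ import annotations
import socket
import struct

PROTOCOL_HEADER = b"AMQP\x00\x00\x09\x01"      # AMQP 0-9-1 protocol header a client sends first
CLEARTEXT_MECHANISMS = {"PLAIN", "AMQPLAIN"}    # password-carrying mechanisms RabbitMQ offers by default

def parse_connection_start(frame: bytes) -> list[str]:
    """Return the mechanisms advertised in an AMQP 0-9-1 Connection.Start method frame."""
    frame_type, channel, size = struct.unpack_from("!BHI", frame, 0)
    if frame_type != 1 or channel != 0 or len(frame) < 8 + size or frame[7 + size] != 0xCE:
        raise ValueError("not a well-formed method frame on channel 0")
    payload = frame[7:7 + size]
    if struct.unpack_from("!HH", payload, 0) != (10, 10):   # class connection (10), method start (10)
        raise ValueError("not a Connection.Start frame")
    pos = 6                                                 # class-id, method-id, version-major/minor
    pos += 4 + struct.unpack_from("!I", payload, pos)[0]    # skip the server-properties table
    mech_len = struct.unpack_from("!I", payload, pos)[0]    # mechanisms is a space-separated longstr
    pos += 4
    return payload[pos:pos + mech_len].decode("ascii").split()

def cleartext_offered(mechanisms: list[str]) -> list[str]:
    """Mechanisms from the broker's list that would carry the password in cleartext."""
    return [m for m in mechanisms if m.upper() in CLEARTEXT_MECHANISMS]

def build_connection_start(mechanisms: str) -> bytes:
    """Construct a minimal Connection.Start frame (empty server-properties) for offline checks."""
    body = struct.pack("!HHBB", 10, 10, 0, 9) + struct.pack("!I", 0)
    body += struct.pack("!I", len(mechanisms)) + mechanisms.encode("ascii")
    body += struct.pack("!I", 5) + b"en_US"
    return struct.pack("!BHI", 1, 0, len(body)) + body + b"\xCE"

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("broker closed the connection during the handshake")
        buf += chunk
    return buf

def probe_broker(host: str, port: int = 5672, timeout: float = 5.0) -> list[str]:
    """Send the protocol header over plain TCP and return the mechanisms the broker still offers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(PROTOCOL_HEADER)
        header = _recv_exact(sock, 7)
        if header[0] != 1:    # a broker that rejects the version echoes its own protocol header
            raise ValueError("broker did not answer with a method frame")
        size = struct.unpack_from("!I", header, 3)[0]
        return parse_connection_start(header + _recv_exact(sock, size + 1))
```

Against a live broker, `cleartext_offered(probe_broker("broker.example"))` should return an empty list after the change; the broker will log the probe as a connection that closed during the handshake, so run it from a host you expect to see in the logs.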

6. Preventive Measures and Monitoring

  • Baselines: Update security baselines or policies to require secure authentication methods for AMQP services (e.g., CIS benchmarks).
  • Pipelines: Add checks in CI/CD pipelines to validate the AMQP configuration against a known good state.
  • Asset and patch process: Implement a regular patching cycle for AMQP brokers to address security vulnerabilities promptly.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect: Incorrect configuration changes could prevent the AMQP service from starting, and clients that only support the removed mechanism will no longer be able to authenticate.
  • Roll back: Restore the original AMQP configuration file and restart the service.

8. References and Resources

Updated on October 26, 2025
