This is the 25th day of my participation in the "Nuggets Daily New Plan · August Update Challenge".
1. Preface
Nacos is becoming more and more widely used: most enterprises that adopt a microservice architecture choose it as both their service registry and their configuration center.
Nacos is an open-source Alibaba project, and like any such project it inevitably has vulnerabilities.
So today I will share some Nacos vulnerabilities, mainly security vulnerabilities.
After all, many government projects go through classified-protection (等保, MLPS) testing, and the more testing is done, the more vulnerabilities surface.
Sure enough, another one turned up today. Let's get it fixed!!!
1. nacos permission bypass vulnerability
For details, see the Nacos official website (link).
The vulnerability: when Nacos has username/password authentication enabled, a request that carries the header user-agent: Nacos-Server bypasses authentication and can read the Nacos configuration and other information directly. That User-Agent is the one Nacos whitelists for its own server-to-server calls (controlled by nacos.core.auth.enable.userAgentAuthWhite), so any client that sends it is trusted as if it were a Nacos server.
Nacos version: 1.4.2
Details are as follows:
- Access without username and password: 403
- Access with username and password: normal
- Access without username and password, but with the header: normal
It can be seen that adding the header user-agent: Nacos-Server does indeed bypass Nacos authentication.
2. Bug fixes
Upgrade to the latest version of Nacos, 2.1.1 (as of 2022-08-19).
Download address: Nacos official website (official download page)
Upgrading from 1.4.2 to 2.1.1 is covered by detailed documentation on the Nacos official website (Details).
For the upgrade of our current environment, the points to note are:
2.1 Modification of the Nacos configuration file
vi nacos/conf/application.properties
```properties
# line 122
server.tomcat.basedir=file:.
# line 148
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=security
```
These must be set like this, otherwise startup fails with an error. With the User-Agent whitelist turned off, the identity key/value pair is the shared secret that Nacos servers present to each other instead; the values shown are the sample ones from the Nacos distribution, so it is advisable to set a private value of your own in production.
2.2 Nacos database modification
Nacos 2.x adds the encrypted_data_key column (used by the config encryption plugin) to both config tables; jxbp_nacos is the database name in our environment.
```sql
/* add column to the config_info table */
ALTER TABLE jxbp_nacos.config_info ADD COLUMN encrypted_data_key text NULL COMMENT '秘钥';
/* add column to the his_config_info table */
ALTER TABLE jxbp_nacos.his_config_info ADD COLUMN encrypted_data_key text NULL COMMENT '秘钥';
```
2.3 Test after Nacos is started
- Access without username and password, but with the header: 403
  It can be seen that the vulnerability has been fixed.
- Access with username and password, without the header: normal
After testing, everything works normally.
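The three manual checks above can be scripted so the same verification is repeated after every upgrade of your own instance. The following is an added example, not code from the original post or from the Nacos project. It assumes the Nacos 1.x/2.x login endpoint /nacos/v1/auth/login returns JSON with an accessToken, and that the config search endpoint used below requires authentication; the transport is a parameter so the decision logic can be exercised offline against a constructed simulated server, while the real transport uses only urllib.

```python
"""Post-upgrade check: confirm that your own Nacos instance no longer accepts
'User-Agent: Nacos-Server' as a substitute for credentials.

Added example, not code from the original post or from Nacos. It runs the three
requests the post tests by hand (no credentials, credentials, header only) and
reports whether the outcome matches the fixed behaviour.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Config search (the console's list view); returns 200 with JSON when authorised (assumption).
CONFIG_LIST = "/nacos/v1/cs/configs?search=accurate&dataId=&group=&pageNo=1&pageSize=1"


def http_fetch(method, url, headers=None, data=None):
    """Real transport: returns (status, body). urllib raises on 4xx/5xx, so map that back."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def login(base, username, password, fetch):
    """Obtain an accessToken the way the Nacos console does (assumed endpoint shape)."""
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    status, text = fetch("POST", base + "/nacos/v1/auth/login",
                         {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise RuntimeError(f"login failed with HTTP {status}; check credentials and auth.enabled")
    return json.loads(text)["accessToken"]


def verify_fix(base, username, password, fetch=http_fetch):
    """Return each probe's status plus 'fixed': True only when auth is enforced in every case."""
    token = login(base, username, password, fetch)
    results = {}
    results["anonymous"], _ = fetch("GET", base + CONFIG_LIST, {})
    results["authenticated"], _ = fetch("GET", base + CONFIG_LIST + "&accessToken=" + token, {})
    results["header_only"], _ = fetch("GET", base + CONFIG_LIST, {"User-Agent": "Nacos-Server"})
    results["fixed"] = (results["anonymous"] == 403
                        and results["authenticated"] == 200
                        and results["header_only"] == 403)
    return results


def simulated_server(patched: bool):
    """Constructed offline stand-in for a Nacos instance: honours the header unless patched."""
    def fetch(method, url, headers=None, data=None):
        headers = headers or {}
        if url.endswith("/nacos/v1/auth/login"):
            return 200, json.dumps({"accessToken": "demo-token", "tokenTtl": 18000})
        if "accessToken=demo-token" in url:
            return 200, "{}"
        if headers.get("User-Agent") == "Nacos-Server" and not patched:
            return 200, "{}"
        return 403, "unauthorized"
    return fetch


if __name__ == "__main__":
    if len(sys.argv) == 4:  # python verify.py http://127.0.0.1:8848 nacos <password>
        print(verify_fix(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        print("unpatched (simulated):", verify_fix("http://sim", "u", "p", simulated_server(False)))
        print("patched   (simulated):", verify_fix("http://sim", "u", "p", simulated_server(True)))
```

The "anonymous" probe only returns 403 when nacos.core.auth.enabled=true; if it returns 200, authentication is off altogether and the whitelist setting is irrelevant. Run it against your own instance with the base URL and a valid account; without arguments it demonstrates both outcomes on the simulated server.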
Notice:
Of course, if you don't want to upgrade, you can also fix it on 1.4.2 by modifying the configuration file directly:
vi nacos/conf/application.properties
```properties
# line 148
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=security
```
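Whether you upgrade (section 2.1) or stay on 1.4.2 (the notice above), the fix comes down to the same few lines in application.properties, which makes it easy to audit. The following is an added example, not code from the original post or from the Nacos project: it parses a .properties file and reports the settings that still leave the User-Agent bypass open, also checking nacos.core.auth.enabled, without which none of the other settings matter. The two sample configs are constructed for the demo; treating an absent userAgentAuthWhite key as unsafe is a conservative assumption.

```python
"""Audit a Nacos application.properties for the User-Agent auth-bypass hardening.

Added example, not code from the original post or from the Nacos project.
It checks the settings the post changes (userAgentAuthWhite, the server identity
pair, server.tomcat.basedir) plus nacos.core.auth.enabled.
"""
import sys
from pathlib import Path

# Constructed sample: an unhardened 1.4.2-style config (assumption, not a real file).
SAMPLE_VULNERABLE = """\
# nacos/conf/application.properties (constructed sample)
server.tomcat.basedir=
nacos.core.auth.enabled=true
nacos.core.auth.enable.userAgentAuthWhite=true
"""

# Constructed sample: the settings the post applies after the upgrade.
SAMPLE_HARDENED = """\
server.tomcat.basedir=file:.
nacos.core.auth.enabled=true
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=security
"""

# Identity values shipped in the Nacos sample config; anyone can read them in the docs.
SHIPPED_IDENTITY = ("serverIdentity", "security")


def parse_properties(text: str) -> dict:
    """Minimal .properties parser: 'key=value' or 'key:value'; '#'/'!' comment lines skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def audit(props: dict) -> dict:
    """Return {'fail': [...], 'warn': [...]} describing the bypass exposure of a config."""
    fail, warn = [], []

    if props.get("nacos.core.auth.enabled", "false").lower() != "true":
        fail.append("nacos.core.auth.enabled is not true: authentication is off entirely")

    # Absent key treated as unsafe (conservative assumption): the whitelist is what
    # lets 'User-Agent: Nacos-Server' skip authentication.
    if props.get("nacos.core.auth.enable.userAgentAuthWhite", "true").lower() != "false":
        fail.append("nacos.core.auth.enable.userAgentAuthWhite is not false: "
                    "'User-Agent: Nacos-Server' still bypasses authentication")

    key = props.get("nacos.core.auth.server.identity.key", "")
    value = props.get("nacos.core.auth.server.identity.value", "")
    if not key or not value:
        fail.append("nacos.core.auth.server.identity.key/value are not set: "
                    "servers have no credential to use once the whitelist is off")
    elif (key, value) == SHIPPED_IDENTITY:
        warn.append("server identity uses the sample values from the Nacos distribution; "
                    "set a private value in production")

    # The post notes that 2.1.1 fails to start unless this is 'file:.'.
    if props.get("server.tomcat.basedir", "") != "file:.":
        warn.append("server.tomcat.basedir is not 'file:.': 2.1.1 startup may fail")

    return {"fail": fail, "warn": warn}


def audit_file(path: str) -> dict:
    """Audit a real application.properties on disk."""
    return audit(parse_properties(Path(path).read_text(encoding="utf-8")))


if __name__ == "__main__":
    samples = {"vulnerable sample": SAMPLE_VULNERABLE, "hardened sample": SAMPLE_HARDENED}
    for name, text in samples.items():
        print(name, audit(parse_properties(text)))
    if len(sys.argv) > 1:  # optional: python audit.py nacos/conf/application.properties
        print(sys.argv[1], audit_file(sys.argv[1]))
```

Any entry under "fail" means the bypass (or worse, no authentication at all) is still in effect; "warn" entries are the operational caveats from the upgrade section. Point it at the real file with the optional path argument.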
Seeing this, do you feel that a lot of effort was spent only to find that there was an easier way in the end?
Haha, I'm speechless!!!
I hope everyone goes easy on me; after all, I didn't find the easy way at first.
Well, that is my sharing of the Nacos permission bypass vulnerability.
The content may be a bit short, but it's all solid material!!!
My personal understanding may not be comprehensive enough, so forgive me for showing off my limited skills.
If you found it useful, please like, comment and bookmark!!!