Alibaba Nacos Authentication Bypass Vulnerability


Alibaba Nacos (Dynamic Naming and Configuration Service) is an open source project maintained by Alibaba. It makes it easy to build a dynamic service discovery, configuration management and service management platform for cloud-native applications. It provides a set of easy-to-use features for quickly implementing dynamic service discovery, service configuration, service metadata and traffic management.

Nacos provides four major functions:

Service discovery and service health checks

Nacos makes it easy for services to register themselves and discover other services through DNS or HTTP interfaces. Nacos also provides real-time health checks of services to prevent requests from being sent to unhealthy hosts or service instances.

Dynamic configuration management

Dynamic configuration services allow you to centrally and dynamically manage the configuration of all services across all environments. Nacos does not need to redeploy applications and services during configuration updates, making configuration changes more efficient and agile.

Dynamic domain name resolution service

Nacos supports weighted routing, making it easier for you to implement middle-tier load balancing, flexible routing policies, traffic control, and simple DNS resolution services in the production environment of the data center. It helps you easily implement DNS-based service discovery and prevents applications from being coupled to vendor-specific service discovery APIs.

Service and Metadata Management

Nacos provides an easy-to-use service dashboard to help you manage service metadata, configuration, Kubernetes DNS, service health and metrics statistics.

Alibaba Nacos Authentication Bypass Vulnerability

Name
Alibaba Nacos Authentication Bypass Vulnerability
Description
Alibaba Nacos is prone to an authentication bypass vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on HTTP requests, leading to an exploitable authentication bypass vulnerability. An attacker could exploit the vulnerability by sending crafted HTTP requests. A successful attack could lead to information disclosure with the privileges of the server.

CVE
CVE-2021-29441

Last Update
8748 (2023-08-24 UTC)

Reference
https://github.com/alibaba/nacos/pull/4703

The Alibaba Nacos unauthorized access vulnerability was first discovered in 2021, and the vulnerability has been reproduced before (Nacos <= 2.0.0-ALPHA.1).

1) Build a vulnerable environment (Nacos 1.2.0): set nacos.core.auth.enabled to true in the application.properties configuration file to enable the authentication function, so that accessing Nacos-related resources requires logging in.
2) Construct specially crafted data and send a request to the Nacos server. This adds an arbitrary user without authorization and directly obtains sensitive data such as user account passwords.

Source of the vulnerability reproduction data: https://www.h3c.com/cn/d_202112/1519680_30003_0.htm
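
The reproduction above shows that turning on nacos.core.auth.enabled does not protect an affected release. The following audit is an added example, not code from the original post or from the Nacos project: it reads a node's version and application.properties and reports both conditions. The affected bound is the one stated on this page; the function names, finding labels and sample file are constructed for illustration, and a missing nacos.core.auth.enabled key is assumed to mean disabled.

```python
import re

# Affected bound as stated on this page ("Nacos <= 2.0.0-ALPHA.1"); adjust it
# to the vendor advisory for the release branch you actually run.
AFFECTED_MAX = "2.0.0-ALPHA.1"

# Constructed sample file mirroring step 1 of the reproduction.
SAMPLE = """\
server.port=8848
nacos.core.auth.enabled = true
"""

def version_key(version):
    """Sortable key in which 2.0.0-ALPHA.1 < 2.0.0-ALPHA.2 < 2.0.0."""
    core, _, pre = version.strip().partition("-")
    nums = tuple(int(n) for n in core.split("."))
    if not pre:
        return (nums, (1,))  # a final release sorts after its pre-releases
    parts = tuple((0, int(p)) if p.isdigit() else (1, p.upper())
                  for p in pre.split("."))
    return (nums, (0, parts))

def parse_properties(text):
    """Minimal .properties reader: skips comments, accepts '=' or ':', last key wins."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(version, properties_text):
    """Return the list of findings (hypothetical labels) for one Nacos node."""
    props = parse_properties(properties_text)
    auth_on = props.get("nacos.core.auth.enabled", "false").lower() == "true"  # assumption: absent = off
    findings = []
    if not auth_on:
        findings.append("auth-disabled")
    if version_key(version) <= version_key(AFFECTED_MAX):
        # Reported even when auth is enabled: the setting alone is not a mitigation.
        findings.append("auth-bypass-affected-version")
    return findings

if __name__ == "__main__":
    print(audit("1.2.0", SAMPLE))
```

A node that returns an empty list has authentication enabled and is above the bound configured in AFFECTED_MAX.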

Origin blog.csdn.net/weixin_37813152/article/details/132493874