Preface
This article is the second notice following the earlier "Nacos Identity Authentication Bypass Vulnerability Security Risk Notice". It concerns unauthorized login to the Alibaba Nacos backend; the root cause of the vulnerability is the use of the default JWT key. It is the same unauthorized-access vulnerability, but exploited in a slightly different way.
Affected versions
Nacos <= 2.1.0
Vulnerability description
Nacos ships with a default JWT signing key, and leaving it unchanged results in an unauthorized-access vulnerability. Through this vulnerability, an attacker can bypass username and password verification and log in directly to the Nacos console.
Vulnerability reproduction
Step 1: Open the Nacos login page, enter any username and password, and capture the request with Burp Suite
Step 2: Then intercept the response packet
Step 3: The response packet is as follows
Step 4: Modify the response status 403 to 200 and modify the response data
Step 5: Forward the packet; the login succeeds
Security advice
1. Restrict the application to the internal network
2. Update to the latest version:
https://github.com/alibaba/nacos/releases/tag/2.2.0.1
3. Change the default value of token.secret.key in the application.properties file. For the specific procedure, refer to: https://nacos.io/zh-cn/docs/v2/guide/user/auth.html
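As an added example (not part of the original notice or of the Nacos project), a Python check over a Nacos application.properties that flags the condition behind this notice: no custom token.secret.key configured, so the built-in default key is used. The property names and the base64 / 32-byte rule are assumptions based on the Nacos 2.x auth documentation as I recall it; the sample config is constructed.

```python
import base64
import binascii
import re
import secrets

# Property names used by Nacos 2.x auth configuration (assumption from the Nacos
# auth docs; the notice itself only says "token.secret.key").
SECRET_KEY_PROPS = (
    "nacos.core.auth.plugin.nacos.token.secret.key",   # Nacos 2.2.x
    "nacos.core.auth.default.token.secret.key",        # Nacos 2.1.x
)
# HS256 needs a 256-bit key; newer Nacos releases expect a base64 value of at
# least 32 decoded bytes (assumption).
MIN_KEY_BYTES = 32

def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_token_secret(props):
    """Return (ok, reason). Fails when Nacos would fall back to its built-in key."""
    value = next((props[p] for p in SECRET_KEY_PROPS if props.get(p)), None)
    if value is None:
        return False, "token.secret.key not set: Nacos falls back to the built-in default key"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False, "token.secret.key is not valid base64"
    if len(raw) < MIN_KEY_BYTES:
        return False, f"decoded key is {len(raw)} bytes, need at least {MIN_KEY_BYTES}"
    return True, "token.secret.key is a custom key of sufficient length"

def generate_secret_key(nbytes=MIN_KEY_BYTES):
    """Produce a fresh random key in the base64 form expected for the property."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")

# Constructed sample: a 2.1.0-style config that never overrides the secret key.
SAMPLE_WEAK = """
nacos.core.auth.enabled=true
# nacos.core.auth.default.token.secret.key=   <- left commented out, default applies
"""

if __name__ == "__main__":
    print(audit_token_secret(parse_properties(SAMPLE_WEAK)))
    print("suggested replacement:", generate_secret_key())
```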