Nacos authentication bypass vulnerability fixed
1 Vulnerability description and recurrence
1.1 Vulnerability description
The Nacos maintainers disclosed, in an issue posted on GitHub, that Alibaba Nacos has an authentication bypass vulnerability caused by improper handling of the User-Agent header. The vulnerability allows an unauthenticated attacker to perform arbitrary operations, including creating new users and carrying out any operation that normally requires a login.
1.2 Vulnerability recurrence
If the request carries a User-Agent header with the value Nacos-Server, authentication is skipped entirely and users can be created at will. For example, requesting http://ip:port/nacos/v1/auth/users?username=xxx&password=xxx creates the user, as the following figure shows:
Likewise, requesting http://ip:port/nacos/v1/auth/users?pageNo=1&pageSize=10 lists the users that have been created.
2 Bug fixes
Edit the Nacos configuration file (/<nacos installation directory>/conf/application.properties), set the following properties and save:
nacos.core.auth.enabled=true
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=security
After saving, restart Nacos.
Note that once authentication is enabled, any client project that does not have the Nacos username and password configured will no longer be able to reach the service; projects that already have them configured are unaffected. In a Spring Boot project, for example, the Nacos username and password are configured as follows:
spring:
  cloud:
    nacos:
      discovery:
        server-addr: 127.0.0.1:8848
        username: nacos
        password: nacos
3 Verification after repair
After the fix, repeat the request from section 1.2. If the server now answers with 403, as shown below, the vulnerability has been fixed successfully.
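An added check covering both the configuration change in section 2 and the verification in section 3 (example code, not part of the Nacos project): audit() reads application.properties with a deliberately minimal key=value parser and reports any of the four properties that is missing or set wrongly, and verify_fixed() repeats the section 3 request against a server at a base URL you supply, returning True only when it answers 403.

```python
# Added example (not Nacos project code): audit application.properties for the
# four settings the fix requires, and repeat the section-3 check expecting 403.
import urllib.error
import urllib.request

REQUIRED = {"nacos.core.auth.enabled": "true",
            "nacos.core.auth.enable.userAgentAuthWhite": "false"}
IDENTITY_KEYS = ("nacos.core.auth.server.identity.key",
                 "nacos.core.auth.server.identity.value")

def parse_properties(text):
    """Minimal .properties reader: key=value lines; '#'/'!' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return findings for a config text; an empty list means the fix is applied."""
    props = parse_properties(text)
    findings = []
    for key, want in REQUIRED.items():          # exact values set in section 2
        got = props.get(key)
        if got is None:
            findings.append(f"{key} missing: set it to {want}")
        elif got.lower() != want:
            findings.append(f"{key}={got}: expected {want}")
    for key in IDENTITY_KEYS:                    # must be present and non-empty
        if not props.get(key):
            findings.append(f"{key} unset: server identity is not configured")
    return findings

def verify_fixed(base_url, timeout=5):
    """Repeat the check from section 3 against a live server: request the user
    list with the whitelisted User-Agent; True only if it answers 403."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/nacos/v1/auth/users?pageNo=1&pageSize=10",
        headers={"User-Agent": "Nacos-Server"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    return status == 403
```

Run audit() over the file before and after editing it; a non-empty list names exactly which property still needs attention.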