Fixing the Nacos authentication bypass vulnerability

1 Vulnerability description and reproduction

1.1 Vulnerability description

Nacos officially disclosed, in an issue posted on GitHub, that Alibaba Nacos has an authentication bypass vulnerability caused by improper handling of the User-Agent header. An attacker who reaches the Nacos API can perform arbitrary operations, including creating new users and any other operation that normally requires a login.

1.2 Vulnerability reproduction

If a request carries the header User-Agent with the value Nacos-Server, no authentication is required and users can be created at will. For example, requesting http://ip:port/nacos/v1/auth/users?username=xxx&password=xxx with that header creates the user successfully (screenshot omitted).
Requesting http://ip:port/nacos/v1/auth/users?pageNo=1&pageSize=10 with the same header likewise returns the list of existing users (screenshot omitted).

2 Fix

Edit the Nacos configuration file (<nacos installation directory>/conf/application.properties), set the following configuration items and save:

nacos.core.auth.enabled=true
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=security

After saving, restart Nacos. The identity key and value are shared by the Nacos servers themselves, so they must be identical on every node of a cluster.
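As an added example (not part of the original post and not Nacos' own tooling), the following Python script parses an application.properties file and checks that the four settings above are present with the expected values. The property names are the real Nacos keys shown above; the sample "before" and "after" contents are constructed here, and treating the value "security" as a placeholder to be replaced by a site-specific secret is this example's own assumption, since that is the value reproduced in the post.

```python
# Offline checker for the Nacos auth hardening described in the post.
# Added example; not from the original post or the Nacos project.
import re
from pathlib import Path

# The two boolean settings the post tells the reader to apply.
REQUIRED = {
    "nacos.core.auth.enabled": "true",
    "nacos.core.auth.enable.userAgentAuthWhite": "false",
}
IDENTITY_KEY = "nacos.core.auth.server.identity.key"
IDENTITY_VALUE = "nacos.core.auth.server.identity.value"

# Assumption of this example: the value copied from the post is a placeholder,
# so a config that still uses it gets a warning (not an error).
EXAMPLE_IDENTITY_VALUES = {"security"}

# key, optional whitespace, '=' or ':' separator, value (trailing space trimmed)
_LINE_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: skips blank lines and '#'/'!' comments,
    accepts '=' or ':' as separator, later duplicates override earlier ones."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = _LINE_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_nacos_auth(props: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for the four auth settings."""
    errors, warnings = [], []
    for key, want in REQUIRED.items():
        got = props.get(key)
        if got is None:
            errors.append(f"{key} is not set (expected {want})")
        elif got.lower() != want:
            errors.append(f"{key}={got} (expected {want})")
    for key in (IDENTITY_KEY, IDENTITY_VALUE):
        if not props.get(key):
            errors.append(f"{key} is missing or empty")
    if props.get(IDENTITY_VALUE) in EXAMPLE_IDENTITY_VALUES:
        warnings.append(
            f"{IDENTITY_VALUE} uses a published example value; use a unique secret"
        )
    return {"errors": errors, "warnings": warnings}


def audit_file(path: str) -> dict:
    """Convenience wrapper: audit a real conf/application.properties on disk."""
    return audit_nacos_auth(parse_properties(Path(path).read_text(encoding="utf-8")))


# Constructed sample: a config before the fix (auth off, User-Agent whitelist on)...
BEFORE = """\
# constructed sample, not a real deployment
nacos.core.auth.enabled=false
nacos.core.auth.enable.userAgentAuthWhite=true
"""

# ...and the same file after applying the four lines from the post.
AFTER = """\
nacos.core.auth.enabled=true
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=security
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_nacos_auth(parse_properties(text)))
```

Run it against the live file with audit_file("<nacos installation directory>/conf/application.properties"); an empty errors list means the post's four settings are in place, and the warning reminds you to replace the copied identity value before exposing the server.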

Once authentication is enabled, any client project that has not configured the Nacos username and password will lose access to the service; projects that already have them configured need no change. For example, in a Spring Boot configuration file the Nacos username and password are set as follows:

spring:
  cloud:
    nacos:
      discovery:
        server-addr: 127.0.0.1:8848
        username: nacos
        password: nacos

3 Verification after the fix

After the fix, repeat the request from section 1.2 against the server. If it now returns 403, the vulnerability has been fixed successfully (screenshot omitted).
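As an added example (not part of the original post), this Python snippet automates the check in this section against a server you operate: it sends the same list request the post uses, with the User-Agent value from section 1.2, and reports whether the server now denies it. The base URL is an assumed placeholder; the post expects 403, and 401 is treated as denied as well since both mean the request was refused before reaching the user list.

```python
# Post-fix self-check for the User-Agent bypass on your own Nacos server.
# Added example; not from the original post or the Nacos project.
import urllib.error
import urllib.request

USER_LIST = "/nacos/v1/auth/users?pageNo=1&pageSize=10"  # endpoint from the post


def probe_status(base_url: str, timeout: float = 5.0) -> int:
    """Send the post's request with the bypass User-Agent and return the HTTP status."""
    req = urllib.request.Request(
        base_url.rstrip("/") + USER_LIST,
        headers={"User-Agent": "Nacos-Server"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # 401/403 arrive as HTTPError; the code is the answer we want


def verdict(status: int) -> str:
    """Map the status to the outcome described in the post."""
    if status in (401, 403):
        return "fixed: request denied"
    if status == 200:
        return "still vulnerable: user list returned without authentication"
    return f"inconclusive: unexpected status {status}"


if __name__ == "__main__":
    # Placeholder address; point it at your own Nacos instance after restarting it.
    print(verdict(probe_status("http://127.0.0.1:8848")))
```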

Source: blog.csdn.net/weixin_46505978/article/details/131157115