CVE-2021-29441
Published: 2021-04-27
Priority: P1 · 90 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 74.82% (99.4th percentile)
Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true) Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on the user-agent HTTP header so it can be easily spoofed. This issue may allow any user to carry out any administrative tasks on the Nacos server.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alibaba | nacos | < 1.4.1 | 1.4.1 |
Detection & IOCs (extracted from sources)
URL: /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld
Path: /nacos/v1/cs/configs
- Send two identical POST requests to /nacos/v1/cs/configs, one without a User-Agent header and one with `User-Agent: Nacos-Server`. A 403 on the first and a 200 on the second confirms the auth-bypass backdoor is active.
- The response body of the bypassed request is the literal string `true` and its Content-Type header contains `application/json`, confirming successful exploitation. Note that this request also publishes the config entry named by dataId/group, so the probe is state-changing; use a throwaway dataId.
- The AuthFilter servlet filter is skipped when a request carries a `Nacos-Server` User-Agent. Monitor for administrative API calls bearing this User-Agent from hosts that are not Nacos cluster members, since legitimate peers are the only clients that should send it.
- The bypass is only reachable when Nacos is explicitly configured to use authentication (`-Dnacos.core.auth.enabled=true`). With auth disabled (the default) the filter is inactive and there is nothing to bypass, but such a server is open to everyone, so disabling auth is not a mitigation.
- Affected versions are Nacos prior to 1.4.1; the Nuclei template also targets up to 2.3.5, so run the detection across that full range.
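The two-request check and the User-Agent hunt described above, as an added example. This is my code, not code from the page, from Nacos or from the Nuclei project. It assumes combined-log-format access lines (as a reverse proxy or Tomcat access log in front of Nacos can produce), a constructed cluster range 10.0.0.0/24, and the constructed log sample embedded in the block; the `probe()` helper talks to a live server and is only invoked when a URL is passed on the command line.

```python
"""Added example (mine, not from the page, Nacos or the Nuclei project): the
two-request probe above as a classifier, plus a hunt over access logs for the
bypass User-Agent.  The log lines and network ranges below are constructed."""
from __future__ import annotations

import ipaddress
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Iterable

BYPASS_UA = "Nacos-Server"            # prefix the backdoor trusts
CONFIG_PATH = "/nacos/v1/cs/configs"


@dataclass
class Resp:
    status: int
    content_type: str
    body: str


def classify_probe(baseline: Resp, spoofed: Resp) -> str:
    """Interpret the pair of responses from the two-request check.
    VULNERABLE: baseline 403, spoofed 200 + JSON content type + body 'true'.
    NO_AUTH:    baseline already 200, i.e. nacos.core.auth.enabled is off and
                the server is open to everyone; there is nothing to bypass.
    NOT_VULN:   both rejected.  UNKNOWN: anything else (WAF, proxy, ...)."""
    if baseline.status == 200:
        return "NO_AUTH"
    if baseline.status == 403:
        if (spoofed.status == 200 and "application/json" in spoofed.content_type
                and spoofed.body.strip() == "true"):
            return "VULNERABLE"
        if spoofed.status == 403:
            return "NOT_VULN"
    return "UNKNOWN"


def probe(base_url: str, data_id: str = "nacos.cfg.dataIdfoo", group: str = "foo") -> str:
    """Live version of the check.  State-changing: a successful bypass publishes
    the config entry data_id/group, so use a throwaway dataId and remove it after."""
    url = f"{base_url.rstrip('/')}{CONFIG_PATH}?dataId={data_id}&group={group}&content=helloWorld"

    def send(headers: dict) -> Resp:
        # urllib adds its own User-Agent when none is given; all that matters
        # for the backdoor is that it does not start with "Nacos-Server".
        req = urllib.request.Request(url, data=b"", method="POST", headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as r:
                return Resp(r.status, r.headers.get("Content-Type", ""), r.read().decode(errors="replace"))
        except urllib.error.HTTPError as e:
            return Resp(e.code, e.headers.get("Content-Type", ""), e.read().decode(errors="replace"))

    return classify_probe(send({}), send({"User-Agent": BYPASS_UA}))


# Combined log format (assumed), as a proxy or access log in front of Nacos can emit.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')


def hunt_bypass(lines: Iterable[str], cluster_members: Iterable[str]) -> list[dict]:
    """Flag Nacos API calls carrying the Nacos-Server User-Agent from hosts that
    are not cluster members; real peers send that UA, so member ranges are excluded."""
    members = [ipaddress.ip_network(m, strict=False) for m in cluster_members]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["ua"].startswith(BYPASS_UA) or not m["path"].startswith("/nacos/v1/"):
            continue
        if any(ipaddress.ip_address(m["src"]) in net for net in members):
            continue
        hits.append({"src": m["src"], "ts": m["ts"], "method": m["method"],
                     "path": m["path"], "status": int(m["status"])})
    return hits


# Constructed sample: a legitimate peer, an outsider running the two-request
# check (403 with curl, then 200 with the spoofed UA), and a second outsider.
SAMPLE_LOG = """\
10.0.0.11 - - [27/Apr/2021:10:00:01 +0000] "POST /nacos/v1/cs/configs?dataId=app&group=DEFAULT_GROUP HTTP/1.1" 200 4 "-" "Nacos-Server"
203.0.113.7 - - [27/Apr/2021:10:00:02 +0000] "POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1" 403 89 "-" "curl/7.74.0"
203.0.113.7 - - [27/Apr/2021:10:00:03 +0000] "POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1" 200 4 "-" "Nacos-Server"
198.51.100.9 - - [27/Apr/2021:10:05:40 +0000] "GET /nacos/v1/cs/configs?dataId=app&group=DEFAULT_GROUP HTTP/1.1" 200 512 "-" "Nacos-Server/1.4.0"
"""
CLUSTER = ["10.0.0.0/24"]             # constructed: where the real Nacos nodes live


def sample_hits() -> list[dict]:
    return hunt_bypass(SAMPLE_LOG.splitlines(), CLUSTER)


if __name__ == "__main__":
    for h in sample_hits():
        print(f"{h['ts']} {h['src']} {h['method']} {h['path']} -> {h['status']}")
    if len(sys.argv) > 1:             # python nacos_check.py http://nacos.example:8848
        print(probe(sys.argv[1]))
```

On the sample the hunt returns the two outsider requests and ignores both the real peer at 10.0.0.11 and the curl request that was correctly rejected. A baseline that already answers 200 is reported as NO_AUTH rather than as safe: the server is simply unauthenticated, which is the worse state.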
CVSS provenance
NVD v3.1: 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 8.6 HIGH
GHSA
Authentication Bypass
ghsa·2021-04-27
CVE-2021-29441 [HIGH] CWE-290 Authentication Bypass
When configured to use authentication (`-Dnacos.core.auth.enabled=true`) Nacos uses the `AuthFilter` servlet filter to enforce authentication. This filter has a [backdoor](https://github.com/alibaba/nacos/blob/5fa05aef52f7432aeab19fe53035431b9d8c91d9/core/src/main/java/com/alibaba/nacos/core/auth/AuthFilter.java#L78-L81) that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on the `user-agent` HTTP header so it can be easily spoofed.
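A model of the filter decision described above, as an added example. This is my code, not the Nacos project's. The vulnerable branch follows the behaviour the advisory describes for the linked AuthFilter lines (a prefix match on the User-Agent); the hardened form, a per-deployment server-identity header checked in constant time, is a generic fix used here for illustration, and the `accessToken` check stands in for the normal login path. Neither the hardened header name nor the token mechanism is taken from the page.

```python
"""Added example (mine, not Nacos code): the AuthFilter decision before and
after hardening.  The hardened variant is an illustrative fix, not the page's."""
from __future__ import annotations

import hmac
import secrets


class VulnerableAuthFilter:
    """Nacos < 1.4.1 behaviour: any client can claim to be a cluster peer."""

    def __init__(self, valid_tokens: set[str], auth_enabled: bool = True):
        self.valid_tokens = valid_tokens
        self.auth_enabled = auth_enabled

    def allow(self, headers: dict) -> bool:
        if not self.auth_enabled:            # -Dnacos.core.auth.enabled=false: everything passes
            return True
        ua = headers.get("User-Agent", "")
        if ua.startswith("Nacos-Server"):    # the backdoor: trust derived from a client-chosen header
            return True
        return headers.get("accessToken") in self.valid_tokens


class HardenedAuthFilter:
    """Peer calls must present a secret the attacker cannot guess, not a label."""

    def __init__(self, valid_tokens: set[str], identity_key: str, identity_value: str):
        self.valid_tokens = valid_tokens
        self.identity_key = identity_key       # header name configured per deployment (assumed)
        self.identity_value = identity_value   # shared only among cluster nodes

    def allow(self, headers: dict) -> bool:
        presented = headers.get(self.identity_key, "")
        if presented and hmac.compare_digest(presented.encode(), self.identity_value.encode()):
            return True                         # peer traffic, authenticated by the shared secret
        return headers.get("accessToken") in self.valid_tokens


def demo() -> dict:
    """Run the same four callers through both filters; values are (old, new)."""
    tokens = {"tok-legit"}
    secret = secrets.token_hex(16)
    old = VulnerableAuthFilter(tokens)
    new = HardenedAuthFilter(tokens, "Server-Identity", secret)
    spoofed = {"User-Agent": "Nacos-Server"}                           # what the exploit sends
    peer = {"User-Agent": "Nacos-Server", "Server-Identity": secret}   # a real cluster node
    user = {"User-Agent": "curl/7.74.0", "accessToken": "tok-legit"}
    anon = {"User-Agent": "curl/7.74.0"}
    return {
        "spoofed": (old.allow(spoofed), new.allow(spoofed)),
        "peer": (old.allow(peer), new.allow(peer)),
        "user": (old.allow(user), new.allow(user)),
        "anon": (old.allow(anon), new.allow(anon)),
        # auth disabled is not a mitigation: the anonymous caller is let through
        "anon_auth_off": VulnerableAuthFilter(tokens, auth_enabled=False).allow(anon),
    }


if __name__ == "__main__":
    for caller, verdict in demo().items():
        print(f"{caller:14} {verdict}")
```

The spoofed caller is accepted by the old filter and rejected by the hardened one, while a real peer and a logged-in user pass both; the last row shows that turning authentication off admits everyone, which is why the "auth disabled" caveat is not a defence.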
The following request to the `configuration` endpoint gets rejected as we are not providing any credentials:
```
❯ curl -X POST "http://127.0.0.1:8848/nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld"
{"timestamp":"2020-12-02T14:33:57.154+0000","status
```
OSV
osv·2021-04-27
CVE-2021-29441 [HIGH] Authentication Bypass (same advisory text and curl example as the GHSA entry above)
VulnCheck
alibaba nacos Authentication Bypass by Spoofing
vulncheck·2021·CVSS 8.6
CVE-2021-29441 [HIGH] alibaba nacos Authentication Bypass by Spoofing
Affected: alibaba nacos
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
No detection rules found.
Nuclei
Nacos <1.4.1 - Authentication Bypass
nuclei·CVSS 9.8
CVE-2021-29441 [CRITICAL] Nacos <1.4.1 - Authentication Bypass
Nacos <= 2.3.5. In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true) Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on the user-agent HTTP header so it can be easily spoofed. This issue may allow any user to carry out any administrative tasks on the Nacos server.
Template:
```yaml
id: CVE-2021-29441
info:
  name: Nacos <= 2.3.5.
  In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true)
  Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that
  enables Nacos servers to bypass this filter and therefore skip a
```
Unit42
Network Security Trends: May-July 2021
blogs_unit42·2021-09-17
Network Security Trends: May-July 2021
## Executive Summary
Unit 42 researchers continue to observe network security trends, tracking how cybercriminals take advantage of vulnerabilities in the real world. The following sections present our analysis of the most recently published vulnerabilities, including their severity and category distribution. Additionally, we provide insight into how the vulnerabilities are exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We highlight vulnerabilities ranked medium severity and above that were newly published from May-July 2021 in order to raise awareness of their active exploits in the wild. We then draw conclusions about the most commonly exploited vulnerabilities we observed attackers using, as well as the severity, category and
Authors: Yue Guan, Lei Xu · Published: September 17, 2021
Greynoiseio
NoiseLetter March 2024
blogs_greynoiseio