Alibaba Nacos Authentication Bypass (CVE-2021-29441) - Vulnerability Database

Description

Nacos is an open-source platform for dynamic service discovery, configuration management, and service orchestration in cloud-native applications.

Versions of Nacos prior to 1.4.1 contain an authentication bypass vulnerability (CVE-2021-29441) that allows attackers to circumvent authentication controls using specially crafted HTTP requests. This vulnerability enables unauthorized access to the Nacos management interface and APIs without valid credentials, potentially exposing all configuration data and service registry information.

Remediation

Take the following steps to remediate this vulnerability:

1. Immediately upgrade Nacos to version 1.4.1 or later, which contains the security fix for CVE-2021-29441.

2. Review access logs for any suspicious authentication attempts or unauthorized access that may have occurred prior to patching.

3. Implement network-level controls to restrict access to the Nacos management interface:
   - Place Nacos behind a firewall or security group that only allows access from trusted networks.
   - Use a reverse proxy with additional authentication if Nacos must be exposed.

4. Enable authentication and authorization properly in the Nacos configuration and verify that default credentials have been changed.

5. Rotate any sensitive credentials or configuration data that may have been exposed if unauthorized access is suspected.
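The following script is an added example supporting steps 1 and 2 of the remediation above; it is not code from this advisory or from the Nacos project. It does two things: it decides whether a reported Nacos version predates the 1.4.1 fix (comparing version tuples rather than strings, so "1.10.0" is not mistaken for an old release), and it scans reverse-proxy access-log lines for successful requests to Nacos API paths from outside a set of trusted networks. It assumes Nacos sits behind a proxy that writes combined-format access logs, that the trusted ranges and the default /nacos/ context path are adjusted to your deployment, and that the API paths in the sample lines (/nacos/v1/cs/configs for configuration data, /nacos/v1/ns/service/list for the service registry) are the ones your instance exposes. The log lines are constructed, not real traffic.

```python
"""Added example (not part of the advisory or of Nacos): defender-side checks
for the CVE-2021-29441 remediation.

1. version_is_vulnerable(): does a reported Nacos version predate the 1.4.1 fix?
2. find_untrusted_nacos_access(): which successful requests to Nacos API paths
   in a reverse-proxy access log came from outside the trusted networks?
"""
import ipaddress
import re

FIXED_VERSION = (1, 4, 1)  # first release containing the fix, per the advisory

# Assumed trusted networks (adjust to your environment).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Nacos serves its console and HTTP API under /nacos by default (assumed context path).
NACOS_PATH_PREFIX = "/nacos/"

# Combined log format as written by nginx or Apache in front of Nacos.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version):
    """Map a version string ("1.4.0", "1.3.2-BETA", "v1.4") to a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_is_vulnerable(version):
    """True when the reported version predates 1.4.1 and step 1 (upgrade) still applies."""
    return parse_version(version) < FIXED_VERSION


def is_trusted(ip_text):
    """True when the source address falls inside one of TRUSTED_NETWORKS."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_untrusted_nacos_access(log_lines):
    """Return successful (2xx) requests to Nacos paths whose source lies outside TRUSTED_NETWORKS."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess at its layout
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        if not path.startswith(NACOS_PATH_PREFIX):
            continue
        if is_trusted(m["ip"]):
            continue
        if not m["status"].startswith("2"):
            continue  # a rejected request is noise here; only successful access matters
        findings.append({"ip": m["ip"], "time": m["ts"], "method": m["method"], "path": path})
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.3.7 - - [10/Mar/2024:10:00:01 +0000] "GET /nacos/v1/cs/configs?dataId=app.yaml&group=DEFAULT_GROUP HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.45 - - [10/Mar/2024:10:00:05 +0000] "GET /nacos/v1/cs/configs?dataId=app.yaml&group=DEFAULT_GROUP HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.45 - - [10/Mar/2024:10:00:09 +0000] "GET /nacos/v1/ns/service/list?pageNo=1&pageSize=100 HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Mar/2024:10:00:12 +0000] "GET /nacos/ HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [10/Mar/2024:10:01:00 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.28"',
]

if __name__ == "__main__":
    for v in ("1.3.2", "1.4.0", "1.4.1", "2.0.3"):
        print(f"Nacos {v}: {'VULNERABLE' if version_is_vulnerable(v) else 'fixed'}")
    for f in find_untrusted_nacos_access(SAMPLE_LOG):
        print(f"untrusted access: {f['ip']} {f['method']} {f['path']} at {f['time']}")
```

Run against the sample, the script flags the two successful requests from 203.0.113.45 (one reading configuration, one listing services) and ignores the trusted-network read, the rejected 403, and the unrelated health check. On a real log, any hit from before the upgrade is the trigger for steps 2 and 5: treat the configuration and service data those requests could reach as exposed and rotate the credentials it contained.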
