CVE-2020-13945 Overview
CVE-2020-13945 is an authentication bypass vulnerability in Apache APISIX, a dynamic, real-time, high-performance API gateway. The vulnerability occurs when users enable the Admin API and delete the Admin API access IP restriction rules, allowing attackers to use the default authentication token to access APISIX management data. This misconfiguration exposes sensitive management interfaces to unauthorized network access.
Critical Impact
Attackers exploiting this vulnerability can access APISIX management data using the default token, potentially leading to unauthorized configuration changes, data exfiltration, and complete compromise of the API gateway infrastructure.
Affected Products
- Apache APISIX version 1.2
- Apache APISIX version 1.3
- Apache APISIX version 1.4
- Apache APISIX version 1.5
Discovery Timeline
- 2020-12-07 - CVE-2020-13945 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-13945
Vulnerability Analysis
This vulnerability stems from an insecure default configuration issue in Apache APISIX's Admin API. The Admin API provides a powerful interface for managing routes, services, plugins, and other core functionality of the API gateway. By design, Apache APISIX includes IP restriction rules to limit Admin API access to trusted sources.
When administrators disable or remove these IP restriction rules without implementing alternative security measures, the Admin API becomes accessible from any network location. Combined with the default authentication token that ships with APISIX, this creates a significant authentication bypass scenario. Attackers with network access can authenticate using the well-known default token and gain full administrative control over the API gateway.
The vulnerability requires low privileges to exploit and can be initiated remotely over the network without user interaction. While the immediate impact is high confidentiality exposure, the ability to access management data could facilitate further attacks including remote code execution, as documented in Packet Storm's RCE Exploit.
Root Cause
The root cause is a combination of insecure default configuration and insufficient security guidance. Apache APISIX ships with a default Admin API token that should be changed during deployment. When administrators remove IP restriction rules (perhaps for convenience or during troubleshooting) without changing this default token, the system becomes vulnerable to unauthorized access. The absence of mandatory token rotation or warnings when IP restrictions are disabled contributes to this vulnerability.
Attack Vector
The attack vector is network-based, requiring the attacker to have network connectivity to the APISIX Admin API endpoint (typically port 9080 or a custom-configured port). The attack flow involves:
- Attacker identifies an exposed Apache APISIX Admin API endpoint
- Attacker attempts authentication using the default Admin API token (edd1c9f034335f136f87ad84b625c8f1 or similar default values)
- Upon successful authentication, attacker gains access to management endpoints
- Attacker can enumerate routes, services, upstream configurations, and sensitive plugin data
- Further exploitation may include injecting malicious routes or plugins for code execution
The exploitation is straightforward and does not require specialized tools. Attackers can use standard HTTP clients like curl to interact with the Admin API using the default token in the X-API-KEY header.
Detection Methods for CVE-2020-13945
Indicators of Compromise
- Unexpected authentication attempts to the Admin API endpoint from external IP addresses
- Successful Admin API requests originating from non-administrative source IPs
- API calls using the default authentication token from unknown sources
- Configuration changes to routes, services, or plugins without corresponding change tickets
Detection Strategies
- Implement network monitoring for connections to APISIX Admin API ports from untrusted networks
- Enable and review Admin API access logs for authentication patterns using default tokens
- Deploy intrusion detection rules to alert on default APISIX token usage in HTTP headers
- Conduct periodic configuration audits to verify IP restriction rules are active
Monitoring Recommendations
- Configure SIEM alerts for Admin API access from external IP ranges
- Monitor for bulk enumeration requests to /apisix/admin/ endpoints
- Track authentication failures followed by successful authentications as potential brute-force indicators
- Review Admin API audit logs for unauthorized configuration modifications
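As an added example (not from this page or from the APISIX project), the Python below scans a constructed Admin API access log, assumed to be written with a custom nginx log_format that records the X-API-KEY value, and flags requests that presented the default token or arrived from outside the trusted management networks; the trusted networks and sample addresses are hypothetical.

```python
import ipaddress
import re

# Default Admin API key of affected APISIX 1.x releases (quoted in the Attack Vector section above).
DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"

# Hypothetical trusted management networks; keep these in sync with allow_admin in config.yaml.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/24", "10.0.0.0/8")]

# Assumed custom log format: <client_ip> "<method> <path> <proto>" <status> key=<X-API-KEY or ->
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) key=(?P<key>\S+)$'
)

def analyze_admin_log(lines):
    """Return (client_ip, reason) findings for every Admin API request that
    presented the default key or came from outside the trusted networks.
    The reason records whether APISIX accepted (2xx) or rejected the call."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not m.group("path").startswith("/apisix/admin/"):
            continue  # unparseable line or ordinary proxied traffic
        ip = ipaddress.ip_address(m.group("ip"))
        outcome = "accepted" if m.group("status").startswith("2") else "rejected"
        if m.group("key") == DEFAULT_ADMIN_KEY:
            findings.append((str(ip), f"default_admin_key_{outcome}"))
        if not any(ip in net for net in TRUSTED_ADMIN_NETS):
            findings.append((str(ip), f"untrusted_source_{outcome}"))
    return findings

def compromised_sources(findings):
    """Source IPs whose default-key Admin API calls were accepted: treat as
    confirmed unauthorized administrative access, not merely an attempt."""
    return sorted({ip for ip, reason in findings if reason == "default_admin_key_accepted"})

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
10.0.1.5 "GET /apisix/admin/routes HTTP/1.1" 200 key=rotated-key-constructed
203.0.113.7 "GET /apisix/admin/routes HTTP/1.1" 200 key=edd1c9f034335f136f87ad84b625c8f1
203.0.113.7 "PUT /apisix/admin/routes/1 HTTP/1.1" 201 key=edd1c9f034335f136f87ad84b625c8f1
198.51.100.9 "GET /apisix/admin/services HTTP/1.1" 401 key=wrong-key
10.0.1.5 "GET /hello HTTP/1.1" 200 key=-
"""

if __name__ == "__main__":
    hits = analyze_admin_log(SAMPLE_LOG.splitlines())
    for ip, reason in hits:
        print(ip, reason)
    print("compromised:", compromised_sources(hits))
```

An accepted default-key call from an untrusted address is the signal that warrants incident handling; rejected calls are reconnaissance and feed the brute-force indicator above.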
How to Mitigate CVE-2020-13945
Immediate Actions Required
- Change the default Admin API token to a strong, unique value immediately
- Reinstate IP restriction rules to limit Admin API access to trusted management networks
- Audit current APISIX configuration for any unauthorized changes
- Review access logs to determine if exploitation has already occurred
Patch Information
Apache recommends upgrading to a patched version and implementing proper security configurations. Refer to the Apache Dev Mailing List Thread for official guidance. Users should upgrade beyond versions 1.2, 1.3, 1.4, and 1.5 to a version that addresses this vulnerability.
Workarounds
- Configure allow_admin in conf/config.yaml to restrict Admin API access to specific trusted IP addresses only
- Deploy a reverse proxy or firewall in front of the Admin API to enforce IP-based access controls
- Use mTLS (mutual TLS) for Admin API authentication as an additional security layer
- Consider disabling the Admin API entirely if not required for production operations
# Configuration example - conf/config.yaml
# Restrict Admin API access to localhost and internal management network
apisix:
  admin_key:
    - name: "admin"
      key: "your-unique-strong-api-key-here"  # Replace default token
      role: admin
  allow_admin:
    - 127.0.0.0/24  # loopback, written as a network address (not 127.0.0.1/24)
    - 10.0.0.0/8    # Internal management network only
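The periodic configuration audit recommended under Detection Strategies and Workarounds, as an added Python example (not part of this page or of APISIX): it checks the apisix section of a parsed config.yaml for the default token and for missing, wildcard or malformed allow_admin entries, and mirrors the allow-list decision for a given source address. The dict shape is assumed to be what yaml.safe_load would return for the file above; the sample configs are constructed.

```python
import ipaddress

# Default Admin API key of affected APISIX 1.x releases (quoted in the Attack Vector section).
DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"
ANY_NET = {"0.0.0.0/0", "::/0"}

def audit_admin_config(cfg):
    """Return a list of findings for the 'apisix' section of a parsed
    config.yaml (dict as produced by yaml.safe_load). An empty list passes."""
    apisix = cfg.get("apisix", {})
    findings = []
    keys = apisix.get("admin_key") or []
    if not keys:
        findings.append("admin_key missing: Admin API has no token configured")
    for entry in keys:
        if entry.get("key") == DEFAULT_ADMIN_KEY:
            findings.append(f"admin_key '{entry.get('name')}' uses the default token")
    nets = apisix.get("allow_admin") or []
    if not nets:
        findings.append("allow_admin missing/empty: Admin API reachable from any source")
    for n in nets:
        if n in ANY_NET:
            findings.append(f"allow_admin {n} permits every source address")
            continue
        try:
            ipaddress.ip_network(n)  # strict: rejects host bits set, e.g. 127.0.0.1/24
        except ValueError:
            findings.append(f"allow_admin entry {n!r} is not a valid CIDR network")
    return findings

def source_allowed(cfg, client_ip):
    """Mirror the intended allow_admin decision: True when client_ip falls in a
    listed network; an empty list means unrestricted (the vulnerable state)."""
    nets = cfg.get("apisix", {}).get("allow_admin") or []
    if not nets:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

# Constructed configs: the vulnerable shape (default token, restriction removed)
# beside the hardened shape shown in the example above.
VULNERABLE_CFG = {"apisix": {"admin_key": [{"name": "admin", "key": DEFAULT_ADMIN_KEY, "role": "admin"}]}}
HARDENED_CFG = {"apisix": {
    "admin_key": [{"name": "admin", "key": "rotated-key-constructed", "role": "admin"}],
    "allow_admin": ["127.0.0.0/24", "10.0.0.0/8"],
}}

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CFG), ("hardened", HARDENED_CFG)):
        print(label, audit_admin_config(cfg) or ["OK"])
```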
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

