CVE-2021-29441 Overview
CVE-2021-29441 is an authentication bypass vulnerability in Alibaba Nacos, a platform designed for dynamic service discovery, configuration, and service management. In Nacos versions prior to 1.4.1, when authentication is enabled (-Dnacos.core.auth.enabled=true), the AuthFilter servlet filter responsible for enforcing authentication contains a backdoor mechanism. This backdoor allows requests to bypass authentication checks entirely by spoofing the User-Agent HTTP header, enabling attackers to gain full administrative access to the Nacos server without valid credentials.
Critical Impact
This vulnerability allows any unauthenticated remote attacker to carry out any administrative tasks on the Nacos server, potentially compromising all managed services and configurations.
Affected Products
- Alibaba Nacos versions prior to 1.4.1
- Nacos deployments with authentication enabled (-Dnacos.core.auth.enabled=true)
- All platforms running vulnerable Nacos versions
Discovery Timeline
- 2021-04-27 - CVE-2021-29441 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-29441
Vulnerability Analysis
This vulnerability stems from a severe design flaw in the authentication mechanism of Alibaba Nacos. The AuthFilter servlet filter, which is responsible for validating authentication credentials when Nacos is configured with authentication enabled, contains an intentional bypass mechanism that relies on the User-Agent HTTP header for identification of internal server-to-server communication.
The vulnerability is classified under CWE-290 (Authentication Bypass by Spoofing), which describes scenarios where an attacker can bypass authentication by forging or manipulating identity credentials. In this case, the User-Agent header serves as an implicit trust mechanism that was never intended to be exposed to external users but can be trivially exploited.
When exploited, attackers gain complete administrative control over the Nacos server, enabling them to modify service configurations, access sensitive data, register malicious services, and potentially pivot to other systems within the managed infrastructure.
Root Cause
The root cause of CVE-2021-29441 lies in the implementation of the AuthFilter class, which includes a hardcoded check for specific User-Agent values. When the filter detects a matching User-Agent string (intended for internal Nacos server communication), it bypasses all authentication validation and grants the request full access. This design assumes that the User-Agent header cannot be controlled by external attackers—a fundamentally flawed security assumption since HTTP headers are fully controllable by clients.
Attack Vector
The attack vector for this vulnerability is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending HTTP requests to the Nacos API with a crafted User-Agent header that matches the internal server identifier. This allows the attacker to:
- Bypass the authentication filter entirely
- Access all administrative API endpoints
- Create, modify, or delete service configurations
- Register malicious services within the Nacos cluster
- Extract sensitive configuration data including database credentials and API keys
The exploitation is straightforward and can be performed using standard HTTP tools such as curl, Burp Suite, or custom scripts. Since the vulnerability relies solely on header manipulation, no complex exploit chains or additional vulnerabilities are required.
Detection Methods for CVE-2021-29441
Indicators of Compromise
- Unusual User-Agent strings in web server access logs that match Nacos internal server identifiers
- Unauthenticated access to administrative API endpoints such as /nacos/v1/auth/users or /nacos/v1/cs/configs
- Unexpected configuration changes or service registrations in the Nacos console
- Access logs showing administrative operations without corresponding authentication events
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests with suspicious User-Agent headers targeting Nacos
- Monitor authentication logs for bypass attempts and anomalous access patterns to protected endpoints
- Deploy network traffic analysis to identify HTTP requests to Nacos with known exploit patterns
- Configure SIEM alerts for administrative API calls that lack corresponding successful authentication events
Monitoring Recommendations
- Enable detailed access logging on Nacos servers and forward logs to centralized SIEM for analysis
- Implement real-time alerting for any administrative configuration changes within the Nacos platform
- Monitor network traffic to Nacos instances for requests originating from unexpected source IPs
- Conduct periodic audits of service registrations and configurations for unauthorized modifications
How to Mitigate CVE-2021-29441
Immediate Actions Required
- Upgrade Alibaba Nacos to version 1.4.1 or later immediately to remediate the vulnerability
- Place Nacos servers behind a reverse proxy or firewall that strips or validates User-Agent headers
- Restrict network access to Nacos administrative interfaces to trusted IP ranges only
- Review access logs for evidence of exploitation and investigate any suspicious administrative actions
- Audit all service configurations and user accounts for unauthorized changes
Patch Information
Alibaba has addressed this vulnerability in Nacos version 1.4.1. The fix removes the User-Agent-based bypass mechanism from the AuthFilter class, ensuring that all requests must properly authenticate regardless of header values. Organizations should upgrade to version 1.4.1 or later as soon as possible. The patch details can be reviewed in the GitHub Pull Request.
Workarounds
- Deploy a reverse proxy (such as nginx or HAProxy) in front of Nacos that overwrites or sanitizes the User-Agent header before forwarding requests
- Implement network segmentation to restrict access to Nacos servers from trusted networks only
- Use IP-based allowlisting at the network or firewall level to limit who can reach the Nacos API
- If authentication cannot be enforced, consider disabling external network access to Nacos until patching is complete
# Example nginx configuration to sanitize User-Agent headers
location /nacos/ {
proxy_pass http://nacos-backend:8848/nacos/;
proxy_set_header User-Agent "sanitized-client";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
