A recent issue in Nexus Repository left many companies and government agencies exposed, with thousands of private artifacts reachable without any protection, according to a July 2 blog post from Twistlock Labs researchers Daniel Shapira and Ariel Zelivansky.
While the issue was swiftly rectified, Shapira and Zelivansky noted that this type of exposure could have had catastrophic consequences and cannot be taken lightly.
A team of dedicated white hats identified these weaknesses within Nexus Repository. In a July 2 blog post, researchers wrote, “During my recent work I have discovered two security vulnerabilities in Nexus Repository that affect all users under default settings.
“This post is a dive into these vulnerabilities, which exposed thousands of private artifacts across a broad range of industries, including financial services, healthcare, communications, government agencies and countless private companies. But first, let's dig into what a Nexus Repository Manager actually is.”
According to Sonatype’s website, millions of developers trust the Sonatype Nexus Repository Manager, which has more than 120,000 active repositories and which the company calls “the perfect system of record for all your software parts.”
"In March, a researcher from Twistlock contacted us about two issues he identified, stemming from user access settings. As with any disclosure, we immediately looked into it," explained Brian Fox, Sonatype CTO.*
"The disclosure was questioning the long standing ability to allow a repository to provide anonymous access for reading artifacts. Since this wasn’t a new capability and because it affects legitimate use cases, this was not a typical zero day and instead a product feature UX change that makes it easier to be more secure. We therefore decided to take a more thoughtful and diligent approach than we would with a true zero-day.
"The majority of repository managers are deployed inside a firewall and intentionally configured to allow anonymous access for sharing artifacts. This is a useful capability to provide organizations who choose to do so. Obviously providing wide open read access on the public Internet should be carefully considered, but as you see with many public forges, that ability to serve common artifacts without requiring a user to sign up, is critically important," Fox continued.
"While we disagreed with the assessment that anonymous access should be completely removed from the product, we agreed that more could be done to require a definitive choice to enable Anonymous access during initial setup. We addressed this as quickly as possible with a rolling fix - one in our 3.16.2 product release and one in our most recent update which is 3.17. As we always do, we do want to emphasize the importance of upgrading to the latest version of Nexus Repository. In this case, we additionally ask that organizations re-review if their use of anonymous read access is appropriate for their use case."
The Twistlock Labs researchers wrote that the universal repository manager allows users to proxy, collect and manage Java dependencies, Docker images, Python packages and much more. “In sum, it makes it easier to distribute your software. Internally, you configure your build to publish artifacts to Nexus and they then become available to other developers,” the blog post said.
Because administrators often skip configuration steps and run the software under default settings with only minor modifications, the researchers found two weaknesses in the default deployment: the built-in administrator account ships with the credentials admin/admin123 (filed as CWE-521, Weak Password Requirements), and anonymous access is enabled, so any unauthenticated user can read and download resources from Nexus (CWE-276, Incorrect Default Permissions).
“This means all the images in the repository can be downloaded just by accessing the repository, with no authentication needed, or by authenticating as the default admin account if unchanged. While reviewing some of these internet accessible repositories, I have found that at least 50% of them are using the default settings – meaning they are both affected by CWE-521 and CWE-276,” researchers wrote.
“These vulnerabilities mean users expose all of their private artifacts (images, packages and more) to the internet unintentionally. And unfortunately, this scenario is more common than you might think.”
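The two default-settings weaknesses described above can be checked from the outside with a short probe. The following script is an added example, not code from the article, Twistlock or Sonatype. It assumes that on Nexus Repository 3 the listing at /service/rest/v1/repositories is readable by the anonymous user when anonymous access is enabled, and that the Script API at /service/rest/v1/script is admin-only, so a 200 response with admin/admin123 means the default credentials were accepted; the repository listing it runs on offline is constructed, not captured from a real server. It also separates hosted repositories (an organisation's own artifacts) from proxy repositories (mirrors of public upstreams), since only the former are the private artifacts the researchers were counting. Run it only against instances you are authorised to test.

```python
"""Probe a Nexus Repository 3 instance for the two default-settings weaknesses
in the article: anonymous read access (CWE-276) and admin/admin123 (CWE-521).

Added example, not the article's or the vendor's code. Assumptions not stated
on the page: REPO_LIST is anonymous-readable when anonymous access is enabled,
and ADMIN_ONLY rejects anyone who is not an administrator.
"""
import base64
import json
import sys
import urllib.error
import urllib.request

DEFAULT_CREDS = ("admin", "admin123")          # the default account named in the article
REPO_LIST = "/service/rest/v1/repositories"    # assumed anonymous-readable listing
ADMIN_ONLY = "/service/rest/v1/script"         # assumed admin-only endpoint (Script API)


def basic_auth_header(user, password):
    """Build the HTTP Basic Authorization header Nexus expects."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def http_get(url, headers=None, timeout=10):
    """GET a URL and return (status, body); HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def exposed_hosted_repos(listing_body):
    """Names of *hosted* repositories in a repository listing.

    Hosted repositories hold an organisation's own artifacts (the private images
    and packages the article is about). Proxy repositories only mirror public
    upstreams, and group repositories are just unions of their members, so both
    are skipped. A body that is not JSON (e.g. a login page) yields no names.
    """
    try:
        repos = json.loads(listing_body)
    except ValueError:
        return []
    return sorted(r["name"] for r in repos if r.get("type") == "hosted")


def assess(anon_status, anon_body, cred_status):
    """Turn the two probe results into findings keyed by the CWE ids the article cites."""
    anonymous_read = anon_status == 200
    return {
        "anonymous_read": anonymous_read,                                     # CWE-276
        "hosted_exposed": exposed_hosted_repos(anon_body) if anonymous_read else [],
        "default_admin": cred_status == 200,                                  # CWE-521
    }


def probe(base_url):
    """Run both probes against a live instance and return the assessment."""
    base = base_url.rstrip("/")
    anon_status, anon_body = http_get(base + REPO_LIST)
    cred_status, _ = http_get(base + ADMIN_ONLY, basic_auth_header(*DEFAULT_CREDS))
    return assess(anon_status, anon_body, cred_status)


# Constructed sample of an anonymous repository listing so the logic can be
# exercised offline; it is not captured from a real server.
SAMPLE_LISTING = json.dumps([
    {"name": "maven-central", "format": "maven2", "type": "proxy"},
    {"name": "maven-releases", "format": "maven2", "type": "hosted"},
    {"name": "docker-internal", "format": "docker", "type": "hosted"},
    {"name": "maven-public", "format": "maven2", "type": "group"},
]).encode()

if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = probe(sys.argv[1])                 # e.g. http://nexus.example.internal:8081
    else:
        result = assess(200, SAMPLE_LISTING, 200)   # offline demo on the constructed sample
    if result["anonymous_read"]:
        print("CWE-276: anonymous read enabled; hosted repos exposed:",
              ", ".join(result["hosted_exposed"]) or "(none)")
    if result["default_admin"]:
        print("CWE-521: default admin/admin123 accepted")
    if not (result["anonymous_read"] or result["default_admin"]):
        print("neither default-settings weakness observed")
```

A 200 on the anonymous listing alone is not a leak: the listing must be read to see whether hosted repositories, rather than only proxies of public upstreams, are reachable. Sonatype's 3.16.2 and 3.17 releases changed the setup experience around anonymous access, so a positive result on a current version points to a deliberate or overlooked configuration choice rather than an untouched default, which is exactly what the vendor asks organisations to re-review.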
*July 3, 2019: This story was updated to include comment from Sonatype's CTO