Thousands Left Vulnerable in Nexus Repository

Insecure default settings in Sonatype Nexus Repository Manager left many companies and government agencies exposed, with thousands of private artifacts reachable by anyone on the internet, according to a July 2 blog post from researchers Daniel Shapira and Ariel Zelivansky of Twistlock Labs.

While the issue was swiftly rectified, Shapira and Zelivansky noted that this kind of exposure could have had catastrophic consequences and cannot be taken lightly.

A team of dedicated white hats identified these weaknesses within Nexus Repository. In a July 2 blog post, researchers wrote, “During my recent work I have discovered two security vulnerabilities in Nexus Repository that affect all users under default settings.

“This post is a dive into these vulnerabilities, which exposed thousands of private artifacts across a broad range of industries, including financial services, healthcare, communications, government agencies and countless private companies. But first, let's dig into what a Nexus Repository Manager actually is.”

According to Sonatype’s website, millions of developers trust the Sonatype Nexus Repository Manager, which has more than 120,000 active repositories; the company calls it “the perfect system of record for all your software parts.”

Researchers wrote that the universal repository manager allows users to proxy, collect and manage Java dependencies, Docker images, Python packages and much more. “In sum, it makes it easier to distribute your software. Internally, you configure your build to publish artifacts to Nexus and they then become available to other developers,” the blog post said.

Because users tend to skip configuration steps and run the software under default settings with only minor modification, the researchers found two weaknesses that apply to every default installation: the built-in administrator account ships with the well-known credentials admin/admin123 (CWE-521, Weak Password Requirements), and anonymous access is enabled, so any unauthenticated user can read and download resources from Nexus (CWE-276, Incorrect Default Permissions). Neither requires an exploit; both are addressed by configuration, by changing the default admin password and disabling anonymous access unless it is deliberately needed.

“This means all the images in the repository can be downloaded just by accessing the repository, with no authentication needed, or by authenticating as the default admin account if unchanged. While reviewing some of these internet accessible repositories, I have found that at least 50% of them are using the default settings – meaning they are both affected by CWE-521 and CWE-276,” researchers wrote.

“These vulnerabilities mean users expose all of their private artifacts (images, packages and more) to the internet unintentionally. And unfortunately, this scenario is more common than you might think.”
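The two default-settings checks described above, written as an audit script an operator could run against their own Nexus instance. This is an added example, not code from Twistlock Labs, Sonatype or the article; it assumes the Nexus 3 REST paths /service/rest/v1/repositories (readable without credentials when anonymous access is enabled) and /service/rest/v1/security/users (requires administrator privileges) behave as described, and the "fake Nexus" transport, the hostname and the repository names are constructed for the demonstration so the script runs offline.

```python
"""Audit a Nexus Repository Manager instance for the two default-settings
weaknesses: anonymous read access (CWE-276) and the stock admin/admin123
account (CWE-521).  Added example; endpoint behaviour is an assumption
about Nexus 3, and make_fake_nexus() is a constructed stand-in server."""
import base64
import functools
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

DEFAULT_ADMIN = ("admin", "admin123")           # stock credentials named in the article
REPOS_PATH = "/service/rest/v1/repositories"    # assumption: anon-readable when anonymous access is on
USERS_PATH = "/service/rest/v1/security/users"  # assumption: needs admin privileges

# A transport is any callable GET(url, headers) -> (status, body).
Fetch = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def urllib_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real transport: plain GET, returning 4xx/5xx as a status instead of raising."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def audit_nexus(base_url: str, fetch: Fetch = urllib_fetch) -> Dict[str, object]:
    """Return findings for one instance without modifying anything on it."""
    base = base_url.rstrip("/")
    findings: Dict[str, object] = {"anonymous_read": False,
                                   "default_admin_creds": False,
                                   "repositories": []}

    # CWE-276 probe: list repositories with no credentials at all.
    status, body = fetch(base + REPOS_PATH, {"Accept": "application/json"})
    if status == 200:
        findings["anonymous_read"] = True
        try:
            findings["repositories"] = [r["name"] for r in json.loads(body)]
        except (ValueError, KeyError, TypeError):
            pass  # 200 with an unexpected body still counts as anonymous access

    # CWE-521 probe: an admin-only endpoint with the stock password.
    headers = {"Accept": "application/json", **basic_auth_header(*DEFAULT_ADMIN)}
    status, _ = fetch(base + USERS_PATH, headers)
    if status == 200:
        findings["default_admin_creds"] = True
    return findings


def make_fake_nexus(anonymous_enabled: bool, admin_password: str) -> Fetch:
    """Constructed in-memory stand-in for a Nexus 3 server (no network needed)."""
    repos = [{"name": "maven-releases", "format": "maven2", "type": "hosted"},
             {"name": "docker-internal", "format": "docker", "type": "hosted"}]
    admin_auth = basic_auth_header("admin", admin_password)["Authorization"]

    def fetch(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
        path = urllib.parse.urlsplit(url).path
        is_admin = headers.get("Authorization") == admin_auth
        if path == REPOS_PATH:
            if anonymous_enabled or is_admin:
                return 200, json.dumps(repos).encode()
            return 401, b""
        if path == USERS_PATH:
            return (200, b"[]") if is_admin else (401, b"")
        return 404, b""
    return fetch


@functools.lru_cache(maxsize=None)
def run_demo() -> Dict[str, Dict[str, object]]:
    """Audit a default-settings instance and a hardened one (both simulated)."""
    host = "http://nexus.example.internal:8081"  # hypothetical host
    return {
        "default_settings": audit_nexus(host, make_fake_nexus(True, "admin123")),
        "hardened": audit_nexus(host, make_fake_nexus(False, "correct-horse-battery-staple")),
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label}: {result}")
```

Against a real instance, call audit_nexus("https://nexus.example.org") with the default urllib transport; the only requests it sends are two GETs, one unauthenticated and one with the stock credentials, so it is safe to run on production. A true value for either finding means the instance is in the state the researchers describe and should be fixed by configuration, not by waiting for a patch.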

Source: Information Security Magazine