Security Experts:

Nexus Repository Flaws Expose Thousands of Private Artifacts

Two vulnerabilities in Nexus Repository exposed thousands of private artifacts across a broad range of industries, Twistlock’s security researchers reveal.

Nexus is Sonatype’s integrated open source governance platform that allows developers to proxy, collect, and manage Java dependencies, Docker images, Python packages and much more, as well as easily distribute their software.

A universal repository manager, the Nexus Repository Manager allows developers to configure their builds internally to publish artifacts to Nexus, thus making them available to other developers.

Nexus, Sonatype claims, is used by over 1,000 organizations and 10 million software developers. The company also notes that there are more than 120,000 active Nexus Repositories at the moment.

What Twistlock discovered was that the default Nexus settings include two issues, unrelated to each other, but which exposed artifacts from all affected repositories to the public.

Tracked as CVE-2019-9629, the first issue is that the default user in the Nexus Repository Manager is always set to be admin/admin123, essentially allowing anyone with knowledge of these credentials to access content in the repository.

More importantly, any unauthenticated user was allowed to read/download resources from Nexus, meaning that even if the default user was changed, people could still access content in a repository. This vulnerability is tracked as CVE-2019-9630.

“This means all the images in the repository can be download just by accessing the repository, with no authentication needed, or by authenticating as the default admin account if unchanged,” Twistlock’s Daniel Shapira explains.

The security researcher also notes that many users tend to skip a lot of configuration steps, which often results in software being exposed, because it is running under default settings with minor modification.

“Thanks to the ‘docker one-liner’ that anyone can find on Docker Hub, you can run Sonatype Nexus too. Under normal circumstances, users tend to see that the image is up and running, and leave everything else as it is. This is usually acceptable, unless the default settings of the product are somehow not aligned with the best practices for security, like in the case of Nexus Repository,” Shapira notes.

The security researcher says that at least half of the Internet accessible repositories he checked were using the default settings, which expose them to both of the aforementioned vulnerabilities.

“These vulnerabilities place a lot of users in a position in which they expose all of their private artifacts (images, packages, etc…) to the internet unintentionally, a scenario that it is more common than you might think,” the researcher notes.

In many cases, Shapira says, the default user was not deleted from the installation, although a different user was set up, complex password policies were employed, and the permissions on viewing resources were changed as well.

These vulnerabilities, the security researcher says, “exposed thousands of private artifacts across a broad range of industries, including financial services, healthcare, communications, government agencies and countless private companies.”

Twistlock reported the vulnerabilities to Sonatype in March and a fix was released on June 24, in Nexus Repository 3.17.0, which disables the default admin user and fixes the permission issues.

UPDATE. “The majority of repository managers are deployed inside a firewall and intentionally configured to allow anonymous access for sharing artifacts. This is a useful capability to provide organizations who choose to do so,” Sonatype’s Brian Fox explains in a blog post.

He also notes that, in certain situations, it is highly important to be able to provide access to common artifacts without requiring a user to sign up.

“Obviously providing wide open read access on the public Internet should be carefully considered, but as you see with many public forges, that ability to serve common artifacts without requiring a user to sign up, is critically important,” Fox says.

Related: Code Execution Flaw Found in Sonatype Nexus Repository Manager

Related: Risk-Based Vulnerability Management is a Must for Security & Compliance

view counter