CVE-2021-29441 — AI Deep Analysis Summary

🚨 **Essence**: Nacos Auth Bypass via User-Agent spoofing. <br>💥 **Consequences**: Attackers skip authentication checks entirely. <br>📉 **Impact**: Full administrative control over the service discovery & config platform.

🛡️ **CWE-290**: Authentication Bypass by Spoofing. <br>🔍 **Flaw**: The `AuthFilter` relies on the `User-Agent` HTTP header. <br>⚠️ **Mechanism**: Servers can spoof this header to bypass the filter logic.

🏢 **Vendor**: Alibaba. <br>📦 **Product**: Nacos. <br>📅 **Affected**: Versions **before 1.4.1**. <br>🔑 **Condition**: Must have `nacos.core.auth.enabled=true`.

👑 **Privileges**: Full Admin Rights. <br>👤 **Actions**: Create accounts, modify configs, manage services. <br>📊 **Data**: Access to all dynamic service discovery data.

📉 **Threshold**: LOW. <br>🔓 **Auth**: None required (if spoofed). <br>🌐 **Network**: Remote (AV:N). <br>🎯 **Complexity**: Low (AC:L).

🔥 **Exploits**: YES. <br>📂 **PoCs**: Multiple GitHub repos (e.g., `hh-hunter`, `bysinks`). <br>🛠️ **Tools**: Nuclei templates available. <br>🚀 **Status**: Wild exploitation possible.

🔍 **Check**: Scan for Nacos instances. <br>🧪 **Test**: Send requests with spoofed User-Agent. <br>📡 **Scan**: Use Nuclei template `CVE-2021-29441.yaml`. <br>👀 **Verify**: Check if admin endpoints respond without login.

✅ **Fixed**: YES. <br>🔧 **Patch**: Upgrade to **Nacos 1.4.1** or later. <br>📝 **Ref**: GitHub PR #4703. <br>🔒 **Action**: Mandatory update for security.

🚧 **Workaround**: If upgrade impossible, restrict network access. <br>🚫 **Block**: Prevent external access to Nacos ports. <br>🛡️ **WAF**: Block spoofed User-Agent patterns (if feasible).…

🔴 **Priority**: CRITICAL. <br>🚨 **Urgency**: HIGH. <br>📢 **Reason**: Remote, unauthenticated, full admin bypass. <br>⏱️ **Action**: Patch immediately. Do not delay.