Nexus Repository Manager Vulnerabilities CVE-2019-9629 and CVE-2019-9630 Could Expose Private Artifacts
Two vulnerabilities were uncovered in Sonatype’s Nexus Repository Manager (NXRM), an open-source governance platform used by DevOps professionals for component management in software development, application deployment, and automated hardware provisioning. Assigned CVE-2019-9629 and CVE-2019-9630, the vulnerabilities stem from insecure default settings in the repository manager and affect versions before 3.17.0.
NXRM, which has more than 150,000 active installations and is used by many organizations in the public and private sectors, has already been fixed by Sonatype in the 3.16.2 and 3.17 releases.
CVE-2019-9629 and CVE-2019-9630 allow unauthorized access to private artifacts
Twistlock security researcher Daniel Shapira discovered both issues. CVE-2019-9629 concerns the built-in administrator account, whose credentials default to admin/admin123, so anyone who knows the default can log in and access repository content. CVE-2019-9630 concerns the default of granting unauthenticated (anonymous) users read access to repository files and images.
Successful exploitation of either vulnerability could expose users’ private artifacts, for example Docker images, Java dependencies, and Python packages. In the case of CVE-2019-9630, an attacker needs no credentials at all and can download artifacts simply by browsing the repository. In the case of CVE-2019-9629, an attacker who logs in as the default admin account gains full administrative control of the repository.
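The two defaults described above are easy to audit and to correct from the NXRM 3 REST API. The following script is an added example written for this article; it is not code from Trend Micro, Twistlock, or Sonatype. It assumes the documented NXRM 3 endpoints for listing repositories, listing users, changing a user’s password, and toggling anonymous access (verify the paths against your version’s /service/rest/swagger.json), and it treats an unauthenticated HTTP 200 with a non-empty repository list as evidence that anonymous read is enabled, which is a heuristic. The harden() function makes changes, so run it only against an instance you are authorized to modify, and the transport is pluggable so the logic can be exercised against a constructed fake instance offline.

```python
"""Audit an NXRM 3 instance for the two insecure defaults in the advisory:
anonymous read access (CVE-2019-9630) and the admin/admin123 account
(CVE-2019-9629), then remediate both using the same API."""
import base64
import functools
import json
import secrets
import sys
import urllib.error
import urllib.request

DEFAULT_ADMIN = ("admin", "admin123")  # the shipped default named in the advisory

# REST paths as documented for the NXRM 3 API. Assumption: confirm these against
# your instance's /service/rest/swagger.json before relying on them.
REPOS_PATH = "/service/rest/v1/repositories"
USERS_PATH = "/service/rest/v1/security/users"
ANON_PATH = "/service/rest/v1/security/anonymous"
PW_PATH = "/service/rest/v1/security/users/{user}/change-password"


def http_fetch(base_url, method, path, auth=None, body=None, content_type=None):
    """Minimal HTTP transport returning (status, body text); urllib only, so the
    script has no third-party dependencies. HTTP errors are returned, not raised."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method=method)
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    data = None
    if body is not None:
        data = body.encode() if isinstance(body, str) else json.dumps(body).encode()
        req.add_header("Content-Type", content_type or "application/json")
    try:
        with urllib.request.urlopen(req, data=data, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def anonymous_read_enabled(fetch):
    """CVE-2019-9630 check: list repositories with no credentials. A 401/403 means
    anonymous access is off; a 200 with a non-empty list means an anonymous user
    can read, and therefore download from, those repositories (heuristic)."""
    status, body = fetch("GET", REPOS_PATH)
    if status != 200:
        return False, []
    repos = [r["name"] for r in json.loads(body)]
    return bool(repos), repos


def default_admin_works(fetch):
    """CVE-2019-9629 check: authenticate as admin/admin123 against an admin-only,
    read-only endpoint (the user listing). A 200 means the default is still live."""
    status, _ = fetch("GET", USERS_PATH, auth=DEFAULT_ADMIN)
    return status == 200


def harden(fetch, new_password=None):
    """Remediate both defaults with the working admin credential: rotate the admin
    password (text/plain body per the API), then disable anonymous access using the
    new password. Returns the new password and both HTTP statuses for verification."""
    new_password = new_password or secrets.token_urlsafe(24)
    pw_status, _ = fetch("PUT", PW_PATH.format(user="admin"), auth=DEFAULT_ADMIN,
                         body=new_password, content_type="text/plain")
    anon_status, _ = fetch("PUT", ANON_PATH, auth=("admin", new_password),
                           body={"enabled": False, "userId": "anonymous",
                                 "realmName": "NexusAuthorizingRealm"})
    return new_password, pw_status, anon_status


def audit(fetch):
    """Run both checks and return the findings as a dict."""
    anon, repos = anonymous_read_enabled(fetch)
    return {"anonymous_read": anon,
            "anonymous_readable_repos": repos,
            "default_admin_credentials": default_admin_works(fetch)}


if __name__ == "__main__":
    # Usage: python nxrm_audit.py http://nexus.example.internal:8081
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8081"
    print(json.dumps(audit(functools.partial(http_fetch, base)), indent=2))
```

Running audit() before and after harden() gives a before/after record that can go straight into a ticket. Because the checks use read-only endpoints and the admin probe hits a single admin-only listing rather than a write, the audit half is safe to schedule against every NXRM instance in an estate; only harden() changes state.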
According to Shapira, at least 50% of the repositories exposed to the public internet were working under NXRM’s vulnerable default settings.
In March, Trend Micro researchers also uncovered a vulnerability in NXRM, tracked as CVE-2019-7238, stemming from insufficient access controls. Like CVE-2019-9630, CVE-2019-7238 can be exploited without authentication.
Sonatype: serving common artifacts without user signup critically important
Sonatype’s chief technology officer (CTO) and co-founder Brian Fox has written an explanation for CVE-2019-9629 and CVE-2019-9630 in a recently published blog post.
Fox said that allowing anonymous access to repository managers for sharing artifacts is a useful capability for organizations. “Obviously providing wide open read access on the public internet should be carefully considered, but as you see with many public forges, that ability to serve common artifacts without requiring a user to sign up, is critically important,” he added.
Security recommendations and Trend Micro solutions
NXRM and similar software development tools speed up delivery and make developers more efficient, but because they hold an organization’s build inputs and outputs they are also attractive targets, so organizations should monitor them continuously. In practice this means applying the principle of least privilege to repository permissions (here, disabling anonymous read access where it is not needed and replacing default credentials), detecting known vulnerabilities in the tools themselves, and using current threat intelligence to counter malware or exploits that abuse flaws like CVE-2019-9629 and CVE-2019-9630.
Organizations can also look into Trend Micro DevOps security solutions, which bake security into development processes via APIs to improve development cycles and reduce human touch points and errors. Such security solutions can also reduce disruption of development schedules and workflows with protection for images, containers, and hosts by quickly closing the security feedback loop.