An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login.

**Use of Hard-coded Credentials in Nacos**

High severity GitHub Reviewed Published Jul 6, 2022 • Updated Jul 6, 2022

GHSA-2g86-r6w2-wqqr: Use of Hard-coded Credentials in Nacos

Use of hard-coded credentials vulnerability exists in Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software 'Sysmac Studio' all models V1.49 and earlier, and Programable terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier, which may allow a remote attacker who successfully obtained the user credentials by analyzing the affected product to access the controller.

%PDF-1.7 %���� 530 0 obj <> endobj 547 0 obj <>/Encrypt 531 0 R/Filter/FlateDecode/ID\[<1D667602CB60E44EB1F84521BEC453B4>\]/Index\[530 40\]/Info 529 0 R/Length 89/Prev 239826/Root 532 0 R/Size 570/Type/XRef/W\[1 3 1\]>>stream h�bbd\`\`\`b\`\`�"��HƓ �i �d1�N��!�r��r�y;X�N��7o��� ����10120-���8��Wod�T endstream endobj startxref 0 %%EOF 569 0 obj <>stream �'<�M&%\_�p%��0��|4�v�b�:���V�R7��9���ּQ7�2 ���QՆ}�l�ޢ�LV��3���:�|��<�ܝuũ(�m���Ȅq/,�9������~�N�R ��� ƌ� �j���ʘ��f��B\`�q¯��z|Y����N$t/�͚�؛�\_A�� endstream endobj 531 0 obj <>>>/Filter/Standard/Length 128/O(��������Q�Ro,�\\)�C��19+���J)/P -1324/R 4/StmF/StdCF/StrF/StdCF/U(N��dS.3�C�A�>)/V 4>> endobj 532 0 obj <>/Metadata 17 0 R/PageLayout/SinglePage/Pages 528 0 R/StructTreeRoot 26 0 R/Type/Catalog/ViewerPreferences 548 0 R>> endobj 533 0 obj <>/MediaBox\[0 0 595.32 841.92\]/Parent 528 0 R/Resources<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\]>>/Rotate 0/StructParents 0/Tabs/S/Type/Page>> endobj 534 0 obj <>stream Ur!���\`�����\`�j!\*����,S�N��1�m������'zS��BƠ �B�ԭ#����c\\�n�A�x=7�Y��֝v��z�<�A����'�@�"�0�\`��h������o�q�4H�Q�k҂bf����K&J��û,׈M>���U$���Q­ޝy�o���醈�8b<�\]�p Y�@��ֻQ�=��!��>@ɦ��wL��%ώC�a/��uO;���ԃ���"y����C��l'M�����fdH|�����\*:.�D��5���u�1H�=g����"�b��q=}NY�#���>\[|��G �p���Bf�׾D�L{���{\[���M�\`�BT$����3�k��U �B֮,�\_��ɽ���ِq��ɻ��z�\\\[x�\_�S)o��.�ٙn֪h��xC0��@S��R�Y֌��N���i�n�G��Z�Xb٠s� �|�v��P;VU��~��������4�7 �5�G��;�=bW$kĔ�5e�������!�M�(��\*�h�����1'�Ď��&��>��6��)"�0+e���~�"�?�tXa}"��v�<3I \[�$�PO�n|.�J�V��~��U� \*��5�@ .9�a�hsUw/vh��W�o���7n��~���=X.$@��DK#��=Yd��:���HMj�ry��� z� �~C�"DY�9��|�vp�y�L���σi�����P�N;ȧñv.\[�s�X�2�Se��'�7E�?͗#���(p$�W���(F�G�e�&w0HQEU��{O���z(�����(��cP��1\\K)�d���?\_x؊!�1�i�ĴTro�õIJAJԨ�&����C����D@\*1�3 �y�i�"��׽�-�SD�9���լ�\`�?��=�"���\]\]�1T��ߛCk ���˞���%�����!�(S����y�g�B��7��M��W�s���\*#���\_Nc endstream endobj 535 0 obj <>stream ��/�v5��=w��oz���Z��.b9v�Zs�2�P�x$����R�p %���<�\*���ʵ������eȏ�,i��/�Û�=�\\��B�����/�C�Z�ۢ��EJs����d\`D��5�v �mi�\[}op\]EIQDY@5~�)�P�k����J�ݗ���F>fS9����������ԩ�權1u���ם-�\*lnl�;89���=\`��������ݘ\_��j�z$x\\�l\\������A�?W��("����#A��E�D�y5�so⩂�^�+�v��)�et'�9'lM\\a���~�L2�c/��.���l Ϟ�B������eQ�5�-n��ӳ���v��5��u�-�����dx k1��f����e���GQL��A�A���,�N8pD^���F��4��Q�ʇ�=��㖣�/��Ɔ���4Ľ��#����=Gڛ����#-�����󅞦��D�������hk�yH�m�\]���f/\_U��� fg޵K;\*y�';�c�qD\]�t�����P����2ՑO����f��0n(,u����!���,�ʸ�\_\\p�2�n�z�}a endstream endobj 536 0 obj <>stream k��B�!-�\*��2�My�K&oe�q!����R9��5���J\\n�^r!�ݣ0�|�j.�Pn �܋;?��mM���z���,,j'�� ��E�=ut\_<+9�V�$����!���W!�������?���P�"�0�3H�!U~���Y,� +����1&��H�$��\[��'L�7�#�+\*f�� �2TM�Ӱ�~p�������ozڃ��i��~���f�r��x�|�O|��G��DJ�q8B:����3���r�2��җV>�Ff�� �ԣ��dm��z�L�ej�3~ �K����|f�N�5�(Ν\[�O�&�W��\`?���1T?o�\*��Jeg��!pQ��GI����3\_�nĉ# endstream endobj 537 0 obj <>stream ,U�0��Re�۸�� ���h$�����\]q����p�l'�9V����� �~���J�"lt.O�L�N�#\]�.��J/'!�\_=\[��gG�^g�͑��/�&�y���ѡ�%j�1їx�ۼ�)�zQ��w=WԠ&۬��!S��}��FH� ����ڹ\\��x&\\�|�~�V�om ;�\[V�JC�虶$���U#��5��t�i��� �Ƃ�r�i"!%�Ӳ}��w�9��? ��#���Vn����ͯp�H���%\`VƦ=�UuJ2��߯�, !��ַR4�j�St;\*G�����#��\*I�0/�\`��ĵ��#�E!��s�J�L<�\*Xnlԭ�L�i.�3aN���)\[���Y����Iϯ�{��/�#�:7 �K%���6��u��rG�;\_����ܿU�VT�Ts��~ڋ�r���������-0����#��F"��s4��)m���^�@d�,�߻۪k.��z�;t����Ps4c�+���Jj�敻ء�{�v9��0�/�w������m%��y/LX̺��wvM�,ƚ�Y��n�t����@ں'�In�P���m�qy$I1��+��{H�ݗv�t�zr�I��TsQS�Ze���{\[V���\`Cy�p�m��5;�sK � endstream endobj 538 0 obj <>stream �)'�w+�n�9\[a��e܄BD�??�>���E\*- �;��~�Q\]���0U�Ff��&6� P<\]��g\[�̯��K��F�,����aCIC|��+�}&\[/U� ,��;�X��x"��T�'��F\_\[��'!LU�����K�^T@ ��x1S�b�yז6�MTÂ�j�k���z���A�\`n�cr�K�@��@���G毨O�nT������b����\\�g�a4�x� ?~����4� �����"�B����ay��W� �g�9�X\`�\`t�t��$r~�jMe��t��L2F�� �T\_��\` �e�moI=��N=рW�\`\`?�o:��Lbc�=�(�#-��s�!����H��Vy�j�a��iV��QB�s#�#߀��-��}�;�����O�@�֋� u�������\`�'aR���HVjī��Ҡ�D��߬^���{���a�%ϔ�!���!���e���gyx�~K<�J�y���رk�b7d�D�S�=/摕<F�\*&�<�Qf%���j3�}��ً�(���t�t9��A�\]�iok,����Z���\]TP \]%)8Q0�\`����,��6�z����$�,�A��:K�z� endstream endobj 539 0 obj <>stream \\��k�F��~l���E���}íX��w3nv��p\_\_��\]f��@Og�$L��禧7�A�%����F�"UO�A�r���´��/��U6�\[�t���X���P>q�,�����^����h������Q�d:�(F��^�1�P��.�1�F!J�(�?�EUJ��^���'\[��d�E6<�ɽ�m&m?��W�κt�oK��������pF�=ou�A�HA ��̚����\_� j\_�8q�ha���F��u�{�^;�\`qޙ����=��KhvOd�eE��P������6�z�u5JJ�T��N ��i�� �{�� 9�Ȁ˽( ��N��@Mv��\*8 �}���oM1�oT<(�\_��>��Ku�E���c%����� W폑j��=�3��k��c>+0��\_���k<�.��3K;&�R'bÍ���s�8�QZ.޷IU{qFq��D�{�9QI��Q����aH�!��Ě��jO� z�P��1�|r�9�\_zT�\*�4���P�M+��7��}�E�|G\].�\`���flFaEM� .�nH�qs"? endstream endobj 540 0 obj <>stream �9��I��$IZ}±pz��3���'��q/h�(���RI�3���e�zY��X�蓻K.�J�����\`�i#Yi��hn�L-B��ph �㎊(��/F�MS�y\]o\]�:�\_R�\`������H�\*���x�β�-�hi��W�G���Y���<��;.'��&W�� G��ȲC��4�S;i��͘���2�Zcy�V����GXcP��M��G�'�(~��C�4���+xzW�����6���;kQ�3��a\]�����H,���#�e/ 6�sGw�8S�<�� �M2�W�ٞ6�g@w�I�I�ɶ�����'U�{�r��P��6d�S��A�����$e�41����л�\]�s}�B�������LC\]m�&��E����2�?��;���/��Dp��\`�P ���I'�H'\[ ��?r��+4�\\ø>��"��� ��9�bg\*)@�r��{��U�U�}�L��������c����0�x'�$ �@��9cV��{t�裂%эEp�$}�Eϵ=��{��Kbx:�|�-!{l��n�ܽ�Z"Z�U�i�F?j�4�k�7��\`T̓��A95��\\x�޳ ���$��)���ص� endstream endobj 541 0 obj <>stream ką�z����M�\]7r����eWze�4�:@V8;a7��^�����;��G���>��o�$֝�����?; ���e溓�}���{'{����꼙���O���M%�o��D��YR|��L�Сv�&'.W� X#�=�����r��O!�h���ֲ����f���Uo�g�v�Y�2�F�pݷgl�3t?⚔p��\_a����4�����u\[�@���T�r� Pj��+e�4\\R~+�3(�8Q|$J��^\*8n���s�$���kT@|Yʲ��{�Y�}\\��i���}����"U��{�)m��E�3}Z\*�P� .��3�$"@�(Ës4�o�،�᧏ގ:��Wv��P������;C3K �Hd�D�������n��\]�2q��d���ow�e����%r�1c)e���<����1�6������� xȾt�\`)G�S�C�~��Hiʕ#tճQ<�C�/S���+�=�+�Z6�D��{$�͠i���=�0P�f�l�Kf��o�������:l�Y�o

CVE-2022-34151

This advisory contains mitigations for a Missing Authentication for Critical Function, Use of Hard-coded Credentials, Insufficient Verification of Data Authenticity, and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in the Emerson DeltaV Distributed Control System software management platform.

Emerson DeltaV Distributed Control System

This advisory contains mitigations for Use of Hard-coded Cryptographic Key, Use of Hard-coded Credentials, and Insufficient Verification of Data Authenticity vulnerabilities in the Motorola Solutions ACE1000 remote terminal unit.

Motorola Solutions ACE1000

Use of hard-coded credentials vulnerability exists in STARDOM FCN Controller and FCJ Controller R4.10 to R4.31, which may allow an attacker with an administrative privilege to read/change configuration settings or update the controller with tampered firmware.

CVE-2022-30997

This advisory contains mitigations for Cleartext Transmission of Sensitive Information, and Use of Hard-coded Credentials vulnerabilities in the Yokogawa STARDOM network control system.

Yokogawa STARDOM

Low-code/no-code platforms allow users to embed their existing user identities within an application, increasing the risk of credentials leakage.

According to the "2022 Verizon Data Breach Investigations Report," stolen credentials were the top path leading to data breaches. More often than phishing or exploiting vulnerabilities, attackers gain direct access to credentials, letting them virtually walk into victim organizations using the front door.

Low-code/no-code platforms make it extremely easy for users to share their credentials and embed their credentials into applications, thus drastically increasing the risk that employee mistakes will result in credentials leakage. Unintentionally, low-code/no-code development makes the No. 1 resource for attackers easier to obtain.

**How Low-Code/No-Code Platforms Sacrifice Security For Productivity**

Getting the required permissions to do your job in an enterprise can be very frustrating. It's not uncommon for new employees to wait more than a month before they have the full scope of permissions they need to access business data, review KPI dashboards, or join an internal communication channel.

The same thing is true, maybe even worse, for setting up a new application in the enterprise. Permissions requests typically need to be approved by your direct manager, their manager, and the team who owns the data/service. Some of the approvers might be in another continent with a time zone difference. It's next to impossible to start building an application without the required access to data/services, and so you end up waiting.

After you manage to get the right access for your application, you are finally ready to start building. A few months go by. Suddenly, you get a notification that your application has failed. A quick analysis shows that its permissions have been revoked. Enterprises typically set up an automated process that revokes access every few months, unless permissions are explicitly asked for by the application maker. This process is necessary to comply with regulations and reduce over-permissions, but it has its downsides — namely a periodic manual process that could hinder productivity.

Low-code/no-code is an attempt to empower every employee, especially business professionals, to address their own issues with custom-built applications and automations. Vendors do this by systematically identifying and removing roadblocks for building applications. Is learning to code challenging or scary? A drag-and-drop interface can help lower the barrier to entry. Is integration difficult? A wide range of managed connectors will remove the need to know what an application programming interface (API) is or how to interact with it. Is asking for permissions slowing you down? Sharing identities and leveraging existing user access can provide a quick alternative.

To boost innovation, low-code/no-code platforms allow their users to leverage their existing user identity, embed it within an application, and by doing so circumvent the enterprise permissions model entirely. For an outside viewer in security or IT, the application doesn't exist, and everyone using it is actually running it on its maker's account.

**Wait, But How?**

If you're thinking that there are better solutions out there than letting the application impersonate its maker, you are partially right.

In recent years, OAuth has been the de-facto standard for granting application access. Any time you go to a software-as-a-service (SaaS) marketplace, pick up a third-party integration, and get prompted with a small login and consent pop-up, you're most likely using OAuth. OAuth has many different consent flows, all resulting in the familiar pop-up experience. A key distinction is whether consent is granted to the application directly or on behalf of its currently signed-in user. Although this might sound like a minor detail, it is actually the root cause of the low-code/no-code identity problem.

When an application is granted consent directly, it is issued its own identity, separate from that of the user who granted the consent. The application identity can be monitored for suspicious authentication or access patterns, and its permissions can be revoked at any time by a security or IT admin. Controls like IP restriction can be put in place to take advantage of the static nature of the infrastructure that the application runs on. Every application can have a separate identity, with separate access restrictions, and can be monitored and acted up--on separately. Another useful implication of application identity is admin control.

Granting consent on behalf of the currently signed-in application user, however, has very different implications. The application gains access to resources using its user's identity for the limited time when the user uses the app. On-behalf access means that the application is actually using its user's identity directly when querying external resources. Moreover, using multiple applications will result in all of them using the same identity: the user's identity. IT or security admins looking at logs will not be able to easily distinguish between the user or any application used by the user. Granting application access on behalf of users was originally designed to allow temporary access only while a user is actively using the application.

In many cases, services allow applications to gain access on behalf of users but deny applications direct access to service APIs. This raises an interesting question: If an application can only gain access to data on behalf of a user, how can it access data when no user is interacting with it? Creative engineers have come up with a solution. The application logs in as a user once, then records its authentication token and keeps on using it even after the user has logged off the application. In the case of low-code/no-code applications, that user is typically the application's creator. User authentication tokens are supposed to be short-lived in order to prevent this workaround. In practice, however, most services issue tokens that are valid for 12 months.

Let's say a business professional creates an application. Instead of having to wait for approval of an application identity or permissions, they use access on behalf of a user — in this case, their own. The application requires them to log in once (say to Salesforce or SharePoint), records their own private authentication token, and reuses it at will. Even if another user is using the application, it will still use its maker's identity.

There are ways to build low-code/no-code applications with dedicated identities — for example, by using service accounts. However, the methods are not very widely used.

Recall the positive properties of application identity stated above: The application can be monitored, its access to data can be controlled, and its privileges can be revoked. None of this is true when low-code/no-code platforms are embedded with their creator's identity. Every application a business professional makes might have their user identity built into it. Security and IT teams analyzing access logs will have no way to know that these applications even exist.

**Impersonation-as-a-Service**

Recording and replaying user authentication tokens as a way to grant applications access to resources has another implication: They open the door to simple and easy identity sharing among users. This manifests in a common low-code/no-code feature typically referred to as connections. Connections are how low-code/no-code applications gain access to resources like Slack, NetSuite, or BambooHR. They allow read operations, like reading employee HR data; write operations, like the ERP on recent sales; and delete operations, like permanently deleting a Slack channel. Connections are first-class objects, which means they can be created by one user and shared with another user, an entire team, or even an entire organization. Technically speaking, these are wrappers around user authentication tokens or hard-coded credentials.

When a user creates and shares a connection to Microsoft Office, for example, it is akin to them sharing their password. However, if a team of developers is collaborating on a project, they often need to be able to share an application identity with each other. Connection sharing enables working together in a team on a shared project, but unfortunately it can also enable users to share their identities with each other. Since many low-code/no-code applications are built with the creator's identity embedded within, identity sharing is a common risk low-code/no-code platforms introduce.

To make matters worse, credential sharing is just way too easy on many platforms. A single checkbox stands between you and sharing your identity — for example, your ServiceNow or Salesforce account — with your entire organization. In some cases, sharing an application with other users implicitly shares its underlying connections too.

This is a crucial point. Under certain circumstances, users who gain access to a business application will gain direct access to its underlying database implicitly, without direct consent or knowledge. Take an expense management application, for example. There's a big difference between letting people use the application to submit their expense reports and giving them access to the underlying database with everyone's expense reports within it.

Unintentionally, low-code/no-code applications make credentials — the No. 1 resource that attackers are after — easier to obtain.

**Where Do We Go From Here?**

As we've seen, low-code/no-code platforms had to overcome many challenges in making enterprise applications easy to build for everyone from professional to business developers. Sometimes, the solutions come at a cost. In the case of credentials, the ability to move fast is unfortunately coupled with the ability to break things — namely, the enterprise identity model.

It is important to mention here the immense value that low-code/no-code platforms create for the enterprise: reducing the time between idea and execution, lowering the bar for application development, and increasing business velocity.

Platforms cannot be expected to resolve security concerns on their own; it is a responsibility shared between the platform and its customers. To reduce the risk, security teams should familiarize themselves with the ways identities are treated as part of the low-code/no-code platforms their organizations use. Most platforms can be configured to reduce the level of credential sharing and turn off implicit sharing.

More importantly, security teams must realize that low-code/no-code platforms introduce an inherent new risk into the enterprise that cannot be mitigated by traditional monitoring approaches because of the confusion between application and user identities. Therefore, security teams should invest in guiding business developers, reviewing potentially risky applications, and taking action to mitigate risk.

Credential Sharing as a Service: The Hidden Risk of Low-Code/No-Code

This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in the Siemens Spectrum Power data modelling and monitoring system.

Siemens Spectrum Power Systems

This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in the Siemens Teamcenter product lifecycle management software.

Siemens Teamcenter

Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 uses a hard-coded credential which may allow a remote unauthenticated attacker to log in with the root privilege and perform an arbitrary operation.

Published:2022/05/19  Last Updated:2022/05/19

**Overview**

Rakuten Casa provided by Rakuten Mobile, Inc. contains multiple vulnerabilities.

**Products Affected**

*   Rakuten Casa version AP\_F\_V1\_4\_1 or AP\_F\_V2\_0\_0

**Description**

Rakuten Casa provided by Rakuten Mobile, Inc. contains multiple vulnerabilities listed below.

*   **Use of Hard-coded Credentials (CWE-798)** - CVE-2022-29525
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
    
    **Base Score: 5.9**
    
    CVSS v2
    
    AV:N/AC:M/Au:N/C:C/I:N/A:N
    
    **Base Score: 7.1**
    
*   **Improper Access Control (CWE-284)** - CVE-2022-28704
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    
    **Base Score: 7.5**
    
    CVSS v2
    
    V:N/AC:L/Au:N/C:C/I:N/A:N
    
    **Base Score: 7.8**
    
*   **Improper Access Control (CWE-284)** - CVE-2022-26834
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    
    **Base Score: 7.5**
    
    CVSS v2
    
    AV:N/AC:L/Au:N/C:C/I:N/A:N
    
    **Base Score: 7.8**
    

**Impact**

*   An attacker who can obtain information about the product housing may log in with the root privileges and perform arbitrary operations - CVE-2022-29525
*   If the product is in its default settings in which is set to accept SSH connections from the WAN side, and is also connected to the Internet with the authentication information unchanged from the default settings, a remote attacker may log in with the root privileges and perform arbitrary operations - CVE-2022-28704
*   The information stored in the product may be obtained as the product is set to accept HTTP connections from the WAN side by default - CVE-2022-26834

**Solution**

**Update the software**  
According to the developer, the fixed software for these vulnerabilities has been released in August 2021, and in the case where the product housing is properly set in accordance with Terms of Installation, the update is applied automatically.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

**Credit**

CVE-2022-29525  
Narumi Hirai of LAC Co., Ltd. reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2022-28704  
Hiroki Oshiro and Tagawa, Masaki reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2022-26834  
Tagawa, Masaki reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

Tag

#hard_coded_credentials