CVE-2017-17717
Description
Sonatype Nexus Repository Manager 2.x uses weak encryption with hardcoded password for LDAP bind credentials, allowing decryption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Sonatype Nexus Repository Manager 2.x through version 2.14.5 stores LDAP bind passwords using PBEWithSHAAnd128BitRC4 encryption with only 23 iterations and the hardcoded password CMMDwoV [1]. This weak encryption is implemented in the PasswordHelper class, which is shared by multiple components, so other passwords stored through that class are potentially affected as well.
Exploitation
An attacker with read access to the Nexus configuration file (e.g., nexus.xml or similar) can extract the encrypted LDAP bind password. Because both the encryption algorithm and the hardcoded password are known, the value can be decrypted offline with minimal effort [1]. No authentication or special privileges are required beyond read access to the file.
Impact
Successful decryption of the LDAP bind password allows the attacker to authenticate to the LDAP server with the same privileges as the Nexus service account. This can lead to unauthorized access to LDAP-managed resources, including user credentials and directory information, potentially compromising the entire authentication infrastructure of the organization.
Mitigation
As of the disclosure date, no official fix has been released for the 2.x series [1]. Users should upgrade to Nexus Repository Manager 3.x, which does not use the same vulnerable code. For immediate mitigation, restrict read access to the Nexus configuration files to trusted administrators only, and consider binding with a dedicated LDAP service account that has the minimum privileges required.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=2.14.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] openwall.com/lists/oss-security/2017/12/17/3 (NVD tags: Issue Tracking, Mailing List, Release Notes)
News mentions
No linked articles in our index yet.