NeuVector Insecure Default Password Vulnerability in Admin Account

Vulnerability

A vulnerability exists in NeuVector versions prior to and including 5.4.5, where the default password for the built-in 'admin' account is a fixed string. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token. This token could then be used to perform any operation via NeuVector APIs. In earlier versions, NeuVector allowed setting the default password using a Kubernetes Secret named 'neuvector-bootstrap-secret'. If this value was not retrieved, NeuVector defaulted to the fixed password.

Impact

Exploitation of this vulnerability allows unauthorized access to the NeuVector API with the privileges of the 'admin' account, enabling any operation to be performed.

Remediation

Users should upgrade to NeuVector version 5.4.6 or later. For rolling upgrades, it is recommended to change the default 'admin' password to a secure one. Starting from version 5.4.6, NeuVector introduces additional Kubernetes RBAC permissions to manage the bootstrap password securely via Secrets. If deploying or upgrading manually, these roles must be created before starting NeuVector. After upgrading, NeuVector does not reset existing account passwords, so it's important to change the default 'admin' password. For new deployments, if the bootstrap password is not set, NeuVector generates a secure password and stores it in the 'neuvector-bootstrap-secret'. This password must be retrieved and changed during the first login via the NeuVector UI.
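A small audit helper for the two checks a defender takes from this advisory: whether the deployed controller is still in the affected range (5.4.5 or older) and whether the generated bootstrap password can be read back from the 'neuvector-bootstrap-secret' Secret. This is an added example, not NeuVector's own code; the data key name 'bootstrapPassword' and the image tag format are assumptions, since the page does not state them.

```python
"""Audit helper for the NeuVector default 'admin' password issue (added example).

Assumptions not stated on the page: the Secret's data key holding the bootstrap
password is named 'bootstrapPassword', and the controller image tag carries the
release version (e.g. 'neuvector/controller:5.4.5').
"""
import base64
import json
import re

LAST_AFFECTED = (5, 4, 5)  # page: versions prior to and including 5.4.5
BOOTSTRAP_SECRET = "neuvector-bootstrap-secret"
BOOTSTRAP_KEY = "bootstrapPassword"  # assumed key name


def parse_version(tag):
    """Extract (major, minor, patch) from an image tag or bare version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"no version in tag: {tag!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(tag):
    """True when the controller is 5.4.5 or older and may still use the fixed default."""
    return parse_version(tag) <= LAST_AFFECTED


def bootstrap_password(secret_json):
    """Decode the generated bootstrap password from `kubectl get secret -o json` output.

    Returns None when the key is absent, i.e. the 5.4.6+ generated-password path has
    not populated the Secret and the 'admin' password must be verified by hand.
    """
    secret = json.loads(secret_json)
    if secret.get("metadata", {}).get("name") != BOOTSTRAP_SECRET:
        raise ValueError("not the NeuVector bootstrap secret")
    encoded = secret.get("data", {}).get(BOOTSTRAP_KEY)
    if encoded is None:
        return None
    return base64.b64decode(encoded).decode()


# Constructed sample of what a 5.4.6+ deployment's Secret might look like (value is made up).
SAMPLE_SECRET = json.dumps({
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": BOOTSTRAP_SECRET, "namespace": "neuvector"},
    "data": {BOOTSTRAP_KEY: base64.b64encode(b"Ex4mple-Generated-Pw").decode()},
})

if __name__ == "__main__":
    for tag in ("neuvector/controller:5.4.5", "neuvector/controller:5.4.6"):
        print(tag, "affected" if is_affected(tag) else "fixed")
    print("bootstrap password:", bootstrap_password(SAMPLE_SECRET))
```

In a live cluster, feed `bootstrap_password()` the output of `kubectl get secret neuvector-bootstrap-secret -n neuvector -o json`; a returned value is the password to use for the first UI login and then change, as the remediation describes.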

Added: Sep 17, 2025, 1:21 PM
Updated: Sep 17, 2025, 2:29 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 5.0
exploitability: 7.8
remediation: 8.3
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.