Patches have been released to address two new security vulnerabilities in Apache Superset which could be exploited by an attacker to achieve remote code execution on affected systems.
Apart from these weaknesses, the latest version of Superset also fixes another issue of improper REST API authorization (CVE-2023-36388) which allows low-privileged users to perform server-side request forgery (SSRF) attacks.
“By design, Superset allows privileged users to connect to arbitrary databases and run arbitrary SQL queries against those databases using the powerful SQLLab interface,” Naveen Sunkavally of Horizon3.ai said in a technical note.
“If Superset can be tricked into connecting to its own metadata database, an attacker can directly read or write the application’s configuration via SQLLab. This leads to harvesting credentials and executing remote code.”
CVE-2023-39265 concerns a case of URI bypass when connecting to the SQLite database used for the metastore, allowing an attacker to execute data manipulation commands.
Lack of validation when importing SQLite database login credentials from a file is also tracked under the same CVE identifier; it could be abused to import a file from a maliciously crafted ZIP archive.
“Superset versions 1.5 through 2.1.0 use Python’s pickle package to store some configuration data,” Sunkavally said of CVE-2023-37941.
“An attacker with write access to the metadata database can insert an arbitrary pickle payload into the store and then trigger its deserialization, leading to remote code execution.”
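The pickle problem described above is general: `pickle.loads` on bytes that an attacker can write will resolve and call whatever code the pickle references. The following is an added example, not Superset code, showing the two defensive options a maintainer has for a metadata-store config blob: a restricted unpickler that refuses every global reference (so only plain data can load), and a JSON-based store that carries no code at all. The function names and the sample config dictionary are constructed for this illustration.

```python
import io
import json
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global reference.

    Pickles of plain data (dicts, lists, strings, numbers) contain no
    GLOBAL/STACK_GLOBAL opcode and load normally; any pickle that names a
    class, function or other callable is rejected before it can run.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_legacy_config(blob: bytes):
    """Load a pickled config blob from the metadata store under the restriction."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def classify_blob(blob: bytes) -> str:
    """'data' if the blob holds only plain data, 'rejected' if it references code."""
    try:
        load_legacy_config(blob)
        return "data"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed sample blobs: what a benign store entry looks like versus a
# blob that references code (a harmless builtin stands in for anything
# callable; the restriction does not care what the reference points to).
def sample_data_blob() -> bytes:
    return pickle.dumps({"SQLALCHEMY_DATABASE_URI": "sqlite:///example.db", "ROW_LIMIT": 5000})


def sample_code_blob() -> bytes:
    return pickle.dumps(len)


# Preferred replacement for new code: JSON can only express data.
def dump_config(cfg: dict) -> bytes:
    return json.dumps(cfg, sort_keys=True).encode()


def load_config(blob: bytes) -> dict:
    return json.loads(blob.decode())


if __name__ == "__main__":
    print("plain data blob:", classify_blob(sample_data_blob()))
    print("code-referencing blob:", classify_blob(sample_code_blob()))
    print("json round-trip:", load_config(dump_config({"ROW_LIMIT": 5000})))
```

The restricted unpickler is the migration path for data already stored as pickles; once the stored blobs have been re-written, switching the store to `dump_config`/`load_config` removes the deserialization surface entirely.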
Some of the other flaws fixed in the latest version are listed below:
- A MySQL arbitrary file read vulnerability that could be exploited to obtain metadata database credentials
- The abuse of the Superset load_examples command to get the metadata database URI from the UI and modify the data stored there
- Using default credentials to access the metadata database in some Superset installations
- Leaking database credentials in plain text when querying the /api/v1/database API as a privileged user (CVE-2023-30776, fixed in 2.1.0)
The disclosure comes just over four months after the cybersecurity company revealed a high-severity flaw in the same product (CVE-2023-27524, CVSS score: 8.9) that could allow unauthorized attackers to gain administrator access to servers and execute arbitrary code.
The issue results from the use of a default SECRET_KEY which could be abused by attackers to authenticate and access unauthorized resources on installations exposed to the Internet.
Since the flaw was publicly disclosed in April 2023, Horizon3.ai said that 2,076 of 3,842 Superset servers still use a default SECRET_KEY, with approximately 72 instances using a trivially guessable SECRET_KEY such as superset, SUPERSET_SECRET_KEY, 1234567890, admin, changeme, thisisasecretkey, and your_secret_key_here.
“The user is responsible for setting the Flask SECRET_KEY, which invariably leads to some users setting weak keys,” Sunkavally said, urging maintainers to add support for automatic key generation.
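Until automatic key generation lands, the check is on the operator. The following is an added example, not part of the article or of Superset, of a small audit an operator can run against a `superset_config.py`: it reads `SECRET_KEY` statically (parsing the file with `ast` rather than importing it), flags the trivially guessable values listed above, and applies a length and entropy floor before suggesting a freshly generated key. The weak-value list comes from the figures quoted above; the 32-byte and 128-bit floors, the function names and the sample config text are assumptions made for this illustration, and the upstream default key string is deliberately not reproduced here (add your version's `config.py` value to the set when auditing).

```python
import ast
import math
import secrets
from collections import Counter

# Trivially guessable keys reported in the Horizon3.ai scan quoted above.
# Assumption: operators extend this set with the default shipped in their
# Superset version's config.py.
WEAK_SECRET_KEYS = {
    "superset", "SUPERSET_SECRET_KEY", "1234567890", "admin",
    "changeme", "thisisasecretkey", "your_secret_key_here",
}
MIN_KEY_BYTES = 32        # assumed floor: 256 bits of key material
MIN_ENTROPY_BITS = 128.0  # assumed floor for the empirical entropy estimate


def shannon_entropy_bits(s: str) -> float:
    """Empirical Shannon entropy of the string (bits per char times length).

    A crude but useful estimate: repeated characters or a tiny alphabet
    drive it down even when the key is long.
    """
    if not s:
        return 0.0
    n = len(s)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(s).values())
    return per_char * n


def audit_secret_key(key) -> list:
    """Return a list of findings; an empty list means the key passed."""
    if not isinstance(key, str) or not key:
        return ["SECRET_KEY is unset or not a string"]
    findings = []
    if key in WEAK_SECRET_KEYS:
        findings.append("SECRET_KEY is a known trivially guessable value")
    if len(key.encode()) < MIN_KEY_BYTES:
        findings.append(f"SECRET_KEY is shorter than {MIN_KEY_BYTES} bytes")
    if shannon_entropy_bits(key) < MIN_ENTROPY_BITS:
        findings.append("SECRET_KEY has low entropy (repetitive or small alphabet)")
    return findings


def read_secret_key_from_config(source: str):
    """Pull the SECRET_KEY literal out of superset_config.py without executing it.

    Returns None when there is no assignment or when the value is computed
    at runtime (e.g. from os.environ), which this static check cannot audit.
    """
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id == "SECRET_KEY":
                    try:
                        return ast.literal_eval(node.value)
                    except ValueError:
                        return None
    return None


def generate_secret_key() -> str:
    """A fresh random key; 42 bytes of CSPRNG output, URL-safe base64 encoded."""
    return secrets.token_urlsafe(42)


# Constructed sample config, as found on a host still running a weak key.
SAMPLE_CONFIG = 'ROW_LIMIT = 5000\nSECRET_KEY = "changeme"\n'

if __name__ == "__main__":
    key = read_secret_key_from_config(SAMPLE_CONFIG)
    for finding in audit_secret_key(key):
        print("FINDING:", finding)
    print("suggested replacement:", generate_secret_key())
```

Rotating the key invalidates existing sessions and signed values, so plan the change for a maintenance window; the audit itself is read-only and safe to run on any host.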
“At the root of many of the vulnerabilities described in this article is the fact that the Superset web interface allows users to connect to the metadata database.”