Business
Thousands of Apache Superset Servers Open to RCE Attacks
Cybersecurity analysts at Horizon3 detected that thousands of Apache Superset servers are exposed to RCE attacks at default configurations.
This could allow the threat actors to perform the following illicit activities:-
- Access data
- Modify data
- Harvest credentials
- Execute commands
Apache Superset is an open-source tool that is used for:-
- Data visualization
- Data exploration
Initially, this tool was developed for Airbnb, but in 2021, it became a top-level project at the Apache Software Foundation.
Technical Analysis
Attackers could take advantage of the default Flask Secret Key utilized by Apache Superset for signing authentication session cookies to create fake session cookies.
Consequently, servers that haven’t altered the key may be susceptible to unauthorized access with elevated privileges.
While Horizon3 affirmed that they had identified this vulnerable default configuration in 2,000 internet-exposed servers. Most of these exposed servers belong to several organizations:-
- Universities
- Corporations of varying sizes
- Government organizations
Superset facilitates the exploration of data and the creation of visualizations by supporting integrations with multiple databases.
Attackers can execute arbitrary SQL statements against linked databases using the powerful SQL Lab interface.
While apart from this, administrators can avoid this attack by changing the default key to an unknown value unfamiliar to the attackers.
Impact
On October 11, 2021, Horizon3 discovered and reported the flaw to the Apache Security team.
The developers released version 1.4.1 of the software on January 11, 2022, which replaced the default ‘SECRET_KEY’ with a new string.
In addition, a warning was included in the logs to indicate the detection of the default string during startup.
Horizon3 found 2 default keys, used Shodan to search instances using them, and found 67% were misconfigured which totals around 2,124 total.
Horizon3 contacted Apache again and warned organizations to change their configuration in February 2023.
On April 5, 2023, the Superset team released version 2.1 which blocks default ‘SECRET_KEY’ at server startup.
Version 2.1 of Superset prevents new risky deployments but doesn’t fix over 2,000 existing misconfigurations.
Timeline
Here below, we have mentioned the complete timeline:-
- Oct. 11, 2021: Initial communication to the Apache Security team
- Oct. 12, 2021: Superset team says they will look into the issue
- Jan. 11, 2022: Superset team changes default SECRET_KEY and adds warning to logs with this Git commit
- Feb. 9, 2023: Email to the Apache Security team about new data related to the insecure default configuration. Started notifying specific organizations.
- Feb. 24, 2023: Superset team confirms code change will be made to address default SECRET_KEY
- Mar. 1, 2023: Pull request merged with a code change to address default SECRET_KEY
- Apr. 5, 2023: Superset 2.1 release
- Apr. 24, 2023: CVE disclosed
Source: https://cybersecuritynews.com/thousands-of-apache-superset-servers-open-to-rce-attacks/
IoT security threats highlight the need for zero trust principles
New infosec products of the week: October 27, 2023
Raven: Open-source CI/CD pipeline security scanner
Apple news: iLeakage attack, MAC address leakage bug
Hackers earn over $1 million for 58 zero-days at Pwn2Own Toronto
