Misconfigured Apache Airflow servers leak thousands of credentials

Experts discovered many misconfigured Apache Airflow servers exposed online that were leaking sensitive information from prominent tech firms.

Apache Airflow is an open-source workflow management platform used by many organizations worldwide for automating business and IT tasks.

Researchers from security firm Intezer have discovered many misconfigured Apache Airflow servers exposed online that were leaking sensitive information, including credentials, from several tech companies.

“These unsecured instances expose sensitive information of companies across the media, finance, manufacturing, information technology (IT), biotech, e-commerce, health, energy, cybersecurity, and transportation industries. In the vulnerable Airflows, we see exposed credentials for popular platforms and services such as Slack, PayPal, AWS and more.” states the post published by Intezer.

Experts analyzed the misconfiguration risks for organizations and their customers, they also provided details of the common causes for data leakage from vulnerable instances. Intezer researchers determined that most of the leaked credentials are exposed through insecure coding practices, many of the impacted instances have hardcoded passwords inside the Python DAG code.

Other misconfigured installs analyzed by Intezer had a publicly accessible configuration file (airflow.cfg) that contains secret information, including passwords and keys. Threat actors could also change the configuration causing unexpected behavior.

The credentials could also be leaked through the Airflow “variables” that are used across DAG scripts. Experts explained that it is quite common to find hardcoded passwords stored in these variables.

Threat actors could also abuse Airflow plugins or features to run malware that could be injected in variables.

“There is also the possibility that Airflow plugins or features can be abused to run malicious code. An example of how an attacker can abuse a native “Variables” feature in Airflow is if any code or images placed in the variables form is used to build evaluated code strings.” continues the analysis. “Variables are able to be edited by any visiting user which means that malicious code could be injected. One entity we observed was using variables to store internal container image names to execute. These container image variables could be edited and swapped out with an image containing and running unauthorized or malicious code.”

The research focused on older versions of Apache Airflow and highlighted the risks associated with the use of out-of-date software.

Most of the issues described in the report were affecting servers running Airflow v1.x, the good news is that recent versions of Airflow includes security features that mitigate the above issues.

“In light of the major changes made in version 2, it is strongly recommended to update the version of all Airflow instances to the latest version. Make sure that only authorized users can connect.” concludes the report. “Exposing customer information can also lead to violation of data protection laws and the possibility of legal action.”

“Disruption of clients’ operations through poor cybersecurity practices can also result in legal action such as class action lawsuits,”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Apache Airflow)

[adrotate banner=”5″]

[adrotate banner=”13″]