Pierluigi Paganini
April 26, 2023
Apache Superset is an open-source data visualization and data exploration platform. The maintainers of the software have released security patches to address an insecure default configuration, tracked as CVE-2023-27524 (CVSS score: 8.9), that could lead to remote code execution.
The issue was discovered by Horizon3 researchers who reported that there are more than 3000 instances of the platform exposed to the Internet. Horizon3 found that at least 2000 servers are running with a dangerous default configuration.
“Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources.” reads the advisory. “This does not affect Superset administrators who have changed the default value for SECRET_KEY config.”
The CVE-2023-27524 flaw impacts versions up to and including 2.0.1.
Vulnerable versions are using the following default value for the SECRET_KEY:
“\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h”
“Any attacker can “log in” to these servers with administrative privileges, access and modify data connected to these servers, harvest credentials, and execute remote code.” reported Horizon3.
“The web application signs the cookie with a SECRET_KEY, a value that is supposed to be randomly generated and typically stored in a local configuration file. With every web request, the browser sends the signed session cookie back to the application. The application then validates the signature on the cookie to re-authenticate the user prior to processing the request. The security of the web application depends critically on ensuring the SECRET_KEY is actually secret. If the SECRET_KEY is exposed, an attacker with no prior privileges could generate and sign their own cookies and access the application, masquerading as a legitimate user.”
Horizon3 researchers reported the issue to the Superset team in Oct. 2021, but when in February 2023 they checked the fix they discovered that in January 2022 the default SECRET_KEY value was changed to “CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET“, and a warning was added to the logs with this Git commit.
The experts also found two additional SECRET_KEY configurations using the values “YOUR_OWN_SECURE_RANDOM_KEY” and “thisISaSECRET_1234.”
The experts found 3390 Superset instances exposed online, of which 3176 appeared to be really Superset instances. The researchers discovered that 2124 (~67%) out of 3176 instances were using one of the above four default keys.
Some of these installs belong to large corporations, small companies, government agencies, and universities.
Horizon3 shared its findings with the Apache security team a second time, and the project maintainers addressed the issue with the release of version 2.1 on April 5, 2023.
“This fix is not foolproof though as it’s still possible to run Superset with a default SECRET_KEY if it’s installed through a docker-compose file or a helm template. The docker-compose file contains a new default SECRET_KEY of TEST_NON_DEV_SECRET that we suspect some users will unwittingly run Superset with. Some configurations also set admin/admin as the default credential for the admin user.” concludes the researchers who also released a Python script to determine if Superset instances are vulnerable.
Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Superset)
