Thousands of publicly-exposed Apache Superset installs exposed to RCE attacks

Apache Superset open-source data visualization platform is affected by an insecure default configuration that could lead to remote code execution.

Apache Superset is an open-source data visualization and data exploration platform. The maintainers of the software have released security patches to address an insecure default configuration, tracked as CVE-2023-27524 (CVSS score: 8.9), that could lead to remote code execution.

The issue was discovered by Horizon3 researchers who reported that there are more than 3000 instances of the platform exposed to the Internet. Horizon3 found that at least 2000 servers are running with a dangerous default configuration.

“Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources.” reads the advisory. “This does not affect Superset administrators who have changed the default value for SECRET_KEY config.”

The CVE-2023-27524 flaw impacts versions up to and including 2.0.1.

Vulnerable versions are using the following default value for the SECRET_KEY:

“\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h”

“Any attacker can “log in” to these servers with administrative privileges, access and modify data connected to these servers, harvest credentials, and execute remote code.” reported Horizon3.

“The web application signs the cookie with a SECRET_KEY, a value that is supposed to be randomly generated and typically stored in a local configuration file. With every web request, the browser sends the signed session cookie back to the application. The application then validates the signature on the cookie to re-authenticate the user prior to processing the request. The security of the web application depends critically on ensuring the SECRET_KEY is actually secret. If the SECRET_KEY is exposed, an attacker with no prior privileges could generate and sign their own cookies and access the application, masquerading as a legitimate user.”

Horizon3 researchers reported the issue to the Superset team in Oct. 2021, but when in February 2023 they checked the fix they discovered that in January 2022 the default SECRET_KEY value was changed to “CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET“, and a warning was added to the logs with this Git commit.

The experts also found two additional SECRET_KEY configurations using the values “YOUR_OWN_SECURE_RANDOM_KEY” and “thisISaSECRET_1234.”

The experts found 3390 Superset instances exposed online, of which 3176 appeared to be really Superset instances. The researchers discovered that 2124 (~67%) out of 3176 instances were using one of the above four default keys.

Some of these installs belong to large corporations, small companies, government agencies, and universities.

Horizon3 shared its findings with the Apache security team a second time, and the project maintainers addressed the issue with the release of version 2.1 on April 5, 2023.

“This fix is not foolproof though as it’s still possible to run Superset with a default SECRET_KEY if it’s installed through a docker-compose file or a helm template. The docker-compose file contains a new default SECRET_KEY of TEST_NON_DEV_SECRET that we suspect some users will unwittingly run Superset with. Some configurations also set admin/admin as the default credential for the admin user.” concludes the researchers who also released a Python script to determine if Superset instances are vulnerable.

Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

The Teacher – Most Educational Blog
The Entertainer – Most Entertaining Blog
The Tech Whizz – Best Technical Blog
Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Superset)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.