Exploited: Apache Superset Data Visualization & Exploration Tool
May 02, 2023
Story
The Apache Superset data visualization and exploration tool has been forked more than 10,000 times on GitHub and has amassed well over 50K stars (bookmarks and appreciation) on the popular code-sharing platform. But the tool was recently found to have a critical vulnerability, CVE-2023-27524, which has already been identified in more than 3000 separate occurrences.
The Horizon3.ai research team discovered that two out of three Apache Superset servers have an integrated fault that, when exposed, can cause significant damage to your entire environment. The servers in question are open to the public and can be logged into by bad actors trying to gain administrative privileges to change data, harvest credentials, and execute remote code.
ALERT: SECRET_KEY
Apache Superset is built on the Flask web framework, which uses cryptographically signed session cookies. When users log in, session cookies are exchanged between the server and the user’s browser, and each cookie is signed with a SECRET_KEY that is supposed to be randomly generated and is stored in a local configuration file.
Knowing the SECRET_KEY gives an attacker an administrator log-in that can be used to compromise the system. Session cookies can be forged using the off-the-shelf flask-unsign toolkit, which creates session cookies for derivatives of the username “user_id”. The forged session cookie is then placed in a browser’s local storage to give attackers unimpeded access to the codebase once the webpage is refreshed.
Horizon3.ai researchers sent an initial report to Apache Superset repository managers in October 2021, only to find that the SECRET_KEY value had been rotated to a new default, CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET, in January 2022. A warning was posted on this Git commit.
In response, the Superset team issued Update 2.1 in April 2023 to prevent servers from starting up if configured with a default SECRET_KEY. As a result, database passwords encrypted with the old SECRET_KEY will have to be re-encrypted with a new SECRET_KEY. More information on managing and rotating secrets using the Superset command line interface tool is available on superset.apache.org.
Still, given the 3000 known occurrences of the vulnerability impacting government, education, and private sector companies, the Horizon3.ai research team recommends that all Superset-reliant codebases be inspected using Superset’s in-depth built-in action log. Things to look for include suspicious admin-level activity, such as viewing or modifying database configurations, adding new databases, exporting data, unusual SQLLab queries, or uncommon API calls.
There is also a script available on GitHub that uses the flask-unsign toolkit to check if Superset session cookies are signed with known default SECRET_KEYs.
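A pre-deployment check in the spirit of the 2.1 startup guard, as an added example (not code from Superset or Horizon3.ai): it statically inspects the text of a Superset configuration file for a default or weak SECRET_KEY. The function names, the sample config, and the length and entropy thresholds are assumptions.

```python
import ast
import math
from collections import Counter

# Default named in the article; add any other defaults you track.
KNOWN_DEFAULTS = {"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"}
MIN_LENGTH = 32         # assumed local policy, not a Superset requirement
MIN_ENTROPY_BITS = 128  # assumed local policy

# Constructed sample config, for illustration only.
SAMPLE_CONFIG = 'ROW_LIMIT = 5000\nSECRET_KEY = "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"\n'


def find_secret_key(config_source):
    """Return (assigned, literal) for the module-level SECRET_KEY.

    The config is parsed, never executed. The last assignment wins, as at
    import time. literal is None when the value is computed at runtime.
    """
    assigned, literal = False, None
    for node in ast.parse(config_source).body:
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == "SECRET_KEY" for t in node.targets
        ):
            assigned, v = True, node.value
            ok = isinstance(v, ast.Constant) and isinstance(v.value, (str, bytes))
            literal = v.value if ok else None
    return assigned, literal


def estimated_bits(key):
    """Shannon estimate of total entropy from character frequencies."""
    n = len(key)
    return -sum(c * math.log2(c / n) for c in Counter(key).values())


def audit_secret_key(config_source):
    """Classify the config: missing, dynamic, default, weak or ok."""
    assigned, key = find_secret_key(config_source)
    if not assigned:
        return "missing"   # no override, so a shipped default may apply
    if key is None:
        return "dynamic"   # value set at runtime; check it there instead
    if isinstance(key, bytes):
        key = key.decode("latin-1")
    if key in KNOWN_DEFAULTS:
        return "default"
    if len(key) < MIN_LENGTH or estimated_bits(key) < MIN_ENTROPY_BITS:
        return "weak"
    return "ok"
```

A result of "dynamic" means the key comes from the environment or a function call, so the same default and strength checks need to be applied to the value the running service actually receives.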