Apache Superset Shipped With Unpatched RCE Vulnerability

Researchers spotted a severe unpatched remote code execution vulnerability shipped by default in Apache Superset. The vulnerability existed due to a dangerous default configuration, leaving thousands of Superset instances open to the public.

Apache Superset Has A Default Key Vulnerability

According to a detailed post from Horizon3.ai, their researchers found at least 3000 Apache Superset instances exposed to the internet, around 2000 of which run a dangerous default configuration. Exploiting this vulnerability allows a remote attacker to execute malicious code on the target Apache Superset instance.

Apache Superset is an open-source data exploration and visualization tool that is popular for being lightweight, intuitive, and user-friendly for big data management.

Specifically, the flaw existed due to an exposed SECRET_KEY that Superset’s underlying Flask framework uses for validating user session cookies. Although this key is randomly generated for security, leaving it vulnerable to snooping defeats the entire purpose. Hence, an adversary may exploit this exposed SECRET_KEY to sign a fake session cookie and impersonate a legitimate user. And according to the researchers, doing so is trivial.

The off-the-shelf flask-unsign tool automates this work: “cracking” a session cookie to discover if it was signed by a weak SECRET_KEY, and then forging a fake but valid session cookie using a known SECRET_KEY.
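As an added illustration (not code from Horizon3.ai, flask-unsign or the Superset project), the following Python check shows why a known SECRET_KEY is fatal: a Flask session cookie is only an HMAC over its own contents, so anyone holding the key can validate it. The sample cookie and the placeholder key names are constructed; replace the placeholders with the default values from the Superset configuration you deployed and pass in a cookie issued by your own instance.

```python
import base64
import hashlib
import hmac

SALT = b"cookie-session"  # salt used by Flask's default session serializer

def _b64(data: bytes) -> bytes:
    # itsdangerous encoding: URL-safe base64 with the "=" padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _mac(secret_key: str, signed_part: bytes) -> bytes:
    # Derive the signing key with HMAC(secret, salt), then HMAC-SHA1 the
    # "payload.timestamp" part, as Flask's default cookie signer does.
    derived = hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()
    return _b64(hmac.new(derived, signed_part, hashlib.sha1).digest())

def sample_cookie(secret_key: str) -> str:
    """Build a constructed test cookie so the audit can run offline."""
    payload = _b64(b'{"demo":"constructed"}')
    timestamp = _b64((1700000000).to_bytes(4, "big"))
    signed_part = payload + b"." + timestamp
    return (signed_part + b"." + _mac(secret_key, signed_part)).decode()

def key_that_verifies(cookie: str, candidate_keys):
    """Return the candidate key whose signature matches the cookie, else None."""
    signed_part, sep, sig = cookie.encode().rpartition(b".")
    if not sep or not signed_part:
        return None  # not in payload.timestamp.signature form
    for key in candidate_keys:
        if hmac.compare_digest(_mac(key, signed_part), sig):
            return key
    return None

# Placeholders (assumption): fill in the defaults shipped with your install.
KNOWN_DEFAULT_KEYS = [
    "<default-key-from-config-guide>",
    "<default-key-from-deployment-template>",
]

if __name__ == "__main__":
    cookie = sample_cookie(KNOWN_DEFAULT_KEYS[0])  # stands in for a real cookie
    hit = key_that_verifies(cookie, KNOWN_DEFAULT_KEYS)
    print("VULNERABLE: default key in use" if hit else "OK: no default key matched")
```

A match means the instance is still signing sessions with a published key and the SECRET_KEY must be replaced with a long random value.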

Nonetheless, the onus for this vulnerability seemingly doesn’t lie on Superset, since the Superset configuration guide already mentions the default SECRET_KEY and asks users to change the key later. However, it appeared that most users didn’t pay attention to this requirement, leaving thousands of instances exposed to the public, according to a Shodan search.

This vulnerability has received the CVE ID CVE-2023-27524.

Apache Fixed The Flaw

Following the researchers’ bug report, the Superset team addressed the matter and released a patch with Superset version 2.1. This patch prevents the server from starting with the default configuration, forcing the user to change the SECRET_KEY. However, the researchers noted that this patch doesn’t adequately work for Superset installed with a docker-compose file or a helm template.

For safety, the researchers have notified many organizations running vulnerable Superset servers. Also, they have released a script on GitHub for users to check for a vulnerable configuration.