Apache has released a patch to address a session validation vulnerability in Superset. CVE-2023-27524 has been rated as high, with a CVSS score of 8.9. On successful exploitation, the vulnerability may allow an attacker to authenticate and access unauthorized resources and execute arbitrary code on the target system.
On January 8, 2024, CISA added the CVE-2023-27524 to the Known Exploited Vulnerabilities Catalog. CISA has recommended users to patch the flaw before Jan 29, 2024.
Apache Superset is an open-source data exploration and visualization platform that provides users with all skill sets to explore and visualize their data, from simple line charts to highly detailed geospatial diagrams.
The vulnerability exists in the default configuration that runs on almost two third of all the servers, making them vulnerable. The research shows that over 70% of the users have not modified the SECRET_KEY default value that Apache gave in the documentation at the installation time.
The advisory says that the installations that haven’t changed the SECRET_KEY default configuration following installation instructions make it possible for an attacker to authenticate and access restricted resources. Administrators who have altered the SECRET_KEY configuration’s default value are unaffected by this vulnerability. Research has shown that the vulnerability could lead to remote code execution.
Superset functionality is based on the Flask web framework that uses cryptographically signed session cookies for user state management. A session cookie with a user identity is sent back to the end user’s browser by the web application when a user logs in. A web application uses a SECRET_KEY to sign the cookie. The SECRET_KEY is usually kept in a local configuration file and is supposed to be randomly generated. The browser returns the signed session cookie to the application with each web request. Before completing the request, the application verifies the cookie’s signature to re-authenticate the user.
Making sure the SECRET_KEY is genuinely secret is crucial for the web application’s security. An attacker with no prior privileges may create and sign their cookies if the SECRET_KEY is made public, giving them access to the application while posing as a genuine user.
Apache Superset uses an off-the-shelf flask-unsign toolkit to automate “cracking” a session cookie to see if it was signed by a weak SECRET_KEY and then creating a false but legitimate session cookie using a known SECRET_KEY.
An attacker can log in as an administrator if the Superset server is not protected by single sign-on (SSO). Using the off-the-shelf flask-unsign toolkit, an attacker may forge a session cookie with a user_id or _user_id value set to “1”. The value “1” represents the first Superset user, who is generally an administrator. An attacker can get administrator access to the application by refreshing the page after setting the forged session cookie in the browser’s local storage.
A web application uses a SECRET_KEY to sign the cookie. The SECRET_KEY is usually kept in a local configuration file and is supposed to be randomly generated.
Here are some of the default SECRET_KEY exposed publicly:
Superset helps collaborate with various databases for data exploration and visualization. Attackers with admin access will greatly influence these databases, including the power to add and terminate database connections. An attacker with admin access can enable writes and DML (data model language) statements even though database connections are configured initially with read-only permissions. Attackers can use the robust SQL Lab interface to execute any SQL statement on linked databases. Attackers may query, edit, and remove any data in the database and remotely execute code on the database server, depending on the capabilities granted to database users.
Apache Superset versions up to and including 2.0.1 are affected by this vulnerability.
Customers are recommended to upgrade to the latest software version, which can be downloaded from the Apache Superset Documentation.
Please refer to the Apache Security Advisory for more information.
Qualys customers can scan their devices with QIDs 730792 and 992936 to detect vulnerable assets.
QID 992936 is currently available via the SCA (Software Composition Analysis) capabilities for Container Security.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.