Voyager18 (research)

CVE-2023-27524 in Apache Superset: what you need to know

CVE-2023-27524 opens the door to attackers remotely executing code in Apache Superset. Here's everything we know so far.

Yair Divinsky | April 30, 2023

 Apache Superset, a data exploration and visualization platform that helps users build and visualize interactive dashboards, has been recently found vulnerable to an insecure default configuration issue. A recent vulnerability discovered in Apache Superset, CVE-2023-27524, has the potential to allow attackers to remotely execute code on vulnerable systems.

In this post, we’ll discuss what CVE-2023-27524 is, whether it affects you and if it has been exploited in the wild, and how to fix it.

What is CVE-2023-27524?

CVE-2023-27524 is a vulnerability caused by an insecure default configuration in Apache Superset. The popular open-source data visualization and data exploration tool is claimed to be vulnerable to an authentication bypass and remote code execution (RCE) issue, enabling attackers to gain administrator access on targeted servers and collect and/or compromise user credential data. 

Using administrative privileges, any threat actor can “log in” to these servers, access and modify data connected to them, harvest credentials and execute remote code. Specifically, the vulnerability stems from the fact that the default configuration of Apache Superset allows arbitrary code execution through a remote command injection attack.

This vulnerability is a result of a default Flask Secret Key, which is defaulted to a predictable value at install time. At least 2000 of the over 3000 instances of Apache Superset exposed to the internet are running with this dangerous configuration.

The researchers responsible for these findings also repeated their search for instances of Superset in February 2023 and found that the default Flask key had been rotated to a new default, and a warning had been added to the logs.  

Does it affect me?

If you are using Apache Superset, you may be vulnerable to this attack. The flaw impacts all server instances that apply the default SECRET_KEY value as of version 1.4.1 and up to 2.0.1, and can potentially be exposed by threat actors to gain unauthorized access to the compromised devices. 

If you are running an older version of the software, it is recommended that you update to the latest version as soon as possible to avoid being affected by the vulnerability.



Has CVE-2023-27524 been actively exploited in the wild?

At this time, there is no evidence that CVE-2023-27524 has been actively exploited in the wild. However, a recent report from SOC Prime indicates that thousands of Apache Superset servers are vulnerable to this attack. Given the severity of the vulnerability, it is important to take steps to protect your system as soon as possible.

The potential impact of the CVE-2023-27524 vulnerability on the Superset application, allows an attacker who knows the SECRET_KEY of a Superset application to exploit the vulnerability and log in as an administrator. If the Superset server is not behind single sign-on, the attacker can forge a session cookie with a user_id value set to 1 using the flask-unsign toolkit. The first Superset user is almost always an administrator, and setting the forged session cookie in the browser’s local storage allows the attacker to access the application as an administrator. 

However, if the Superset server is behind SSO, discovering a valid user_id value may require more work, and the attack path has not been tested.

The team has shared the CVE-2023-27524 PoC exploit code on GitHub, which enables organizations to assess whether their Apache Superset server is using a risky default configuration. By utilizing the appropriate script, organizations can determine if their server instance is potentially vulnerable. If the script confirms that the server may be at risk, it is highly recommended that the organization either updates to the latest version with the available patch or removes the server altogether. 

How to fix CVE-2023-27524

To fix the vulnerability, users of Apache Superset are advised to update to the latest version, which includes a patch for the vulnerability. The patch fixes the default configuration to disallow arbitrary code execution through a remote command injection attack. It is also recommended that users review their system configurations to ensure that they are secure and that no other vulnerabilities exist.

Users are advised to update their Superset configuration to set the SECRET_KEY to a cryptographically secure random string. Administrative interfaces to web applications often result in remote code execution on the application server, and this is no different in the case of Apache Superset. Remote code execution is possible both on databases connected to Superset and the Superset server itself. The researchers did not disclose any exploit methods, though they expect attackers to figure it out.

Next steps

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:

  1. VulnRX – cyber risk and threat database
  2. Q1 2023 Vulnerability watch report
  3. MITRE ATTACK framework – Mapping techniques to CVEs 
  4. Exploit maturity: an introduction 
  5. OWASP Top 10 vulnerabilities 2022: what we learned

And finally…

Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy