The open-source data visualization and data exploration platform Apache Superset released security patches to address an insecure default configuration, tracked as CVE-2023-27524 with a CVSS score: 8.9, that could lead to remote code execution.
Researchers discovered that there are more than 3000 instances of the platform exposed to the Internet, and at least 2000 servers are running with a dangerous default configuration. The CVE-2023-27524 flaw impacts versions up to and including 2.0.1. Vulnerable versions are using the following default value for the SECRET_KEY:
“\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h”
Any attacker can login to these servers with admin privileges, access and modify data connected to these servers, harvest credentials, and execute remote code.
- The web application signs the cookie with a SECRET_KEY, a value that is supposed to be randomly generated and typically stored in a local configuration file.
- With every web request, the browser sends the signed session cookie back to the application. The application then validates the signature on the cookie to re-authenticate the user prior to processing the request.
- The security of the web application depends critically on ensuring the SECRET_KEY is actually secret. If it is exposed, an attacker with no prior privileges could generate and sign their own cookies and access the application, masquerading as a legitimate user.
Researchers reported the issue to the Superset team in Oct. 2021, but when in February 2023 they checked the fix they discovered that in January 2022 the default SECRET_KEY value was changed to “CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET“, and a warning was added to the logs with this Git commit.
Two additional SECRET_KEY configurations using the values “YOUR_OWN_SECURE_RANDOM_KEY” and “thisISaSECRET_1234.”
Around 3390 Superset instances exposed online, of which 3176 appeared to be really Superset instances and 2124 out of 3176 instances were using one of the above four default keys. Some of these installs belong to large corporations, small companies, government agencies, and universities.
Researchers shared its findings with the Apache security team a second time, and the project maintainers addressed the issue with the release of version 2.1 on April 5, 2023. Still the patch can be overridden and it’s still possible to run Superset with a default SECRET_KEY if it’s installed through a docker-compose file or a helm template.
This research was documented by researchers from Horizon3
