Apache Superset Misconfiguration Allows Remote Code Execution
An unsecure default configuration in Apache Superset in versions shipping prior to April 5, 2023 could be exploited to obtain admin access to the data visualization and exploration tool and harvest credentials, compromise data, and remotely execute code. The issue exists in Apache Superset up through version 2.0.1. Users are urged to update to Apache Superset version 2.1 or later.
[Ullrich] On the one hand, users should read the manual, but on the other hand, software should not assume they actually do. If you add a default cryptographic key (or password) to your software's configuration at least display an error message and do not allow the software to run unless the key is changed.
Let’s break this down: This was a lab in the Advanced Web Pen Testing Course I authored many years ago. The bug here stems from how cookies are securely wrapped within the application. Since the encryption key is well known, and the attacker understands the algorithm to unwrap the cookie, the encryption is rendered ineffective as it just requires someone to look. These bugs are nasty because it's more than just resetting a user’s password; it has to do with rotating the application secret, which is the crux of this issue. Does this impact more than Apache Superset? Potentially, this bug affected Python Flask (in this case, being the target) and Ruby Sinatra. The advice given to most “developers” is “choose a strong key”; however, most developers that are building Flask applications should have this defaulted to a randomly generated long string. I advise many developers in this setting that “opinionated frameworks” can set safe defaults, while these microservices frameworks may not. This is the risk model you must assume.
This is the challenge of a functional default configuration. Ideally, security items that you're supposed to provide your own value for should be commented out, with a note about setting a value. Not only does version 2.1 fix the bug, but also will not start if you're using one of the default keys. If you're using a default key, you will not only need to generate a new secure one, but also the information secured with the old one will need to be re-encrypted. Apache Superset CLI includes a tool for rotating secrets -see the Superset SECRET_KEY Rotation page. https://superset.apache.org/docs/installation/configuring-superset/#secret_key-rotation
Default configuration is a delicate balance between user experience and security. The vendor too often tips the scale to user experience. There exists a marketplace that offers secure configuration recommendations for a variety of vendor products (CIS Benchmarks, DISA STIGs). In this case, the only alternative is to update to the latest version. Here’s a gentle reminder to build into your cybersecurity program, secure configuration.
Read more in
Horizon3: CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution
The Register: Apache Superset: A story of insecure default keys, thousands of vulnerable systems, few paying attention
Bleeping Computer: Thousands of Apache Superset servers exposed to RCE attacks
Security Week: Organizations Warned of Security Risk in Default Apache Superset Configurations
The Hacker News: Apache Superset Vulnerability: Insecure Default Configuration Exposes Servers to RCE Attacks