Insecure Default Configurations Expose Servers to RCE Attacks
The maintainers of the Apache Superset open source data visualization software have released a fix to plug an insecure default configuration that could lead to remote code execution.
The vulnerability, tracked as CVE-2023-27524 (CVSS score: 8.9), affects versions up to and including 2.0.1 and stems from the use of a default SECRET_KEY, which attackers could abuse to authenticate and access unauthorized resources on internet-exposed installations.
Naveen Sunkavally, chief architect at Horizon3.ai, describes the issue as “a malicious default configuration in Apache Superset that allows an unauthorized attacker to gain remote code execution, harvest credentials, and compromise data.”
It should be noted that the flaw does not affect Superset instances that have changed the default value of the SECRET_KEY configuration to a more cryptographically secure random string.
The cybersecurity firm, which found that SECRET_KEY had a default value of “\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h” at install time, said that 918 of the 1,288 publicly accessible servers it identified were using the default configuration in October 2021.
An attacker who knows the secret key can then log in to such a server as an administrator by forging the session cookie and seize control of the system.
On January 11, 2022, the project maintainers attempted to fix the problem by rotating the value of SECRET_KEY to “CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET” in the Python code, along with instructions for users to override it.
Horizon3.ai said it further found two additional SECRET_KEY configurations that were assigned the default values “USE_YOUR_OWN_SECURE_RANDOM_KEY” and “thisISASECRET_1234.”
An extended search performed in February 2023 with these four keys found 3,176 instances, of which 2,124 used one of the default keys. Some of those affected include large companies, small companies, government agencies and universities.
After a second responsible disclosure to the Apache security team, a new update (version 2.1) was released on April 5, 2023, to plug the security hole by preventing the server from starting at all if it is configured with the default SECRET_KEY.
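A startup guard in the spirit of the 2.1 fix, as an added example that is neither Superset's own code nor Horizon3.ai's checker script: it refuses to start when SECRET_KEY is one of the default values named in this article (including the docker-compose default TEST_NON_DEV_SECRET that Sunkavally mentions) or is too short, and shows how to mint a replacement. The function names, the 32-byte minimum and the sample configuration are assumptions made for this example.

```python
import secrets

# Default values named in the article (TEST_NON_DEV_SECRET is the docker-compose
# default Sunkavally mentions); the set itself is constructed for this example.
KNOWN_DEFAULT_SECRET_KEYS = frozenset({
    "\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h",
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",
    "USE_YOUR_OWN_SECURE_RANDOM_KEY",
    "thisISASECRET_1234",
    "TEST_NON_DEV_SECRET",
})
MIN_SECRET_KEY_BYTES = 32  # assumption: require at least 256 bits of key material


class InsecureSecretKeyError(RuntimeError):
    """Raised when the configured SECRET_KEY must not be used in production."""


def secret_key_problems(secret_key) -> list:
    """Return the reasons a SECRET_KEY is unacceptable; an empty list means OK."""
    if not secret_key:
        return ["SECRET_KEY is unset or empty"]
    key = secret_key.decode("latin-1") if isinstance(secret_key, bytes) else str(secret_key)
    problems = []
    if key in KNOWN_DEFAULT_SECRET_KEYS:
        problems.append("SECRET_KEY is a publicly known default value")
    if len(key.encode("utf-8")) < MIN_SECRET_KEY_BYTES:
        problems.append(f"SECRET_KEY is shorter than {MIN_SECRET_KEY_BYTES} bytes")
    return problems


def enforce_secret_key(config: dict) -> None:
    """Abort startup, as Superset 2.1 does, rather than run with a weak key."""
    problems = secret_key_problems(config.get("SECRET_KEY"))
    if problems:
        raise InsecureSecretKeyError("; ".join(problems))


def generate_secret_key(nbytes: int = 48) -> str:
    """Produce a replacement key from the OS CSPRNG (URL-safe base64 text)."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed configuration that mirrors an install left on a default key.
    try:
        enforce_secret_key({"SECRET_KEY": "thisISASECRET_1234"})
    except InsecureSecretKeyError as exc:
        print("refusing to start:", exc)
    enforce_secret_key({"SECRET_KEY": generate_secret_key()})
    print("started with a fresh random SECRET_KEY")
```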
“This fix is not easy as it is still possible to run Superset with default SECRET_KEY if installed via docker builder file or helm template,” Sunkavally said.
“The docker-compose file contains a new default SECRET_KEY of TEST_NON_DEV_SECRET which we suspect some users will unknowingly run Superset on. Some configurations also set admin/admin as the default credentials for admin users.”
Horizon3.ai has also made available a Python script that can be used to determine whether a Superset instance is vulnerable to the flaw.
“It is generally accepted that users don’t read documentation and applications should be designed to force users along a path where they have no choice but to be safe by default,” Sunkavally concludes. “The best approach is to take the choice out of the user and ask them to take deliberate action to be intentionally insecure.”