At its default settings, Apache Superset is vulnerable to authentication bypass and remote code execution, allowing attackers to read and alter data, gather passwords, and issue commands. Apache Superset is a top-level project of the Apache Software Foundation since 2021. It was initially created for Airbnb as an open-source data visualization and exploration tool.
Apache Superset uses a default Flask Secret Key to sign authentication session cookies, according to a recent Horizon3 investigation. Attackers can therefore log in with administrator access to servers that did not change the key by using this default key to create session cookies.
Although the Apache manual advises administrators to update the secret keys, according to Horizon3, this risky default configuration can presently be found on roughly 2,000 internet-accessible servers belonging to colleges, businesses of all sizes, governments, and other organizations.
Attackers that use flask-unsign and generate their own cookies to acquire administrator access on the target, access linked databases, or run arbitrary SQL statements on the application server are aware of the widely used default Flask secret key. Although we believe it will be simple for motivated attackers to figure it out, we are not revealing any exploit methods now, says Horizon3.
It is crucial to remember that installations are not susceptible to this attack if administrators have replaced the default key with a secret one. On October 11, 2021, the Horizon3 team found the problem and submitted it to the Apache Security team.
Version 1.4.1 of the software was released on January 11th, 2022, and it modified the default value of ‘SECRET_KEY’ to a new string and added a warning to the logs when the default value was seen during startup.
Horizon3 used Shodan to look for instances using the four default keys after discovering two more that were also commonly used in templates and documentation. At that moment, Horizon3 discovered that 2,124, or nearly 67% of the total, were incorrectly configured.
Once more, Horizon3 raised concerns with Apache, and in February 2023, the researchers started informing companies that they needed to modify their setup. The Superset team eventually released version 2.1 on April 5, 2023, which prevents the server from starting up if it is using a default “SECRET_KEY.”
This severe measure prohibits existing dangerous deployments but does not address the nearly 2,000 examples of misconfigurations that still persist, according to Horizon3. Administrators of Apache Superset can use a script that the security firm provided on GitHub to check whether their instance is vulnerable to assaults.
Conclusion
Apache Superset’s open-source data visualization maintainers fixed a default setup that could allow remote code execution. The cybersecurity firm found that 918 of 1,288 publicly accessible servers used the default SECRET_KEY value of “\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h” at install time in October 2021. The issue does not affect Superset instances that have modified the SECRET_KEY config default to a cryptographically safe random string. An attacker with the secret key may forge a session cookie and take control of these servers by signing in as an administrator.
On January 11, 2022, the project maintainers tried to fix the problem by changing the SECRET_KEY value to “CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET” in the Python code and giving users instructions to override it. Horizon3.ai detected two more SECRET_KEY configurations with default values “USE_YOUR_OWN_SECURE_RANDOM_KEY” and “thisISaSECRET_1234.” These four keys were found in 3,176 instances in February 2023, 2,124 of which used a default key. Large, small, government, and university-affiliated firms are affected. After a second responsible disclosure to the Apache security team, version 2.1 was released on April 5, 2023, to close the security issue by prohibiting the server from starting up if configured with the default SECRET_KEY.
