Active Exploitation of OpenMetadata Vulnerabilities in Kubernetes Clusters
April 17, 2024
Since the start of April, threat actors have been actively exploiting known vulnerabilities in OpenMetadata, an open source metadata management tool and central metadata repository, to gain remote code execution on unpatched OpenMetadata workloads running in Kubernetes clusters, according to Microsoft Threat Intelligence.
In mid-March, five vulnerabilities (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848 and CVE-2024-28254) affecting OpenMetadata versions prior to v1.3.1 were disclosed, as per Microsoft's report. While some security teams may have overlooked the advisory, adversaries seized the opportunity to compromise Internet-exposed, unpatched deployments and use the resulting access to the Kubernetes environment for cryptocurrency mining.
As Microsoft researcher Yossi Weizman explains, 'In this case, a vulnerable Kubernetes workload which is exposed to the Internet got exploited.' While these cybercriminals were primarily engaged in crypto mining, Weizman warns that once inside a Kubernetes cluster, an adversary can engage in a variety of malicious activities.
'In general (not specifically in this case), once attackers have control over a workload in the cluster, they can try to leverage this access also for lateral movement, both inside the cluster and also to external resources,' Weizman adds.
Administrators of OpenMetadata are encouraged to upgrade to v1.3.1 or later, enforce strong authentication on the OpenMetadata application, and change any default credentials still in use. Reviewing whether the workload needs to be reachable from the Internet at all is also worthwhile, since the exploited deployments were those exposed externally.
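The first question a cluster operator will ask is whether any OpenMetadata server is still running a release older than v1.3.1. The script below is an added example written for this page, not code from the article or from the OpenMetadata project: it reads the JSON output of `kubectl get pods -A -o json`, finds containers whose image repository ends in `openmetadata/server` (an assumption about the upstream image name; adjust the pattern for mirrored or custom images), and classifies each as patched, vulnerable, or unknown when the tag carries no version number (such as `latest`). The embedded PodList is constructed sample data so the script runs offline.

```python
#!/usr/bin/env python3
"""Triage helper: flag OpenMetadata server containers older than 1.3.1, the
first release that fixes CVE-2024-28255, CVE-2024-28847, CVE-2024-28253,
CVE-2024-28848 and CVE-2024-28254.

Live cluster:   kubectl get pods -A -o json | python3 om_triage.py -
No arguments:   runs against the constructed SAMPLE below.
"""
import json
import re
import sys

FIXED = (1, 3, 1)
# Assumption: the server image repository path ends in "openmetadata/server"
# (as on Docker Hub and docker.getcollate.io). Adjust for mirrors or forks.
SERVER_REPO_RE = re.compile(r"(^|/)openmetadata/server$")
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def split_image(image):
    """Return (repository, tag) for an image reference, handling registry
    ports (registry:5000/x) and digests (x@sha256:...)."""
    ref = image.split("@", 1)[0]        # drop any digest; only the tag is compared
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:              # colon belongs to the tag, not a port
        return ref[:colon], ref[colon + 1:]
    return ref, "latest"                # untagged reference defaults to latest


def parse_version(tag):
    """Leading numeric triple of a tag, or None for 'latest', 'main', etc."""
    m = VERSION_RE.match(tag)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(image):
    """'patched', 'vulnerable' or 'unknown' for an OpenMetadata server image;
    None when the image is something else entirely."""
    repo, tag = split_image(image)
    if not SERVER_REPO_RE.search(repo):
        return None
    ver = parse_version(tag)
    if ver is None:
        return "unknown"                # floating tag: inspect the running build
    return "patched" if ver >= FIXED else "vulnerable"


def triage(pod_list):
    """Walk a v1 PodList dict and return one record per server container."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        for c in pod.get("spec", {}).get("containers", []):
            status = classify(c["image"])
            if status is not None:
                findings.append({"namespace": meta["namespace"], "pod": meta["name"],
                                 "container": c["name"], "image": c["image"],
                                 "status": status})
    return findings


# Constructed sample PodList (not real cluster data) so the script runs offline.
SAMPLE = {"items": [
    {"metadata": {"namespace": "openmetadata", "name": "openmetadata-5f7b9-abc12"},
     "spec": {"containers": [{"name": "openmetadata",
                              "image": "docker.getcollate.io/openmetadata/server:1.2.3"}]}},
    {"metadata": {"namespace": "analytics", "name": "om-server-0"},
     "spec": {"containers": [{"name": "server",
                              "image": "registry.internal:5000/openmetadata/server:1.3.1"}]}},
    {"metadata": {"namespace": "dev", "name": "om-dev-1"},
     "spec": {"containers": [{"name": "server", "image": "openmetadata/server:latest"}]}},
    {"metadata": {"namespace": "web", "name": "nginx-1"},
     "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25"}]}},
]}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = json.load(sys.stdin if sys.argv[1] == "-" else open(sys.argv[1]))
    else:
        data = SAMPLE
    for f in triage(data):
        print(f"{f['status']:<10} {f['namespace']}/{f['pod']} ({f['container']}): {f['image']}")
```

Running it against the sample reports the 1.2.3 deployment as vulnerable, the 1.3.1 one as patched and the `latest`-tagged one as unknown. The image tag says nothing about exposure or credentials, so pair this with a look at Services of type LoadBalancer or NodePort and Ingress objects pointing at these pods, and with confirmation that the default admin login has been changed.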