Apache Superset, an open-source data visualization and data exploration platform, has over 3000 instances exposed to the internet, leaving them vulnerable to remote code execution (RCE) attacks. The maintainers of the software have released security patches to address an insecure default configuration, tracked as CVE-2023-27524 (CVSS score: 8.9). The issue was discovered by researchers at Horizon3, who found that at least 2000 servers are running with a dangerous default configuration.
The advisory states, “Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources.” However, it clarifies that this does not affect Superset administrators who have changed the default value for the SECRET_KEY config. The CVE-2023-27524 flaw impacts versions up to and including 2.0.1.
Horizon3 explained, “Any attacker can “log in” to these servers with administrative privileges, access and modify data connected to these servers, harvest credentials, and execute remote code.” The security of the web application depends critically on ensuring the SECRET_KEY is actually secret. If the SECRET_KEY is exposed, an attacker with no prior privileges could generate and sign their own cookies and access the application, masquerading as a legitimate user.
Horizon3 researchers reported the issue to the Superset team in October 2021, but when they checked the fix in February 2023, they discovered that in January 2022, the default SECRET_KEY value was changed to “CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET“, and a warning was added to the logs with a Git commit. The experts also found two additional SECRET_KEY configurations using the values “YOUR_OWN_SECURE_RANDOM_KEY” and “thisISaSECRET_1234.”
Out of 3390 Superset instances exposed online, 3176 appeared to be actual Superset instances, and 2124 (~67%) out of 3176 instances were using one of the four default keys. Some of these installs belong to large corporations, small companies, government agencies, and universities. Horizon3 shared its findings with the Apache security team a second time, and the project maintainers addressed the issue with the release of version 2.1 on April 5, 2023.
The researchers warned, “This fix is not foolproof though as it’s still possible to run Superset with a default SECRET_KEY if it’s installed through a docker-compose file or a helm template. The docker-compose file contains a new default SECRET_KEY of TEST_NON_DEV_SECRET that we suspect some users will unwittingly run Superset with. Some configurations also set admin/admin as the default credential for the admin user.” They also released a Python script to help determine if Superset instances are vulnerable.