Apache Superset Insecure Default Config Part II: RCE, Credential Harvesting and More (IOCs)

In April 2023, threat researchers at Horizon3.ai analyzed CVE-2023-27524, which Horizon3.ai Chief Architect Naveen Sunkavally described at the time as “a dangerous default configuration in Apache Superset that allows an unauth attacker to gain remote code execution, harvest credentials, and compromise data.”

Today, Sunkavally and team have updated their analysis of CVE-2023-27524 with the publication of Apache Superset Part II: RCE, Credential Harvesting and More. This post includes indicators of compromise (IOCs) and examples of what an attacker can do once they have obtained admin privileges, whether by exploiting CVE-2023-27524 or by other means. The blog post covers:

  • Accessing Default Metadata Database Credentials
  • Harvesting Credentials from the Metadata Database
  • Conducting Remote Code Execution on the Superset Server
  • Conducting Remote Code Execution on Any Connected DB Server
  • Indicators of Compromise
  • Remediation Guidance and Remediation Resource Links 

Sunkavally notes: “As of this writing, there are still a few default settings to be aware of in the Superset helm template and docker-compose setup. The Superset team is aware of these defaults and planning to remove them. The latest data we gathered supports removing these defaults and providing a complete fix for CVE-2023-27524.”
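The practical question for a Superset operator is whether their own deployment still signs session cookies with one of those template defaults. The following check is an added example written for this page; it is not Horizon3.ai's script nor Superset project code. It reimplements, with the standard library only, the itsdangerous URLSafeTimedSerializer scheme that Flask uses for its session cookie (HMAC-SHA1, salt "cookie-session", "hmac" key derivation), and tests a captured cookie against a list of placeholder keys. That key list is an assumption drawn from the Superset config.py, docker-compose and helm templates of the time, not from this page, and the sample cookie is constructed inline.

```python
"""Check whether a Flask/Superset session cookie validates under a known default SECRET_KEY.

Stdlib-only reimplementation of Flask's session-cookie signing, so it runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Iterable, Optional

SALT = b"cookie-session"  # salt used by Flask's SecureCookieSessionInterface

# ASSUMED list of placeholder keys shipped in Superset's config.py, docker-compose
# and helm templates around the time of this advisory. Verify against your own
# deployment artifacts; this list is illustrative, not authoritative.
KNOWN_DEFAULT_KEYS = [
    "\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h",
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",
    "thisISaSECRET_1234",
    "YOUR_OWN_RANDOM_GENERATED_SECRET_KEY",
    "TEST_NON_DEV_SECRET",
]


def _b64e(data: bytes) -> str:
    # itsdangerous uses URL-safe base64 with padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _derived_key(secret_key: str) -> bytes:
    # key_derivation="hmac": the signing key is HMAC(secret, salt)
    return hmac.new(secret_key.encode("utf-8"), SALT, hashlib.sha1).digest()


def _signature(secret_key: str, signed_value: str) -> str:
    mac = hmac.new(_derived_key(secret_key), signed_value.encode("utf-8"), hashlib.sha1)
    return _b64e(mac.digest())


def sign_session_cookie(session: dict, secret_key: str, timestamp: Optional[int] = None) -> str:
    """Build a Flask-style session cookie "payload.timestamp.signature".

    Used here only to construct a test cookie for the check below.
    """
    raw = json.dumps(session, separators=(",", ":")).encode("utf-8")
    packed = zlib.compress(raw)
    # Flask prefixes the payload with "." when zlib compression made it shorter
    payload = "." + _b64e(packed) if len(packed) < len(raw) else _b64e(raw)
    ts = int(time.time()) if timestamp is None else int(timestamp)
    ts_b64 = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    signed_value = f"{payload}.{ts_b64}"
    return f"{signed_value}.{_signature(secret_key, signed_value)}"


def decode_session_payload(cookie: str) -> dict:
    """Decode the cookie payload WITHOUT verifying its signature (inspection only)."""
    payload, _ts, _sig = cookie.rsplit(".", 2)
    if payload.startswith("."):
        return json.loads(zlib.decompress(_b64d(payload[1:])))
    return json.loads(_b64d(payload))


def find_default_key(cookie: str, candidates: Iterable[str] = KNOWN_DEFAULT_KEYS) -> Optional[str]:
    """Return the candidate key whose signature matches `cookie`, or None if none does."""
    signed_value, _, sig = cookie.rpartition(".")
    if not signed_value or not sig:
        return None
    for key in candidates:
        if hmac.compare_digest(_signature(key, signed_value), sig):
            return key
    return None


if __name__ == "__main__":
    # Constructed sample: a benign session signed with one of the template keys.
    sample = sign_session_cookie({"locale": "en"}, "TEST_NON_DEV_SECRET", timestamp=1700000000)
    print("payload:", decode_session_payload(sample))
    print("default key in use:", find_default_key(sample))
```

Paste the value of the `session` cookie from a browser logged in to your own Superset instance into `find_default_key`; any non-None result means every session on that deployment can be minted by anyone who has read the same template. The fix is a unique, random `SECRET_KEY`, and since Superset also uses that key to encrypt stored database connection credentials in the metadata database, rotating it must be done with the project's documented re-encryption procedure rather than by simply editing the value.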

Apache Superset is an open-source data visualization and exploration tool with over 50,000 stars on GitHub. More than 3000 instances of it are exposed to the Internet.

Previous (April 23, 2023) Horizon3.ai research: “CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution”, https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/
