Insecure Default Configuration in Apache Superset allows an attacker to bypass authentication
CVE-2023-27524 (CVSS Not assigned)
Using one of the default secrets a remote attacker can login as administrator. This allows the attacker to execute arbitrary code within the context of the application, possibly leading to a compromise of system/data integrity, confidentiality, and/or availability.
Apache Superset is a data exploration and visualization platform. Versions prior to v2.1 contained hard coded secret keys for administrator web access. Although documentation states this secret key should be modified during initial setup, security researchers observed most internet facing Apache Superset servers implemented one of the default secret keys.
Security researchers were able to leverage this administrator access for remote code execution (RCE) and credential harvesting.
The Centre for Cyber Security Belgium strongly recommends system administrators to take the following actions in order to mitigate the impact of this vulnerability in the most efficient way.
Replace the default SECRET_KEY with a long random string as suggested in the installation guide referenced below.
The Superset team made an update with the 2.1 release to not allow the server to start up if it’s configured with a default SECRET_KEY. In case you are using a docker version, please ensure the secret key is changed to a random value.
The CCB recommends organisations to upscale monitoring and detection capabilities and to detect any related suspicious activity, ensuring a fast response in case of an intrusion. Monitor for suspicious adminstrator logins.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
When applying patches to systems that have been vulnerable to an RCE exploit, a proactive threat assessment should be performed to verify no exploitation occurred in the time between a patch becoming available and being applied.