
Insecure Default Configuration in Apache Superset allows an attacker to bypass authentication

Reference:
Advisory #2023-046
Version: 
1.0
Affected software:
Apache Superset < v2.1
Type: 
Authentication bypass
CVE/CVSS:
CVE-2023-27524 (CVSS Not assigned)

Sources

https://github.com/advisories/GHSA-5cx2-vq3h-x52c
https://nvd.nist.gov/vuln/detail/CVE-2023-27524

Risks

Using one of the default secrets, a remote attacker can log in as administrator. This allows the attacker to execute arbitrary code within the context of the application, possibly leading to a compromise of system/data integrity, confidentiality, and/or availability.

Description

Apache Superset is a data exploration and visualization platform. Versions prior to v2.1 shipped with hard-coded secret keys used to sign administrator web sessions. Although the documentation states that this secret key must be changed during initial setup, security researchers observed that most internet-facing Apache Superset servers were still running with one of the default secret keys.

Security researchers were able to leverage this administrator access for remote code execution (RCE) and credential harvesting.

Recommended actions

The Centre for Cyber Security Belgium strongly recommends that system administrators take the following actions in order to mitigate the impact of this vulnerability in the most efficient way.

Workaround

Replace the default SECRET_KEY with a long random string as suggested in the installation guide referenced below.

Patch

The Superset team changed the 2.1 release so that the server refuses to start if it is configured with a default SECRET_KEY. If you are using a Docker version, please ensure the secret key is changed to a random value.
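The workaround and the 2.1 start-up check above, as an added example that is not part of the advisory or of the Superset project: it generates a key the way the installation guide suggests (`openssl rand -base64 42`, here via Python's `secrets`), writes it into `superset_config.py`, and audits an existing key with a heuristic. The config path, the 32-character minimum, the entropy threshold and the placeholder word list are this example's assumptions, not Superset's own rules.

```python
import base64
import math
import re
import secrets
from collections import Counter
from pathlib import Path
from typing import List, Optional

# Policy thresholds chosen for this example; the guide itself suggests 42 random bytes.
MIN_KEY_LENGTH = 32
# Heuristic for unrotated placeholder values. Superset 2.1 compares against the exact
# default strings it ships; those strings are deliberately not reproduced here.
PLACEHOLDER_WORDS = re.compile(r"secret|change.?me|default|password|test|example", re.I)

def generate_secret_key(n_bytes: int = 42) -> str:
    """Fresh random key, base64-encoded like the guide's `openssl rand -base64 42`."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")

def shannon_entropy_bits(value: str) -> float:
    """Per-character Shannon entropy; repeated or dictionary strings score low."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())

def audit_secret_key(key: str) -> List[str]:
    """Reasons a configured SECRET_KEY should not be trusted (empty list = looks fine)."""
    problems = []
    if len(key) < MIN_KEY_LENGTH:
        problems.append(f"shorter than {MIN_KEY_LENGTH} characters")
    if PLACEHOLDER_WORDS.search(key):
        problems.append("contains a placeholder word (looks like an unrotated default)")
    if shannon_entropy_bits(key) < 4.0:
        problems.append("low character entropy (not a random string)")
    return problems

def read_secret_key(config_path: str) -> Optional[str]:
    """Extract SECRET_KEY = '...' from a superset_config.py; None when not set."""
    text = Path(config_path).read_text(encoding="utf-8")
    match = re.search(r"^SECRET_KEY\s*=\s*['\"]([^'\"]*)['\"]", text, re.MULTILINE)
    return match.group(1) if match else None

def write_secret_key(config_path: str, key: str) -> None:
    """Set or replace SECRET_KEY in superset_config.py (existing sessions become invalid)."""
    path = Path(config_path)
    text = path.read_text(encoding="utf-8") if path.exists() else ""
    line = f"SECRET_KEY = {key!r}"
    if re.search(r"^SECRET_KEY\s*=", text, re.MULTILINE):  # replace the existing line
        text = re.sub(r"^SECRET_KEY\s*=.*$", lambda _: line, text, count=1, flags=re.MULTILINE)
    else:  # append a new line to the config
        text = text.rstrip("\n") + ("\n" if text else "") + line + "\n"
    path.write_text(text, encoding="utf-8")
```

Rotating the key on an existing deployment also affects the database credentials Superset encrypts with it, so follow the rotation procedure in the configuring-superset guide referenced below rather than only swapping the string.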

Monitor/Detect

The CCB recommends that organisations scale up their monitoring and detection capabilities and watch for any related suspicious activity, ensuring a fast response in case of an intrusion. Monitor for suspicious administrator logins.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

When applying patches to systems that have been vulnerable to an RCE exploit, a proactive threat assessment should be performed to verify no exploitation occurred in the time between a patch becoming available and being applied.

References

https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in...
https://superset.apache.org/docs/installation/configuring-superset/