The popular open-source data visualization and data exploration tool Apache Superset is reported to be vulnerable to authentication bypass and remote code execution (RCE), enabling threat actors to gain administrator access to targeted servers, collect user credentials, and compromise data. The discovered bug is an insecure default configuration flaw tracked as CVE-2023-27524, and a basic proof-of-concept (PoC) exploit has already been released on GitHub.
Since the CVE-2023-27524 PoC exploit code is publicly available on GitHub, timely detection and proactive cyber defense are critical to protecting the organization’s infrastructure against potential RCE attacks. SOC Prime Platform for collective cyber defense offers a curated Sigma rule aimed at detecting CVE-2023-27524 exploitation patterns:
Possible Apache Superset CVE-2023-27524 PoC IOC Detection (via webserver)
This Sigma rule detects CVE-2023-27524 exploitation attempts that enable attackers to gain initial access to vulnerable Apache Superset servers. The detection is compatible with 14 SIEM, EDR, and XDR platforms and is aligned with the MITRE ATT&CK framework v12, addressing the Initial Access tactic with Exploit Public-Facing Application (T1190) as the corresponding technique. Note that attackers may modify their attack patterns to evade detection.
To outsmart attackers and keep up with the threats associated with emerging vulnerabilities, SOC Prime provides curated detection content that helps organizations risk-optimize their cybersecurity posture. By clicking the Explore Detections button, organizations gain instant access to even more detection algorithms aimed at identifying malicious behavior linked to the exploitation of trending vulnerabilities. For streamlined threat investigation, teams can also drill down to relevant metadata, including ATT&CK and CTI references.
Horizon3.ai has recently uncovered a novel vulnerability in Apache Superset servers, known as CVE-2023-27524, with a CVSS score of 8.9. According to the research, roughly two-thirds of the Apache Superset servers examined run with this insecure default configuration. The flaw affects server instances from version 1.4.1 up to 2.0.1 that still use the default SECRET_KEY value, and it can be exploited by threat actors to gain unauthorized access to the affected servers. The impacted organizations include both large-scale enterprises and small companies across multiple industry sectors, including government institutions and universities.
Upon successful exploitation, an adversary who knows the SECRET_KEY an Apache Superset instance uses to sign its session cookies can log in with administrator privileges, gain access to the connected databases, modify or delete them, and perform RCE against those databases and the server itself. As a result, attackers can gather sensitive data, such as user and database credentials, leading to further system compromise.
With the growing numbers of Superset customers and the widespread use of a default configuration, thousands of global organizations can be exposed to potential RCE attacks.
To help organizations remediate the threat, the Apache Superset team has issued an update in product version 2.1 that prevents the server from starting if it is configured with the default secret key. Still, the patch is not a silver bullet, since server instances installed through a Docker Compose file or a Helm template keep using the default keys.
With the CVE-2023-27524 PoC exploit code released by the Horizon3.ai team on GitHub, organizations can check whether their Apache Superset server uses the hazardous default configuration by running the corresponding script. If the script indicates that the server instance may be vulnerable, organizations are strongly recommended to update to the latest patched version or remove the instance.
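An offline way to perform the same check against your own superset_config.py, mirroring the startup test that version 2.1 introduced, as an added example that is not SOC Prime's, Superset's or Horizon3.ai's code. It assumes the known-default list below (taken from values shipped in Superset's config.py, Docker and Helm defaults, not guaranteed complete), a minimum key length of 32 characters and an entropy threshold of 3.5 bits per character.

```python
"""Audit a Superset SECRET_KEY for the CVE-2023-27524 default-key precondition."""
import ast
import math
import re
import secrets
from collections import Counter
from typing import List, Optional

# Default SECRET_KEY values shipped in Superset's config.py, docker/.env and
# Helm defaults (well-known published values; assumption: list may be incomplete).
KNOWN_DEFAULT_KEYS = {
    "\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h",
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",
    "thisISaSECRET_1234",
    "YOUR_OWN_RANDOM_GENERATED_SECRET_KEY",
    "TEST_NON_DEV_SECRET",
}
MIN_KEY_LEN = 32        # assumption: Superset docs recommend ~42 random bytes
MIN_ENTROPY_BITS = 3.5  # assumption: per-character Shannon entropy floor

# Constructed sample config, as a docker-compose based install might carry it.
SAMPLE_CONFIG = (
    "# constructed sample superset_config.py\n"
    "ROW_LIMIT = 5000\n"
    'SECRET_KEY = "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"\n'
)


def shannon_entropy(value: str) -> float:
    """Estimate bits of entropy per character from character frequencies."""
    counts, n = Counter(value), len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_secret_key(config_text: str) -> Optional[str]:
    """Return the SECRET_KEY string literal from config text, else None."""
    match = re.search(r"^\s*SECRET_KEY\s*=\s*(.+)$", config_text, re.MULTILINE)
    if not match:
        return None
    try:
        value = ast.literal_eval(match.group(1).strip())
    except (ValueError, SyntaxError):
        return None  # not a plain literal, e.g. an os.environ lookup
    return value if isinstance(value, str) else None


def audit_secret_key(key: Optional[str]) -> List[str]:
    """Return the reasons a key is unsafe; an empty list means it passed."""
    if key is None:
        return ["no SECRET_KEY literal found; Superset falls back to its built-in default"]
    findings = []
    if key in KNOWN_DEFAULT_KEYS:
        findings.append("SECRET_KEY is a known shipped default (CVE-2023-27524 precondition)")
    if len(key) < MIN_KEY_LEN:
        findings.append(f"SECRET_KEY is only {len(key)} characters long")
    if shannon_entropy(key) < MIN_ENTROPY_BITS:
        findings.append("SECRET_KEY has low character entropy")
    return findings


def generate_secret_key(nbytes: int = 42) -> str:
    """Produce a replacement key (equivalent in strength to `openssl rand -base64 42`)."""
    return secrets.token_urlsafe(nbytes)
```

Rotating the key invalidates every existing session, so schedule the change and force users to log in again.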
Boost your threat detection capabilities and accelerate threat hunting velocity equipped with Sigma, MITRE ATT&CK, and Detection as Code to always have curated detection algorithms against any adversary TTP or any exploitable vulnerability at hand. Obtain 800 rules for existing CVEs to proactively defend against threats that matter most. Instantly reach 140+ Sigma rules for free at https://socprime.com/ or get all relevant detection algorithms with On Demand at https://my.socprime.com/pricing/.