The maintainers of the open-source data visualization platform Apache Superset have announced security measures to address an insecure default configuration that exposes installations to potential remote code execution. The flaw, tracked as CVE-2023-27524 with a CVSS score of 8.9, affects all versions up to 2.0.1 and stems from a default SECRET_KEY that attackers can use to forge authentication and gain unauthorized access.
Naveen Sunkavally, Chief Architect at Horizon3.ai, articulated the risks associated with this vulnerability, characterizing it as a serious misconfiguration that permits unauthenticated attackers to execute arbitrary code, harvest sensitive data, and further compromise resources. It is important to highlight that instances of Superset that have modified the default SECRET_KEY are insulated from this vulnerability.
A comprehensive analysis by Horizon3.ai revealed that the default SECRET_KEY is set to a predictable string at installation. In October 2021, the firm found that almost 72% of publicly accessible Superset servers relied on this insecure default configuration, significantly elevating their risk profile. Attackers aware of this default key could easily forge session cookies to gain administrative control over vulnerable systems.
In an effort to mitigate the risk, on January 11, 2022, project maintainers rotated the SECRET_KEY in the source code to the generic placeholder “CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET”, alongside guidelines encouraging users to overwrite this default setting. However, this did not resolve the problem. Horizon3.ai later uncovered two additional security keys that also retained their default values, suggesting a broader issue with configuration.
A comprehensive sweep conducted in February 2023 identified over 3,000 instances still running with these insecure default configurations, affecting a range of organizations, including large corporations, small businesses, government bodies, and educational institutions. The researchers responsibly disclosed the findings to the Apache security team, resulting in the release of version 2.1 on April 5, 2023, which prevents instances from operating with a default SECRET_KEY: the server refuses to initialize until it has been configured with a secure key.
Although this update represents a significant step forward, it has limitations. Horizon3.ai points out that instances may still inadvertently run on a default SECRET_KEY when deployed using specific installation methods such as docker-compose, whose setup uses “TEST_NON_DEV_SECRET” as its key, so instances can continue to run without adequate protection. Additionally, some configurations may still leave the admin user set to default credentials such as admin/admin.
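The two paragraphs above describe the mitigation that shipped in 2.1 (refuse to start on a default SECRET_KEY) and the gaps it left (the docker-compose default and admin/admin credentials). The following added example, which is not Superset's own startup code or Horizon3.ai's script, shows how such a startup gate can be written: it rejects the default values named in this article, applies length and entropy thresholds of its own choosing, flags default admin credentials, and generates a replacement key. The denylist, the thresholds, and the config key names `ADMIN_USERNAME` / `ADMIN_PASSWORD` are assumptions made for this example.

```python
import math
import secrets
from collections import Counter

# Default or placeholder secrets named in the article. This is a constructed
# denylist for the example; extend it with the values listed in the advisory.
KNOWN_DEFAULT_SECRET_KEYS = {
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",  # source-code placeholder since Jan 2022
    "TEST_NON_DEV_SECRET",                   # docker-compose default
}

# Thresholds below are this example's assumptions, not Superset's own rule.
MIN_SECRET_LEN = 32        # characters
MIN_BITS_PER_CHAR = 3.0    # Shannon entropy estimate over the key's characters


def shannon_entropy_bits_per_char(s):
    """Estimate entropy per character from the character frequencies in s."""
    n = len(s)
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def check_secret_key(key):
    """Return a list of findings for SECRET_KEY; an empty list means it passes."""
    findings = []
    if not key:
        findings.append("SECRET_KEY is empty")
        return findings
    if key in KNOWN_DEFAULT_SECRET_KEYS:
        findings.append("SECRET_KEY is a known default value")
    if len(key) < MIN_SECRET_LEN:
        findings.append(
            f"SECRET_KEY is only {len(key)} characters (minimum {MIN_SECRET_LEN})"
        )
    if shannon_entropy_bits_per_char(key) < MIN_BITS_PER_CHAR:
        findings.append("SECRET_KEY has low entropy (repetitive or guessable)")
    return findings


def check_admin_credentials(username, password):
    """Flag the admin/admin default the article mentions."""
    findings = []
    if username == "admin" and password == "admin":
        findings.append("admin user still has the default admin/admin credentials")
    return findings


def generate_secret_key(nbytes=42):
    """Produce a replacement key from the OS CSPRNG (URL-safe base64 text)."""
    return secrets.token_urlsafe(nbytes)


def startup_gate(config):
    """Mimic the 2.1 behaviour: refuse to start until the secrets are acceptable.

    `config` is a plain dict standing in for the Superset config module; the
    ADMIN_USERNAME / ADMIN_PASSWORD keys are assumptions for this example.
    """
    findings = check_secret_key(config.get("SECRET_KEY", ""))
    findings += check_admin_credentials(
        config.get("ADMIN_USERNAME", ""), config.get("ADMIN_PASSWORD", "")
    )
    if findings:
        raise RuntimeError("refusing to start: " + "; ".join(findings))
    return True


if __name__ == "__main__":
    # Constructed sample configs: the docker-compose default and a fixed one.
    bad = {"SECRET_KEY": "TEST_NON_DEV_SECRET",
           "ADMIN_USERNAME": "admin", "ADMIN_PASSWORD": "admin"}
    try:
        startup_gate(bad)
    except RuntimeError as err:
        print(err)
    good = {"SECRET_KEY": generate_secret_key(),
            "ADMIN_USERNAME": "admin", "ADMIN_PASSWORD": generate_secret_key()}
    print("fixed config starts:", startup_gate(good))
```

The denylist check is what stops the two values named in the article; the length and entropy checks catch operators who replace the placeholder with something short or repetitive, which the denylist alone would miss.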
To aid organizations in verifying their security posture concerning this vulnerability, Horizon3.ai has released a Python script designed to assess whether Superset instances are at risk. Given that many users may overlook critical documentation, Sunkavally emphasizes the necessity for security measures that compel users to adopt safer configurations by default.
In terms of tactics and techniques from the MITRE ATT&CK framework, this vulnerability’s exploitation could relate to adversarial behaviors categorized under Initial Access, where unauthorized entities gain access, and Privilege Escalation, where they exploit permissions to assume higher access rights. As organizations navigate an increasingly complex cybersecurity landscape, this incident highlights the critical importance of adopting robust security configurations to protect against evolving threats.