Cyber Security

Misconfigured Apache Airflow servers leak hundreds of credentials

apache airflow

Whereas investigating a misconfiguration flaw in Apache Airflow, researchers found many uncovered situations over the net leaking delicate info, together with credentials, from well-known tech corporations.

Apache Airflow is a well-liked open-source workflow administration platform for organizing and managing duties.

Cloud internet hosting suppliers, cost processors leaked credentials

This week, researchers Nicole Fishbein and Ryan Robinson from safety agency Intezer have disclosed particulars on how they recognized misconfiguration errors throughout Apache Airflow servers run by main tech corporations.

The misconfiguration flaws resulted in delicate information leakage together with hundreds of credentials from widespread platforms and companies corresponding to Slack, PayPal, and Amazon Net Providers (AWS), amongst others, declare the researchers:

services and platforms leaking creds
Researchers noticed generally used companies and platforms leaking credentials (Intezer)

“These unsecured situations expose delicate info of corporations throughout the media, finance, manufacturing, info know-how (IT), biotech, e-commerce, well being, vitality, cybersecurity, and transportation industries,” says Intezer’s researchers.

In numerous eventualities that researchers have analyzed, the commonest purpose for credential leak seen on Airflow servers was insecure coding practices.

For instance, Intezer’s group found numerous manufacturing situations with hard-coded passwords contained in the Python DAG code:

production environment credentials leak
 Examples of hardcoded password for a manufacturing PostgreSQL database (Intezer)

“Passwords shouldn’t be hardcoded and the lengthy names of photos and dependencies must be utilized. You’ll not be protected when utilizing poor coding practices even if you happen to consider the appliance is firewalled off to the web,” warn Fishbein and Robinson. 

In one other case of misconfiguration, researchers noticed Airflow servers with a publicly accessible configuration file: 

“The configuration file (airflow.cfg) is created when Airflow is first began. It incorporates Airflow’s configuration and it is ready to be modified,” state the researchers. The file incorporates secrets and techniques corresponding to passwords and keys.

However, if the `expose_config` possibility within the file is mistakenly set to ‘True,’ the configuration turns into accessible to anybody by way of the net server, who can now view these secrets and techniques.

publicly visible Airflow config file
Publicly seen Airflow config file ‘airflow.cfg’ (Intezer)

Different examples caught within the wild included delicate information saved in Airflow “Variables” that might be edited by an unauthorized person to inject malicious code, and the improper use of “Connections” characteristic—credentials saved within the unencrypted “Further” area as JSON blobs seen to everybody.

Analysis demonstrates dangers of delayed patching

Along with figuring out improperly configured Airflow belongings, the focus of this analysis was to attract consideration to dangers that come from delaying software program updates.

Intezer states the overwhelming majority of those flaws had been recognized in servers working Airflow v1.x from 2015, nonetheless in use by organizations from completely different sections.

In model 2 of Airflow, many new security measures had been launched together with a REST API that requires authentication for all operations. The newer model additionally would not retailer delicate info in logs and forces the administrator to explicitly verify configuration choices, fairly than go along with default ones.

Exposing buyer data and delicate information due to safety flaws ensuing from procrastinated patching might be in violation of information safety legal guidelines like the GDPR.

“Disruption of shoppers’ operations by way of poor cybersecurity practices can even end in authorized motion corresponding to class motion lawsuits,” advises the safety agency.

This discovery comes simply months after a misconfiguration in Argo Workflows, additionally found by Intezer, was abused by attackers to deploy cryptominers on Kubernetes clusters.

In August this yr, BleepingComputer reported on instances of misconfigured buckets exposing hundreds of thousands of delicate data from a secret terrorist watchlist.

Intezer states that prior to creating its findings public it has notified the recognized organizations and entities leaking delicate information by way of weak Airflow situations.

“In gentle of the most important adjustments made in model 2, it’s strongly really helpful to replace the model of all Airflow situations to the newest model. Guarantee that solely licensed customers can join,” advise Intezer’s researchers of their report.

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *