Apache Airflow instances that have not been properly secured are exposing everything from Slack to AWS credentials online.
On Monday, Intezer malware analyst Nicole Fishbein and cybersecurity researcher Ryan Robinson said the instances, vulnerable to information theft, belong to industries including IT, cybersecurity, health, energy, finance, and manufacturing, among other sectors.
Apache Airflow, available on GitHub, is an open source platform designed for scheduling, managing, and monitoring workflows. The modular software can also be used to process data in real time, with work pipelines configured as code.
Apache Airflow version 2.0.0 was released in December 2020 and implemented a range of security enhancements, including a new REST API that enforces authentication, as well as a shift to explicit value settings rather than default options.
While inspecting active, older versions of the workflow software, the cybersecurity firm found a range of unprotected instances that exposed credentials for business and financial services including Slack, PayPal, AWS, Stripe, Binance, MySQL, Facebook, and Klarna.
“They [instances] are often hosted on the cloud to provide increased accessibility and scalability,” Intezer noted. “On the flip side, misconfigured instances that allow internet-wide access make these platforms ideal candidates for exploitation by attackers.”
The most common security issue causing these leaks was the use of hardcoded passwords embedded in the Python DAG code running on those instances.
In addition, the researchers discovered that the Airflow “Variables” feature was a source of credential leaks. Variable values can be set once and read across all DAG scripts within an instance, but if the instance is not configured properly, this can lead to exposed passwords.
The team also found misconfigurations in the “Connections” feature of Airflow, which provides the link between the software and a user’s environment. However, not all credentials may be entered properly, and they may end up in the “extra” field, the team says, rather than in the secure and encrypted portion of a Connection. As a result, credentials can be exposed in plaintext.
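The three leak sources above (secrets hardcoded in DAG files, Variables, and credentials pushed into a Connection’s “extra” field) can be checked for before a DAG is deployed. The following is an added example written for this page, not Intezer’s tooling and not part of Airflow itself: a small static audit that uses only the Python standard library, so it runs without an Airflow installation. The DAG source and the connection records it inspects are constructed samples; the name pattern `SECRET_NAME` and the function names are this example’s own choices.

```python
"""Added example (not Intezer's or Airflow's code): audit DAG source and
exported Connections for the credential-leak patterns described above."""
import ast
import json
import re
from typing import Dict, List

# Variable / key names that usually hold a credential. This list is an
# assumption of the example; extend it for your own code base.
SECRET_NAME = re.compile(
    r"(password|passwd|pwd|secret|token|api_?key|private_?key|authorization)", re.I
)

# Constructed sample DAG source. Lines 5, 6 and 9 carry hardcoded secrets;
# line 7 reads the value from Airflow Variables instead, so it is not flagged.
SAMPLE_DAG = '''
from airflow import DAG
from airflow.operators.python import PythonOperator

AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
slack_token = "xoxb-000000000000-000000000000-constructedexample"
db_password = Variable.get("db_password")
env = "prod"
headers = {"Authorization": "Bearer eyJhbGciOi.constructed.example"}
'''

# Constructed sample Connections in the dict shape the Airflow CLI exports.
# "mysql_bad" and "slack_bad" carry their credential in "extra" instead of
# the password field, which is the misconfiguration the article describes.
SAMPLE_CONNECTIONS = {
    "stripe_ok": {"conn_type": "http", "host": "api.stripe.com", "login": "",
                  "password": "sk_test_constructed", "extra": ""},
    "mysql_bad": {"conn_type": "mysql", "host": "db.internal", "login": "app",
                  "password": "",
                  "extra": json.dumps({"password": "hunter2", "charset": "utf8"})},
    "slack_bad": {"conn_type": "http", "host": "hooks.slack.com", "login": "",
                  "password": "", "extra": '{"token": "xoxb-constructed"}'},
}


def find_hardcoded_secrets(source: str) -> List[Dict[str, object]]:
    """Parse DAG source and report string literals bound to secret-like
    names, either by assignment (`slack_token = "..."`) or as a dict key
    (`{"Authorization": "..."}`). Values fetched at runtime (Variable.get,
    hooks, env lookups) are calls, not literals, and are left alone."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            value = node.value
            if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
                continue
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    findings.append({"line": node.lineno, "name": target.id})
        elif isinstance(node, ast.Dict):
            for key, value in zip(node.keys, node.values):
                if (isinstance(key, ast.Constant) and isinstance(key.value, str)
                        and isinstance(value, ast.Constant)
                        and isinstance(value.value, str)
                        and SECRET_NAME.search(key.value)):
                    findings.append({"line": key.lineno, "name": key.value})
    return sorted(findings, key=lambda f: f["line"])


def find_credentials_in_extra(connections: Dict[str, dict]) -> List[Dict[str, object]]:
    """Report Connections whose JSON "extra" field carries secret-like keys
    with non-empty values. Such values should live in the password field,
    which Airflow treats as the credential, not in free-form extra."""
    findings = []
    for conn_id, conn in connections.items():
        raw_extra = conn.get("extra") or ""
        try:
            extra = json.loads(raw_extra) if raw_extra else {}
        except json.JSONDecodeError:
            extra = {"_unparsed_extra": raw_extra}
        if not isinstance(extra, dict):
            continue
        leaked = sorted(k for k, v in extra.items()
                        if isinstance(v, str) and v and SECRET_NAME.search(k))
        if leaked:
            findings.append({"conn_id": conn_id, "keys": leaked})
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_DAG):
        print(f"DAG line {f['line']}: hardcoded secret in {f['name']!r}")
    for f in find_credentials_in_extra(SAMPLE_CONNECTIONS):
        print(f"connection {f['conn_id']!r}: credential keys in extra: {f['keys']}")
```

Run it against the `.py` files in your DAGs folder and the output of `airflow connections export` to get the same two lists; the point of the AST walk rather than a grep is that it distinguishes a literal secret from a runtime lookup with the same variable name.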
“Many Airflow instances contain sensitive information,” the researchers explained. “When these instances are exposed to the internet, the information becomes accessible to everyone since the authentication is disabled. In versions prior to v1.10 of Airflow, there is a feature that lets users run Ad Hoc database queries and get results from the database. While this feature can be helpful, it is also very dangerous because, on top of there being no authentication, anyone with access to the server can get information from the database.”
Intezer has notified the owners of the vulnerable instances through responsible disclosure.
It is recommended that Apache Airflow users upgrade their builds to the latest version and check user privilege settings to make sure no unauthorized users can obtain access to their instances.