Vulnerable Version
versions <= 2.0.1
Fixed Version
Update to the latest version
Base Score
9.8 CRITICAL
Vendor Description:-
Apache Superset is an open-source data visualization and exploration web application that enables businesses and data analysts to construct interactive and shareable dashboards for data exploration and visualization. It is a simple interface that allows users to connect to numerous data sources, create charts and graphs, and develop interactive dashboards to acquire insights from their data.
Superset is developed in Python and uses the Flask web framework.
In terms of popularity, it has over 50K stars on GitHub, and over 3000 instances are exposed to the public Internet. Superset usage has grown during the last year.
CVE-2023-27524 Description:-
CVE-2023-27524 is a severe vulnerability in Apache Superset that allows authentication to be circumvented owing to the use of a weak, hardcoded default SECRET_KEY. Superset relies on Flask's session management, which authenticates users via cryptographically signed cookies: cookies containing user information are signed with a secret key to ensure their integrity and authenticity. However, Superset's default configuration ships a predictable and insecure SECRET_KEY, namely \x02\x01thisismysecretkey\x01\x02\e\y\y\h. If this key is left untouched, an attacker can use tools such as flask-unsign to examine and reverse-engineer session cookies and then create valid authentication credentials. This enables an unauthenticated attacker to impersonate genuine users and obtain unauthorized access to the application. The vulnerability shows the serious security implications of using unsafe defaults in session-based authentication systems.
Impact:-
- Authentication Bypass: The vulnerability allows attackers to forge session cookies by exploiting the default SECRET_KEY in Apache Superset versions up to 2.0.1. This enables unauthorized access to the application without valid credentials.
- Potential Remote Code Execution (RCE): By gaining unauthorized access, attackers can execute arbitrary SQL queries or commands, potentially leading to remote code execution on the server, depending on the application's configuration and connected databases.
- Widespread Exposure Due to Default Configuration: Many Superset installations use the insecure default SECRET_KEY, leaving over 70% of deployments vulnerable. This widespread misconfiguration significantly increases the risk of exploitation.
Mitigations:-
- Update Superset: Ensure that your Apache Superset installation is up to date, so that it includes the fix for the unsafe default SECRET_KEY issue.
- Replace Default SECRET_KEY: To avoid cookie forgery, replace the default SECRET_KEY in the configuration file with a strong, random, and cryptographically secure value.
- Restrict Access to Configuration Files: Enforce rigorous file permissions on superset_config.py and any other file containing sensitive settings, allowing only necessary system users to access them.
- Audit Existing Sessions and Logs: Examine session cookies and authentication logs for any unusual behavior or unauthorized access, particularly if the default key was in use for an extended period.
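The following audit helper illustrates the second mitigation: it parses a superset_config.py, flags the default key quoted above (or a missing/too-short key) and mints a replacement of the same shape as `openssl rand -base64 42`. It is an added example, not Superset's own tooling; the sample configs, the MIN_KEY_BYTES threshold and the function names are constructed for illustration.

```python
import ast
import base64
import secrets

# The default key quoted in the advisory. Python keeps \e \y \h as literal
# backslash pairs; a raw-string tail avoids an invalid-escape warning.
DEFAULT_KEY = "\x02\x01thisismysecretkey\x01\x02" + r"\e\y\y\h"
KNOWN_WEAK_KEYS = {DEFAULT_KEY}
MIN_KEY_BYTES = 32  # assumption: shorter literal keys are flagged as well


def extract_secret_key(config_text):
    """Find the SECRET_KEY assignment in superset_config.py source text.

    Returns (status, value): "literal" with the string, "dynamic" with the
    source of a non-constant expression (e.g. os.environ[...]), or "missing".
    """
    for node in ast.walk(ast.parse(config_text)):
        if not isinstance(node, ast.Assign):
            continue
        if any(isinstance(t, ast.Name) and t.id == "SECRET_KEY" for t in node.targets):
            if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
                return "literal", node.value.value
            return "dynamic", ast.unparse(node.value)
    return "missing", None


def audit_secret_key(config_text):
    """Return {"status", "flagged", "findings"} for one config file's contents."""
    status, value = extract_secret_key(config_text)
    findings = []
    if status == "missing":
        findings.append("SECRET_KEY not set; Superset falls back to its built-in default")
    elif status == "dynamic":
        findings.append(f"SECRET_KEY computed at runtime ({value}); verify the live value")
    else:
        if value in KNOWN_WEAK_KEYS:
            findings.append("SECRET_KEY is the known default abused by CVE-2023-27524")
        if len(value.encode()) < MIN_KEY_BYTES:
            findings.append(f"SECRET_KEY is only {len(value.encode())} bytes long")
    return {"status": status, "flagged": bool(findings), "findings": findings}


def generate_secret_key(num_bytes=42):
    """Mint a replacement equivalent to `openssl rand -base64 42`."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode()


# Constructed sample configs, not copied from any real deployment.
VULNERABLE_CONFIG = f"SECRET_KEY = {DEFAULT_KEY!r}\n"
HARDENED_CONFIG = f"SECRET_KEY = {generate_secret_key()!r}\n"
```

Run `audit_secret_key(open("superset_config.py").read())` against each deployment's config; a `flagged` result means the key must be rotated, which also invalidates every session signed with the old key.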
POC
# Install dependencies
pip install -r requirements.txt
# Forge an administrative session (whose user_id is 1) cookie
python CVE-2023-27524.py --url http://your-ip:8088 --id 1 --validate
This script attempts to crack the session cookie using known default secret keys. If it succeeds, it generates a new session cookie with user_id=1 (usually the admin user) and validates the login.
You can then access the Superset backend endpoint by supplying this JWT token as the cookie value, such as Cookie: session=eyJ…