High-risk issues were discovered by GitHub’s in-house security team
Apache Storm, an open source real-time streaming data analytics platform, has patched two vulnerabilities that led to remote code execution (RCE).
Discovered and reported by GitHub Security Lab, the bugs included a command injection vulnerability and an unsafe deserialization bug.
Command injection in Apache Storm Nimbus
The function getTopologyHistory takes a username argument and concatenates it into a shell command without sanitizing it. An attacker can exploit the argument to send operating system commands to the Apache server.
“This vulnerability was not exploitable when reached through the REST API since the username that holds the payload cannot be controlled by an attacker,” Alvaro Munoz, researcher at GitHub Security Labs, told The Daily Swig.
“However, I found out that I could directly call the Thrift service and provide any username.”
When called directly through the Nimbus Thrift port, the function does not require any special privileges, which leads to a pre-auth RCE. Munoz posted a proof-of-concept that exploits the bug to execute the ‘touch’ command on the server operating system.
“The Apache Storm security guide recommends enabling a firewall and to restrict network access to these services, but unfortunately, there are many publicly exposed servers not following these recommendations,” Munoz said.
Unsafe deserialization on supervisor server
The second bug was found in Storm’s supervisor service, which runs on top of a Netty server. In his research, Munoz discovered that the server’s inbound pipeline (the different handlers that process the incoming network packets) uses an object parser that is prone to unsafe deserialization. An attacker can exploit the bug to send a malicious object and run it on the server.
Munoz became familiar with the Netty framework during a recent code review of Apache Dubbo, where he modeled the library with CodeQL, GitHub’s semantic code analysis engine, and identified possible sources of untrusted data.
“My past experience reviewing Apache Dubbo granted me familiarity with the Netty framework and in particular with the Netty architecture and inbound pipelines,” Munoz said.
A proof-of-concept shows the bug being exploited to load a gadget payload and run a DNS resolution command on the server. Like the code injection vulnerability, the deserialization bug also leads to pre-auth RCE.
“When I first reviewed the CodeQL result, I wasn’t sure about the criticality of the issue since the Storm workers can be configured to require authentication,” Munoz said. “However, after looking at the Netty inbound pipeline, I realized that the authentication was applied after triggering the deserialization. Therefore, an attacker would be able to trigger it with no valid credentials.”
“These vulnerabilities can affect default installations of Apache Storm. It is recommended to update as per the announcements,” Derek Dagit, member of the Apache Storm Project Management Committee (PMC), told The Daily Swig.
Regarding the code injection bug, Dagit said that the key takeaway is to treat any code that invokes an interpreter with scrutiny.
“The serialization vulnerability is harder to exploit, but its takeaway is simpler: In general, Java native serialization without registered types isn’t safe, neither as a default nor as a fallback,” he added.
Munoz recommended that web developers should apply validations as close as possible to the point where data is going to be consumed.
The Apache Storm vulnerabilities are also a reminder that authentication should be applied as early as possible in the data processing chain to reduce the chances of unauthenticated users being able to trigger potential vulnerabilities in the code, he said.
“Generally, enabling static analysis in your build pipeline can help you prevent critical bugs like these ones. If you maintain an open-source project, I encourage you to enable CodeQL-powered code scanning for free,” Munoz added.
DON’T FORGET TO READ Two men charged with deploying REvil ransomware attacks